OFSI Makes First Use of New Settlement Mechanism in Apple Distribution International Limited Enforcement Action

On March 30, 2026, HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”) published details of a £390,000 civil monetary penalty imposed on Apple Distribution International Limited (“ADIL”), a subsidiary of US technology company Apple Inc. incorporated in the Republic of Ireland, for violating the prohibition on making funds available to an entity owned or controlled by a UK designated person under Regulation 12 of the Russia (Sanctions) (EU Exit) Regulations 2019 (“Russia Regulations”). 

The ADIL penalty represents the fifteenth use of OFSI’s civil monetary penalty powers and the third largest civil monetary penalty imposed by OFSI to date.  The enforcement action is notable because it represents the first use of OFSI’s new settlement mechanism to resolve a civil monetary penalty case involving violations of UK financial sanctions, as well as for targeting a non-UK person for conduct undertaken in the United Kingdom.  Several useful hints as to OFSI’s enforcement approach and compliance expectations for businesses required to comply with UK sanctions can be discerned from the ADIL case, which affected businesses should factor into their UK sanctions compliance efforts. 

The Breach

ADIL, a non-UK person, is responsible for instructing payment transactions for revenues earned by software developers who have placed their software applications on the App Store online marketplace operated by ADIL and its corporate affiliates.  These payments involved a UK nexus because they were made using ADIL funds held in a UK-based bank account that is controlled by ADIL.

ADIL instructed a UK-based bank to make two payments totaling £635,618.75 to Okko LLC, the operator of a Russian online media streaming platform (“Okko”):

• on June 6, 2022, for the equivalent of £356,429.27, with funds being released on June 30, 2022 (“June Payment”); and
• on June 30, 2022, for the equivalent of £279,189.48, with funds being released on July 28, 2022 (“July Payment”).

The June payment was processed on the day that Okko’s 100 percent owner, JSC New Opportunities, was designated in the United Kingdom.  In deciding to take enforcement action in relation to the June Payment, OFSI took into account that ADIL subsequently initiated the July Payment to the same recipient approximately one month later, as well as Okko’s ownership prior to 17 May 2022 by another UK designated person, PJSC Sberbank (“Sberbank”), during which time ADIL had processed two other payments in April 2022 with an equivalent total value of £1,160,278.39 to Okko and another entity owned at the relevant time by Sberbank.

According to OFSI’s decision notice, ADIL relied on its corporate affiliates to functionally implement relevant payment processes, sanctions screening and due diligence measures in relation to the payments to Okko.  OFSI determined that ADIL was the legal entity responsible for these financial sanctions breaches because it was the legal entity that instructed the payments to Okko.  In OFSI’s view, responsibility for ensuring compliance with sanctions legislation lies with the entity directly responsible for the breach. Consequently, while an entity may delegate compliance functions to third parties, including corporate affiliates within a corporate group structure, any mitigating or aggravating conduct demonstrated by those compliance functions will be assessed as conduct of the entity directly responsible for the breach.  

OFSI’s Investigation and Penalty Decision

ADIL voluntarily self-reported these payments to OFSI, along with other similar payments occurring in different timeframes, on October 4, 2022.  Following responses by ADIL to several requests for information made by OFSI in 2023 and 2024, OFSI issued a notice of intention to impose a monetary penalty on ADIL on November 11, 2025. Following the introduction of a new enforcement framework by OFSI on February 9, 2026, which enabled the settlement of civil monetary penalty cases, OFSI and ADIL agreed to enter into formal settlement discussions on February 16, 2026, under transitional arrangements. The current settlement was agreed on March 19, 2026.

OFSI’s Assessment of the Case

In assessing ADIL’s breach of UK financial sanctions, OFSI characterized the breach as “serious,” as opposed to “most serious.”  In assessing the case, OFSI applied the guidance contained in the November 2024 version of its Financial Sanctions Enforcement and Monetary Penalties Guidance (“Enforcement Guidance”).

OFSI identified a number of aggravating features to the case, as follows:

• High value breach – The funds of £635,638.75 made available to an entity owned or controlled by a UK designated person were deemed high value;
• Harm or risk of harm to the sanctions regime’s objectives – An entity wholly-owned and controlled by a UK designated person received the payments, which undermined the asset freeze and diminished its intended impact on Russia’s behaviour;
• Conduct – ADIL’s sanctions screening and broader financial crime controls were not sufficiently calibrated at the time of the breaches to address the increased financial sanctions risk associated with Russia following its full-scale invasion of Ukraine in February 2022 because the processes used by ADIL to assess sanctioned party ownership-related risks in the onboarding of Russian app developers focused primarily on a self‑certification model and ownership due diligence provided by third party due diligence vendors;
• Intention, knowledge and reasonable cause to suspect – ADIL did not supplement its due diligence process by affirmatively requesting ownership information from Russian paid app developers, despite the withdrawal of information from Russian corporate registries in mid-2022 and the availability at the time of the breaches of open‑source media articles indicating the transfer of Sberbank’s digital assets to JSC New Opportunities;
• Repeated, persistent or extended breaches – OFSI took into account two earlier payments made by ADIL that bore similar characteristics to the June Payment and July Payment that occurred prior to the entry into force of strict civil liability for breaches of financial sanctions in June 2022; and
• Severity – The sanctions imposed by the UK in respect of Russia were a strategic priority for the UK and its foreign policy in 2022 and remain so today.

These factors were weighed against four mitigating factors.  First, ADIL voluntarily disclosed the breaches to OFSI.  Second, OFSI also identified no evidence to suggest that ADIL was (or its third party due diligence providers were) aware at the relevant time that Okko was owned or controlled by a UK designated person.  Consequently, ADIL did not intend to breach financial sanctions and did not know or have reasonable cause to suspect that its conduct would constitute a sanctions breach.  Third, the June Payment was completed very shortly after the designation of JSC New Opportunities, offering ADIL limited opportunity to cancel the June Payment.  Fourth, ADIL commissioned an external due diligence report to ascertain the ownership of Okko after being made aware of concerns regarding Okko unrelated to UK financial sanctions by a third party.  ADIL proactively notified its third party due diligence providers of the link identified in that report between Okko and JSC New Opportunities and committed to making improvements to its sanctions compliance framework, including working to implement a new process to require Russian paid app developers to provide direct and indirect ownership and control information at onboarding and periodically thereafter.

Key Takeaways

The ADIL enforcement action serves as a timely reminder of four important compliance lessons for businesses that are required to comply with UK sanctions:

1. UK sanctions apply to any conduct in the UK, as well as to conduct by UK persons anywhere in the world.  Businesses that make use of UK financial institutions to process payments must ensure that they comply with UK sanctions in force from time to time.
2. Customer and counterparty due diligence frameworks must be sufficiently robust to  identify and understand ownership and control at the outset of a relationship and on an ongoing basis.  Businesses should take a risk-based approach and apply enhanced due diligence when ownership structures are complex, opaque, or involve higher risk jurisdictions or sectors. When proportionate to do so, businesses should require counterparties to provide clear, accurate and up to date information to support verification of the results of sanctions screening and other due diligence efforts. Ongoing monitoring should also be calibrated to identify any changes in ownership and control that may give rise to heightened sanctions risk for the duration of the business relationship.
3. Businesses are ultimately responsible for ensuring their own compliance with UK financial sanctions.  While use of third party service providers to screen payments and conduct due diligence can provide valuable compliance support, frequent changes to ownership structures or outdated input data can result in incomplete or inaccurate screening results for which businesses may be held liable if they engage in conduct contrary to UK sanctions.
4. Businesses should evaluate whether to voluntarily disclose breaches of financial sanctions.  OFSI values complete, detailed, and prompt voluntary disclosure of potential breaches of UK financial sanctions.  The reporting of suspected breaches can result in a discount of up to 30 percent as part of OFSI’s new Voluntary Disclosure and Co-operation discount. 

For more information on these developments and their implications for companies, contact the author of this post, Alexandra Melia, in Steptoe’s Economic Sanctions team in London.