June 2nd, 2026
On May 28th, 2026, the FCA published its review of 150 supervised firms across a range of financial services sectors, assessing their sanctions systems and controls related to financial and trade sanctions. The FCA’s findings reveal a gap in governance and oversight of the overall sanctions framework.
One of the areas the FCA investigated was Management Information (MI). While the FCA noted that MI was generally reported, it lacked quality and depth. MI is an important tool for detecting gaps in systems and for giving senior management an understanding of the effectiveness of financial crime systems. Percentages of true and false matches are a regular dataset for MI; however, more is required to better govern systems. This includes alert resolution times, which the FCA highlighted that some firms were unable to provide, as well as customer, product, jurisdiction, and channel sanctions risks. The FCA also highlighted that MI wasn’t collected for overseas branches and offices. Firm-wide sanctions risk, as well as the sanctions risk of individual branches, should be collected to better understand the unique challenges being faced and to ensure specific policies and procedures are put in place to mitigate these risks. Common practice in financial crime policies and procedures for firms with global reach is to follow head office jurisdiction regulations unless the overseas jurisdiction has stricter regulations. This practice should be brought into MI to ensure that consistent checks are being made and that the global financial system isn’t being exploited.
The FCA also brought up third-party vendors. In its review of risk assessments, the FCA highlighted an over-reliance on third-party vendor-provided risk ratings. Third-party vendors are commonly used for sanctions lists and sanctions screening; however, relying on them is insufficient on its own. Firms should still be conducting their own risk assessments to ensure evolving risks are being mitigated and are consistent with local and international legislation, similar to how they would in correspondent banking. Gaps in the systems of third-party vendors ultimately fall on the firms if enforcement action is taken, and therefore should be treated seriously. This is again where stronger governance comes in: firms should challenge risk assessments produced by third-party vendors to ensure they match up with their own. On May 19th, 2026, Deutsche Bank London was fined for a similar issue regarding third-party vendors. Due to Deutsche’s lack of oversight of its third-party vendor, the Bank failed to understand the due diligence conducted by its vendor, resulting in payments to a sanctioned entity being missed.
The third-party vendor issue extends further, with the FCA finding instances of reliance on third parties to conduct customer due diligence (CDD) and sanctions screening, firms being unable to demonstrate oversight of vendors’ controls, and a lack of clarity on responsibility for sanctions risk management. CDD is the core of financial crime prevention and a fundamental section in the Money Laundering Regulations (MLR) 2017, and while it is acceptable to utilise third parties to handle it, the overall issue of governance and oversight persists. Firms can’t blindly allow third parties to handle this for them without regularly testing their systems and reviewing policies and procedures. Risk assessments shouldn’t stop at customers; they should also include understanding the risks presented by partners and vendors to improve financial crime systems.
The FCA also investigated firms’ screening and alert management systems. The FCA observed that most firms conducted name screening daily, and transactions/payments screening at least daily, while recognizing that strong screening frameworks included well-documented policies and procedures and clear escalation routes with defined roles and responsibilities. However, in the case of list management, it found delays or failures in updating the UK Sanctions List promptly, as well as missing internal customer records, such as dates of birth. Moreover, issues were found with the configuration and testing of screening systems, leading to variant names not being detected, as well as issues with alert resolution. Sanctions regimes are changing rapidly, and evasion of them is becoming more complex. Sample testing is a core part of financial crime prevention: it ensures systems are calibrated correctly and don’t lead to missed matches, similar to what firms do for their onboarding processes to ensure the right due diligence is being used. Non-Latin names, for example, need to be taken into consideration when setting up and configuring systems so that they are also covered by sanctions screening.
The review also raised the difficulties surrounding trade sanctions controls. Firms have limited information to make informed decisions about potential exposure to trade sanctions evasion, and preventing and detecting specific breaches is difficult due to global trade patterns and open book financing. The FCA noted that financial sanctions systems are more mature than trade sanctions systems; however, the volume of controls used for trade sanctions is greater than that of financial sanctions. The difference between control volume and control effectiveness is an interesting area to explore. Given the difficulty of detecting breaches in trade sanctions, it makes sense that more controls are required to better mitigate them. However, reliance on controls is not the right direction. The controls mentioned by the FCA as good practice are essential, but staff training is required to understand the different sanctions restrictions and to better understand breaches and common red flags. Moreover, trade sanctions should be separated from financial sanctions, which means conducting risk assessments specifically for trade to better govern systems against it.
Have you noticed any of the gaps mentioned by the FCA in your own sanctions screening systems?