FCA sanctions systems and controls: what the findings mean for payment and e-money firms

In short: FCA sanctions systems and controls are now a standing supervisory expectation for payment and e-money firms. On 28 May 2026 the FCA published findings from assessing over 150 firms since February 2022, with UK assets reported frozen rising to £37bn in 2024-25. Screening calibration, alert management and asset freezing are the recurring weak points.

By Rob Bratby, Managing Partner, Bratby Law. 30+ years in regulated industries, including current Fractional General Counsel to UKPI. Chambers UK Band 2, Legal 500 Leading Partner.

For a payment or e-money firm, sanctions screening is no longer a control the regulator inspects once and moves on. FCA sanctions systems and controls are now a standing test of whether a firm’s systems work in practice, and the payments sector is one of the largest sources of suspected breach reporting. On 28 May 2026 the FCA published findings on where firms get this right and where they fall short, drawing on assessments of more than 150 firms since February 2022. The findings show that the control template built for banks does not fit the high-volume, real-time, agent-intermediated way payment firms actually operate.

Key findings: FCA sanctions systems and controls (28 May 2026)

  • UK assets reported frozen rose to £37bn in 2024-25, up from £24.4bn in 2023-24. Source: FCA, Sanctions systems and controls in our firms: our findings, 28 May 2026.
  • The FCA has assessed over 150 supervised firms since February 2022; this report follows its September 2023 review. Source: FCA findings, 28 May 2026.
  • The payments, retail banking and wholesale markets sectors generate the majority of suspected sanctions breach reports. Source: FCA findings, 28 May 2026.
  • Screening systems correctly identified the sanctioned party in 90% of exact-name-match tests, but only 75% where names appeared in slightly different forms. Source: FCA sanctions screening testing, 28 May 2026.
  • The most common causes of breaches were weaknesses in due diligence, alert management, name and transaction screening, frozen-asset management and licence compliance. Source: FCA findings, 28 May 2026.
  • On 28 May 2026 the FCA signed a new memorandum of understanding with OTSI, adding to its existing memorandum with OFSI. Source: FCA press release, 28 May 2026.

What the FCA measured | Figure | Source
--- | --- | ---
UK assets reported frozen | £24.4bn (2023-24) rising to £37bn (2024-25) | FCA findings, 28 May 2026
Firms assessed since February 2022 | Over 150 FCA-supervised firms | FCA findings, 28 May 2026
REP-CRIM firms using automated screening (2024-25) | 70% | FCA findings, 28 May 2026
Exact-name-match alerts correctly identifying the sanctioned party | 90% | FCA sanctions screening testing
Minor-name-variation alerts correctly identifying the sanctioned party | 75% | FCA sanctions screening testing
Firms resolving name-screening alerts within one working day | 44% | FCA findings, 28 May 2026

Why payment and e-money firms are at the centre of the review

The payments sector sits at the centre of the FCA’s sanctions work because it generates more suspected breach reports than almost any other sector. In its findings published on 28 May 2026, the FCA said the majority of sanctions reporting comes from payments, retail banking and wholesale financial markets firms. It assessed the systems and controls of more than 150 supervised firms since February 2022, following its September 2023 review of firms’ response to the Russia sanctions.

The numbers explain the attention. UK assets reported frozen rose from £24.4bn in 2023-24 to £37bn in 2024-25. Reports still relate primarily to the Russia regime, but the FCA now sees reporting against Libya and, increasingly, Iran and North Korea. The regulator placed fighting financial crime among the four priorities of its 2025 to 2030 strategy, and the sanctions workstream is one expression of it. The FCA work programme for 2026 sets out where financial crime sits in the year’s supervisory diary.

The 28 May package was not a single document. The FCA also signed a new memorandum of understanding with the Office of Trade Sanctions Implementation (OTSI), the body that took on civil enforcement of trade sanctions in 2024, adding to the memorandum it already holds with the Office of Financial Sanctions Implementation (OFSI). Two reviews since 2022, over 150 firms and two memoranda of understanding tell the reader that sanctions has become a standing supervisory workstream, not a one-off response to 2022.

How sanctions rules bind payment and e-money firms

Sanctions obligations do not depend on FCA authorisation. They bind every person in the UK under regulations made by reference to the Sanctions and Anti-Money Laundering Act 2018. Dealing with the funds of a designated person, or making funds or economic resources available to them, is a criminal offence regardless of how good a firm’s systems are. Trade sanctions sit alongside financial sanctions and have widened well beyond military and dual-use goods to cover ancillary services and technical assistance, enforced civilly by OTSI under the Trade, Aircraft and Shipping Sanctions (Civil Enforcement) Regulations 2024.

The substantive exposure is sharper than many firms assume. Since 15 June 2022, when the Economic Crime (Transparency and Enforcement) Act 2022 amended OFSI’s powers, OFSI can impose a civil monetary penalty for a financial sanctions breach on a strict-liability basis. It need not show that the firm knew, or had reasonable cause to suspect, that it was dealing with a designated person. Good systems reduce the risk of a breach; they do not convert a breach into a non-breach. That is the point payment firms most often miss when they treat screening as the whole of the obligation.

The FCA’s own hook is its supervision of systems and controls. For payment institutions, the authorisation conditions in regulation 6 of the Payment Services Regulations 2017 require robust governance arrangements, effective risk procedures and adequate internal control mechanisms; the Electronic Money Regulations 2011 impose equivalent conditions on e-money institutions. The regulator measures those controls against its Financial Crime Guide, whose sanctions chapter sets out the expected approach to screening and asset freezing. One distinction matters for payments firms: unlike banks, payment institutions and e-money institutions sit outside the Senior Managers and Certification Regime, so individual accountability for sanctions controls runs through the firm’s governance arrangements and its money laundering reporting officer rather than a named senior manager function.

Where payment firms’ sanctions controls break down

The recurring failures cluster in screening, alert management and asset freezing. On screening, the FCA’s sanctions screening testing workstream found that systems were reliable on exact name matches, identifying the sanctioned party in 90% of tests, but dropped to 75% where a name appeared in a slightly different form. Systems struggled with obfuscated or variant names, names with non-Latin characters, honorifics that pushed match scores below alert thresholds, one-word names, and names that exceeded character limits and failed silently. For a firm screening payments in real time, and nearly six in ten of those that screen payments do so in real time, a configuration gap of this kind is a live exposure on every transaction, not a quarterly audit point.
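
The calibration gap described above can be reproduced with a small test harness. This is an added example, not code from the FCA, the author or any screening vendor: the list entry, test names, honorific stop-list, 0.85 threshold and 40-character field limit are all constructed, and Python's `difflib` stands in for a real matching engine.

```python
import unicodedata
from difflib import SequenceMatcher

HONORIFICS = {"mr", "mrs", "ms", "dr", "prof", "sir"}  # assumed stop-list
THRESHOLD = 0.85  # constructed alert threshold
MAX_LEN = 40      # constructed name-field limit
LISTED = "Aleksandr Examplov"  # constructed list entry, not a real designation

# Constructed test names: (label, input, should a hit be surfaced?)
CASES = [
    ("exact", "Aleksandr Examplov", True),
    ("honorifics", "Prof. Dr. Aleksandr Examplov", True),
    ("cyrillic", "Александр Экзамплов", True),
    ("overlength",
     "Example Holdings International Trading House of Aleksandr Examplov", True),
    ("unrelated", "Maria Sample", False),
]

def normalise(name):
    """Fold case and diacritics, strip punctuation, drop honorific tokens."""
    folded = unicodedata.normalize("NFKD", name.casefold())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in folded).split()
    return " ".join(t for t in tokens if t not in HONORIFICS)

def ratio(a, b):
    return SequenceMatcher(None, a, b).ratio()

def naive_screen(name):
    # Models the weak configuration: silent truncation, raw string scoring.
    score = ratio(name[:MAX_LEN].lower(), LISTED.lower())
    return "ALERT" if score >= THRESHOLD else "CLEAR"

def hardened_screen(name):
    if len(name) > MAX_LEN:
        return "REVIEW"  # refuse to screen a silently truncated name
    cleaned = normalise(name)
    if not cleaned.isascii():
        return "REVIEW"  # script this matcher cannot compare; needs transliteration
    return "ALERT" if ratio(cleaned, normalise(LISTED)) >= THRESHOLD else "CLEAR"

def missed(screen):
    """Labels of cases that should surface but came back CLEAR."""
    return [label for label, name, hit in CASES if hit and screen(name) == "CLEAR"]

if __name__ == "__main__":
    print("naive misses:   ", missed(naive_screen))
    print("hardened misses:", missed(hardened_screen))
```

The naive configuration clears the honorific, non-Latin and overlength inputs without any signal, while the hardened one either alerts or routes the name to manual review instead of failing silently.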

Alert management is the second cluster. Only 44% of firms resolved name-screening alerts within one working day, and over a quarter took three to five days. The findings describe accounts that firms left unrestricted while they investigated a potential match, alerts incorrectly discounted under target pressure, and assets that moved before the firm applied a freeze. The payments-specific evasion typology the FCA flags is routing funds through e-money or cryptoasset wallets, and through chains of intermediary payment processors, to obscure links to designated persons. In one anonymised case, a payments firm uncovered customers receiving card top-ups originating from designated Russian banks but routed through multiple processors; it blocked the processors, froze the balances and reported the matter.

The third cluster is oversight of outsourced controls. Many payment firms rely on a screening vendor or a group function, and the FCA found firms that could not demonstrate they understood, challenged or validated the vendor’s configuration and matching logic. Asset-freeze failures completed the picture: undocumented freezing procedures, internal transfers and charges that continued on supposedly frozen accounts, and freeze obligations overlooked at offboarding. Where a sanctions concern drives an account closure, the firm must also work within the framework-contract termination rules in force from 28 April 2026. A firm facing FCA supervisory questions on screening or asset-freeze failures needs specialist investigations and enforcement support from the outset.

What the findings require of payment and e-money firms

The substantive obligation comes first. A payment or e-money firm must comply with the sanctions prohibitions themselves: it must not deal with a designated person’s funds, it must freeze without delay, and it must report suspected breaches to OFSI, OTSI, HMRC and the FCA as applicable. Because the OFSI civil penalty is strict liability, that duty bites even where the firm’s systems were reasonable. Operational controls are the means of meeting it, not a substitute for it.

The findings then point to where payment firms most often fall short. A sanctions risk assessment must cover trade and sectoral measures and proliferation financing, not asset freezes alone. Screening configuration needs documented testing against name variants, non-Latin characters and the firm’s own payment data, with governance over any list exclusions. Alert management needs service levels, clear escalation between the first and second lines, and quality assurance over outcomes. Asset-freeze and licence procedures must hold across the whole customer lifecycle, including at offboarding. Governance sits over all of it, and the two areas where the bank template most often fails a leaner payments operation are senior oversight of outsourced screening and the management information that would show the board a control is working.

Viewpoint

I read the 28 May package as confirmation that FCA sanctions systems and controls have settled into a permanent supervisory workstream for payment firms. Two reviews since 2022, over 150 firms assessed and a second memorandum of understanding, this time with OTSI, are the shape of a standing programme anchored in the fighting financial crime priority of the FCA’s 2025 to 2030 strategy, not a fading response to 2022. The sanctions screening testing workstream, which used firms’ own REP-CRIM data to probe configuration, is the part I would expect the FCA to widen, because it lets the regulator test the engine rather than the policy.

The binding constraint is rarely the screening engine. It is governance and oversight of an outsourced or group-provided control, and the management information that should tell the board the control is working. The FCA’s repeated emphasis on vendor over-reliance is the tell. The firms that came out of this review well were not the ones with the most expensive screening; they were the ones that could show they understood and challenged how their screening was configured. The strict-liability backdrop is what makes that gap matter: a firm that cannot explain why its system did not alert has no knowledge defence to fall back on.

Frequently asked questions

What do the FCA sanctions systems and controls findings mean for payment firms?

They set out the FCA’s expectations on screening, alert management and asset freezing, with examples of good and poor practice drawn from over 150 supervised firms. Payments is among the largest sources of suspected breach reporting, so the FCA expects payment and e-money firms to review their controls against the findings and close gaps in screening calibration, alert timeliness and vendor oversight.

Do sanctions rules apply to payment and e-money firms?

Yes. Financial sanctions made under the Sanctions and Anti-Money Laundering Act 2018 bind every person in the UK, regardless of FCA authorisation. Since 15 June 2022 OFSI can impose a civil monetary penalty for a breach on a strict-liability basis, without proving the firm knew it was dealing with a designated person. Trade sanctions are enforced civilly by OTSI.

Are payment institutions subject to the Senior Managers and Certification Regime?

No. Payment institutions and e-money institutions are authorised under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011, not the Financial Services and Markets Act 2000, so they fall outside the Senior Managers and Certification Regime. Accountability for sanctions controls runs through the firm’s governance arrangements under regulation 6 and its money laundering reporting officer.

What is the difference between OFSI and OTSI?

OFSI, the Office of Financial Sanctions Implementation, implements and enforces financial sanctions such as asset freezes. OTSI, the Office of Trade Sanctions Implementation, took on civil enforcement of trade sanctions in 2024, covering goods, technology and ancillary services. The FCA supervises firms’ systems and controls and now holds a memorandum of understanding with each.

If you are reviewing your firm’s sanctions systems and controls against the FCA findings, or responding to a supervisory request, Bratby Law advises payment institutions and e-money institutions on financial crime and payments regulation. Contact Rob Bratby at Bratby Law.
