Sanctions Compliance in 2026: A Practical Guide for Financial Institutions

Sanctions compliance has become one of the most demanding areas of financial crime risk management. The Russia sanctions regime — the most comprehensive peacetime sanctions programme ever imposed by the West — has fundamentally changed the scale and complexity of sanctions compliance for any institution with exposure to European trade finance, energy, commodities, or correspondent banking. At the same time, OFAC has increased its enforcement activity, the EU has adopted a criminal law framework for sanctions evasion, and the UK's OFSI has gained new enforcement powers.

This guide provides a practical framework for financial institutions — banks, payment institutions, crypto asset service providers, and others — to assess and strengthen their sanctions compliance programmes in 2026. It covers the three primary Western sanctions regimes, the Russia sanctions specifics, screening obligations, and enforcement trends.

The Three Primary Sanctions Regimes

Most financial institutions operating internationally must comply with multiple sanctions regimes simultaneously. The three with the broadest extraterritorial reach are OFAC, EU sanctions, and UK OFSI.

OFAC: US Office of Foreign Assets Control

OFAC administers US economic sanctions programmes under the authority of the International Emergency Economic Powers Act (IEEPA) and other statutes. OFAC's sanctions have the broadest extraterritorial reach of any sanctions authority — they apply to:

• US persons: Any US citizen, permanent resident, entity organised under US law (including foreign branches), and any person in the United States regardless of nationality.
• US dollar transactions: Any transaction that clears through the US financial system — effectively all USD-denominated transactions globally, because USD correspondent banking routes through US banks.
• Facilitating prohibited transactions: Non-US persons who facilitate transactions that would be prohibited if conducted by a US person may be subject to secondary sanctions in certain programmes.

OFAC maintains several distinct sanctions lists, of which the most important is the Specially Designated Nationals and Blocked Persons List (SDN List). Transactions with SDN-listed parties must be blocked — funds must be frozen and reported to OFAC within 10 business days. Separate from the SDN List, OFAC maintains the Consolidated Sanctions List (which includes all OFAC sanctions lists) and programme-specific lists for certain regimes (e.g., the Sectoral Sanctions Identifications List for Russia).

The 50% ownership rule is one of the most operationally complex aspects of OFAC compliance: any entity owned 50% or more (directly or indirectly, individually or in aggregate) by one or more SDN-listed persons is itself treated as an SDN, regardless of whether it appears on the list. This requires financial institutions to conduct beneficial ownership analysis — not just name screening — for all counterparties.

EU Sanctions

EU sanctions are adopted by the Council of the EU under Article 215 of the Treaty on the Functioning of the European Union (TFEU), implemented through Council Regulations that are directly applicable in all 27 Member States. The EU maintains consolidated sanctions list data through the EU Sanctions Map and the Official Journal of the EU.

EU sanctions apply to:

• All persons and entities within EU territory.
• All EU nationals, wherever located.
• All legal persons, entities, and bodies incorporated or constituted under EU Member State law.
• Any business conducted wholly or partly within the EU.

Unlike OFAC, EU sanctions do not apply to non-EU persons outside EU territory for most programmes — there is no general extraterritorial application equivalent to OFAC's USD clearing jurisdiction. However, the Russia sanctions include specific provisions targeting transactions that could circumvent the sanctions, which creates de facto obligations on non-EU entities in some circumstances.

The EU's ownership and control rule differs from OFAC's: an entity owned or controlled by a designated person is not automatically designated — but transacting with such an entity may constitute "making funds available" to the designated person if it is likely the funds would reach the designated person. The practical result is that financial institutions must conduct ownership and control analysis for EU sanctions too, even though the legal mechanism differs.

UK OFSI: Office of Financial Sanctions Implementation

Post-Brexit, the UK maintains its own autonomous sanctions regime under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). OFSI administers financial sanctions, maintaining the UK Consolidated List of financial sanctions targets. The UK regime largely mirrors EU sanctions in scope for Russia, Iran, and other major programmes, but diverges in some designations and thresholds.

OFSI received significantly enhanced enforcement powers through the Economic Crime (Transparency and Enforcement) Act 2022. OFSI can now impose civil monetary penalties without proof of knowledge or intent (a strict liability basis for penalties up to £1 million or 50% of the breach value, whichever is higher). The UK also introduced reporting obligations for professional services firms in 2023, extending sanctions compliance obligations beyond financial institutions.

Russia Sanctions: Current State in 2026

The Russia sanctions regime, imposed in response to Russia's full-scale invasion of Ukraine in February 2022, is the most expansive and operationally complex sanctions programme the EU and UK have ever implemented. As of April 2026, the EU has adopted 14 packages of Russia sanctions. OFAC has issued Russia-related sanctions across multiple programmes (including SDN designations under Executive Order 14024 and sectoral sanctions under E.O. 13662).

Key EU Russia Sanctions Measures

The cumulative Russia sanctions now cover:

• Asset freezes: Over 2,000 individuals and entities designated, including most major Russian state-owned banks (Sberbank, VTB, Gazprombank — though Gazprombank retained limited carve-outs for energy payments through mid-2024), Russian government officials, oligarchs, and their associated entities.
• Financial services restrictions: Prohibition on transactions with designated Russian banks; prohibition on providing loans, credit, and other financial services to designated persons and entities; prohibition on holding deposits from Russian state-owned entities above €100,000.
• SWIFT disconnection: Designated Russian banks have been disconnected from SWIFT messaging. Correspondent banking relationships with these banks are prohibited.
• Import restrictions: Comprehensive import bans on Russian oil (with price cap mechanism for third-country purchases), coal, steel, and numerous other product categories. Trade finance for prohibited imports is itself prohibited.
• Export restrictions: Export bans on dual-use goods, advanced technology, luxury goods, and numerous other categories for use in Russia. Export finance and insurance for prohibited exports is prohibited.
• Oil price cap: The G7/EU oil price cap mechanism (maximum $60/barrel for crude oil) allows third countries to continue purchasing Russian oil using Western services — shipping, insurance, finance — only if the price does not exceed the cap. Financial institutions involved in oil trade finance or shipping insurance must implement price cap compliance procedures.

Sanctions Evasion: The Growing Compliance Challenge

As the Russia sanctions regime has matured, Russia and designated entities have developed increasingly sophisticated evasion methodologies. The EU's 14th sanctions package (adopted June 2024) specifically targeted the "shadow fleet" — tankers used to transport Russian oil outside the Western maritime services framework — and introduced new anti-circumvention measures targeting third-country entities facilitating sanctions evasion.

Financial institutions face compliance obligations related to evasion detection. Key evasion typologies that compliance teams must address in transaction monitoring:

• Third-country intermediaries: Russian entities routing transactions through intermediaries in third countries (UAE, Turkey, Armenia, Kazakhstan) that are not themselves sanctioned. The transaction appears clean at the counterparty level but the ultimate beneficiary is a sanctioned entity or the purpose is to supply Russia with sanctioned goods.
• Shell companies and obfuscated ownership: Creation of new entities in non-sanctioned jurisdictions to replace sanctioned entities, with the same ultimate beneficial owners. Name screening alone will not detect these.
• Crypto-based evasion: Use of cryptocurrency to move funds around sanctions restrictions. See our guide on crypto AML compliance for the blockchain-specific screening requirements.
• Invoice manipulation: Misrepresentation of goods descriptions, values, or end-users in trade finance documentation to conceal that transactions relate to prohibited goods or sanctioned parties.

Sanctions Screening: What Best Practice Looks Like

Effective sanctions screening is the operational foundation of sanctions compliance. The standard has evolved significantly — basic name screening against a single list is no longer sufficient for any institution with meaningful sanctions exposure.

Lists to Screen Against

Financial institutions must determine which sanctions lists apply to their activities and screen against all of them. The minimum baseline for a EU-based institution with any USD or US person exposure:

Institutions with exposure to specific regions or sectors may also need to screen against additional lists: Swiss SECO, Canadian OSFI, Australian DFAT, and others. Correspondent banks serving institutions in multiple jurisdictions should map their jurisdictional footprint to determine the full list screening universe.

Screening Frequency and Triggers

Sanctions lists update continuously — OFAC can add new SDN designations at any time, and the EU adopts new packages with immediate effect upon publication in the Official Journal. Screening at customer onboarding alone is insufficient. Best-practice screening covers:

• Onboarding screening: All new customers, beneficial owners, and controlling parties screened before establishing the relationship.
• Ongoing periodic rescreening: Entire customer base rescreened at minimum monthly, and ideally more frequently (weekly or daily for higher-risk customers). Newly designated parties may have been customers for years before designation.
• Transaction screening: All payment instructions screened in real time (or near-real time) against all applicable lists before execution. Payment parties include the originator, beneficiary, all intermediaries, and any referenced parties in payment messages.
• Trigger-based rescreening: Immediate rescreening when a new sanctions package is adopted or a significant list update is published.

Fuzzy Matching and False Positive Management

The fundamental tension in sanctions screening is sensitivity versus specificity. Set matching thresholds too low: you miss genuine matches (false negatives — a compliance failure). Set thresholds too high: you generate thousands of false positives that must be manually reviewed, consuming compliance resources and potentially delaying legitimate transactions.

Effective screening programmes address this through:

• Algorithm calibration: Regular review of matching algorithms against known true positives and true negatives, adjusting thresholds to optimise the sensitivity/specificity balance for your customer and transaction population.
• Name variant handling: Sanctions lists include aliases, transliterations, and name variants — but not all variants of all names. Screening tools must apply phonetic matching, transliteration logic, and name variant libraries to catch matches that literal string comparison would miss.
• Risk-based alert prioritisation: Automatic escalation of high-confidence matches; risk-scored queuing of lower-confidence alerts to focus manual review resources on the highest-priority items.
• Documented false positive rationale: Every cleared alert must be documented with the rationale for clearing — not just "cleared by [name]". Regulators reviewing your sanctions programme will examine cleared alerts for quality of review.

Ownership and Control Analysis

Name screening catches direct matches against designated persons and entities. Ownership and control analysis is required to identify indirect sanctions exposure — where the counterparty is not itself designated but is owned or controlled by a designated person.

For OFAC purposes, the 50% rule means any entity owned 50%+ (individually or in aggregate) by one or more SDN-listed persons is treated as blocked. For EU sanctions, the test is whether funds are being made available to a designated person — which requires assessing whether the designated person controls the entity even without majority ownership.

Practical implementation challenges:

• Corporate registry access: Beneficial ownership information is held in national registries with varying quality, coverage, and accessibility. The EU Beneficial Ownership Registers (implemented under the AML Directives) provide improved access for EU-incorporated entities but quality varies by Member State.
• Nominee and bearer structures: Opaque ownership structures using nominees, trusts, and bearer shares complicate ownership analysis. Where structures cannot be penetrated, the risk must be escalated and may require enhanced due diligence or declining the relationship.
• Dynamic ownership: Ownership structures change. A customer may not have been sanctioned-entity-owned at onboarding but could be after a subsequent acquisition or change in beneficial ownership. Ongoing monitoring must capture material ownership changes.

Sanctions Enforcement Trends

The enforcement environment for sanctions violations has hardened significantly. Compliance teams should understand current enforcement priorities across the three major regimes.

OFAC Enforcement

OFAC enforcement actions against financial institutions have consistently produced multi-hundred-million-dollar settlements. Notable recent precedents:

• Binance (2023): $968 million OFAC settlement for sanctions violations involving Iran, Cuba, Syria, and other programmes — the largest crypto-related sanctions settlement ever. The case established that crypto exchanges are subject to the same sanctions obligations as banks.
• BitPay (2021): $507,375 settlement for processing cryptocurrency transactions from users in sanctioned jurisdictions (Cuba, Iran, North Korea, Sudan, Syria, Crimea). Small dollar amount, but significant for establishing OFAC's expectations for crypto payment processors.
• Clearing house and correspondent bank settlements: Multiple large correspondent banks have settled with OFAC for processing USD transactions involving sanctioned parties — typically involving Iran — with settlements ranging from tens of millions to over $1 billion.

OFAC's enforcement priorities in 2026 include: Russia sanctions evasion (especially third-country intermediary schemes), Iran sanctions (including crude oil transactions), and virtual currency sanctions compliance.

EU Sanctions Enforcement

The EU adopted Directive 2024/1226 on the definition of criminal offences and penalties for the violation of EU restrictive measures. This is a landmark development — it harmonises criminal sanctions for sanctions evasion across EU Member States and for the first time creates a common EU-level framework for prosecuting sanctions violations.

Under Directive 2024/1226:

• Wilful violation of EU sanctions is a criminal offence punishable by imprisonment of at least one year for natural persons and by criminal fines for legal persons.
• Legal persons can face fines of at least 5% of total worldwide turnover for the most serious violations.
• Asset confiscation of proceeds of violations is mandatory.
• Member States must implement the Directive by 20 May 2025.

National implementation is ongoing, and enforcement intensity will vary by Member State. However, the harmonisation of criminal liability creates a substantially more serious enforcement environment for EU sanctions compliance than existed before 2024.

"The Russia sanctions regime has transformed sanctions compliance from a specialist function into a systemic risk for every financial institution with European exposure. The combination of 14 EU packages, continuous OFAC list updates, and new criminal enforcement powers means sanctions compliance infrastructure that was adequate in 2021 is almost certainly inadequate today."

Building a Robust Sanctions Compliance Programme

For financial institutions assessing or strengthening their sanctions compliance programme, the following elements represent the current best-practice standard:

1. Sanctions risk assessment: A documented assessment of your institution's sanctions risk profile — covering products, customers, geographies, delivery channels, and payment currencies. The Russia sanctions add specific risk dimensions: any exposure to Russian counterparties, Russian-origin commodities, or trade with jurisdictions identified as Russia sanctions evasion hubs (UAE, Turkey, Armenia, Kazakhstan, Georgia) requires elevated risk assessment.
2. Sanctions policy and procedures: Documented policies covering: which sanctions programmes apply to your activities, screening obligations and frequency, procedures for blocking and rejecting transactions, reporting obligations (OFAC, OFSI, national competent authorities), and escalation procedures for complex cases.
3. Screening technology: Fit-for-purpose screening tools with demonstrated accuracy for your transaction volumes and customer populations. Tools must be updated on the same day as significant list changes. Algorithm performance must be regularly reviewed against defined accuracy metrics.
4. Ownership and control procedures: Documented procedures for conducting beneficial ownership analysis where name screening suggests possible indirect sanctions exposure. Define escalation thresholds (e.g., any match with confidence above X% triggers ownership analysis).
5. Correspondent banking due diligence: Enhanced due diligence on correspondent banking relationships, including assessment of the correspondent's own sanctions compliance programme. Relationships with correspondents in high-risk jurisdictions for Russia sanctions evasion require specific risk management.
6. Trade finance controls: For institutions involved in trade finance, additional controls for goods screening (dual-use, export control classifications), documentation verification (end-user certificates, bills of lading), and Russia price cap compliance for energy-related transactions.
7. Staff training: Regular sanctions training for all relevant staff — not just compliance, but front-line relationship managers, payments staff, and trade finance teams. Training must cover evasion typologies and red flag indicators, not just list screening mechanics.
8. Testing and audit: Regular independent testing of screening systems (including deliberate test cases of known SDN names) and audit of the sanctions compliance programme. Regulators expect documented evidence that controls work, not just that they exist.
9. Regulatory monitoring: Given the pace of change in the Russia sanctions regime — new packages, new designations, new guidance, new derogations — automated regulatory monitoring is essential. Sanctions list changes must trigger immediate screening reviews; new sanctions guidance must be assessed for programme impact within days, not weeks.

Sanctions compliance intersects with several other regulatory frameworks covered in the RegPulse blog. See our guides on crypto AML and sanctions screening, EBA banking regulation, and the broader financial services compliance landscape for related context.