Sanctions enforcement: A new era

U.S. Deputy Attorney General Lisa Monaco has called sanctions “the new FCPA.” [1] The EU has issued a proposal that would make sanctions evasion an EU crime [2] . The U.K.’s Office of Financial Sanctions Implementation (OFSI) is under pressure from key global partners to step up its enforcement activity [3]. These developments are just a few of the signs that the national security considerations of the Russian sanctions have coalesced the Western allies and are ushering in a new era of sanctions enforcement for sanctions evaders and facilitators —including financial institutions.


In the coming months and years, global sanctions enforcement regimes will sharpen their focus on sanctions compliance programmes of financial institutions — and the identification of sanctions risk in particular — as the Russian sanctions raise the stakes for accountability among institutions to preempt prohibited activity.

Although Western allies historically have been more aligned on sanctions enforcement in sentiment than in practice, countries with historically loose enforcement regimes, alongside their regulators, are strengthening their stances, undoing the disconnect that has enabled global financial institutions to manage sanctions risk differently across the enterprise. Institutions should recognise this shifting dynamic and plan for convergence in enforcement activity.

Below, we highlight the advances in sanctions enforcement in the U.S., the EU and the U.K. We focus on these jurisdictions specifically because they serve as domiciles and/or strategic markets for such a substantial number of organisations, broadening the reach of their sanctions programmes.

U.S. enforcement

The U.S. has a long track record of aggressive sanctions enforcement. Since 2017, the Office of Foreign Assets Control (OFAC) has issued 87 fines totaling $1.53 billion[4]. Still, the aggregate amount reflects a $1.3 billion single fine[5] that the U.S. levied against an individual financial institution that was charged with willful violations of U.S. sanctions in 2019 and is overshadowed by an $8.9 billion single fine[6] in 2014.

Monaco’s comparison of sanctions to the FCPA highlights sanctions evasion as a corporate crime, which, like terrorist financing and cybercrime, threatens national security and is therefore likely to receive heightened attention from a number of U.S. agencies, including the Department of the Treasury (DOT), the Department of State (DOS), the Department of Commerce (DOC) and the Department of Justice (DOJ).

Since the onset of the war in Ukraine, the world has observed the DOJ’s resources at work, notably via the creation of Task Force KleptoCapture, which complements the transatlantic task force launched by the U.S., leaders of the European Commission, France, Germany, Italy, the U.K. and Canada to identify and seize the assets of sanctioned individuals and entities globally. OFAC has broadened its enforcement scope beyond the financial services industry to the freight[7] and mining[8] industries.

EU enforcement

The EU faces a fundamental obstacle in its administrative structure. Unlike the U.S., the 27-nation bloc lacks a central enforcement agency. The EU framework divides sanctions enforcement powers between Brussels — which, as the de facto EU capital, sets the EU’s sanctions policy — and the member states, ministries and supervisors, which are required to interpret the EU’s sanctions obligation and draft and implement their own guidance. Member states are expected to have in place effective, proportionate and dissuasive penalties, and to enforce them when EU sanctions are breached.[9]

The weaknesses in the EU’s federated approach to enforcement and the narrow application of EU sanctions, which generally require compliance only by a subject and/or entity with a clear EU nexus, jurisdiction, nationality or incorporation, have been on display particularly this year amid the global rollout of the Russian sanctions.

Marking an inflection point, in May, the EU proposed criminalising sanctions violations, a strategically important move that would unify the EU’s fragmented sanction policy. Under the proposal, EU governments would have authority to confiscate assets of subjects and entities that evade EU restrictions against Russia, while service providers that advise Russians on masking control and ownership and/or circumventing restrictions would be penalised.

U.K. enforcement

As the war in Ukraine has progressed, the U.K. has been criticised for being less active in its censure of sanctions breaches than other countries and is under global scrutiny and pressure to make policy and implementation improvements. Since its creation of OFSI in 2016, the U.K. has issued just six fines totaling approximately £21 million. Recognising that it is out of step with allies, the U.K. has sought to change the legal tests and powers of sanctions enforcement.

Notably, in June, the U.K. passed the Economic Crime (Transparency and Enforcement) Act 2022 to operate its sanctions enforcement programme on a strict liability basis. Under the legislation, enforcement action is triggered by evidence of a sanctions violation, rather than a subject or entity’s awareness of it. Previously, the test required that the subject or entity “knew” or had “reasonable cause to suspect” that its conduct breached a financial sanction or that it had failed to comply with its obligations under the regime. This change is significant, as it not only aligns the U.K. sanctions regime more closely with the U.S. model but also removes the incentive for entities to avoid conducting due diligence to protect themselves. Further, the bill allows OFSI to publicise cases of sanctions violations that do not result in a penalty.

The role of the financial services regulators

As financial institutions continue to face significant legal, regulatory, operational and reputational risks related to their implementation of the Russian sanctions, financial services regulators globally will play an increasingly significant role in identifying and referring to law enforcement potential violations of law.

Exacerbating the situation is the reach of sanctions risks, which spans the enterprise-wide financial crime compliance programme and overlaps with other areas such as know your customer (KYC), transaction monitoring (TM) and investigation, and reporting. Moreover, sanctions control breakdowns, such as a growing sanctions-alert backlog, may expose programme deficiencies that result in additional penalties and/or fines. Cooperation with regulators, including self-disclosures and timeliness of disclosures, will remain key to global strategies for navigating potential violations, fines and exposure.

Actions financial institutions should take

The adaptation of global sanctions enforcement policies has implications for sanctions risk management in the current climate, and financial institutions should reposition themselves accordingly, beginning with the following actions:

  • Refresh risk assessments and socialise results: Refresh your annual sanctions-specific risk assessment, and review results to determine whether they are in line with the institution’s risk appetite. Adequately identify the institution’s current sanctions risk profile quantitatively and qualitatively. Report results and risk trending to senior management and the board.
  • Review due diligence processes: Review your direct and indirect sanctions risk exposure frequently and consistently. Ensure that policies and procedures applied during the due diligence process are risk appropriate and teams are adequately skilled up to identify and address the risks. 
  • Optimise use of data and technology: Review what sanctions technology is in place and assess what is working and failing. Boards and senior management should conduct internal reviews to assess what business units and/or legal entities need to enhance its sanction screening capabilities, including internally developed tools, vendor-supported technology and third-party data sources. 
  • Instill a strong culture of compliance: Promote sanctions compliance through a strong tone at the top. Consider deploying global surveys to gain an understanding of where your workforce identifies strengths and weaknesses within the sanctions programme. Couple the results with peer industry benchmarking to identify trends and emerging risks. 
  • Promote the importance of self-disclosures: Review and socialise self-disclosure process, policies and training across all three lines of defense. When assessing penalties, regulators consider the nature of noncompliance, and self-disclosure can help lessen the severity of a fine. Senior compliance and legal stakeholders should be actively engaging with their regulators on expectations, examination themes and focus areas.
  • Conduct targeted audits and testing: Perform frequent periodic and targeted sanctions-specific audits and quality assurance and control testing to ensure that the sanctions control inventory is complete, mapped to risk and working effectively.

The impact of the Russian sanctions is not fully realised and many policy amendments under development have yet to gain momentum and/or are modest in scope. However, the changes over the last several months are a significant step in the right direction to ramp up pressure on Russia to end its war against Ukraine. 

Sanctions risks for compliance programs will remain elevated. And though not all financial institutions face the same challenges managing the current sanctions environment, many will be tested as they maneuver though this unchartered territory. More than ever before, financial institutions need to ensure that their sanctions compliance controls are not only robust but also in line with global requirements, and undertake practices to manage the pressures that will continue to present themselves for the foreseeable future.

We need to add this to the bottom of the page: About Protiviti’s Financial Crimes Practice Protiviti’s Financial Crimes practice specialises in helping financial institutions satisfy their regulatory obligations and reduce their financial crime exposure using a combination of AML/CTF and sanctions risk assessment, control enhancements and change capability to deliver effective operational risk and compliance frameworks. Our team of specialists assists organisations with protecting their brand and reputation by proactively advising on their vulnerability to financial crime, fraud and corruption, professional misconduct, and other financial business risk issues.

1. “Deputy Attorney General Lisa O. Monaco Delivers Keynote Remarks at 2022 GIR Live: Women in Investigations,” U.S. Department of Justice, June 16, 2022,

 2. “EU to Make Breaking Sanctions Against Russia a Crime, Seizing Assets Easier,” by Jan Strupczewski, Reuters, May 25, 2022,

3. “U.K. Accused of Being Toothless in Sanctions Enforcement,” by Rupert Neate and Jessica Elgot, The Guardian, February, 24, 2022,

4. Civil Penalties and Enforcement Information, U.S. Department of the Treasury,

5. “U.S. Fines Italian Lender UniCredit $1.3 Billion in Sanctions Probe,” Arab News, April 16, 2019,

6. “BNP Paribas Admits Guilt and Agrees to Pay $8.9 Billion Fine to U.S.,” Iran Watch, June 30, 2014,,when%20processing%20transactions%20through%20the%20U.S.%20financial%20system.

7. “OFAC Settles with Toll Holdings Limited for $6,131,855 Related to Apparent Violations of Multiple Sanctions Programs,” Department of the Treasury, April 25, 2022,

8. “Treasury Sanctions Nicaraguan State Mining Company,” U.S. Department of the Treasury, June 17, 2022,

9. “EU Sanctions Enforcement,” by David Savage, Global Investigations Review, July 13, 2021,