In its latest enforcement actions for breaches of Russian financial sanctions, the UK’s Office of Financial Sanctions Implementation (OFSI) has imposed penalties on a bank and its customer in respect of the same transactions. In doing so, OFSI demonstrated it will take a holistic approach to enforcement, scrutinising and, where appropriate, penalising all parties involved in a transactions chain rather than focusing solely on the entity initiating the payment.
Both cases were resolved under OFSI’s new settlement procedure introduced in February this year and the outcomes give an indication as to what organisations suspecting or being involved in a sanctions breach can expect from OFSI going forward. The agency also gave informal guidance in its two penalty notices, noting in particular that the responsibility to ensure that sanctions compliance measures are effective lies with entities themselves, notwithstanding that they have engaged third-party agencies to conduct screening for them.
The Breaches
Apple Distribution International Limited (ADI)
ADI is a subsidiary of US technology company Apple Inc, based and operating from Cork in Ireland. In 2022 it instructed its bank, the UK-based branch of Deutsche Bank AG (the Bank), to make two payments to Okko LLC, a Russian app developer. At the time of the payments, Okko was owned by JSC New Opportunities. That company was designated under UK sanctions on 29 June 2022, meaning that Okko became owned or controlled by a designated person within the meaning of regulation 7 of the Russia Sanctions Regulations and was therefore subject to restrictions and prohibitions under the sanctions regime.
ADI had instructed the Bank to make the first payment to Okko three weeks before New Opportunities was designated. That payment was eventually processed and payment made on the day of the designation. On that same day, ADI instructed the Bank to make a further payment to Okko, which was ultimately released to Okko on 28 July 2022. Together the payments totalled £635,618.75. (Two earlier payments made to Okko, when it was owned by PSJB Sberbank, also a designated person, were taken into account but not penalised as breach of sanctions as they predated the entry into force of the strict liability regime.) On realising the potential breach, ADI self-reported the transactions to OFSI on 4 October 2022. OFSI ultimately held them to be in breach of the Russia Regulations as they were payments to a person or entity “who is owned or controlled … by [a] designated person” within the terms of Regulation 12. Following settlement discussions, the case was resolved on 10 March 2026 by the imposition on ADI of a £390,000 fine. This was arrived at by applying a 35% discount to reflect ADI’s voluntary disclosure and settlement to OFSI’s proposed baseline penalty of £600,000.
The Bank
In processing the payments as instructed by ADI, the Bank had also breached Regulation 12 of the Russia Regulations. It voluntarily disclosed the payments to OFSI in September 2022 and on 12 September 2025, OFSI issued the Bank with a Notice of Intention to impose a monetary penalty. Following the introduction of OFSI’s new enforcement framework in February 2026, the Bank entered formal settlement discussions with OFSI and a settlement was reached on 30 April 2026. Taking everything into account, OFSI considered it reasonable and proportionate to impose a baseline penalty of £300,000, to which it applied a 45% discount to reflect the Bank’s voluntary disclosure and settlement of the case. It therefore imposed a final penalty of £165,000.
OFSI’s Observation
In both cases, OFSI noted the high value of the payments made and that they were made directly to an entity wholly owned and controlled by a designated person. It noted that sanctions imposed by the UK in respect of Russia were and remain a strategic priority for the UK and its foreign policy. Making payments in breach of the regulations undermine the asset freeze and diminish its intended impact on Russia’s behaviour. OFSI identified a number of other factors of relevance to the two entities’ culpability:
Reliance on third party screening providers and other failings
ADI relied in part on third‑party providers for ownership and control data, including sanctions screening and due diligence. OFSI acknowledged the value that these services can provide and recognised that their use in a diligence program is “good compliance practice”. However, it found that ADI’s own sanctions framework at that time was “not sufficiently calibrated” to the increased Russia-related sanctions risks following the events of February 2022 and that it relied on a self-certification model and ownership due diligence by a third-party vendor. OFSI noted that while companies may delegate compliance functions to third-party providers in this context, ultimate responsibility for sanctions compliance remains with the company itself.
The Bank was also using a third-party screening provider to conduct sanctions due diligence on its behalf. However, the third-party provider had failed to incorporate information about Okko’s ownership in its screening and no alert was generated at the time of the payments. The Bank also conducted sanctions due diligence through a variety of other methods but it had failed to address or uncover how ADI assessed sanctioned party ownership-related risk, (in particular, ADI’s reliance on a self-certification model), nor did it update its onboarding questionnaire to explicitly reference Russia sanctions. Whilst acknowledging that the Bank had no general legal requirement to conduct due diligence on its customers’ customers, OFSI had concerns with the Bank’s risk management procedures at the time the payments were processed and considered that they were likely to have contributed to the breaches occurring.
Mitigating factors
Nonetheless, OFSI acknowledged that it might not be possible for entities to respond to new sanctions immediately where transactions were ongoing. There was only a very short period of time between the designation of New Opportunities and when the payments were made in which to discover the situation and stop the transactions.
The bank was able to show that it had enhanced its screening measures since the breaches occurred, including expanding sanctions list coverage with respect to Russia and improvements to risk-based due diligence procedures. ADI had also committed to improving its sanctions compliance framework, including implementing a new process requiring Russian paid app developers to provide direct and indirect ownership and control information at onboarding and periodically thereafter.
Moreover, OFSI considered that neither ADI nor the Bank had any intent, knowledge nor cause actually to suspect that the payments would be in breach of the Russia Regulations. It therefore found that the breaches were “serious” as opposed to “very serious” in both cases.
Key lessons for firms
- UK financial sanctions apply to any conduct in the UK and to all UK persons (including legal entities established under UK law) anywhere in the world. That includes non-UK firms such as ADI, which was based in Ireland, that use UK financial institutions to conduct payments, even if they are managing the account from outside the UK. Firms must ensure they comply with those UK financial sanctions that are in force.
- Firms remain ultimately responsible for screening payments and ensuring compliance with financial sanctions. While use of third-party sanctions screening and ownership diligence providers is often invaluable, there are inherent risks. Firms need to account for the limitations of any third-party screening tools they use.
- Firms should ensure they maintain suitably robust customer due diligence frameworks to enable them to identify and understand ownership and control, both at the outset of a relationship and on an ongoing basis. They should be able to demonstrate strong onboarding procedures and regular, risk-based customer reviews, especially for higher risk jurisdictions such as Russia. Ongoing monitoring should take account of changes in ownership and control that may give rise to heightened sanctions risk.
- Firms concerned about potential sanctions breaches should carefully examine OFSI’s new enforcement procedures. Making a complete, detailed and prompt voluntary disclosure of potential breaches to OFSI and cooperating fully with any subsequent investigation can result in a discount of up to 50% of any financial penalty when combined with use of the Early Account Scheme. The two penalties under consideration were both resolved under the new settlement procedure, which can give a further discount of 20%. But it remains the case that prevention is better than cure. Ensuring the implementation and effective operation of appropriate sanctions due diligence and screening procedures, particularly if these have previously been found wanting, remains key.
For further information, please contact:
Satindar Dogra, Partner, Linklaters
satindar.dogra@linklaters.com
