FCA and EBA reviews expose major gaps in sanctions screening. Firms must test calibration, data, and list updates to avoid costly failures.
In 2022-23, due to Russia’s invasion of Ukraine and the scale and complexity of sanctions imposed by the UK Government and international partners, the FCA conducted a review, assessing the systems and controls relating to sanctions compliance for over 90 firms across a range of sectors.
They focused on five key themes:
- Governance and oversight
- Skills and resources
- Screening capabilities
- Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures
- Reporting breaches to the FCA
Let’s drill into #3: Screening capabilities
Financial institutions need to have a complete and in-depth understanding of their sanctions screening filter performance.
However, many firms rely on third-party sanctions screening tools:
The FCA reported several instances where firms lacked understanding of how their sanctions screening tools were calibrated and when lists were updated. This meant that firms were unable to understand whether:
- They were screening against the correct lists
- Their systems were missing names that should be identified
- Their systems were producing too many false positives
- They were monitoring how quickly they update their lists
The FCA also highlighted instances where systems had not been adequately calibrated. This resulted in systems being either too sensitive, producing a high number of false positives (putting increased strain on already busy teams, making the alert review process operationally inefficient and increasing the risk of errors), or not sensitive enough, meaning that even minor variations in names led to sanctioned individuals not being detected.
Firms need to ensure that they have appropriate control and oversight of their sanction screening controls and calibrations:
Starling grew quickly, from approximately 43,000 customers in 2017 to 3.6 million in 2023. However, measures to tackle financial crime did not keep pace with its growth. When the FCA reviewed financial crime controls at challenger banks in 2021, it identified serious concerns with the anti-money laundering and sanctions framework in place at Starling. In January 2023, Starling became aware that its automated screening system had, since 2017, only been screening customers against a fraction of the full list of those subject to financial sanctions. Starling was fined £28,959,426 for financial crime failings related to its financial sanctions screening.
“Monzo’s customer base has grown rapidly, increasing almost tenfold from around 600,000 in 2018 to over 5.8 million in 2022. However, Monzo’s financial crime controls failed to keep pace with its customer and product growth.”
Scope matters – Weakness in any pillar of the AML regime (onboarding, screening or monitoring) can lead to the same Principle 3 breach. Monzo was fined £21 million for failings in financial crime controls.
What does testing a sanctions screening tool entail?
Well, that depends on your solution, but aspects that should be scrutinised include:
- Ensuring the right people have access to the sanctions or watch list data
- Examining data flows for when new sanctions on third-party data files are made available
- How the system filters and matches names
- How potential name matches are handled, investigated and tracked
We’re focusing on the data
This could be data that you get directly from other financial institutions, regulators, law enforcement or from external vendors. Vendors provide different levels of quality and different levels of guarantees. Understanding how your organisation or your data vendor deals with additions, deletions and updates to sanction records is essential.
As the FCA review showed, many financial institutions will buy data or engage a vendor and just trust that it works. This is not good enough.
What do we test?
- Patterns and corruptions on inbound data feeds: We replay defects we have spotted in your historic source files (hidden control characters, multi-line cells, unexpected NULLs) to ensure nothing slips past pre-processing.
- Name variations: This is an exceedingly complicated part of the screening process and probably the most well-known. We introduce cultural diminutives, patronymics and reversed name orderings to verify that your engine handles real-world naming conventions.
- Typographical errors: We examine familiar mis-keyed characters and transposed letters in names, addresses, and dates of birth to assess whether your fuzzy-matching tolerances are fit-for-purpose.
- Alias & nickname mapping: We inject widely-used aliases, trading-as names, and ship IMO re-registrations to confirm these links are maintained after your last list refresh.
- Script & transliteration drift: We swap between Latin, Cyrillic, Arabic and Greek scripts (plus homoglyphs) to test whether your solution normalises Unicode properly.
- Deliberate data manipulations: We alter ancillary fields to mislead basic rule sets—for instance, pairing a sanctioned city with an unsanctioned country.
- Partial or truncated data: We shorten names, clip dates, and drop middle initials to mimic tight character limits in upstream systems.
- Time-lag & list-update testing: We test newly designated entities and re-run the batch to see whether your refresh truly picks them up.
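A small regression harness for four of the checks above (hidden control characters, multi-line cells, homoglyph and script normalisation, reversed name order), added here as an illustration and not any vendor's or firm's tooling. The list entry, variants, homoglyph table and 0.85 threshold are constructed assumptions, and `difflib` stands in for whatever fuzzy matcher your engine actually uses.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed, deliberately tiny homoglyph table (assumption): Cyrillic/Greek
# letters that render like Latin ones. A production table is far larger.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
})

def normalise(name: str) -> str:
    """Canonical form applied to both the list entry and the screened name."""
    name = unicodedata.normalize("NFKC", name)
    name = name.translate({ord(c): " " for c in "\r\n\t"})  # multi-line cells
    # Drop remaining control/format characters (e.g. zero-width space).
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))
    name = name.casefold().translate(HOMOGLYPHS)
    # Strip diacritics: decompose, then discard combining marks.
    name = "".join(c for c in unicodedata.normalize("NFKD", name)
                   if not unicodedata.combining(c))
    # Sort tokens so "SURNAME, Given" and "Given Surname" compare equal.
    return " ".join(sorted(name.replace(",", " ").split()))

def run_suite(listed, variants, prep=normalise, threshold=0.85):
    """Return labels of variants scoring below threshold, i.e. missed hits."""
    missed = []
    for label, text in variants:
        ratio = SequenceMatcher(None, prep(text), prep(listed)).ratio()
        if ratio < threshold:
            missed.append(label)
    return missed

# Constructed test data: a fictional list entry and variants of it.
LISTED = "Ivan Testov"
VARIANTS = [
    ("zero-width space", "Iv\u200ban Testov"),
    ("multi-line cell", "Ivan\nTestov"),
    ("cyrillic homoglyphs", "Iv\u0430n Test\u043ev"),
    ("reversed order", "TESTOV, Ivan"),
    ("transposed letters", "Ivan Tesotv"),
]
NEGATIVE = [("unrelated name", "Maria Sample")]

if __name__ == "__main__":
    print("missed, casefold only:", run_suite(LISTED, VARIANTS, prep=str.casefold))
    print("missed, normalised:   ", run_suite(LISTED, VARIANTS))
    print("correctly below threshold:", run_suite(LISTED, NEGATIVE))
```

Running the same variants with `prep=str.casefold` shows which cases depend on pre-processing rather than on fuzzy tolerance, which is the calibration question the FCA found firms could not answer.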
The FCA isn’t the only one looking at sanctions screening. The European Banking Authority (EBA) released its first EU-wide guidelines on sanctions screening. These set out expectations on how firms should design, calibrate, and maintain their screening systems – from governance and oversight through to list management and system performance.
The EBA guidelines come into force in December 2025. Is your firm ready?