Sanctions screening is one of those compliance obligations that catches businesses off guard. Unlike anti-money laundering (AML) requirements - which typically apply to defined categories of “obliged entities” - financial sanctions apply broadly to all businesses and individuals within each jurisdiction’s reach.
The enforcement figures above tell the story. In every case, the fine was not for dealing with a sanctioned person - it was for the absence of a process. The UK’s OFSI, the US’s OFAC, and the EU’s national competent authorities all operate on the same principle: strict liability applies, and ignorance is not a defence.
This guide sets out who needs to comply, the core rules in each jurisdiction, when to check, and - critically - how to avoid the common and expensive mistake of conflating sanctions screening with customer due diligence.
Automate your sanctions screening
Mithrandir checks against UK OFSI, US OFAC SDN, and EU consolidated lists in under 100ms. Single checks, bulk onboarding sweeps, and retrospective alerts - all via one REST API at £0.05 per check.
Start screening free
Which Businesses Need to Check Sanctions?
The short answer: everyone
Across the UK, US, and EU, sanctions obligations apply far beyond the traditional regulated sectors. While financial institutions, gambling operators, and professional services firms face the most intensive regulatory scrutiny, the underlying prohibitions are universal.
United Kingdom
Under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), all UK persons and entities - and UK persons operating anywhere in the world - must comply with financial sanctions. This obligation exists independently of whether a business is regulated under the Money Laundering Regulations 2017.
That means if you are a startup with three employees, a sole trader, a SaaS company, or a multinational bank, the same prohibition applies: you cannot deal with funds or economic resources owned, held, or controlled by a designated person, and you cannot make funds or economic resources available to them.
United States
OFAC sanctions apply to all “US persons” - defined as US citizens, permanent residents, entities organised under US law (including their foreign branches), and anyone physically present in the United States. OFAC’s reach extends well beyond the financial sector. The February 2026 settlement with IMG Academy - a school - prompted OFAC to state explicitly that the case highlights “the pervasiveness of sanctions risk across a wide variety of sectors and institutions,” even for entities “operating largely domestically.”
In addition to the primary SDN List, OFAC maintains seven other restricted party lists. Thanks to secondary sanctions provisions, non-US businesses can also face consequences if they facilitate significant transactions with sanctioned persons or jurisdictions.
European Union
EU sanctions are enacted through Council Regulations that have direct effect across all 27 member states. The EU sanctions list has grown rapidly - over 3,400 new designations since 2022 - and the forthcoming EU Anti-Money Laundering Regulation (AMLR, applying from July 2027) extends obligations to new categories including crypto-asset service providers, crowdfunding platforms, and professional football clubs.
Sectors under heightened scrutiny
While universal, the following sectors face additional regulatory attention:
- Financial institutions - banks, payment service providers, insurance companies, and investment firms.
- Gambling and betting operators - classified as high-risk under AML frameworks; subject to the UKGC, state gaming commissions, Malta Gaming Authority, and equivalent bodies.
- Legal and accountancy professionals - updated SRA guidance (February 2026) and AML directive obligations in the EU.
- Estate agents and high-value dealers - caught by AML regulations and the broader sanctions regime.
- Technology, energy, and shipping businesses - particularly exposed to trade sanctions and dual-use goods controls.
- Crypto and fintech businesses - OFSI published a cryptoassets threat assessment in 2025; MiCA brings CASPs into EU scope.
What Are the Main Laws and Rules?
United Kingdom
Primary legislation: SAMLA 2018, implemented through separate statutory instruments per regime (Russia, Iran, counter-terrorism, etc.).
Enforcement bodies: OFSI (financial sanctions, civil), OTSI (trade sanctions), HMRC (criminal trade sanctions), NCA (criminal financial sanctions).
Key list: The UK Sanctions List (UKSL) became the single consolidated source on 28 January 2026, replacing the previous multi-list system.
Liability: Strict liability since 2022. OFSI does not need to prove knowledge or intent. The maximum civil penalty is being doubled to the greater of £2m or 100% of the breach value (pending legislation). Criminal prosecution can carry up to seven years’ imprisonment.
United States
Primary legislation: IEEPA and TWEA, implemented through Executive Orders and OFAC regulations (31 CFR Parts 500-599).
Key lists: The SDN List is primary, but OFAC maintains seven additional restricted party lists. The “50% Rule” means entities 50%+ owned by a sanctioned person are treated as sanctioned even if not named.
Liability: Strict liability. FY2024 civil penalties exceeded $1.5bn. Criminal penalties can reach $1m per violation and up to 20 years’ imprisonment.
European Union
New criminal framework: Directive 2024/1226 (adopted April 2024) establishes harmonised criminal offences across all member states. Companies face fines of up to 5% of worldwide turnover or 40m euros, whichever is higher. Individuals face up to five years’ imprisonment.
The EU Blocking Statute: EU Regulation 2271/96 prohibits EU persons from complying with certain extraterritorial US sanctions, creating genuine conflicts for businesses operating across both jurisdictions. Specialist legal advice is essential in these situations.
When Should Sanctions Be Checked in the Customer Lifecycle?
Sanctions screening is not a one-off exercise at onboarding - it must occur at multiple stages throughout the customer relationship.
1. Onboarding - before first transaction
Every new customer, client, or counterparty must be screened before any business relationship is established and before any funds change hands. For gambling operators, the bet365 case made this explicit: the UKGC stated that operators must run financial sanctions checks on new customers prior to their first deposits.
For US-regulated financial institutions, OFAC screening must happen in real time before transactions are processed. Delayed screening - processing a payment before the OFAC check completes - is itself a violation even if the screen ultimately shows no match.
Screen at onboarding in under 100ms
Mithrandir’s POST /api/v1/check sits inline in your registration flow - no queuing, no async delays. At £0.05 per check with no minimum spend, it scales from ten customers to a million.
2. Transaction and payment screening
High-value or cross-border transactions should trigger real-time screening of both sender and receiver. In the US, federal banking guidance requires real-time OFAC screening of wire transfer instructions. Batch screening is not compliant for real-time payment systems.
3. Periodic rescreening
Existing customer databases must be rescreened regularly - at minimum whenever the relevant lists update. Given the pace of new designations (3,400+ under Russia-related programmes since 2022), many compliance teams run daily or weekly batch screens. A customer who was clean at onboarding can become designated at any time.
4. Trigger event rescreening
Material changes in a customer’s circumstances warrant a fresh screen, including:
- Change of name, address, or nationality.
- Change in beneficial ownership structure.
- New risk indicators - adverse media, PEP status.
- Customer entering a sanctions-sensitive jurisdiction.
- Material changes to transaction volume or nature.
5. Ongoing monitoring
Beyond discrete screening events, businesses should maintain processes that flag changes to the sanctions landscape as they affect the existing customer base - new sanctions packages, updated designations, and enforcement guidance from OFSI, OFAC, or EU national authorities.
Sanctions vs. CDD and PEPs: A Costly Confusion
One of the most common - and most expensive - operational mistakes regulated businesses make is treating sanctions screening as part of the same process as customer due diligence (CDD) and politically exposed persons (PEPs) checks. They are fundamentally different legal obligations with different triggers, different costs, and different risk frameworks.
The cost of conflating them
Many businesses run full CDD checks - costing £1 or more per record with providers such as GB Group, TransUnion, or Creditsafe - at the point of every new registration, regardless of whether those customers ever transact. Sanctions screening, by contrast, costs a fraction of that and is the obligation that applies to everyone. Conflating the two means paying for CDD checks on customers you have no legal obligation to scrutinise yet.
The fundamental difference
The onboarding trap
The problem typically arises because compliance vendors bundle sanctions screening, PEP screening, and identity verification (CDD) into a single product at a single price. For obliged entities that genuinely need all three layers at onboarding, this can be appropriate. But many businesses - particularly in e-commerce, SaaS, fintech, and professional services - are running that full bundle on every registration, regardless of whether a CDD obligation has actually been triggered.
The result is a compliance spend that far exceeds the legal requirement. A business with 50,000 annual registrations paying £1 per check for a bundled product spends £50,000 on CDD that may not be legally required yet. The same business running a sanctions-only check at registration at £0.05 per check spends £2,500 - and escalates to CDD only when a customer crosses a threshold that actually triggers the obligation.
The right sequencing
For most businesses, the proportionate approach is to layer checks by obligation:
- Sanctions check at registration or first interaction - cheap, fast, strict liability, no risk judgment needed. Run this on every customer, every time. This is non-negotiable.
- PEP screening when your sector rules or risk assessment requires it - for obliged entities under AML regulations, PEP checks are typically required at onboarding. For others, they may be triggered by transaction size or risk profile.
- Full CDD (identity verification, source of funds) at the point the AML obligation crystallises - when a customer crosses the transaction threshold, risk band, or trigger event that requires it under your sector’s AML framework.
A note on bundled vendors
If your current compliance stack bundles sanctions with CDD and you are paying per-check rates above 50p, it is worth reviewing what proportion of those checks are legally mandated CDD versus sanctions screening that could be run separately at a fraction of the cost. Mithrandir is a dedicated sanctions API: UK OFSI, US OFAC SDN, and EU consolidated lists, at £0.05 per check, with no CDD overhead. If you need CDD on top of that, it remains a separate decision triggered by your AML obligations - not a default cost applied to every registration.
What Happens If You Don’t Check?
United Kingdom
OFSI can impose civil monetary penalties on a strict liability basis. Maximum civil penalties are being doubled to the greater of £2m or 100% of the breach value (pending legislation). The UKGC fined bet365 £582.12k for failing to run sanctions checks before first deposits. The discount framework rewards early self-reporting: the Bank of Scotland’s £160k fine was reduced by 50% for prompt voluntary disclosure.
United States
OFAC enforcement carries the heaviest financial penalties globally. FY2024 civil enforcement exceeded $1.5bn in total penalties. The DOJ listed sanctions evasion as a top ten white-collar priority in 2025. Criminal penalties can reach $1m per violation and 20 years’ imprisonment.
European Union
Directive 2024/1226 requires all member states to criminalise intentional violations. Companies face fines of up to 5% of worldwide turnover or 40m euros. Germany introduced a 20-fold increase in maximum corporate fines for reckless dual-use violations, from 500k euros to 10m euros.
Reputational damage
Across all three regimes, enforcement outcomes are published. Being publicly named carries lasting consequences for banking relationships, payment processing access, investor relations, and customer trust. Publication itself is used as a deterrent - OFSI publishes all enforcement actions, including cases where a penalty was considered but not imposed.
Case Study: bet365 (2024)
The bet365 enforcement action is the most instructive recent example for businesses asking when and how to screen. The universal lesson is straightforward - and expensive to learn the hard way.
What happened
A UKGC compliance assessment in March 2022 identified failures in AML and social responsibility controls between May 2021 and September 2022.
The finding
bet365 had not run financial sanctions checks on new customers before their first deposits. This was a breach of Licence Condition 12.1.1.
The outcome
A £582.12k regulatory settlement, directed entirely to socially responsible causes.
The critical detail
No sanctioned person had actually deposited. No criminal spend found. The fine was for the absent process alone.
Practical Steps for Getting Sanctions Screening Right
- Screen before transacting. No customer should be able to deposit funds, receive services, or enter a business relationship before being screened against the relevant sanctions lists.
- Screen against all applicable lists. UK businesses check the UKSL. US persons check the OFAC SDN and related lists. EU businesses check the EU Consolidated List. Cross-border businesses may need all three plus UN lists.
- Automate where possible. Manual screening is error-prone and difficult to evidence. Automated tools with audit trails are strongly preferred by regulators in all three jurisdictions.
- Rescreen regularly and on trigger events. Batch rescreening should run at least weekly. Material changes to customer data should trigger immediate rescreening.
- Account for name variations. Implement fuzzy matching, alias handling, and transliteration. The Bank of Scotland case and numerous OFAC enforcement actions trace back to name-spelling discrepancies.
- Document everything. OFSI, OFAC, and EU authorities all expect evidence of the screening process, compliance decisions, and ongoing assessment.
- Build escalation pathways. When a potential match is identified, a clear process must exist for escalation, investigation, and - if necessary - reporting to OFSI, OFAC, or the relevant national competent authority.
- Understand the 50% Rule (US). Entities 50%+ owned by a designated person are treated as sanctioned even if not named on the SDN List. Due diligence on beneficial ownership structures is required.
- Don’t conflate sanctions with CDD. Run sanctions checks on everyone. Escalate to CDD only when your AML obligations require it. Don’t pay £1+ per check for CDD bundled with sanctions screening when a dedicated sanctions API at a fraction of the cost covers the universal obligation.
- Treat it as strict liability. Good intentions and ignorance offer no protection. In the UK and US, civil penalties apply regardless of intent. In the EU, serious negligence is now criminal for certain categories of goods.
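The name-variation handling (step 5) and the 50% Rule (step 8) above, as an added Python example that is not code from this article or from Mithrandir’s API. The list entries, ownership percentages and the 0.85 similarity threshold are constructed sample values chosen for illustration.

```python
import difflib
import unicodedata
from dataclasses import dataclass, field

@dataclass
class ListEntry:
    list_id: str                 # constructed identifier, not a real designation reference
    name: str
    aliases: list = field(default_factory=list)

# Constructed sample list, ownership and designation data; nothing here is a real designation.
SAMPLE_ENTRIES = [
    ListEntry("EX-0001", "Ivan Petrovich Ivanov", ["Ivanov, Ivan", "Ivan Ivanoff"]),
    ListEntry("EX-0002", "Example Holdings Ltd"),
]
SAMPLE_OWNERSHIP = {   # entity -> {owner: percentage held}
    "Example Holdings Ltd": {"Ivan Petrovich Ivanov": 30.0, "Second Person": 25.0, "Unrelated Investor": 45.0},
    "Example Trading GmbH": {"Example Holdings Ltd": 60.0, "Unrelated Investor": 40.0},
}
SAMPLE_DESIGNATED = {"Ivan Petrovich Ivanov", "Second Person"}

def normalise(name: str) -> str:
    """Fold accents and case, drop punctuation, sort tokens so 'Ivanov, Ivan' == 'Ivan Ivanov'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    tokens = "".join(ch if ch.isalnum() else " " for ch in folded).split()
    return " ".join(sorted(tokens))

def screen(name: str, entries, threshold: float = 0.85):
    """Return (list_id, best matching name or alias, score) for entries at or above threshold.
    Hits are candidates for escalation and analyst review, not confirmed matches."""
    hits = []
    target = normalise(name)
    for entry in entries:
        best_name, best_score = None, 0.0
        for candidate in [entry.name, *entry.aliases]:          # primary name plus every alias
            score = difflib.SequenceMatcher(None, target, normalise(candidate)).ratio()
            if score > best_score:
                best_name, best_score = candidate, score
        if best_score >= threshold:
            hits.append((entry.list_id, best_name, round(best_score, 2)))
    return hits

def blocked_by_ownership(entity, ownership, designated, threshold=50.0, _seen=None):
    """50% Rule: an entity is treated as blocked when designated persons, or entities that are
    themselves blocked under this rule, hold threshold% or more of it in aggregate."""
    if entity in designated:
        return True
    _seen = (_seen or set()) | {entity}                          # guard against circular holdings
    total = sum(pct for owner, pct in ownership.get(entity, {}).items()
                if owner not in _seen
                and blocked_by_ownership(owner, ownership, designated, threshold, _seen))
    return total >= threshold
```

Aggregation matters: neither designated holder of Example Holdings Ltd crosses 50% alone, yet together they do, and that in turn makes Example Trading GmbH blocked through its 60% holder.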
Steps 3, 4, 5, and 9 - handled automatically
Mithrandir automates the steps regulators scrutinise most: real-time checks at onboarding, daily list ingestion with retrospective alerts when new designations match your existing base, phonetic fuzzy matching with full alias coverage, and a dedicated sanctions-only price point that removes the need to bundle with CDD when the obligation doesn’t require it.
Key Sanctions Lists and Resources
United Kingdom
- UK Sanctions List (UKSL) - the single consolidated source since January 2026
- OFSI - Financial Sanctions Guidance
- OFSI Enforcement and Monetary Penalties Guidance (February 2026)
- Gambling Commission - Compliance
United States
- OFAC Sanctions List Search
- OFAC Sanctions Programmes and Country Information
- OFAC FAQs and Basic Information
European Union
Summary
Sanctions screening is a universal legal obligation - not a regulated-sector privilege. It applies to every UK, US, and EU business before the first transaction and must continue through periodic rescreening and event-triggered checks throughout the customer relationship.
The enforcement landscape is intensifying: the UK is doubling maximum penalties, the US continues to impose the heaviest sanctions fines globally on a strict liability basis, and the EU has harmonised criminal sanctions for the first time with fines reaching 5% of worldwide turnover.
The second lesson - one that costs many businesses far more than it should - is that sanctions screening and CDD are distinct obligations. The sanctions check is binary, universal, and cheap. CDD is risk-based, targeted, and expensive. Running a £1 CDD bundle on every registration when only a sanctions check is legally required at that stage is a compliance design problem, not a compliance solution.
The starting point is the same everywhere: screen before you transact, rescreen regularly, document everything, and treat sanctions as strict liability. From there, layer CDD and PEPs checks only where and when your AML obligations actually require them.
This article is for informational purposes only and does not constitute legal advice. Businesses should seek independent legal advice on their specific sanctions compliance obligations in each jurisdiction in which they operate.