Sanctions screening is one of those compliance obligations that catches businesses off guard. Unlike anti-money laundering (AML) requirements - which typically apply to defined categories of “obliged entities” or “relevant persons” - financial sanctions apply broadly across all businesses and individuals within each jurisdiction’s reach.
Getting it wrong carries serious consequences in every major jurisdiction. In January 2026, the UK’s Office of Financial Sanctions Implementation (OFSI) fined the Bank of Scotland £160k for processing just 24 payments linked to a designated person under the Russia sanctions regime. In February 2026, the US Treasury’s Office of Foreign Assets Control (OFAC) settled with IMG Academy - a Florida school - for $1.7m after it received tuition payments routed from Mexican cartel-linked sanctioned parties. In the EU, Directive 2024/1226 has introduced harmonised criminal penalties across all member states, with fines for companies reaching up to 5% of worldwide turnover or 40m euros.
The message is consistent across all three regimes: it is the absence of a screening process that constitutes the breach, not whether a sanctioned person was actually encountered.
This guide sets out who needs to comply, the core rules in each jurisdiction, when to check, and what happens if you don’t.
Automate your sanctions screening
Mithrandir checks against UK OFSI, US OFAC SDN, and EU consolidated lists in under 100ms. Single checks, bulk onboarding sweeps, and retrospective alerts when new designations match your customer base - all via one REST API.
Which Businesses Need to Check Sanctions?
The Short Answer: Everyone
Across the UK, US, and EU, sanctions obligations apply far beyond the traditional regulated sectors. While financial institutions, gambling operators, and professional services firms face the most intensive regulatory scrutiny, the underlying prohibitions are universal.
United Kingdom
Under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), all UK persons and entities - and UK persons operating anywhere in the world - must comply with financial sanctions. This obligation exists independently of whether a business is regulated under the Money Laundering Regulations 2017.
That means if you are a startup with three employees, a sole trader, a SaaS company, or a multinational bank, the same prohibition applies: you cannot deal with funds or economic resources owned, held, or controlled by a designated person, and you cannot make funds or economic resources available to them.
United States
OFAC sanctions apply to all “US persons” - defined as US citizens, permanent residents, entities organised under US law (including their foreign branches), and anyone physically present in the United States. Crucially, OFAC’s reach extends beyond the financial sector. The February 2026 settlement with IMG Academy - a school and training facility - prompted OFAC to state explicitly that the case “highlights the pervasiveness of sanctions risk across a wide variety of sectors and institutions,” even for entities “operating largely domestically.”
In addition to the primary SDN (Specially Designated Nationals) List, OFAC maintains seven other restricted party lists with varying prohibitions. Thanks to secondary sanctions provisions, non-US businesses can also face consequences if they facilitate significant transactions with sanctioned persons or jurisdictions.
European Union
EU sanctions are enacted through Council Regulations that have direct effect across all 27 member states. All persons and entities within the EU, as well as EU nationals abroad, must comply. The scope of obliged entities has been expanding - the EU Anti-Money Laundering Regulation (AMLR), which applies from July 2027, extends AML obligations (including sanctions screening) to new categories including crypto-asset service providers, crowdfunding platforms, and even professional football clubs.
The EU sanctions list has grown rapidly, with around 5,400 designations as of mid-2025, of which over 3,400 were added since 2022 in response to Russia’s invasion of Ukraine.
Sectors Under Heightened Scrutiny
While sanctions compliance is universal, certain sectors face additional regulatory attention across all three jurisdictions:
- Financial institutions - banks, payment service providers, insurance companies, and investment firms.
- Gambling and betting operators - classified as high-risk under AML frameworks and subject to sector-specific regulators (UKGC, state gaming commissions, Malta Gaming Authority, etc.).
- Legal and accountancy professionals - subject to updated guidance in the UK (SRA, February 2026) and regulated under AML directives in the EU.
- Estate agents and high-value dealers - caught by AML regulations and the broader sanctions regime.
- Technology, energy, and shipping businesses - particularly exposed to trade sanctions, sectoral restrictions, and dual-use goods controls.
- Crypto and fintech businesses - OFSI published a cryptoassets-specific threat assessment in 2025; OFAC has actively pursued crypto-related enforcement; the EU’s MiCA regulation brings CASPs into scope.
The critical point bears repeating: even businesses outside these categories must comply. Providing office space, software access, consulting services, or platform access to a designated person can constitute making economic resources or property available - and that is a sanctionable offence in all three jurisdictions.
What Are the Main Laws and Rules?
United Kingdom
Primary legislation: The Sanctions and Anti-Money Laundering Act 2018 (SAMLA) is the overarching framework. Individual sanctions regimes (Russia, Iran, counter-terrorism, etc.) are implemented through separate statutory instruments.
Enforcement bodies: OFSI (financial sanctions, civil enforcement), OTSI (trade sanctions), HMRC (criminal enforcement of trade sanctions), NCA (criminal enforcement of financial sanctions).
Key list: The UK Sanctions List (UKSL) became the single consolidated source for all UK designations on 28 January 2026, replacing the previous multi-list system.
Liability standard: Strict liability for civil penalties since 2022. OFSI does not need to prove knowledge or intent - only that a breach occurred.
Maximum penalties: Currently the greater of £1m or 50% of the breach value, but OFSI announced in January 2026 that it intends to double this to the greater of £2m or 100% of the breach value (pending legislation). Criminal prosecution can carry up to seven years’ imprisonment.
United States
Primary legislation: The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) provide the statutory basis. Individual sanctions programmes are implemented through Executive Orders and OFAC regulations (31 CFR Parts 500-599).
Key lists: The SDN (Specially Designated Nationals and Blocked Persons) List is the primary list, but OFAC maintains seven additional restricted party lists with differing requirements.
Liability standard: Strict liability for civil penalties. OFAC does not need to prove intent or knowledge - only that a prohibited transaction occurred. In fiscal year 2024, civil enforcement actions resulted in penalties exceeding $1.5bn.
Maximum penalties: Civil penalties can reach the greater of approximately $368k per violation or twice the value of the transaction. Criminal penalties for wilful violations can reach $1m per violation and up to 20 years’ imprisonment under IEEPA.
European Union
New criminal enforcement framework: Directive 2024/1226, adopted in April 2024, establishes harmonised minimum rules for criminal offences and penalties for sanctions violations across all EU member states.
Maximum penalties under Directive 2024/1226: For natural persons, prison sentences of up to five years. For legal persons (companies), fines of up to 5% of worldwide turnover or 40m euros, whichever is higher.
Key distinction - the EU Blocking Statute: EU Regulation 2271/96 (the “Blocking Statute”) prohibits EU persons from complying with certain extraterritorial US sanctions. This can create genuine compliance conflicts for businesses operating across both jurisdictions. Specialist legal advice is essential in these situations.
When Should Sanctions Be Checked in the Customer Lifecycle?
Sanctions screening is not a one-off exercise at onboarding - it must occur at multiple stages throughout the customer relationship.
1. Onboarding (Before First Transaction)
Every new customer, client, or counterparty must be screened before any business relationship is established and before any funds change hands.
For gambling operators, the bet365 enforcement action (see case study below) made this particularly clear: the UKGC explicitly stated that operators should undertake financial sanctions checks on new customers prior to their first deposits.
For US-regulated financial institutions, OFAC screening must happen in real time before transactions are processed. OFAC guidance is explicit: delayed screening - processing payments before the OFAC check completes - is a violation even if the screen ultimately shows no match.
Screen at onboarding in under 100ms
Mithrandir’s POST /api/v1/check returns a scored result against UK, US, and EU lists fast enough to sit inline in your onboarding flow - no queuing, no async delays. At £0.05 per check there is no minimum spend, so it scales from ten customers to a million.
2. Transaction and Payment Screening
High-value or cross-border transactions should trigger real-time screening of both sender and receiver. In the US, federal banking examination guidance requires real-time OFAC screening of wire transfer instructions for all federally regulated banks. Batch screening is not compliant for real-time payment systems.
3. Periodic Rescreening
Existing customer databases must be rescreened regularly - at a minimum whenever the relevant sanctions lists are updated. Given the pace of new designations (particularly under Russia-related programmes), many compliance teams run daily or weekly batch screens.
This is not optional. The EU sanctions list has seen over 3,400 new designations since 2022. The UK Sanctions List is updated frequently. OFAC publishes updates to the SDN List on a rolling basis. A customer who was clean at onboarding may become designated at any time.
4. Trigger Event Rescreening
A material change in a customer’s circumstances should prompt a fresh screen. Examples include:
- Change of name, address, or nationality.
- Change in beneficial ownership structure.
- Identification of new risk indicators (adverse media, PEP status).
- Customer entering a new sanctions-sensitive jurisdiction.
- Changes to the nature or volume of the customer’s transactions.
5. Ongoing Monitoring
Beyond discrete screening events, businesses should maintain ongoing monitoring processes that can flag changes to the sanctions landscape as they affect the existing customer base. This includes monitoring for new sanctions packages, changes to existing designations, and updates to guidance from enforcement bodies.
What Happens If You Don’t Check?
United Kingdom
OFSI can impose civil monetary penalties on a strict liability basis. The maximum civil penalty is being doubled to the greater of £2m or 100% of the breach value (pending legislation). Sector regulators impose additional penalties. The UKGC fined bet365 £582.12k for, among other things, failing to conduct sanctions checks before first deposits. The discount framework rewards early self-reporting: the Bank of Scotland’s £160k fine was reduced by 50% following prompt voluntary disclosure.
United States
OFAC enforcement is aggressive and carries the heaviest financial penalties of the three jurisdictions. In fiscal year 2024, civil enforcement actions exceeded $1.5bn in total penalties. The DOJ highlighted sanctions evasion as one of its top ten white-collar enforcement priorities in 2025. Criminal penalties can reach $1m per violation and up to 20 years’ imprisonment.
European Union
Directive 2024/1226 has fundamentally changed the enforcement landscape. For the first time, all member states must treat intentional sanctions violations as criminal offences with harmonised minimum penalties. Companies face fines of up to 5% of worldwide turnover or 40m euros, and individuals face up to five years’ imprisonment. Germany’s transposition notably introduced a 20-fold increase in maximum corporate fines for reckless dual-use goods violations, from 500k euros to 10m euros.
Reputational Damage (All Jurisdictions)
Across all three regimes, enforcement outcomes are increasingly published. Being publicly named carries significant consequences for relationships with banks, payment providers, partners, investors, and customers.
Case Study: bet365 (2024)
The bet365 enforcement action is one of the most instructive recent examples for businesses asking when and how to screen for sanctions. While it is a UK case, the principles apply universally.
What happened: During a compliance assessment in March 2022, the UKGC identified failures across bet365’s AML and social responsibility controls for the period between May 2021 and September 2022.
The sanctions-specific finding: bet365 had failed to conduct financial sanctions checks on all new customers prior to their first deposits. This was a breach of Licence Condition 12.1.1, which requires operators to have appropriate policies, procedures, and controls to prevent money laundering and terrorist financing.
The outcome: A regulatory settlement of £582.12k, split between bet365’s gaming and sports betting entities. The entire amount was directed to socially responsible causes.
The critical detail: The UKGC’s review found no evidence that any sanctioned person had actually deposited funds with bet365, and no evidence of criminal spend. The fine was for the procedural failure alone - the absence of the screening process was itself the breach.
The universal lesson: This principle - that the absence of a screening process constitutes the breach, regardless of whether a sanctioned person was encountered - is consistent across all three jurisdictions. OFAC’s strict liability standard, OFSI’s strict liability framework, and the EU’s criminalisation of serious negligence all point in the same direction: you cannot rely on luck.
Practical Steps for Getting Sanctions Screening Right
For businesses setting up or reviewing their sanctions compliance framework, the following steps represent good practice regardless of jurisdiction:
- Screen before transacting. No customer should be able to deposit funds, receive services, or enter a business relationship before being screened against the relevant sanctions lists.
- Screen against all applicable lists. UK businesses should check the UK Sanctions List. US persons must check the OFAC SDN List and related lists. EU businesses must check the EU Consolidated List. Cross-border businesses may need to screen against all three plus UN lists.
- Automate where possible. Manual screening is error-prone and difficult to evidence. Automated screening tools that run against updated lists and maintain audit trails are strongly preferred by regulators in all jurisdictions.
- Rescreen regularly and on trigger events. Batch rescreening against updated lists should run at least weekly. Material changes to customer data should trigger immediate rescreening.
- Account for name variations. Implement fuzzy matching, alias handling, and transliteration logic. The Bank of Scotland and numerous OFAC enforcement cases demonstrate that name-spelling discrepancies are a common root cause of breaches.
- Document everything. OFSI, OFAC, and EU national authorities all expect businesses to demonstrate their screening processes, record compliance decisions, and evidence ongoing assessment and improvement.
- Build escalation pathways. When a potential match is identified, there must be a clear process for escalation, investigation, and - if necessary - reporting to the relevant authority.
- Understand the 50% Rule (US). Entities 50% or more owned by a designated person are treated as sanctioned even if they do not appear on the SDN List. This requires due diligence on beneficial ownership structures.
- Train staff. Everyone involved in customer onboarding, payments, or account management should understand the sanctions obligations applicable in their jurisdiction.
- Treat it as strict liability. Do not assume that good intentions or ignorance will protect the business. In the UK and US, civil penalties apply on a strict liability basis. In the EU, serious negligence is now a criminal offence for certain categories of goods.
Steps 3, 4, and 5 - handled automatically
Mithrandir automates the screening steps regulators scrutinise most: real-time checks at onboarding (step 3), daily list ingestion with retrospective alerts when new designations match your existing customer base (step 4), and phonetic fuzzy matching with full alias coverage across all known name variants (step 5). Every check is logged with a full audit trail for two years - giving you the documented evidence regulators expect.
Key Sanctions Lists and Resources
United Kingdom
- UK Sanctions List (UKSL) - the single consolidated source since January 2026
- OFSI - Financial Sanctions Guidance
- OFSI Enforcement and Monetary Penalties Guidance (February 2026)
- Gambling Commission - Compliance
United States
- OFAC Sanctions List Search
- OFAC Sanctions Programmes and Country Information
- OFAC FAQs and Basic Information
European Union
Summary
Sanctions screening is a legal obligation for every business in the UK, US, and EU - not just those in regulated sectors. It must happen before the first transaction and continue throughout the customer relationship, with regular rescreening and event-triggered checks.
The enforcement landscape is intensifying in all three jurisdictions. The UK is doubling maximum penalties. The US continues to impose the heaviest financial penalties globally on a strict liability basis. The EU has harmonised criminal sanctions across all member states for the first time, with fines reaching up to 5% of worldwide turnover.
The bet365 case demonstrates that you do not need to have actually dealt with a sanctioned person to face regulatory action. The absence of the process is the breach. For any business handling customer funds - whether in gambling, fintech, e-commerce, or professional services - sanctions screening at onboarding is non-negotiable.
For businesses operating across borders, the complexity multiplies. Overlapping regimes, the EU Blocking Statute, US secondary sanctions, and divergent list coverage all require careful navigation. But the starting point is the same everywhere: screen before you transact, rescreen regularly, document everything, and treat it as strict liability.
This article is for informational purposes only and does not constitute legal advice. Businesses should seek independent legal advice on their specific sanctions compliance obligations in each jurisdiction in which they operate.