In September 2025, the UK’s Office of Financial Sanctions Implementation (OFSI) issued a formal enforcement notice against Vanquis Bank Ltd, drawing renewed attention to the UK’s sanctions regime and its enforcement.
The breach related to Counter-Terrorism Regulations, under which Vanquis was found to have processed prohibited transactions due to a failure in its internal screening controls.1
The breach was identified after Vanquis discovered that it had permitted financial activity involving an individual designated under UK counter-terrorism sanctions, whereby a misconfiguration of the bank’s sanctions screening system meant that the match went undetected. This resulted in a number of transactions being executed over a period of two years in contravention of UK law.2
The transactions included a cash withdrawal and the purchase of a mobile phone SIM card, both occurring after the customer was added to the UK sanctions list, potentially facilitating further prohibited activity as the account was not frozen until over a week after the designation was made public.3
Vanquis self-reported the breach to OFSI and cooperated fully with the regulator’s investigation. However, OFSI determined that the failings went beyond a simple technical error considering the misconfiguration was not identified through internal monitoring and the bank failed to implement adequate safeguards to ensure its sanctions filters were operating correctly. OFSI concluded that Vanquis failed to maintain an effective and risk-sensitive compliance framework, but issued a public disclosure notice in lieu of a financial penalty.4
Contextualising the enforcement
This matter is the latest in a series of enforcement actions under the UK’s post-Brexit sanctions regime. Since 2020, the UK government has made increased use of its Sanctions and Anti-Money Laundering powers to create and maintain independent sanctions regimes.5
In this case, the breach was entirely domestic, but still triggered OFSI scrutiny because it contravened UK’s counter-terrorism regulations, showing that offending transactions don’t need to be international to be caught out by sanctions regimes.
The FCA has also highlighted weaknesses in how some firms manage sanctions risks. In a 2023 review it noted that many firms were falling short, with poor screening processes, unclear internal procedures, and a lack of senior oversight.6
The action against Vanquis shows that institutions are not immune from punitive measures even when breaches are non-intentional and readily reported. These actions may mitigate financial penalties but will not protect firms from reputational harm. The disclosure process itself is now an enforcement tool, used by regulators to demonstrate the expectations placed on firms, and demonstrate that compliance is not only a legal obligation but a test of operational integrity.