| THEME | EXAMPLES OF GOOD PRACTICE | EXAMPLES OF POOR PRACTICE |
| --- | --- | --- |
| Due diligence and ongoing monitoring | - Regular updates to client due diligence (CDD) policies.<br>- Sanctions-specific information requests, ensuring relevant questions on trade and financial sanctions are included.<br>- Considering sanctions risks when deciding how frequently specific customers are assessed. | - Use of third parties to carry out aspects of CDD without adequate oversight, governance, assurance and testing arrangements in place over the third-party controls. |
| Alert management | - Clear internal documentation and standard team practices.<br>- Periodic testing and quality assurance of alert investigations to ensure policies are effective and embedded. | - Reliance on external or intermediary screening solutions without sufficient internal oversight. |
| Transaction and name screening | - Periodic calibration so that obfuscated and variant names can be detected.<br>- Validation or periodic testing of screening solutions, including after material list or system changes. | - A limited understanding of how vendor screening logic or configurations operate in practice, i.e. simply relying on the automated system without effective human oversight. |
| Management of frozen assets and licence compliance | - Maintaining clear, documented processes to quickly identify, implement and maintain the requirements set out in sanctions licences and to comply with asset freezing. | - Inadequate procedural documentation.<br>- A lack of appropriate account restrictions during investigation of potential matches.<br>- An absence of clearly defined service-level agreements for account freezing and transaction blocking. |
| Governance and management oversight | - Keeping management policies up to date.<br>- Collecting and monitoring data on customer exposure to high-risk jurisdictions. | - Reliance on group entities to provide sanctions risk compliance services, with limited oversight and insufficient management information on overseas branches and offices to check their compliance with UK sanctions. |
| Risk assessment | - Using risk assessments that consider both financial and trade sanctions as well as proliferation financing risks. | - Quantifying sanctions exposure or risk without a documented and supporting rationale. |
| Screening infrastructure: policies and list management | - Maintenance of clear and up-to-date sanctions screening policies that define screening scope, frequency, escalation thresholds and governance arrangements.<br>- For list management, firms should ensure they have clear contractual and operational arrangements with vendors. | - Reliance on historic vendor settings without appropriate oversight.<br>- Insufficient controls to ensure that updates to screening system lists are complete and effective. |
| Proactive detection and investigation | - Providing staff training which clearly outlines sanctions red flags and how to spot and escalate suspicious behaviour. | - Excluding key sanctions evasion typologies from the firm’s risk assessments, policies and procedures, or controls design. |