By Simon Harbord, Senior Associate, Teal Compliance
Sanctions compliance is not just a concern for large international firms; it applies to every law firm regulated by the SRA, no matter their size or client base. Unlike AML, there is no detailed set of prescriptive rules, yet breaches of the sanctions regime carry strict liability and can lead to severe penalties, regulatory enforcement, and reputational damage.
Recent cases show that even well-intentioned firms with policies in place can be caught out by missed checks, human error, or a failure to keep up with changes to the regulations. The SRA has made clear that sanctions compliance links directly to core Principles and the Code of Conduct, so firms cannot afford to be complacent.
This blog explains the risks, the practical steps firms should take to protect themselves, and how Teal Compliance can support you with risk assessments, policies, training, and audits.
Why sanctions compliance matters
Those regulated by the SRA will be familiar with the annual AML and sanctions data collection exercise. But ticking that box once a year is not enough. All firms are subject to the sanctions regime, regardless of size or type of work.
The difference between AML and sanctions obligations
AML requirements are prescriptive: ID checks, risk assessments, and source of funds. Sanctions are different. There is no detailed list of regulatory steps, yet breaches carry strict liability and serious consequences.
The SRA’s position on sanctions
The SRA has made it clear that firms must:
- Act with integrity and uphold public trust (Principles 1, 2 and 5).
- Have proper governance and systems in place (Code of Conduct 2.1).
- Report serious breaches (Code of Conduct 3.9).
Failure to comply with sanctions can also amount to a breach of the SRA’s standards and regulations.
What’s at stake: fines and enforcement
OFSI (the Office of Financial Sanctions Implementation) can impose penalties of up to the greater of £1m or 50% of the value of the breach. High-profile fines, such as the £465,000 penalty against Herbert Smith Freehills CIS LLP, show that no firm is immune.

Who is most at risk?
The SRA has highlighted that firms dealing with the following are at heightened risk:
- Multi-jurisdictional transactions, especially offshore.
- Complex corporate structures and beneficial ownership.
- High-net-worth clients or politically exposed persons.
- Trust and company services.
- Charities operating in sanctioned jurisdictions.
- High-value transactions (property, art, shipping, aviation).
But sanctions are not just a problem for large or specialist firms; recent cases show smaller firms can be caught out too.
How breaches happen
Breaches can occur in everyday practice, for example:
- Transferring damages to a designated person without a licence.
- Relying on the other side’s due diligence instead of your own.
- Ignoring non-UK sanctions regimes.
- Holding funds for a client who later becomes sanctioned.
Screening and controls
Compliance starts with knowing your clients, their ownership and control structures, and any counterparties. At a minimum, firms must screen against the UK consolidated sanctions list and ensure re-screening whenever it updates.
Electronic screening tools are helpful, but staff must understand their limitations, especially around ownership and control. LSAG guidance emphasises that “ownership” extends beyond shareholding percentages to those exercising influence or control.
Recent enforcement cases
- Ashfords LLP – fine linked to sanctions risk failures in client onboarding.
- Steptoe International (UK) LLP – rebuked for failing to comply with licence conditions under the Russia Regulations.
- Russells Solicitors – fined for lack of sanctions and PEP checks.
These cases show that both large and small firms are under scrutiny, and even inadvertent errors can lead to disciplinary action.
What firms should do
To mitigate sanctions risk, firms should:
- Document a Sanctions Risk Assessment.
- Produce a Sanctions Policy.
- Train staff on sanctions.
- Carry out screening and re-screening.
- Keep records and audit processes.
- Engage with banks and PI insurers to understand their stance on sanctions.
- Update Terms of Business/Client Care Letters to cover sanctions issues.
How Teal Compliance Can Help
We can support your firm with:
- Drafting Sanctions Risk Assessments and Policies.
- Delivering staff training.
- Auditing your processes and procedures.
- Providing ongoing advice through our Ask Teal service.
ARTICLE in FULL
To read my full, unadulterated article, please grab a coffee and get comfortable as it’s below.
Those regulated by the SRA will be familiar with their annual anti-money laundering and sanctions data collection exercise and might think that’s all you need to worry about – you’ve filled it in and can now forget about it until next August when the 2026 questionnaire needs completing? That might not be a good idea!
All firms are subject to the sanctions regime, regardless of the type of services they provide and no matter how large or small they are. So, what measures have you taken to protect yourselves from being caught out? You don’t have foreign clients, you don’t get involved in shipping, you have no PEPs, no high-risk cases to see here. But are you complacent?
AML regulations mean ID, risk assessments and source of funds checks. We all know that, right? The Regulations say so, the LSAG guidance says so, and Regulators are disciplining firms for not complying. Sanctions, on the other hand, don’t come with a list of Regulations you have to comply with that detail all the steps to take, as with AML. Despite carrying strict liability offences for breaches, you aren’t actually required to do much, but as the SRA say ‘guidance is to help you understand your obligations and how to comply with them. We will have regard to it when exercising our regulatory functions’.
Yes, the SRA will take into account the guidance they have provided and if there’s a problem, they are likely to see non-compliance with the guidance as an aggravating factor. They mention that they ‘take compliance with the sanctions regime very seriously and may take enforcement action where appropriate. While sanctions compliance is mainly focused on achieving ongoing compliance with the legislation of the sanction regime, authorised firms and solicitors need to bear in mind that they are also required to comply with our standards and regulations’. Such as:
- Principles 1, 2 and 5 – requiring you to act in a way that upholds the constitutional principle of the rule of law and the proper administration of justice; and in a way that upholds public trust and confidence in the solicitors’ profession and in legal services provided by authorised persons; and with integrity.
- The Code of Conduct for Firms 2.1 – ensuring proper governance and related systems are in place and 3.9 – requiring you to report serious breaches of regulatory arrangements.
Specifically, the SRA have referred to the requirement to comply with ‘all the SRA’s regulatory arrangements, as well as with other regulatory and legislative requirements, which apply to you’. So that means ensuring you don’t breach the legislative requirements of the sanctions regime.
Remember also that ‘you (must) identify, monitor and manage all material risks to your business’. Is it a material risk to be acting for (or against) a sanctioned person, where you don’t have a licence and things go wrong? Perhaps an OFSI fine, your PI insurers won’t cover a claim, or your bank won’t handle the sanctioned funds?
Then there’s OFSI – the Office of Financial Sanctions Implementation can impose financial penalties for breaches, being the greater of £1,000,000, or 50% of the value of the sum involved in the breach. You have probably seen the case of Herbert Smith Freehills CIS LLP (“HSF Moscow”) which was fined for breaches of UK financial sanctions imposed on Russia, linked to its illegal invasion of Ukraine. OFSI imposed a penalty of £465,000. Yes, HSF is a large firm and was active in Moscow, but all firms can be found out.
OFSI has indicated that while the regime is strict liability, it will take a risk-based approach to enforcement. Where a breach has occurred, preventative measures are likely to provide some mitigation. So what mitigation measures do you have in place?
The SRA has stated that firms at heightened risk are likely to be involved in:
- multi-jurisdictional transactions, particularly those involving offshore jurisdictions
- arranging complex corporate structures which could have persons as ultimate beneficial owners
- dealing with high net-worth individuals, or those who hold or have held political office
- providing trusts and company services
- charities, particularly those based in, or providing services to, a jurisdiction subject to a sanctions regime
- high-value transactions including not only real property but assets such as artwork, vessels and aircraft, shipping and aviation.
However, they also mention that ‘until recently, sanctions risk tended to apply only to a small number of specialist firms doing business with clients in affected jurisdictions. This is no longer the case and firms cannot afford to assume that sanctions do not pose a risk to them’. So it’s not just firms like HSF that are at risk, it’s everyone (see the case of Russells Solicitors, below!).
So how could you commit a breach? For example…
- By transferring a payment of damages from your client to a designated person without a licence in place (or receiving damages from them). Transactional monies likewise.
- Relying on the other side in a transaction, or third parties, to have effective systems in place to screen for designated persons. This is unlikely to provide you with a complete defence if you breach the sanctions regime. You can’t rely on them! Do they screen adequately when onboarding? Do they re-screen to see if the client has been added to the list?
- Thinking it’s just UK sanctions you need to worry about – the EU, US and UN for example have sanctions regimes too.
- Holding those funds in the client account that you haven’t quite got round to returning and the client becomes sanctioned.
In order to make sure you are complying with the sanctions regime, you should understand who your clients are, who they are owned/controlled by, and potentially the counterparties and any third parties providing funding. Counterparties and third parties present a risk because if they are designated persons, or are owned or controlled by designated persons, the funds they introduce into a transaction may need to be frozen and made unavailable to, or for the benefit of, the designated person.
At the most basic level you should check the identities of clients (and for non-natural persons anyone with control over the entity or more than 50 per cent ownership) and counterparties against the UK consolidated sanctions list. But you don’t have any of the high-risk elements and your client is local. What about ‘Former Putin-appointed governor jailed for breaching UK sanctions’? Here we have a person with a UK passport living in the UK. The SRA have stated that ‘the OFSI consolidated list contains a significant number of people who are British citizens and have a last known address in the UK’. So are you screening? Are your staff trained? Do you have procedures to deal with this?
You should make sure that staff using and therefore relying upon electronic screening systems know of their capabilities and limitations. Ownership and control of corporate clients may not be apparent from the search terms used and the data held. Judgement is needed to determine whether anyone controls a business in ways that aren’t down to shareholdings. As LSAG guidance says, ownership is a wider concept than simply identifying the beneficial owners, and you must take reasonable measures to understand the ownership and control structure. You must identify individuals with control and directing power – not necessarily via % ownership of shares.
If LSAG is expecting this for AML compliance, it’s likely to be seen as the standard for sanctions compliance too. If you don’t follow the above, your policies, controls and procedures need to explain why not. You can’t see sanctions and AML in isolation – regulators don’t!
Ashfords LLP was fined in November 2023. The AML aspect got the headlines, but if you read the decision – SRA | Ashfords LLP – 508761 | Solicitors Regulation Authority – you will note that sanctions compliance played a part:
- A retrospective search carried out by the firm, during its own investigation, identified a potential link between one of the purported beneficial owners and an entity subject to UK sanctions.
- Electronic AML searches had not been carried out by the firm for this individual at the time of the purchases, and consequently the firm did not take steps to mitigate sanctions risk. As such, in the absence of documents and information obtained by the firm, to satisfy its customer due diligence and sanctions regime obligations, there was a significant risk that these purchases were funded through a sanctioned entity.
Steptoe International (UK) LLP was rebuked by the SRA (SRA | Steptoe International (UK) LLP – 635838 | Solicitors Regulation Authority) in June 2025. The reason for this was that, despite the firm self-reporting a breach, and whilst ‘appropriate licences had been obtained in respect of these matters and the firm had policies and processes in place, the firm failed to comply with all conditions of the relevant licences, owing to inadvertent human error’.
So here we have a firm trying to be compliant, screening for sanctions and obtaining the required licences from OFSI, yet the SRA found that ‘by failing to comply with Regulation 67(2) of the Russia Regulations, the firm has breached Paragraph 3.1 of the SRA Code of Conduct for Firms 2019 which states you keep up to date with and follow the law and regulation governing the way you work’. There you go again – a sanctions breach is also a breach of the Code of Conduct. The firm simply hadn’t spotted changes in the Russia Regulations – are you checking them?
Finally, the case of Russells Solicitors – SRA | Russells – 054717 | Solicitors Regulation Authority. Here a sole practitioner undertaking conveyancing, wills and probate was given a £9656 fine for a variety of breaches including a ‘lack of checks on politically exposed persons, including sanctions checks’. Yes, you need to check!
What to do:
You should undertake PEP and sanctions screening and undertake additional checks, e.g. for adverse media (Google). Ensure re-screening each time the OFSI list changes – opponents/counterparties too (whilst this is risk-based, you should document what the risks would be and why you do or don’t carry out such checks).
It would be wise in the context of sanctions to obtain evidence of the ownership and control structure (in English), company documentation (Mems & Arts), and company accounts (we suggest three years’ worth of accounts) as you would in order to comply with AML requirements, including obtaining certified copies of the individuals’ passports and proof of address – even if it’s a litigation matter.
- Document a Sanctions Risk Assessment
- Produce a Sanctions Policy
- Train your staff
- Screen and re-screen
- Keep records
- Audit your processes and procedures to ensure they cover what is needed and they are understood and being followed.
This is mitigation.
Also:
- Ask your bank what its policy is if you get sanctioned funds – be prepared.
- What is your PI insurers’ position if there is a sanctions element to a claim – ask.
- Do your Terms of Business or Client Care Letter address the requirement to delay work, stop acting, ask for a licence, and mention additional fees if relevant?
Thanks for reading this, Simon.