From intent to detection
Sanctions enforcement used to be quieter and more predictable. Lists were updated, guidance was published, and enforcement actions focused mainly on clear, deliberate violations.
Over the last decade, that approach has changed. Regulators in the EU, UK, and especially the US now enforce sanctions more aggressively, more publicly, and with far less tolerance for weak controls. Compliance is no longer judged only by whether a firm knowingly dealt with a sanctioned party. Regulators increasingly ask a different question: should the risk have been detected earlier?
One clear signal of this shift comes from US enforcement history. The Office of Foreign Assets Control (OFAC) has repeatedly penalised companies not just for intentional sanctions violations, but for failing to identify them in time. Banks, shipping companies, and fintech firms have faced multimillion-dollar penalties where controls failed to flag obvious sanctions risks.
In several cases, regulators acknowledged that firms did not intend to evade sanctions. Yet failures in screening, due diligence, or escalation were still treated as serious breaches.
OFAC's 2022 settlement with cryptocurrency exchange Bittrex illustrates this approach. The exchange agreed to pay more than $24 million to settle allegations that it processed transactions involving sanctioned jurisdictions including Iran, Syria, and Crimea. While OFAC did not find evidence of deliberate evasion, it concluded that customer data, including IP address and location information, should have revealed the exposure earlier.
A new standard for compliance
This reflects a broader change in regulatory expectations. Enforcement is no longer focused purely on the transaction itself. Instead, regulators examine the systems and decisions surrounding it. Internal emails, audit findings, and system gaps increasingly appear in enforcement actions as evidence that risks were visible but not addressed.
In other words, process now matters almost as much as outcome.
The UK has moved in the same direction. With the introduction of strict liability under the Office of Financial Sanctions Implementation (OFSI), firms can face penalties even when they did not know a breach occurred. This lowers the threshold for enforcement and shifts the burden toward proving that monitoring and controls are genuinely effective.
Across the EU, enforcement has historically been less consistent because sanctions are implemented through national authorities. That is beginning to change. Regulators are sharing intelligence more actively and building stronger EU-level coordination to close gaps between jurisdictions.
The overall direction is clear. Authorities are moving toward faster action and less tolerance for delayed remediation.
An expanded scope of risk
Sanctions enforcement is also expanding beyond traditional sanctions regimes. Governments are increasingly using other regulatory tools, including tariffs and investment restrictions, to pursue similar policy goals. For companies, these measures create parallel compliance risks. Firms must still understand ownership structures, counterparties, and supply chains, even when the rule sits outside a formal sanctions framework.
Taken together, the message from regulators is straightforward. Sanctions compliance is no longer about maintaining a static checklist. Regulators increasingly expect firms to identify risk signals early enough to prevent breaches at all, whether through ownership links, indirect exposure through counterparties, payment patterns, or other data that suggests a sanctioned connection may exist.
This shift explains many of the operational challenges compliance teams face today. Ownership rules such as the 50 percent rule expose structural risks that only appear when data is aggregated correctly. Sanctions lists provide essential signals but do not capture the full scope of exposure. And new regulatory frameworks, such as outbound investment controls, increasingly intersect with traditional sanctions monitoring.
For global firms, the real test is not simply whether sanctions rules apply. It is whether their controls can detect exposure early enough to prevent a breach from occurring at all. That increasingly depends on the ability to connect information across counterparties, ownership structures, and transactions.
Teams are expected to analyse far larger volumes of data and relationships than before. Risks that once appeared isolated often only become visible when these signals are linked together through indirect ownership, intermediary entities, or transactional patterns.
In today’s enforcement environment, regulators are not only investigating whether a violation took place. They’re also looking at whether the warning signs were already present, and whether firms had the monitoring capabilities in place to identify them in time.