FCA Sanctions Screening Findings 2026: What firms must do now
What the FCA found when it tested firms' sanctions screening systems
Since February 2022, the FCA has assessed the sanctions systems and controls of over 150 firms in the financial services sector covering both financial and trade sanctions.
Within this report it ran a Sanctions Screening Testing (SST) workstream, independently testing the calibration and configuration of firms’ screening systems using data from REP-CRIM returns, the annual financial crime reports firms submit to the FCA.
This matters because it shifts the standard of proof. Vendor assurance and self-reported confidence are no longer enough. The FCA tested whether systems actually detect sanctioned parties, and found that many do not, in precisely the conditions sanctions evaders exploit.
What the FCA found
In testing, 90% of alerts correctly identified the relevant sanctioned party where the name matched exactly. Where names appeared in slightly different forms, such as minor spelling variations, 75% of alerts correctly identified the sanctioned party.
The FCA identified specific, recurring configuration failures:
- Fuzzy matching that broke on variation: Honorifics, titles and suffixes reduced match scores below alert thresholds. Inadequate phonetic and spelling-variation rules failed to recognise legitimate name variants.
- Limited handling of non-Latin names: Where firms conducted limited testing and oversight, some could not reliably detect obfuscated or variant names, including those in non-Latin scripts.
- Names excluded from screening entirely: One-word names and names containing digits were excluded by default. Long names exceeded system character limits and failed without generating an alert.
- Inconsistent data ingestion: Firms removed titles inconsistently, or merged them incorrectly into name fields, when ingesting the UK Sanctions List.
- Unexplained exclusion: Firms or their vendors excluded categories of sanctions list data, in some cases with no documented rationale, recent review or senior management oversight.
- Reliance on vendor defaults: Firms provided limited challenge or validation of vendor configuration and logic. In several cases, firms had to rely on the vendor to explain why a name failed to alert.
- Inadequate vessel screening: Screening controls that required specific prefixes or formats failed to detect vessel names presented in simpler forms.
The most common root causes of reported breaches were deficiencies in screening and alert management, alongside weaknesses in due diligence and the management of frozen assets.
Why this is happening now
The UK sanctions regime has expanded sharply in scope and complexity since 2022. The total value of assets reported as frozen in the UK rose from £24.4bn in 2023-2024 to £37bn in 2024-2025.
Demands on screening systems have grown accordingly. Reported breaches still relate primarily to the Russian regime, but the FCA notes increasing exposure to Iran and North Korea, alongside sanctions regimes that target specific issues rather than a single country, such as anti-corruption, human rights and counter-terrorism.
The report points repeatedly to firms relying on historic vendor settings without reassessment, configurations set at implementation and never retested against this changed risk landscape.
What good practice looks like
The FCA’s strongest performers shared a clear set of characteristics:
- Periodic calibration and quality assurance testing, conducted on a defined cycle rather than as a one-off exercise at implementation.
- Retesting after material change, e.g list updates, system upgrades or changes to matching logic.
- Root cause analysis following screening mismatches to establish whether the problem is configuration, data quality or matching logic.
- Genuine vendor oversight challenging and validating vendor configuration, and retaining the internal competence to evaluate what vendors report.
- Supplementary internal watchlists and intelligence feeds alongside primary screening lists, particularly to identify ownership and control relationships.
The FCA was equally clear on alert management. Effective screening is undermined if alerts are not resolved promptly. Around 44% to 47% of firms resolved alerts within one working day, but over a quarter took three to five days to close name screening alerts, and around a fifth took the same time for payment alerts. Strong practice meant structured alert frameworks supported by internal service level agreements, documented investigation rationales and clearly defined escalation between the first and second lines of defence.
How compliance teams should respond
The FCA’s findings point to the fact that screening is a control function that requires ongoing governance.
- Test to fail, not to pass: Assurance that only checks exact matches against known designations confirms the system works in its easiest conditions. Effective testing introduces name variations, transliterations, alternative scripts, partial matches and complex ownership chains.
- Calibrate to your risk profile: Thresholds and fuzzy matching parameters should reflect the firm’s customer base and geographic exposure.
- Document everything: Exclusions need a documented rationale and approval. Testing results and configuration changes need an auditable trail. When a supervisor asks why a name was not matched, the answer must be explainable and evidenced.
- Resolve alerts faster: Alert resolution should be tracked, reported to senior management and benchmarked against internal SLAs and regulatory expectation.
- Extend beyond financial sanctions: Free-text payment field screening, vessel tracking and dual-use goods assessments are now within supervisory scope. Firms treating screening as a name-based financial sanctions exercise alone are exposed.
Speak to the team
If you would like to assess how your screening programme compares to the practices the FCA identified, AML Analytics provides independent testing and auditable benchmarking of screening performance.
Speak to the team to discuss how we can support your sanctions screening programme.