Sanctions Screening Regulatory Requirements in 2026: What Four Regulators Now Expect
In short: Across the first half of 2026, four regulators in four jurisdictions, the FCA, HKMA, Gibraltar Gambling Commissioner, and UAE CMA, published findings and guidance from the thematic reviews of sanctions screening systems. Their conclusions converge on one requirement, firms must now prove their screening works through independent, documented, risk-based testing. Having an advanced system is no longer sufficient. You must be able to evidence why it made the decisions it did.
What are the sanctions screening regulatory requirements for 2026?
In 2026 Q1 and Q2, the Hong Kong Monetary Authority (HKMA), the UK’s Financial Conduct Authority (FCA), the Gibraltar Gambling Commissioner (GGC), and the UAE Capital Market Authority (CMA) each published findings from testing sanctions screening systems across the firms they supervise. These reports span three sectors and four jurisdictions, yet their findings and expectations are strikingly similar.
Firms are now expected to prove their sanctions screening system works, increasingly through independent third-party testing. It is no longer just about having an advanced screening system; it is about the demonstrability of that system and evidencing why it made the decisions it did.
What did the regulators find when they tested screening systems?
Every regulator reached the same core result: sanctions screening systems perform well on exact name matching but notably worse when tested against manipulated data sets.
- FCA: in its own testing, 90% of alerts correctly identified the sanctioned party on exact-name matches, but only 75% once names appeared “in slightly different forms, such as minor spelling variations.”
- GGC: performance against manipulated data was “significantly weaker” across the sector, and some firms even failed to identify “exact sanctions entries”, described as “a critical control weakness.”
- CMA: across 46 systems tested, performance was strong on exact matches but showed “variability” under “more complex matching scenarios,” including alternative name forms and Arabic–Latin transliteration variants.
Manipulated data-set testing is critical to stress-test a sanctions screening system’s fuzzy matching logic. It enables optimal tuning and reveals whether your system can withstand realistic sanctions evasion tactics.
Are screening weaknesses leading to enforcement action?
Yes. The FCA reports that the most common causes of sanctions breaches were “deficiencies in sanctions screening and alert management.” In Gibraltar, the Commissioner found that the ineffectiveness of one licence holder’s screening system “had crossed the enforcement threshold,” resulting in a regulatory settlement. Where a system fails quietly, the firm, not the vendor, carries the breach.
Can accountability for screening be outsourced to the vendor?
No. On accountability, the regulators are unanimous. Buying a sanctions screening system from a third party does not transfer responsibility for whether it works. The risk is never outsourced to the vendor, it remains with the institution. Each supervisor expects firms to actively test and challenge the technology they rely on, rather than trust it by default.
- GGC: the same technology produced “materially different results” depending on configuration; firms must “actively engage with, test, and challenge third-party providers, rather than relying solely on the performance of ‘black box’ solutions.”
- FCA: identified firms “relying on historic vendor settings without reassessment” as an example of poor practice.
- UAE CMA: “reliance on third-party vendors does not mitigate” a firm’s responsibility for effectiveness.
The CMA put it most plainly. Reliance on a third-party vendor does not lessen the obligation on the institution to ensure its screening is effective, and senior management remains answerable for it.
How often must sanctions screening systems be tested in 2026?
Regulators now expect regular, risk-based testing and validation, including following system changes or where performance concerns arise. Testing should be independent, evidence-based and appropriately documented.
- HKMA: conduct regular testing to demonstrate “explainable, effective and efficient” controls, at least annually; recommends appointing an external professional firm and requires firms to be satisfied as to the “independence and expertise” of whoever tests. Results may be requested by the regulator.
- UAE CMA: testing must be “independent, evidence-based and appropriately documented,” with outcomes reviewed at senior level.
- Gibraltar GGC: “regular and documented testing of screening systems using both control and variation-based datasets,” with full auditability of results.
The 2026 sanctions screening requirements, summarised
Taken together, the four reviews point to a consistent set of expectations. Regulators now expect institutions to:
- Test regularly – not simply rely on vendor assurances.
- Use independent experts – for objectivity and defensibility.
- Document everything – risk assessments, tuning decisions, test results, and remediation.
- Align testing with risk – higher-risk businesses, or recent geopolitical events, should trigger more frequent validation.
- Address AI explainability – black-box systems are increasingly unacceptable without clear audit trails.
Regulators are looking for demonstrable sanctions screening programmes that can handle manipulated data and be evidenced to show how and why each decision was made. This is now a global supervisory expectation across sectors.
Prove your sanctions screening system meets 2026 requirements
The reviews describe a precise set of weaknesses, poor performance on manipulated names, untested vendor configurations, and an absence of documented evidence. AML Analytics independently tests sanctions screening systems for effectiveness, efficiency and explainability, using control and manipulated datasets that expose exactly these weaknesses.
Testing can be used to benchmark your system against other financial institutions and produces the documented evidence supervisors now demand. We give you the independent, defensible proof that satisfies the FCA, HKMA, GGC and CMA expectations set out above.
Speak to the team to discuss how independent testing can evidence your sanctions screening programme against the 2026 regulatory requirements.
Sources: HKMA, “Thematic Review of Sanctions Screening Systems,” 16 March 2026
FCA, “Sanctions systems and controls in our firms: our findings,” 28 May 2026
Gibraltar Gambling Commissioner, “Public Statement — Thematic Review of Sanctions Screening Systems and Controls,” 9 June 2026
UAE Capital Market Authority, “Thematic Review of Screening Systems in the UAE Capital Markets Sector,” 2026