This spring, UK regulators remained firmly focused on financial crime and market integrity, with recent enforcement and sanctions activity reinforcing expectations for firms across the sector. In this edition of Financial Regulation – In the Know: Financial Crime, co-edited by AG Global Investigations Partners David Pygott and Harriet Territt, we examine a recent FCA final notice addressing multiple failures in a firm’s market abuse surveillance arrangements. Next, we analyse recent amendments to the Money Laundering Regulations and how they represent a significant shift in regulatory expectations. Then, we look at recent sanctions enforcements highlighting where businesses are falling short and what OFSI is doing about it.

FCA fines a merchant bank £338,000 for market abuse surveillance failings
The FCA recently fined a UK merchant bank for failing to implement effective systems and controls to detect and report suspicious trading in its high-risk contracts for differences (CFD) business. The Final Notice (published 27 March 2026) found the firm had breached certain requirements of the UK Market Abuse Regulation as well as FCA Principle 3 and certain FCA systems and controls requirements (SYSC 6.1.1R). The FCA emphasised once again in its reasoning the importance not just of well calibrated and functioning market surveillance systems, but also of governance, and adequate policies and procedures for the review, escalation and timely reporting of suspicious activities. The FCA’s approach to penalty calculation reflected its view of the seriousness of the control failings and that the issues were allowed to persist for a considerable period of time, notwithstanding senior management awareness and some direct regulatory engagement.
How this enforcement illustrates the regulatory expectation that firms will continuously assess and recalibrate surveillance arrangements
Factual context
The enforcement action centred on the bank’s systems and controls to detect and report suspicious trading activity following the introduction of a new automated order system. During June–October 2024, the firm allowed clients to execute CFD trades with a notional value of approximately $3.05 billion on a newly introduced direct market access trading system, but none of these trades were captured and ingested into the bank’s automated surveillance tools, which meant that potential suspicious activity was not being automatically flagged to the firm’s Compliance team. Although the firm also had a manual monitoring system operating in parallel, the FCA found that this had an inherent weakness if used as a single line of defence. After the technical issue was addressed and trades on the new platform started to be ingested into the automated surveillance system, the firm took a series of measures to improve its market abuse surveillance. However it took some months for remediation work to be fully carried out. When the firm re-ran surveillance of trades following implementation of the new system, it generated a significant number of insider dealing and market manipulation alerts, resulting in multiple reports to the FCA of suspicious trading. In March 2025, the firm entered into a VREQ agreeing not to onboard new CFD clients, and in May 2025 decided to unwind its CFD business which was subsequently closed.
What went wrong: key control failures
The FCA expects firms to regularly assess their trading surveillance arrangements, systems and procedures to ensure they remain appropriate and proportionate to the scale, size and nature of the firm’s business activity. In this case, the FCA identified a series of interlinked failings, including failures to:
- adequately test the new order system to ensure that increased CFD trading was captured and ingested from its implementation;
- undertake sufficient risk assessment and change management once the issue was identified, meaning the firm’s Board was not provided with a clear view of the market abuse risks arising from the growth in CFD activity;
- provide adequate management information to the Board by way of trend analysis and comparisons;
- rectify known system issues, particularly given the FCA had contacted the firm about certain transactions;
- ensure adequate policies and procedures were in place in relation to (i) the review and escalation of suspicious activity (including a lack of audit trail of escalated concerns) and (ii) the review and management of alert calibration to ensure effective surveillance capabilities;
- escalate concerns to the Compliance team in accordance with the Compliance policy (concerns were escalated by brokers to their respective head of desk).
The bank had a second manual monitoring system in place, which identified potentially suspicious transactions, but the FCA noted that this “first line of defence” manual system had inherent weaknesses and should not be solely relied upon.
Governance and enforcement signals
The FCA’s Final Notice emphasises that governance matters in cases of this type. The Authority found that the bank had introduced a direct market access platform without performing any additional risk assessment or pre-launch testing of its surveillance capability. Further, the firm’s Board and Compliance function were aware of rapid growth in CFD volumes, yet the surveillance capacity was limited. The FCA found among other issues that the firm did not have a ‘documented calibration review policy’, and the reviews it did carry out were limited and did not highlight issues with the surveillance system. Further, for part of the period in issue, the firm did not have a written procedure setting out the steps for employees to follow should the surveillance system trigger an alert. The FCA also considered that the review and reporting mechanisms that the firm did have did not contain sufficient management information to enable the board to monitor, review and identify issues accurately.
Next steps
Firms should take this opportunity to test whether their market abuse controls, surveillance arrangements and escalation processes would withstand similar scrutiny, particularly where historic or legacy issues are involved. We would be happy to discuss the lessons from this decision and how they translate into practical steps for strengthening control frameworks and investigation readiness. Our team regularly supports firms in reviewing controls, responding to FCA enquiries and managing market abuse investigations.
UK sanctions enforcement: Markom, ADI and OFSI’s expanding reach
Two recent UK sanctions enforcement actions, against a fiduciary services firm (Markom Management Ltd) and the Irish subsidiary of a tech giant (ADI), highlight how OFSI is thoughtfully establishing a broad scope for its enforcement remit. Taken together, the cases demonstrate that enforcement is not limited to UK persons and that OFSI is focused on relatively limited conduct and particularly on UK sanctions circumvention risks. For financial services, the message is clear: the expectation is for robust systems and controls, from trade finance to platform payments, to stop sanctioned funds flows wherever they might occur.
These decisions and their implications for sanctions enforcement risk
Markom – UK party administrative payment approval sufficient grounds for enforcement
Back in July 2025, OFSI announced that it had fined Markom Management Ltd £300,000 for breaching Crimea-related sanctions. The underlying conduct dated back to 2018, when Markom instructed a Moscow-based bank to return an overpayment to a sanctioned individual in the course of providing fiduciary and administrative services. In OFSI’s view, the firm had reasonable cause to suspect the sanctions risk and lacked adequate understanding of its obligations, and its prioritising of operational convenience over sanctions analysis was an aggravating factor. What is notable for financial institutions is not the existence of the breach, but how OFSI characterised the role Markom played. Markom was not party to the original sale transaction and was not transferring its own funds – rather it had an approval role in the making of a payment which took place entirely outside the UK. This is a primary example of OFSI’s willingness to penalise firms that facilitate transactions, even if they aren't a principal party to them.
ADI – UK jurisdiction and strict liability in action
OFSI’s penalty on Apple Distribution International Ltd (ADI), published in March 2026, demonstrates a further expansion of OFSI’s enforcement remit. It is an example of how non-UK companies can be within OFSI’s reach if there’s a UK link.
In this case, ADI used a UK bank account it controlled to send two large payments to a Russian streaming platform in June and July 2022. At the time, the streaming platform was wholly owned by a UK-designated entity (JSC New Opportunities), and OFSI found, therefore, that the transfers breached UK sanctions. Unlike Markom, this breach occurred after the introduction in the UK of the civil enforcement regime for UK sanctions, so the fact that ADI did not know or intend to breach UK rules was not a defence. OFSI acknowledged that ADI had relied entirely on corporate affiliates to functionally implement relevant payment processes and the sanctions screening and due diligence measures, but concluded that ADI’s failure to understand or acknowledge heightened risk relating to Russia payments post invasion of Ukraine as well as the failure to affirmatively request ownership details or identify open‑source media articles which clearly indicated the transfer of the streaming platform to a UK sanctioned party had caused a serious breach. OFSI significantly discounted the maximum possible fine to reflect ADI’s voluntary disclosure and co-operation.
Bigger picture – circumvention and control
Both cases confirm a broader trend: OFSI is focusing on how sanctions breaches happen in practice, not just on paper compliance. The latest enforcements reinforce the extra-territorial nature of UK sanctions, both for non-UK persons acting in the UK and UK persons operating globally.
The Markom penalty shows that limited facilitation through negligence or haste will not escape scrutiny and the ADI case demonstrates OFSI’s willingness to view omissions as actionable breaches under the civil liability enforcement regime. Going forward, enforcements are likely to test whether firms can react quickly to designation changes, whether they perform deep ownership-and-control due diligence (beyond simple screening), and whether governance arrangements empower the right people to halt transactions when red flags appear. These are no longer theoretical scenarios: OFSI’s recent guidance and statements suggest there is an active enforcement focus on these issues.
Next steps
Firms should review their sanctions risk exposure, governance and decision making frameworks to ensure they remain robust. To discuss sanctions enforcement risk and investigations, please contact Harriet Territt.
Sharper UK AML rules: what the 2026 MLR changes mean for firms
In its latest step to reform the UK’s 2017 Money Laundering Regulations (MLRs), at the end of March 2026, the UK Government published a draft of a new statutory instrument – the Money Laundering and Terrorist Financing (Amendment) Regulations 2026. The revisions that the new draft SI would make follow HM Treasury’s 2024 consultation on MLR effectiveness and are intended to ensure the UK remains aligned with FATF standards ahead of a 2026 mutual evaluation. The changes also form part of the UK’s Economic Crime Plan 2023–26, as well as anticipating a forthcoming AML and asset recovery strategy. In this section of our updater, we look again at the changes that the draft SI would make to the MLRs.
Our summary of key changes to the MLRs
More risk-based customer due diligence (CDD) and enhanced due diligence (EDD) obligations
A central theme is that EDD will now be required only for “unusually complex or unusually large” transactions – replacing the old rule that any complex transaction triggered EDD. This change means firms must use judgement: “complex” alone isn’t enough – it’s the unusual nature or scale that matters. Regulators will expect firms to calibrate internal standards so that staff can distinguish genuinely atypical or high-risk dealings from routine complex transactions.
Mandatory EDD for geographic risk has been narrowed to countries on the FATF “Call for Action” list meaning a business in a “jurisdiction under increased monitoring” is no longer automatically high-risk. But firms remain obliged to assess such exposure and apply appropriate controls based on their own risk assessments. Country risk assessment frameworks will need updating to reflect this change.
Another key change is that, if a bank fails, competitor banks can onboard affected customers quickly without full prior CDD. In effect, a bank taking on customers from an insolvent institution can let them transact immediately, verifying identity as soon as practicable thereafter. Importantly, this carve-out applies only under strict conditions, excludes higher-risk customers and requires appropriate safeguards. The FCA and Bank of England expect firms to incorporate such scenarios into playbooks (and HMT has signalled that industry guidance via JMLSG will flesh out how to operationalise this whilst managing attendant risks).
Systemic safeguards and governance expectations
Several amendments are intended to strengthen system-wide cooperation and contingency measures. In particular, the MLR supervisors (including the FCA and HMRC) will gain clearer gateways to share information with Companies House and the Financial Regulators’ Complaints Commissioner.
Crypto, trusts and shell companies
The amendments also tackle a number of areas where there are issues of interpretation with the existing MLRs and/or where perceived ‘regulatory gaps’ had emerged. One headline change explicitly brings the sale of “off-the-shelf” companies within the scope of regulated Trust or Company Service Provider (TCSP) activity. In short, anyone selling ready-made companies must now conduct CDD on the buyer, just as if they were forming a company for a client. Financial institutions dealing with acquisition of such companies, for instance, will need to recognise this as a risk point now. TCSP work is in our experience already a focus for authorities and this change could in our view lead to more enforcement attention.
The new draft SI also extends registration to non-UK trusts that bought UK land pre-October 2020 (closing a historic gap), and introduces a de minimis exemption for low-value trusts. Low-risk trusts (for example, those below a certain asset value and with UK-tax neutral status) may no longer need to register for AML supervision. At the same time, there are some technical fixes, such as removing Stamp Duty Reserve Tax as a sole trigger for registration, which aim to ensure truly low-risk trusts aren’t swept into the regulatory perimeter unnecessarily. Firms must know which trusts now must register and which are exempt.
For cryptoasset businesses, the changes align the MLRs with the new FSMA crypto regulatory regime. A new rule will require crypto firms to perform counterparty due diligence for “correspondent” relationships (for example, when a UK crypto exchange deals with an overseas exchange or custodian). HM Treasury is allowing a 9-month implementation period for this obligation, acknowledging operational lead time – the FCA will expect this built into firms’ control frameworks by October 2027.
Other changes
The draft SI also addresses a number of other, more technical, issues. For example, all monetary thresholds in the MLRs (for identifying customers, transaction monitoring, etc.) will convert from euros to sterling values. Key thresholds – such as the general £10,000 threshold for high-value transactions – are now set in GBP.
Boards and Senior Managers should treat these regulatory tweaks as an opportunity to reinforce oversight: ensure that policies are updated, risk assessments revisited, and front-line training refreshed to reflect the new MLR obligations.
Next steps
A number of the forthcoming changes to the MLRs are technical in nature and will need careful consideration at the point of implementation. Firms would be well advised to act now to start reviewing their existing policies, controls and procedures. Please contact the authors if you would like assistance with this; we will be happy to support clients through necessary compliance changes.
Round‑up of other key developments
UK regulators want to see financial crime controls that are both tough and smart. The FCA’s enforcement approach continues to evolve, with increasing emphasis on effectiveness and deterrence as part of a broader enforcement and market integrity narrative. HMG and OFSI, meanwhile, are developing their frameworks to be risk‑based and proportionate. Taken together, these developments signal a shift away from box‑ticking compliance and towards a clearer expectation that firms can evidence judgement, understand where risk is concentrated, and adapt systems and controls accordingly — particularly where ownership, control and circumvention risks sit at the intersection of sanctions and wider financial crime obligations.
Three further developments highlighting the direction of UK regulatory travel in the financial crime arena
OFSI’s enhanced enforcement framework
In February 2026, OFSI rolled out its strengthened sanctions enforcement guidance, following a public consultation on civil enforcement processes. The changes include a new Early Account Scheme (EAS) offering penalty discounts for early co-operation, a revised case assessment matrix with a four-tier seriousness grading (including a specific factor for the “strategic priority” of the sanctions regime breached), and updated emphasis on circumvention risks and firms’ management of sanctions risk. OFSI also introduced a formal settlement scheme and increased discounts for voluntary disclosure and cooperation, aligning its approach more closely with other regulators. These are clear signals that OFSI is moving to a more assertive yet efficient enforcement posture – focusing on the most serious or strategically significant breaches. There is also a growing premium on robust internal controls, since “knowledge and management of financial sanctions risk” is now explicitly a penalty factor. Higher maximum fines (to be doubled via legislation) and streamlined fixed penalties for minor reporting breaches reinforce the message that even technical compliance gaps can trigger sanctions consequences.
‘Ownership and control’ under the microscope
In parallel, OFSI conducted an evidence gathering exercise around the sanctions “ownership and control” test. This review, which closed on 20 April 2026, asked financial institutions and others for input on how the rules treating entities “owned or controlled” by designated persons work in practice. In particular, it is looking at “hypothetical control” scenarios (where a designated person’s influence is possible but not explicit) and the impact of the current broad test on compliance costs, legal risk and de‑risking by firms. While this suggests authorities recognise both the complexity and potential over-reach of the current regime, it also highlights that sanctions compliance is increasingly about nuanced beneficial ownership judgments. For compliance teams and sanctions officers, it’s a signal to be prepared for further guidance or rule changes that aim to prevent sanctions circumvention via complex corporate webs.
FCA publishes latest client due diligence good and poor practices
In 2025, the FCA undertook a multi-firm review of client due diligence (CDD), enhanced due diligence (EDD) and ongoing due diligence controls, publishing its findings on 8 April 2026. Firms would be well advised to review the FCA’s findings of good and poor practice and consider whether they can learn from them. The FCA’s findings of poor practice included policies that lack practical guidance for staff, unclear periodic/event‑driven review triggers, weak version control, and failures to evidence what EDD steps were actually taken, or to specify when senior management approval is required.
The FCA found that few firms had enough practical detail for staff in their policies and procedures. Gaps identified included insufficient guidance on EDD measures, acceptable alternative KYC documents, frequency of periodic CDD reviews, and what staff were expected to do in event-driven reviews.
Another key theme was poor compliance monitoring and audit practices. Some firms could not explain how they monitored CDD quality. The failure to separate initial CDD and second line assurance functions on the same files was flagged. Some firms also failed to specify customer types or scenarios requiring senior management approval. There was a lack of record-keeping of EDD measures taken and the purpose and nature of business relationships. Weak version control further undermined audit trails.
The FCA viewed positively firms that operated regular and proportionate review cycles of CDD controls. Stronger firms also had clear requirements for senior management approval and senior oversight through compliance committees.
To demonstrate strong CDD controls, firms should conduct independent third-line thematic assessment and testing as appropriate, including through external experts. Firms should then document their findings and how they have acted upon them.