Sanctions compliance in Europe: navigating complexity with confidence

Sanctions compliance has rapidly evolved from a niche area of regulatory focus into a critical and high-risk concern for financial services firms. As geopolitical tensions rise and sanctions regimes become more expansive and change more frequently, firms operating across borders must navigate an increasingly fragmented and high-stakes landscape.

Ahead of the launch of Forvis Mazars’ financial crime insights this summer, which will begin with a sanctions-specific survey, we explore related topics in this article.

From understanding the context behind differing sanction types and implementing screening systems to responding to breaches, this article explores how financial services firms – and others exposed to financial crime risk – can approach sanctions compliance with strategic clarity and operational rigour.

Sanctions screening technology: balancing effectiveness and efficiency

Screening remains the front line of sanctions compliance. It is the primary control used to prevent a firm from directly or indirectly engaging with sanctioned individuals, entities, vessels, or instruments. But as sanctions lists grow longer and more nuanced, and as regulators expect not only screening but also monitoring of ultimate beneficial ownership and control, the challenge has shifted: it’s no longer just about whether a system works — but whether it works well.

Financial institutions face a familiar dilemma: high-quality, comprehensive screening generates large volumes of false positives, creating resource burdens and alert fatigue. Meanwhile, manual, insufficient or outdated systems risk failing to flag sanctioned parties altogether.

To strike the right balance, firms must focus on several core areas:

  • Name matching algorithms: deploying fuzzy matching, phonetic logic, and transliteration (which take into account variations in spelling, pronunciation and translation) to avoid both under- and over-matching.
  • Real-time vs batch screening: real-time screening is essential for payments, while batch approaches are often used for client onboarding and periodic reviews. Both must be tuned to the firm’s risk appetite.
  • List management: ensuring screening lists are timely, complete, and reflect relevant EU, UK, and US sanctions where applicable.
  • Ownership and control screening: integrating data to identify indirect exposure via subsidiaries or trusts, including the EU’s 50% rule and OFSI’s control guidance.
  • Sectoral sanctions and complex instruments: screening for designated debt or equity instruments, crypto assets, and transactions involving sanctioned regions adds complexity.
  • Artificial intelligence driven alert resolution and investigation: using AI to support the resolution of alerts, as well as any investigation steps required, can free up capacity for specialists to focus on high-risk activities.

Firms should be able to demonstrate not only that screening is occurring, but that the technology is properly calibrated, tested, and aligned with the business’s risk profile. Increasingly, regulators expect evidence of tuning, threshold calibration, and the governance process around suppression rules and whitelisting.

AI in sanctions compliance: enhancing alert resolution and investigations

As financial institutions face soaring alert volumes from increasingly complex sanctions regimes, artificial intelligence (AI) and machine learning (ML) are being deployed to enhance efficiency, reduce false positives, and support more accurate investigations.

In particular, AI is showing value in two areas:

Alert prioritisation and triage

Natural language processing (NLP) and behavioural algorithms can help firms distinguish between likely false positives (e.g. common-name mismatches) and true risks. By learning from past investigator decisions, these tools can triage alerts based on contextual relevance, such as jurisdictional risk or customer behaviour patterns.

Investigation support and decisioning

AI tools can assist compliance analysts by auto-summarising previous case notes, flagging inconsistencies, suggesting next steps, or linking entities across datasets (e.g. media monitoring, transaction history, ownership structures). This accelerates case resolution and enables more defensible outcomes.

However, AI is not without its risks.

“Regulators — including the FCA and EBA — have warned against opaque ‘black box’ decision-making, over-reliance on automation, and failure to conduct sufficient human oversight. Firms must be able to explain and evidence how AI-driven decisions are made, especially in a regulatory or legal dispute.”

Luke Firmin, Head of Financial Crime, Forvis Mazars in the UK

What firms should do

  • Pilot AI in low-risk areas (e.g. false positive triage) before wider deployment across sanctions compliance functions.
  • Establish explainability protocols, ensuring that AI-generated outcomes are auditable and clearly understood by human reviewers.
  • Govern AI models rigorously, with validation, bias testing, and involvement from compliance, risk, and data science teams.

Types of sanctions: understanding the broader context

Not all sanctions are created equal — and not all apply equally. Financial institutions must distinguish between the different categories and legal frameworks at play.

Key sanction types include:

  • Trade sanctions: restrictions on importing/exporting specific goods, services, or technologies to or from certain countries or regions.
  • Asset freezes (designations): the most common and high-risk type, prohibiting any funds or economic resources from being made available to named individuals or entities.
  • Sectoral sanctions: often targeting financial or energy sectors (e.g. Russian defence companies), these limit access to capital markets or certain services rather than full asset freezes.
  • Travel bans: relevant primarily to border agencies, but still material for financial institutions when working with politically exposed persons (PEPs).
  • Thematic sanctions: increasingly used to target human rights violations, corruption, cybercrime, or terrorism, such as the EU Global Human Rights Sanctions Regime.

Understanding the legal basis behind a sanction is vital. For example, a financial institution operating in both the EU and UK may need to treat the same counterparty differently depending on whether it is sanctioned under UK regulations (via OFSI) or under an EU Council Regulation.

Post-Brexit divergence is already creating operational complexity.

“Some designations differ; licensing and reporting obligations vary; and dual/multiple sanctions implementation (needing to comply with more than one sanctions regime) is fast becoming the norm for cross-border firms which makes regulatory compliance quite complicated.”

Sylvie Matherat, Senior Global Advisor, Forvis Mazars in France

Responding to sanction breaches: practical measures for financial services firms

Despite best efforts, sanctions breaches do occur, through system failures, control gaps, or third-party relationships. What matters next is how a firm responds, which can be critical for mitigating the associated risks.

Immediate actions:

  • Freeze and report: firms must immediately freeze assets and economic resources of designated persons and report the breach to the relevant competent authority, depending on the type of breach that has occurred (e.g. OFSI in the UK for financial sanctions or national authorities in the EU).
  • Internal escalation: establish a clear incident escalation protocol involving legal, compliance, and senior management. Breaches may constitute not just regulatory violations but potential criminal offences.
  • Root cause analysis: investigate whether the breach was the result of process failure, data quality issues, third-party activity, or system misconfiguration.
  • Regulatory notification: even where no funds were disbursed, many regulators expect firms to disclose near misses or systemic weaknesses as part of their supervisory relationship.
  • Remediation: implement control enhancements, including screening rule recalibration, process redesign, staff training, or client offboarding where necessary.

Longer-term measures:

  • Scenario testing: regular testing of known sanctions typologies or simulated breaches helps identify vulnerabilities and demonstrate proactive compliance.
  • Third-party oversight: increased focus is being placed on correspondent banks, fund distributors, fintech partners, and KYC utilities – all of whom may pose indirect sanctions exposure.
  • Governance and accountability: boards and senior managers are expected to take ownership of sanctions risk. Minutes, audit trails, and risk assessments should evidence active engagement.

Penalties for non-compliance: European enforcement and regulatory trends

Historically, European enforcement of sanctions breaches has lagged behind that of the United States. But this is changing — and fast.

The UK’s Office of Financial Sanctions Implementation (OFSI) has stepped up both civil penalties and naming decisions under its enforcement powers. Notable recent cases include financial institutions and crypto firms penalised for dealing with designated parties in breach of asset freeze prohibitions.

Meanwhile, in the EU, the European Public Prosecutor’s Office (EPPO) and national competent authorities are increasingly coordinating to investigate and prosecute sanctions evasion, particularly in the context of Russian sanctions. Proposed regulations aim to harmonise penalties across the EU for sanctions breaches, with discussions around criminal liability for firms and individuals.

Typical penalties may include:

  • Monetary fines: in the UK, the greater of 50 per cent of the estimated value of funds or economic resources or £1 million, and similar thresholds across the EU.
  • Regulatory sanctions: including enforcement actions, licence restrictions, public censure, or mandatory remediation programmes.
  • Criminal liability: certain breaches (e.g. knowingly facilitating funds to sanctioned persons) may be prosecuted as criminal offences in many jurisdictions.
  • Reputational harm: firms caught up in sanctions scandals often suffer lasting brand and market trust damage.

Crucially, enforcement bodies are placing increased emphasis on adequate systems and controls. Even if a breach occurs, the presence of robust, documented, and risk-based procedures can significantly mitigate penalties.

Building sanction resilience in an evolving landscape

Sanctions compliance is no longer a back-office control: it’s a strategic risk management function that touches every corner of a financial institution’s operations — from onboarding and payments, to trade finance and third-party risk.

For firms operating in Europe, the complexity is deepening: regulatory divergence post-Brexit, rapid-fire changes to designations, multi-layered ownership structures, and an evolving enforcement appetite mean that complacency is no longer an option.

To remain compliant and competitive, financial services firms should:

  • Invest in intelligent, risk-sensitive screening and governance structures.
  • Ensure incident response protocols are clear, fast, and cross-functional.
  • Educate staff not only on who is sanctioned — but why, and how sanctions fit into the wider geopolitical and compliance landscape.
  • Recognise that sanctions compliance is an ongoing obligation, not a one-time implementation task.

“In an era where financial systems are increasingly weaponised for foreign policy ends, getting sanctions compliance right isn’t just a regulatory necessity — it’s a moral and strategic imperative.”

Gregory Marchat, Group Head of Financial Services Advisory, Forvis Mazars in the UK
