Eight Days Too Late: Lessons from OFSI’s 5TH 2025 Enforcement Against Vanquis Bank

On 8 September 2025, the UK’s Office of Financial Sanction Implementation (OFSI) published a Disclosure concerning breaches of Regulations 11 and 12 of the Counter-Terrorism (Sanctions) (EU Exit) Regulations 2019 (Regulations) by UK-registered and Financial Conduct Authority-regulated Vanquis Bank Limited (VBL). 

This civil enforcement action from OFSI is the fifth of 2025 (and the second Disclosure notice of the year) and is a step up from the single enforcement action OFSI took in 2024.

While indicative of action being taken by the enforcement authority, this instance offers another example of OFSI’s emphasis on encouraging organisations to establish effective, robust, and appropriate compliance procedures, systems, and controls to mitigate the risk of violations.

Here’s a summary and breakdown of key compliance lessons from the OFSI Disclosure Notice issued on 8 September 2025 regarding Vanquis Bank Limited (VBL):

Summary of the Breach

• Regulations Breached:
• Regulation 11: Prohibition on making funds available to designated persons.
• Regulation 12: Prohibition on dealing with funds owned, held, or controlled by designated persons.
• Incident:
  
  • Withdrew cash.
  • Made purchases using their credit card.
• VBL failed to restrict access to a designated person’s account for eight days after receiving a pre-notification from OFSI.
• During this time, the individual:
• Outcome:
• OFSI assessed the breach as moderately severe but did not impose a monetary penalty. Instead, it published a Disclosure notice under Section 149(3) of the Policing and Crime Act 2017 (PACA).

Key Compliance Failures

1. Delayed Action Despite Pre-Notification
• OFSI had warned VBL that a customer was likely to be designated the next day.
• VBL’s internal alert was not reviewed until eight days later, allowing prohibited transactions.
2. Screening System Issues
• VBL used two suppliers: one for sanctions lists and another for automated screening.
• Alerts were falsely closed as duplicates, delaying escalation and review.
3. Resource Misallocation
• Staff were redeployed to handle a surge in manual alerts, delaying first-line review of critical alerts.

Mitigating Factors Considered by OFSI

• VBL voluntarily disclosed the breach and cooperated fully.
• The cash withdrawal occurred within 24 hours of designation.
• No evidence of deliberate circumvention.
• VBL’s products were assessed as low-risk, being limited to UK residents.

Compliance Lessons for Industry

1. Act Swiftly on OFSI Notifications
• Even pre-notifications require immediate internal escalation and review.
• Institutions must be ready to freeze assets before formal designation.
2. Ensure Screening Systems Are Robust
• Avoid false positives/duplicates that delay action.
• Regularly test and audit automated systems.
3. Maintain Adequate Staffing for Sanctions Response
• Ensure first-line and second-line teams are resourced to handle spikes in alerts.
• Avoid diverting staff from critical sanctions functions.
4. Voluntary Disclosure Is Valued
• OFSI may consider cooperation and transparency as mitigating factors.
• Prompt reporting can reduce enforcement severity.
5. Understand Your Risk Profile
• Even low-risk products (e.g., UK-only credit cards) can be exposed to sanctions breaches.
• Risk assessments must be dynamic and reflect real-time threats.

OFSI Risks in Relation to International Card Schemes

6. You should be aware that the OFSI has issued in the past a card scheme warning, as shown below
• https://www.gfsc.gg/sites/default/files/inline-files/OFSI%20Guidance%2018.09.25.pdf

Sanctions Compliance Checklist – Lessons from VBL Disclosure (OFSI, 8 Sept 2025)

Here’s a Compliance Checklist based on the OFSI Disclosure Notice regarding Vanquis Bank Limited (VBL), designed to help UK financial institutions strengthen their sanctions controls:

1. Immediate Action on OFSI Notifications

• Establish protocols to escalate pre-notifications from OFSI within hours.
• Freeze or restrict access to accounts before formal designation if risk is high.

2. Screening System Integrity

• Ensure screening tools do not auto-close alerts as duplicates without review.
• Conduct regular audits of alert-handling logic and escalation paths.
• Use integrated systems for sanctions list updates and alert generation.

3. Staffing and Resource Allocation

• Maintain dedicated sanctions compliance staff, even during alert surges.
• Avoid diverting first-line reviewers from sanctions-related duties.
• Train staff to recognise and prioritise high-risk alerts.

4. Voluntary Disclosure Protocols

• Create internal procedures for voluntary disclosure to OFSI.
• Document all actions taken post-breach for transparency.

5. Product Risk Assessment

• Reassess risk exposure of all products—even those limited to UK residents.
• Include sanctions risk in product design and approval processes.

6. Governance and Oversight

• Ensure senior management is briefed on sanctions risks and OFSI expectations.
• Include sanctions compliance in board-level risk reviews.

7. Recordkeeping and Audit Trail

• Maintain detailed logs of alerts, decisions, and actions taken.
• Ensure audit trails are accessible for internal and external review.

8. Training and Awareness

• Conduct regular training on sanctions regulations and OFSI enforcement trends.
• Include case studies (e.g., VBL) in training materials to reinforce lessons.

The OFSI Disclosure notice concerning Vanquis Bank Limited (VBL) was officially published on 8 September 2025 by the Office of Financial Sanctions Implementation (OFSI).

References

Disclosure notice: 08 September 2025 - GOV.UK https://www.gov.uk/government/publications/disclosure-notice-08-september-2025

Publication of a Report Vanquis Bank Limited - GOV.UK https://assets.publishing.service.gov.uk/media/68beb534de0987fe84e0dd0f/VBL_Disclosure_Notice_08SEPT2025.pdf