
SRA Guidance on Sanctions Risk Assessment


The SRA has issued guidance (Nov 2022) that explains its expectations and provides practical advice to firms on avoiding breaches of the UK's sanctions regime and to firms that wish to work within it, for example, those providing services under a licence from the Office of Financial Sanctions Implementation (OFSI).

The guidance includes a section on the SRA's expectations for sanctions risk assessments. That section follows below.

Sanctions risk assessment

  1. The sanctions regime is one of strict liability, and taking a risk-based approach will not necessarily protect you if you breach the sanctions regime (even unintentionally).
  2. Some scenarios are more likely to lead to a breach of the sanctions regime or encountering a designated person or frozen asset. Risk is heightened when more than one of these is present.
  3. The SRA expects firms to make a proportionate effort to prevent unintentional or accidental sanctions breaches.
  4. The SRA has assessed the greatest risk below to determine where more significant effort may be needed.
  5. You should take proportionately greater effort to ensure you are not breaching sanctions in the scenarios below:

Sanctions risk factors

Jurisdiction – some jurisdictions carry a higher risk than others. In judging which jurisdictions are at higher risk, the SRA would include:

  1. Any jurisdiction with a dedicated regime in the UK Consolidated list
    • i.e. Iran, Iraq, Myanmar, Russia, Belarus, Afghanistan, Central African Republic, Bosnia and Herzegovina, DPRK, DRC, Guinea, Guinea-Bissau, Libya, Mali, Sudan, South Sudan, Venezuela, Yemen and Zimbabwe.
  2. Any jurisdiction with significant exposure to the other UK sanctions regimes, such as those addressing:
    • Human rights or
    • Daesh.
  3. Jurisdictions that, while not the subject of a dedicated regime, have a significant footprint of designated persons.
    • One way to check this is by using the Ctrl+F 'find' command to check the number of mentions for each country on the consolidated sanctions list. For example, Syria has almost one thousand mentions, while Norway has three.
  4. Jurisdictions where there are well-established financial links with a jurisdiction with a named regime.
    • For example, Moldova and Cyprus have had strong economic links with Russia.
  5. Jurisdictions that are listed by other regimes (for example, the EU and the US) but not by the UK.
    • The implication is that there is a risk that the UK will move to harmonise its regime with other international regimes. So, a person designated by a non-UK regime is at risk of being designated by the UK regime in future.
  6. Jurisdictions noted as being able to provide services or entities that help to hide ownership – in many cases, these may also be high-risk for money laundering, for example, the UK's high-risk third country list and offshore services centres like the British Virgin Islands and Belize.

Some individuals/entities are more likely than others to be sanctioned. This can be difficult to predict, but the following may help you to consider what the risk may be:

  • Do they meet the definition of a Politically Exposed Person under the AML legislation?
  • Are they established in, or do they have significant links to, a jurisdiction with a UK sanctions regime addressing it?
  • Do they have a personal or professional relationship with a designated person, including family members?

When present alongside one of the previous risks (for example, jurisdictional), designation as an ultra-high net worth individual (i.e. investable assets of $30 million or more) should be seen as an aggravating risk factor.

  1. Transactions aimed at purchasing expensive luxury goods, such as works of art, private planes, boats, or high-end cars.
  2. Transactions for education funding, for example, via private schools or universities, with higher amounts indicating higher risk.
  3. Offering transportation/freight work, such as aviation or maritime work.
  4. Offering immigration and transactional work (these areas have consistently been reported as the most at-risk areas of legal service in terms of unwittingly encountering a designated person).
  5. Offering reputation management services, mainly linked to litigation.
  6. Charities and other entities that may be able to offer a range of services across borders and if linked to higher-risk jurisdictions.
  7. Payments are made directly to or received from a counterparty or third party.
  8. An entity has been controlled or majority-owned by a designated person. Even if divestment or sale has occurred, this can be a smokescreen where control or ownership may appear to have changed, but the designated person is still exercising control.
  9. Jurisdictions that do not have an obvious relevance to the client or matter.

As well as the above, any structure or legal arrangement that may make it more challenging to identify the individuals behind it creates a raised sanctions risk.

  • Trusts, international connections/exposure, any opaque structure, or even uncertainty around the ultimate source of funds used (for a transaction or simply for fees) all increase the risk of sanctions.
  • Crypto assets (including cryptocurrencies and non-fungible tokens) can also raise the risk of sanctions. However, it can be possible to mitigate this by doing thorough and practical research on the transaction history of the crypto assets.

In assessing the risk of non-compliance with sanctions in your firm, the SRA expects you to assess your firm against the above criteria, including having controls in place to identify each of the scenarios correctly and, wherever possible, mitigatory measures.

Where risks are identified, mitigations to consider using include:

  • Monitoring the source bank account of the client (as distinct from the source of funds) that may be used to pay, as this may create other issues, for example, whether the bank itself is sanctioned.
  • Regular coordination and exchange of expertise within the firm, for example, regular roundtables of fee earners and staff to discuss risk.
  • Reviewing the sanctions risk assessment, policies, controls and procedures to ensure they are sufficient to address the risks identified.
  • Subscribing to relevant updates, for example, OFSI or sanctions/compliance blogs.
  • Seeking independent legal advice or tailored external training on an issue.

Red flags for attempted circumvention of the sanctions regime

The list below is not exhaustive; many of these are red flags for AML purposes.

Where you encounter such a red flag, you should understand if there is a legitimate reason for the occurrence of the flag. You should also consider whether the presence of a red flag requires your firm to make a report to OFSI and/or to exit the client relationship.

Relevant red flags are:

  • Transaction is unusual, opaque, complicated or particularly large.
  • Client is aggressive or in some way resistant to applying controls.
  • There is no apparent reason for the matter, particularly for the involvement of a specific jurisdiction – this can be particularly important for trade, aeroplane and shipping sanctions given their often international scope.
  • A client or counterparty changes their name by deed poll without a reasonable explanation, such as marriage, end of a marriage or change in gender and/or sexual identity.
  • Use of newly opened accounts or entities in a transaction that does not make sense in the context of the matter.
  • Indications of sham litigation (i.e. manufactured disputes where the transfer of assets is facilitated by settlement) are present, for example:
    • The dispute is being resolved without apparent conferral between the parties.
  • Due diligence has not been renewed, and/or the client resists refreshing it.
  • Restructuring (structure, assets, name) without a clear business rationale.
  • Use of corporate vehicles to obscure ownership, source of funds and jurisdictions involved, for example, shell companies.
  • Involvement of third parties (for example, providing payments), which could hide designated persons.

While not red flags, when combined with other red flags or higher-risk indicators, the following characteristics will likely exacerbate existing risks:

  • Newly established companies.
  • Setting up trusts in the name of children and subsequent property transfer.


