UK Cracks Down on Cyber Sanctions: OFSI Launches First Investigations into Financial Firms' Violations

In a significant escalation of enforcement efforts, HM Treasury's Office of Financial Sanctions Implementation (OFSI) has revealed it is probing up to five potential breaches of the UK's cyber sanctions regime.

This marks the first such investigations since the framework was established over five years ago, sending shockwaves through the financial services sector.

A Milestone in Cyber Sanctions Enforcement

• The disclosures, obtained through a Freedom of Information (FOI) request under the Freedom of Information Act 2000, highlight a pivotal shift from theoretical deterrence to active regulatory action.
• All suspected violations involve financial services firms, underscoring the sector's vulnerability to increasingly sophisticated cyber threats.
• The UK's Cyber (Sanctions) (EU Exit) Regulations 2020 target individuals and entities engaged in malicious cyber activities, applying across the UK and to all UK persons overseas.
• To date, no breaches have been publicly identified, raising questions about the regime's effectiveness.
• Law firm Mishcon de Reya noted that this absence of enforcement may have stemmed from limited detection tools rather than a lack of violations.
• OFSI attributes its ability to uncover these cases to improved monitoring, including advanced cryptocurrency-tracing tools and expanded data analytics. These innovations have empowered regulators to spot previously undetectable infractions, particularly in complex payment chains and digital transactions.
• Officials have declined to provide specifics on the cases or confirm the exact number, citing the risk of compromising ongoing and future investigations.

Data from 2025

• However, insights from broader sanctions data suggest a focus on Russia-linked activities:
• In 2025,
• OFSI recorded 394 suspected breaches across all sanctions programs,
• with 83.5% (329 cases) related to Russian sanctions.
• Financial services firms accounted for 36% of total suspicions,
• totalling 142 cases.

Severe Penalties and Regulatory Risks

• Non-compliance with the cyber sanctions regime carries heavy consequences. Financial institutions could face:
• Civil Penalties: Fines up to £1 million or 50% of the breach value, whichever is greater.
• Criminal Sanctions: Unlimited fines and up to seven years' imprisonment for executives.
• Beyond OFSI's powers, the Financial Conduct Authority (FCA) can impose additional measures, including fines, mandatory remediation, or the withdrawal of regulatory permissions.
• To date, no warning letters, monetary penalties, or criminal referrals have been issued in these cyber-specific cases. Yet, the mere initiation of investigations signals a new era of scrutiny.

Implications for Financial Firms and Ransomware Victims

• This development serves as a wake-up call for the industry. Mishcon de Reya advises firms to reassess their compliance infrastructure, with a focus on urgently:
• Strengthening sanctions screening for intricate payment networks, cryptocurrency dealings, and ransomware-related exposures.
• Implementing robust due diligence frameworks to identify sanctioned cyber threat actors.
• Reviewing internal reporting mechanisms and conducting risk assessments around potential ransomware scenarios.
• Organisations grappling with cyber-attacks, especially ransomware, face acute legal perils.
• The regime prohibits making funds or economic resources—including cryptocurrencies—available to designated persons, directly or indirectly. Paying a ransom to sanctioned cybercriminals is a serious offence, even if the payer is unaware of the designation.
• Currently, the UK's cyber sanctions list includes 95 entries: 82 individuals and 13 organisations, many of which are linked to state-sponsored or criminal cyber operations.

Looking Ahead: A Call for Vigilance

• As cyber threats evolve, so too must compliance strategies. These investigations underscore the UK's commitment to combating malicious cyber activities through financial levers. Financial services firms should act swiftly to strengthen their defences to avoid becoming the next target of regulatory enforcement.
• This revelation not only boosts the credibility of the sanctions regime but also emphasises the intersection of cybersecurity and financial regulation in safeguarding national interests.  

Sources

• Mishcon de Reya = https://www.mishcon.com/news/ofsi-investigates-first-cyber-sanctions-breaches-after-five-years-of-dormancy
• OFSI (blog) = https://ofsi.blog.gov.uk/2026/01/28/ofsi-and-partners-clamp-down-on-the-abuse-of-cryptoassets/
• OFSI (Cryptoassets Threat Assessment report, PDF) https://assets.publishing.service.gov.uk/media/687e6362791bb4d8c309a06e/OFSI_Cryptoassets_Threat_Assessment.pdf
• STEP UK News Digest, 2 February 2026: UK’s maximum penalties for breaching financial sanctions to rise to GBP2 million https://www.step.org/industry-news/uks-maximum-penalties-breaching-financial-sanctions-rise-gbp2-million