UK Fines Apple’s Irish Subsidiary £390k for Paying Sanctioned Russian Streaming Service
14/04/2026
On 19 March 2026, the UK’s Office of Financial Sanctions Implementation (OFSI, part of HM Treasury) imposed a £390,000 civil monetary penalty on Apple Distribution International Limited (ADI), Apple’s Irish-registered subsidiary that handles App Store and developer payments across Europe and the Middle East.
The breach involved two payments ADI instructed in June and July 2022 (total value £635,618.75) to Okko LLC, a Russian online video-streaming service. At the time:
- Okko was 100% owned by JSC New Opportunities, a Russian company that UK sanctions authorities designated on 29 June 2022 (UKSL ref RUS1489) because of its involvement in digital services previously linked to Sberbank.
- One payment was processed on the very day of designation; the second a month later.
ADI instructed the payments to be made through a UK-based bank account it controlled. It did not cancel the instructions once the designation was in force, so the funds were released to Okko. ADI voluntarily disclosed the issue (and some similar earlier payments) to OFSI on 4 October 2022. After investigation and representations, OFSI and ADI settled the case on 19 March 2026 under OFSI’s brand-new settlement framework (introduced only 10 days earlier). This was OFSI’s first-ever settlement of a monetary penalty case.
No penalty or breach finding was imposed on the US parent company, Apple Inc.
Why did this breach UK sanctions law?
Regulation 12 of the UK's Russia (Sanctions) (EU Exit) Regulations 2019 prohibits making funds (or economic resources) available, directly or indirectly, to a person who is owned or controlled by a UK-designated (sanctioned) person.
This is a strict liability offence under section 146 of the Policing and Crime Act 2017. OFSI only needs to prove the breach on the balance of probabilities; intent is not required.
Key jurisdictional hook (“UK nexus”): Even though ADI is an Irish company, OFSI treated the failure to cancel the payment instructions as conduct in the UK. UK financial sanctions apply to:
- Any conduct that takes place in the UK (including use of UK banks), and
- All UK persons, anywhere in the world.
Instructing and not cancelling a payment via a UK bank account counts as UK conduct. This is the same principle that allows OFSI to reach foreign firms that merely touch the UK financial system.
Why ADI got it wrong (according to OFSI):
- Its sanctions screening for Russian app developers was too weak: it relied on self-certification by developers plus third-party due diligence providers.
- It did not proactively ask for up-to-date beneficial ownership information.
- It missed the ownership change of Okko (public press articles existed but were not picked up by ADI or its providers).
- Russia sanctions were a high strategic priority in 2022, so the risk was foreseeable.
Penalty calculation
- Total breach value: £635,618.75 → statutory maximum £1 m.
- OFSI’s baseline assessment: £600,000 (serious but not “most serious” case).
- 35% discount for voluntary disclosure + early settlement → final penalty £390,000.
Consequences for ADI / Apple and for other jurisdictions (including Jersey)
For ADI/Apple
- Reputational hit and a six-figure fine (third-largest civil penalty OFSI has ever issued).
- But the voluntary disclosure and quick remediation (external due diligence, tighter onboarding checks for Russian developers, etc.) significantly reduced the amount.
- Apple publicly stated it takes sanctions compliance “extremely seriously” and proactively reported the issue.
Broader lessons OFSI itself highlighted (these are now official compliance guidance):
- UK nexus is real and wide: any non-UK company using UK banks or financial infrastructure must comply with UK sanctions.
- Due diligence must be risk-based and proactive, especially on ownership/control in high-risk jurisdictions like Russia. Third-party tools are helpful, but they are not a defence if they are incomplete.
- Voluntary disclosure and cooperation are strongly rewarded (discounts + settlement route).
- Firms bear ultimate responsibility; you cannot fully outsource compliance.
Specific implications for Jersey (and similar jurisdictions)
Jersey (a Crown Dependency and major international financial centre) aligns its sanctions regime almost exactly with the UK. It implements UK Russia sanctions (and all other UK autonomous sanctions) directly through the Sanctions and Asset-Freezing (Jersey) Law 2019 (SAFL) and related orders. It uses the same UK Consolidated List of designated persons.
Key differences in enforcement
- Jersey does not have OFSI-style civil monetary penalties for sanctions breaches. Breaches are generally criminal and prosecuted through the Royal Court (fines and/or up to 7 years’ imprisonment).
- However, the Jersey Financial Services Commission (JFSC) can still impose civil penalties on regulated persons for related AML/compliance failings.
Why this UK case matters in Jersey
- The “UK nexus” principle applies equally in Jersey: if a Jersey entity, bank, or trust uses UK (or Jersey) financial infrastructure, or if a Jersey person is involved, Jersey authorities can (and do) enforce.
- Jersey regulators and compliance professionals have already flagged this exact case as a “beware the UK nexus” warning. Any company or payment processor operating in or through Jersey that touches high-risk jurisdictions (e.g., Russia) must now double-check its beneficial ownership screening and cancellation procedures.
- Expect heightened scrutiny by Jersey’s Economic Crime and Confiscation Unit and JFSC on similar App Store/developer/streaming payments routed through Jersey structures.
- Multinationals with Jersey subsidiaries or banking relationships will likely review their global sanctions programmes to make sure they meet the standard OFSI just enforced against Apple Ireland.
In short:
- This is a clear signal from UK authorities (and by extension, aligned regimes like Jersey) that using any part of the UK or UK-aligned financial system brings you under UK sanctions rules, even if you are based in Ireland, the US, or anywhere else.
- The penalty is not enormous for a company the size of Apple, but the precedent and compliance lessons are significant.