A multinational headquartered in the United Kingdom runs trade through Australia, the United States, and three EU member states. Its compliance team operates a single global screening programme built around OFAC's five-pillar framework. A routine internal review reveals that the programme has never been mapped against OFSI's published expectations. The gap is not theoretical: OFSI now publishes an annual review of financial sanctions implementation and has issued monetary penalties running into tens of millions of pounds. Which standard governs? Where do the regimes align, and where does the divergence create real legal risk?
Sanctions compliance programmes under OFSI are governed by the Sanctions and Anti-Money Laundering Act and OFSI's own enforcement and implementation guidance. OFSI expects a risk-based programme with senior ownership, adequate resources, ongoing screening, and a clear breach-reporting function. That model shares architecture with the OFAC five-pillar standard and the EU's sector-specific expectations – but the divergences on ownership and control tests, reporting timelines, and the treatment of knowledge and intent mean that a programme built for one regime does not automatically satisfy another.
This analysis maps OFSI's programme requirements against OFAC and the EU standard, identifies the points of genuine divergence, and sets out the practical steps a cross-border business should take to close the gaps.
What does OFSI require from a sanctions compliance programme?
OFSI's core expectation is a risk-based compliance programme proportionate to an organisation's exposure – not a one-size document, but a functioning internal control. The legal basis sits in the Sanctions and Anti-Money Laundering Act, which gives OFSI the authority to impose civil monetary penalties and to publish its enforcement decisions. OFSI's implementation and enforcement guidance sets out the factors it weighs when assessing a suspected breach, and those factors map directly onto the building blocks of an effective compliance programme.
OFSI identifies several components it consistently considers relevant. There must be a named senior individual with responsibility for financial sanctions. Policies and procedures must be written, current, and operational – not archived. Staff who interact with counterparties, payments, or financial instruments must receive training calibrated to their role. Screening must be systematic and must cover not just direct counterparties but also ownership and control chains. Records must be maintained in a form that allows OFSI to reconstruct a decision after the fact.
What distinguishes OFSI's approach from a purely rule-based model is the weight it places on knowledge. OFSI can impose a civil penalty where a person knew or had reasonable cause to suspect that a transaction involved a designated person. That knowledge element means a compliance programme must do more than prevent prohibited transactions – it must create and preserve evidence of the enquiries made and the conclusions reached. In our experience, that evidentiary function is the element most often underweighted by businesses whose programmes were built around a screening-pass / screening-fail binary.
How does the OFAC five-pillar standard compare?
OFAC's framework, set out in its published compliance commitments guidance, identifies five essential components of an effective sanctions compliance programme: management commitment, risk assessment, internal controls, testing and auditing, and training. That structure is well known, widely adopted, and forms the baseline expectation for US persons and for non-US businesses with US nexus. The overlap with OFSI's expectations is substantial – both require senior ownership, written controls, and systematic screening. The differences, however, are consequential.
The first divergence is on the ownership test. Under OFAC, an entity is treated as blocked when one or more Specially Designated Nationals own it 50 percent or more in the aggregate. The test is mechanical and does not depend on whether the blocked person exercises control. OFSI applies an ownership-and-control test: a person subject to an asset freeze under the relevant UK thematic regulations is treated as caught if a designated person owns or controls it. Control can be established through means other than majority ownership – through board composition, contractual rights, or the ability to direct activities. A compliance programme that screens only for the OFAC 50 percent threshold will miss entities that OFSI treats as within scope. That is a gap that creates direct liability exposure for UK-nexus transactions.
The second divergence is on voluntary disclosure. Under OFAC, a voluntary self-disclosure (VSD) – a proactive report of a potential violation before the regulator identifies it – is a significant mitigating factor in the penalty calculation. OFAC's framework distinguishes egregious from non-egregious cases and adjusts the penalty base accordingly. OFSI has a mandatory reporting obligation: once a person knows or suspects that they hold funds or economic resources belonging to, or held for or on behalf of, a designated person, they must report to OFSI. That obligation is not optional and is not triggered by the strength of the suspicion – reasonable cause to suspect is sufficient. A compliance programme must therefore include a clear internal escalation and external reporting path, not simply a decision tree for whether to approach the regulator voluntarily.
The third divergence is on record-keeping. Both regimes require businesses to maintain records, but the applicable periods and triggers differ by regime and by the type of activity. A programme built on a single record-keeping standard calibrated to the shorter period in any one regime will be non-compliant in at least one other jurisdiction. The safer design is to apply the most demanding standard across the board – a point we return to below.
The position above covers the standard structural case. Your organisation's specific counterparty exposure, the sectors and geographies involved, and the financial instruments in use will all shift the analysis. For an initial assessment of how your current programme maps against OFSI's expectations and those of the other regimes in scope, contact Calder & Vance at info@caldervance.com.
Where does the EU standard sit in the comparison?
The EU sanctions regime operates through directly applicable Council regulations, which impose obligations on persons within the EU's jurisdiction – including non-EU businesses transacting through the EU financial system or within EU territory. The EU does not publish a single consolidated compliance programme framework equivalent to OFAC's five-pillar guidance. Instead, programme expectations emerge from the regulations themselves, from sector-specific supervisory guidance issued by national competent authorities, and from the EU's anti-money-laundering rules, which increasingly intersect with sanctions obligations.
The EU ownership-and-control test tracks the OFSI model rather than the OFAC mechanical threshold. An entity owned or controlled by a designated person is caught even if the designated person's direct holding falls below a majority. The EU's position is that a designated person who effectively controls an entity – whether through voting rights, contractual arrangements, or other means – renders the assets of that entity subject to the freeze. Practitioners advising on EU matters frequently encounter transactions where the OFAC screen produces a clean result but the EU and OFSI analyses identify a control relationship that requires further work.
One feature of EU programme design that differs from both OFAC and OFSI is the role of the EU Blocking Regulation. Where the relevant Council regulation or EU decision conflicts with a non-EU sanctions measure, EU persons may be subject to obligations that prevent compliance with that non-EU measure. A multinational operating under US, UK, and EU authority simultaneously must map these conflicts explicitly in its programme. Failing to do so creates a position where compliance with one regime is structurally non-compliant with another – a risk that cannot be resolved by a single-regime programme design.
What does a cross-regime programme look like in practice?
A cross-regime sanctions compliance programme that satisfies OFSI, OFAC, and EU expectations simultaneously requires a deliberate design choice at each point of structural divergence. The programme cannot be built by taking the lowest common denominator from each regime. Where the regimes diverge, the stricter obligation governs the programme design – with documented rationale for any jurisdiction-specific carve-out that reflects a genuine, legally supported difference.
In a recent matter, a financial-services business operating across UK, EU, and US markets had built its screening programme around the OFAC 50 percent ownership threshold. An internal review triggered by a correspondent banking query identified three counterparties that fell outside the OFAC screen but within the OFSI and EU control tests. We assessed the ownership and control chains, produced a written analysis for the compliance committee, and redesigned the screening logic to capture control relationships as well as majority ownership. The matter illustrated a pattern we see regularly: the OFAC framework is thorough and well-documented, but its mechanical ownership test creates a blind spot for the control-based analyses required under OFSI and EU rules.
The practical structure of a cross-regime programme typically covers the following elements.
- Governance and senior ownership: a named individual accountable to the board, with documented authority to halt transactions and to escalate to external counsel. Both OFSI and OFAC treat the absence of senior commitment as an aggravating factor in enforcement.
- Risk assessment: a documented assessment of the business's exposure by regime, by counterparty type, by geography, and by product or instrument. The risk assessment drives the calibration of every other element.
- Screening logic and lists: systematic screening against the SDN List (OFAC's list of Specially Designated Nationals and blocked persons), the UK Consolidated List, and the EU Consolidated List, with automated or manual aggregation across directly listed entities, entities caught by the 50 percent rule, and entities caught by the OFSI / EU control test.
- Knowledge and suspicion protocols: a documented internal process for recording the enquiries made when a screening alert is raised, the analysis conducted, and the conclusion reached – so that the organisation can demonstrate to OFSI the basis for any decision not to report.
- Reporting path: a clear escalation route for OFSI's mandatory reporting obligation, including a defined time standard consistent with the reporting window under the applicable rules.
- Testing and audit: periodic testing of screening logic, sample-based review of decisions, and external testing where the internal function lacks independence. OFAC's framework treats testing as an independent pillar; OFSI's enforcement guidance treats the absence of testing as a programme weakness.
- Training: role-based training that covers the ownership and control tests under each regime in scope, not just the most widely known OFAC standard.
- Record-keeping: retention policies calibrated to the most demanding requirement across all regimes in scope, with records maintained in a retrievable form.
If a transaction has already been flagged, or a reporting question has arisen and the clock is running, an early review by specialist counsel can preserve options that narrow significantly with time. Contact Calder & Vance at info@caldervance.com for a confidential review.
What are the principal risk flags for cross-border businesses?
The risk flags most commonly encountered in cross-border sanctions compliance work divide into structural weaknesses and transactional blind spots. Both categories generate exposure; the structural weaknesses tend to produce the larger and more systemic enforcement risk.
Structural weaknesses include: a programme that has not been reviewed since its initial implementation and has not been updated to reflect programme changes at OFSI, OFAC, or the EU; a screening function that operates in a single jurisdiction without a mechanism for mapping results from one regime onto the obligations of another; a governance model in which sanctions is treated as an operational compliance matter rather than a senior risk with board visibility; and a training programme that covers the OFAC standard in detail but provides only summary coverage of the OFSI ownership-and-control test and the EU control-based analysis.
Transactional blind spots include: intermediate entities in a payment chain that are not themselves direct counterparties but that carry a designated beneficial owner; financial instruments – bonds, notes, or trade-finance instruments – where the issuer or the underlying obligor is within scope but the product is not caught by a straightforward name-screen; and correspondent relationships where the originating institution's screening standards differ from the receiving institution's obligations. A cross-border programme must address each of these categories explicitly.
There is a persistent myth that a programme designed to satisfy the OFAC standard will, by extension, satisfy OFSI and the EU. That is incorrect. The OFAC framework is well-structured and rigorous, but its mechanical ownership test and its voluntary rather than mandatory disclosure posture differ in ways that matter under OFSI. A business that relies on OFAC-only compliance for its OFSI obligations is exposed to a penalty calculation that will not give credit for an OFAC-compliant programme if the OFSI-specific elements are absent. We regularly advise businesses transitioning from an OFAC-centric to a multi-regime programme design, and the adjustments required are consistently more substantial than anticipated.
When and how should a business engage external sanctions counsel?
External sanctions counsel adds most value at two points: at the design or re-design stage of a programme, and when a potential breach or reporting question has arisen. In both cases, the engagement produces a documented record of professional advice received – a factor that OFSI, OFAC, and EU authorities treat as relevant to the penalty analysis where a violation is identified.
At the design stage, external counsel can map the organisation's actual exposure across regimes, test the existing screening logic against the control-based tests under OFSI and EU rules, and produce a gap analysis against each regime's published programme expectations. That work produces a structured remediation plan – not a theoretical benchmark, but a prioritised set of changes calibrated to the specific risk profile of the business.
When a potential breach has arisen, the calculus is different and more urgent. OFSI's mandatory reporting obligation requires action once there is knowledge or reasonable cause to suspect. The programme must have a defined response – who assesses the alert, who makes the reporting decision, who communicates with OFSI, and who preserves the records that document the process. External counsel supports each of those steps and can also assess whether voluntary disclosure to OFAC or notification to the relevant EU authority is warranted in parallel, given the cross-regime reach of many transactions.
Our practice assists at both stages. We assess eligibility, prepare and manage the submission to OFSI, and advise on parallel obligations under OFAC and EU rules where the transaction has multi-regime exposure. We also test the screening logic, map ownership and control across the relevant corporate structures, and redesign the programme to meet the applicable standards across all regimes in scope.
Related practices
- Sanctions compliance audit and testing – Australia – independent testing of screening logic and programme design under the Australian autonomous sanctions regime.
- Sanctions compliance programmes under the UN regime – analysis of the UN Consolidated List obligations and how they interact with national programme requirements.
- Counterparty due diligence under the Australian sanctions regime – how the Australian DFAT regime applies the ownership and control test in cross-border due diligence.