Calder & Vance International Sanctions & Compliance Counsel

Enforcement & Investigations · OFSI

OFSI vs EU: Voluntary self-disclosure: the key divergences

A payment firm operating between London and a European hub processes a routine transaction. Three days later, the compliance team identifies a potential match against a designated counterparty. The transaction may have moved funds that were subject to a financial-sanctions prohibition. What happens next – and under which regime – determines whether the firm faces a significant civil penalty, a reduced settlement, or a finding that the self-reporting itself demonstrates adequate controls.

As of March 2026, voluntary self-disclosure (the proactive reporting of a potential sanctions breach to the relevant authority before that authority discovers it independently) operates under two distinct regimes in the United Kingdom and the European Union. Under OFSI, disclosure is a codified mitigation factor with a published reduction criterion. Under the EU regime, the position is administered at Member State level, producing material divergence across jurisdictions. The practical consequence for a cross-border business is that the same underlying act may be handled very differently depending on which authority takes the lead.

This analysis maps the two regimes criterion by criterion – the legal basis, the procedure, the mitigation effect, the reporting window, and the strategic risks – and closes with the questions a compliance officer or General Counsel should ask before filing either disclosure.

What is the legal basis for voluntary self-disclosure under each regime?

Under OFSI, the authority to receive and act on voluntary disclosures derives from the Sanctions and Anti-Money Laundering Act 2018 and the OFSI enforcement guidance issued under it. OFSI's published enforcement guidance sets out that a voluntary self-disclosure – a proactive, unsolicited report made before OFSI opens its own investigation – is one of the factors it weighs when determining monetary penalty. The guidance distinguishes between a report made before OFSI becomes aware and one made after OFSI has begun inquiring. Only the former is treated as voluntary for the purpose of mitigation.

The EU position is more diffuse. EU Council regulations create the primary prohibitions, but enforcement is a Member State competency. Each Member State designates its own competent authority and sets its own administrative and criminal enforcement procedures. There is no single EU-wide voluntary self-disclosure standard equivalent to the OFSI guidance. What exists at EU level is a general principle that cooperation with the competent authority and proactive remediation are relevant to penalty, but the weight given to each element varies substantially between, for example, the Netherlands, Germany, and France.

For a business with a UK nexus and EU operations, this structural difference is the first and most consequential divergence. Filing under OFSI does not discharge any obligation that may arise under the relevant Member State regime, and vice versa.

How does the OFSI voluntary self-disclosure procedure work in practice?

The OFSI disclosure procedure requires the reporting entity to submit a written report to OFSI identifying the apparent breach, the parties involved, the goods or funds affected, and the steps taken to contain and remediate. OFSI's enforcement guidance frames the voluntary report as an aggravating or mitigating factor within a penalty calculation, not as an immunity or safe harbour. Disclosure does not prevent OFSI from opening a full investigation, and it does not guarantee a reduced penalty.

In our experience, the quality of the disclosure document matters considerably. A report that is factually complete, identifies the root cause, and demonstrates remediation already under way is treated differently from one that is terse or speculative. OFSI retains discretion over the weight it gives to any disclosure, and that discretion is exercised against the full picture of the breach – its nature, duration, the sophistication of the respondent, and the systemic risk it created.

There is a timing element that practitioners must manage carefully. OFSI's guidance draws a distinction between a disclosure made promptly and one made after a significant delay. The guidance does not state a rigid window in calendar days, but the principle is clear: the earlier the disclosure, the stronger the mitigation argument. A disclosure made only after the firm has received a third-party query, a regulator's letter, or press contact risks being characterised as reactive rather than voluntary. Has your compliance team set an internal escalation deadline for apparent-breach identification?

A further procedural point: OFSI expects the disclosing entity to have conducted at least a preliminary internal review before filing. Filing a report that says only "we are not yet sure whether a breach occurred" provides little mitigation and may invite OFSI to open its own investigation without the benefit of a clear factual picture.

How does the EU voluntary self-disclosure procedure compare?

Because enforcement is decentralised across Member States, the EU disclosure procedure is best understood as a patchwork rather than a single system. In jurisdictions with a formalised written-disclosure mechanism, the procedural expectations broadly resemble OFSI's: identify the breach, describe the circumstances, confirm remediation. In jurisdictions that rely primarily on criminal prosecution for sanctions violations, the concept of a pre-emptive civil self-disclosure is less developed, and the strategic calculus differs markedly.

Several Member States have adopted guidance or practice notes indicating that proactive cooperation with the competent authority reduces the administrative penalty. Others treat proactive disclosure primarily as a factor in prosecutorial discretion – relevant to whether a criminal referral is made, not to the quantum of a penalty. The distinction matters to a cross-border business because the risk profile of disclosure in a criminal-enforcement jurisdiction differs substantially from that in a purely administrative one. In a criminal-enforcement jurisdiction, a written admission submitted as a voluntary disclosure can in principle be used as evidence in subsequent proceedings.

We regularly advise clients with EU operations to map the enforcement posture of each Member State competent authority before filing any disclosure. The answer to "should we disclose?" is not the same in every EU capital. The answer to "how should we disclose?" varies even more.

One element that is consistent across the EU is the interaction with the EU General Court and the Court of Justice. Where a business seeks to challenge a designation or a penalty decision, the procedural history – including any voluntary disclosure – forms part of the record before the Court. A disclosure that was well-structured and timely supports the narrative of a good-faith actor; a disclosure that was delayed or incomplete can undercut it.

What is the mitigation effect of voluntary self-disclosure under each regime?

Under OFSI, the enforcement guidance explicitly recognises that a genuine voluntary self-disclosure is a factor that can reduce the penalty. OFSI's published position is that a voluntary disclosure, made before OFSI is aware of the breach, is a significant mitigating factor. The guidance does not state a fixed percentage reduction – and businesses that expect a formulaic discount often find the reality more fact-specific – but the practical effect of a well-constructed disclosure, combined with a cooperative posture throughout the investigation, can be material.

Contrast this with the US regime. Under OFAC, the relevant guidance indicates that a voluntary self-disclosure of an apparent violation can reduce the base penalty by a significant proportion where the disclosure is the first time OFAC becomes aware. That figure is expressly referenced in OFAC's enforcement guidelines and provides a more predictable mitigation anchor than OFSI's discretionary approach. For a business exposed to both OFAC and OFSI – a common position for banks and payment firms – the asymmetry between a more rule-bound US discount and OFSI's discretionary mitigation requires careful calibration of the joint disclosure strategy.

At EU level, the mitigation effect of disclosure is, as noted, Member State-specific. In administrative-enforcement jurisdictions that have issued guidance, a voluntary disclosure in advance of investigation can achieve reductions broadly comparable to OFSI's published position. In jurisdictions without formal guidance, the effect is determined by the competent authority's internal practice and is less predictable. This unpredictability is itself a strategic variable: a business disclosing to multiple EU authorities simultaneously must accept that the same disclosure will be received and weighted differently in each jurisdiction.

The cross-border overlay is critical. Where a matter triggers OFSI jurisdiction and the jurisdiction of one or more EU Member State authorities, the disclosing entity should not assume that filing in London satisfies its obligation in Brussels, Paris, or Frankfurt. Each authority administers its own regime. Coordination between jurisdictions is limited in practice, even when the underlying breach is the same transaction.

What are the principal risk flags for a cross-border voluntary self-disclosure?

The first risk is the asymmetric-record problem. A voluntary disclosure is a formal written statement. Once filed, it cannot be withdrawn. If the internal investigation is incomplete at the time of filing, the disclosure may contain inaccuracies or omissions that the authority later uses to question the firm's credibility or the adequacy of its controls. The solution is a structured pre-disclosure review – scope the facts carefully before submitting.

The second risk is concurrent exposure. A breach that touches both OFSI and an EU competent authority may also trigger OFAC jurisdiction if the transaction involved US-dollar clearing, US-origin goods, or a US-person counterparty. In our practice, we have acted for businesses that identified an OFSI disclosure obligation and then, on closer examination, found that the same transaction also carried potential OFAC exposure. The filing strategies under OFSI and OFAC are not identical. A disclosure document optimised for OFSI may not serve the same function before OFAC, and the timing of the two disclosures requires coordination.

The third risk is the use of disclosure evidence in related proceedings. In some EU Member States, the voluntary disclosure document may be discoverable in civil litigation brought by a counterparty or affected third party. In the UK, privilege considerations and the use of disclosure materials in regulatory proceedings require careful structuring from the outset. Treating the disclosure document as a purely regulatory filing, without considering its broader evidentiary footprint, is a common error.

A fourth risk is internal remediation timing. Disclosing before remediation is complete can extend the investigation because OFSI or the Member State authority may require updates as the remediation progresses. Disclosing after remediation is complete allows the entity to present a finished account, but delay risks the "voluntary" character of the disclosure. The balance depends on the specific facts, the estimated investigation timeline, and the remediation's complexity.

Do your compliance procedures include a decision protocol for when an apparent breach escalates to a disclosure recommendation, and who owns that decision at board level?

How do the two regimes treat repeat disclosures and systemic failures?

OFSI's enforcement guidance addresses the question of repeat breaches and systemic failures expressly. A single isolated breach disclosed promptly, with root-cause analysis and demonstrated remediation, is treated differently from a pattern of similar breaches indicating that the firm's screening or controls programme is structurally deficient. A second disclosure within a short period – even if both are technically "voluntary" – may signal to OFSI that the compliance programme has not been corrected, which can reduce or eliminate the mitigation benefit of the disclosure itself.

Under the EU regime, the treatment of repeat disclosures follows a similar logic at the Member State level, but the monitoring of repeat breaches across jurisdictions is not systematically coordinated. A firm that has disclosed a breach to a Dutch competent authority is not automatically flagged to the French competent authority if a separate breach arises there. In practice, however, major financial institutions operate in a supervisory environment where their overall compliance posture is known to regulators. A pattern of disclosures across jurisdictions, even if each individual disclosure is well-managed, can affect the supervisory relationship more broadly.

In our cross-border practice, we advise clients to track all disclosures – to OFSI, to EU Member State authorities, and to OFAC – in a single register, with the remediation status of each breach recorded. This not only supports the next disclosure, if one is required, but demonstrates to any authority reviewing the overall compliance picture that the firm has managed its exposure systematically.

A common misconception: voluntary self-disclosure is an automatic amnesty

A frequently held belief among in-house compliance teams is that filing a voluntary self-disclosure effectively closes the matter or guarantees a penalty that is substantially below the maximum. This is not how either OFSI or the EU Member State regimes operate.

OFSI is explicit that a voluntary disclosure is one factor among several. The nature of the breach, its duration, the sophistication of the disclosing entity, the harm caused or risked, and the quality of remediation all affect the outcome. A voluntary disclosure made by a large financial institution in respect of a systematic control failure will not produce the same result as one made by a small trading company in respect of an isolated error – even if both are filed promptly and completely.

At EU level, some Member State authorities are empowered to take no further action on a self-disclosed breach in low-severity cases, which can create the impression of an amnesty. However, that outcome is a discretionary exercise, not a right. The conditions under which it is exercised are not always published, and they differ between jurisdictions. Relying on a "no action" outcome without having legal counsel assess the specific facts in the specific jurisdiction is a significant risk.

The correct framing is this: a voluntary self-disclosure, properly structured and timed, is the best available tool for managing a sanctions enforcement risk. It is not a guarantee of any particular outcome. Proceeding on the basis that it is may lead to a disclosure that is less rigorous than it should be – which achieves the opposite of the intended effect.

Related practices

Frequently asked questions

Where do the regimes diverge on voluntary self-disclosure?
The most significant divergence is structural: OFSI operates a single, national regime with published enforcement guidance that codifies the mitigation value of disclosure. The EU has no equivalent single-authority mechanism. Enforcement is conducted by each Member State's competent authority under its own procedures, producing material variation in the weight given to a voluntary disclosure, the format required, the timing expectations, and whether disclosure is treated as a factor in a civil penalty or in prosecutorial discretion for criminal enforcement. A business exposed to both regimes must manage two distinct disclosure strategies simultaneously.
Which regime is stricter on voluntary self-disclosure?
Neither regime is straightforwardly stricter. OFSI's approach is more transparent – the mitigation factor is published – but remains discretionary and can be reduced where the breach is serious or systemic. Certain EU Member State regimes, particularly those with active criminal-enforcement postures, impose greater procedural risk on the act of disclosure itself, because a written admission may carry evidential weight in criminal proceedings. The strictness of the EU regime depends substantially on which Member State competent authority has jurisdiction. A business cannot assess relative strictness without first identifying which authority – or authorities – will receive the disclosure.
What should a cross-border business do about voluntary self-disclosure?
A cross-border business that identifies a potential sanctions breach should, as an immediate step, scope the jurisdictional reach: which regimes are triggered, and which authorities are competent? That scoping exercise determines both the filing obligation and the sequence. Legal advice should be obtained before any disclosure is filed, because the disclosure document itself creates a formal record with consequences that extend beyond the immediate regulatory response. For businesses with concurrent OFSI and EU exposure – and potential OFAC jurisdiction where US-dollar clearing or US-person involvement is present – a coordinated multi-regime disclosure strategy is the appropriate standard.

Talk to Caldervance

For a scoped view of your exposure, contact info@caldervance.com.

Discuss your matter

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@caldervance.com.