A payment firm processes thousands of transactions daily. One instruction passes through. The beneficiary is not on any list. But the beneficiary's parent – a company in another jurisdiction – was designated under UK financial sanctions last quarter. The firm paid. That is an OFSI breach. The question is not whether it could have been caught. It is whether the controls were adequate to catch it.
Payment-processing controls under OFSI must do more than run names against a sanctions list. The Office of Financial Sanctions Implementation (OFSI, the UK authority responsible for financial-sanctions licensing and enforcement) expects firms to screen ownership chains, apply a designated person (an individual or entity listed under UK financial sanctions) ownership and control test, and maintain records sufficient to demonstrate compliance. As of mid-2026, OFSI's enforcement posture has sharpened, and firms that rely on first-layer screening alone are exposed.
This guide sets out the legal basis, the step-by-step controls a payment firm should have in place, the points at which OFSI diverges from OFAC and EU requirements, and the risk flags that counsel encounters most frequently in practice.
What is the legal basis for OFSI's payment-screening obligations?
OFSI derives its authority from the Sanctions and Anti-Money Laundering Act (SAMLA), supported by the thematic regulations made under it. Those regulations impose prohibitions on making funds available, directly or indirectly, to or for the benefit of a designated person. The word "indirectly" is the operative one for payment processors. A payment that passes through an undesignated intermediary but ultimately benefits a designated person is still a breach. No manual intent to circumvent is required.
Firms regulated in the UK – banks, payment institutions, electronic-money institutions, and increasingly virtual-asset service providers – are caught as a matter of domestic law. But the reach extends. A firm incorporated outside the UK may still be caught if it has a UK nexus in the transaction: a UK correspondent, a sterling leg, or a UK branch. In our experience, firms headquartered in the EU or the Gulf routinely underestimate how far the UK's nexus analysis extends when a payment touches London clearing.
OFSI's enforcement guidance makes clear that ignorance of a designation is not a defence. What matters is whether the firm had systems adequate to identify the risk. That framing – systems adequacy, not intent – shapes everything about how a payment-controls programme should be built.
The position above covers the standard case. Your facts – the counterparty, the payment route, the currency clearing point, the beneficial owner behind the payee – can change the analysis considerably. For an initial assessment of your exposure under OFSI, contact Calder & Vance at info@caldervance.com.
Step 1 – Map your payment flows and identify where screening must occur
Before a firm can design effective controls, it must know where in its payment chain a designated person could appear: as payer, payee, intermediary, beneficial owner, or a person for whose benefit a payment is made. That mapping exercise is the first step, and it is frequently skipped.
A payment-flow map should capture every point at which customer data is available: on-boarding, the payment instruction itself, the beneficiary field, any correspondent or nested institution, and any underlying trade-finance documentation. For a straightforward consumer payment, this may be simple. For a correspondent-banking arrangement or a trade-finance instruction, the chain extends well beyond the named parties on the SWIFT message.
In our cross-border practice, we regularly advise payment firms that their screening coverage has gaps at exactly the points where sanctions risk concentrates: the beneficiary's beneficial owner; the instructing correspondent's customer base; and the purpose of the payment, which can transform an otherwise permissible transaction into a "benefit" transfer. Mapping is not a one-time exercise. As payment products change and new currencies and corridors are added, the map must be updated.
Step 2 – What should an OFSI-compliant screening programme actually screen?
A compliant screening programme under OFSI screens more than the named parties on the payment instruction. It addresses the full designated-person ownership and control test, beneficial ownership, and the transaction's purpose.
The named-parties screen is the baseline. Every payment instruction should be screened against the UK Consolidated List – the authoritative record of persons designated under UK financial sanctions – before execution. The List is maintained by OFSI and updated without fixed notice. Firms must hold a current version and must not rely on cached data that may be days old.
Beneficial ownership is the layer most firms handle poorly. OFSI applies an ownership and control test: a non-listed entity is treated as a designated person if a designated person owns or controls it. Unlike OFAC's mechanical 50 percent or more aggregate-ownership rule, OFSI's test also captures control – even where ownership is below any numerical threshold. Control can arise through board composition, veto rights, or contractual arrangements. That distinction matters enormously in practice. A firm that screens only for majority ownership may miss a company where a designated person exercises control through a minority stake.
The EU position under the relevant Council Regulations uses a comparable ownership and control approach. OFAC's rule is ownership-only and numerical. Where a transaction has US, UK, and EU dimensions – which is common in correspondent banking – the strictest of the applicable tests governs.
Step 3 – How do fuzzy matching and list management affect the quality of screening?
List accuracy and matching logic are two separate problems. Both must be solved. A firm with a perfect list but a weak matching algorithm will miss designations. A firm with good matching but a stale list will miss recent additions.
OFSI designations can take effect immediately, without prior notice to the designated person. A firm that updates its screening list weekly, or that relies on a third-party data feed with a multi-day lag, operates a control with a structural gap. The update frequency should reflect the risk profile of the firm's customer base and payment corridors. For firms active in higher-risk corridors, daily updates at minimum are the standard we advise our clients to implement.
Fuzzy matching – the algorithm that catches name variants, transliterations, and aliases – is where a significant number of real misses occur. Designated persons appear in the payment instruction under a transliteration, a trade name, or a slightly altered spelling. A matching threshold set too high will produce excessive false positives; too low and it will miss genuine hits. Tuning the threshold is a calibration exercise that should be documented and reviewed regularly, not set once at go-live.
Aliasing is a particular concern. OFSI lists designated persons with their known aliases. If those aliases are not loaded into the screening system alongside the primary name, the control is incomplete. We have acted for firms where the gap between the List entry and the system's loaded data was the direct cause of a missed hit.
What is the ownership and control test under OFSI, and how does it differ from OFAC?
The ownership and control test is central to OFSI compliance, and it is the point of greatest divergence from OFAC practice. Getting it right – or wrong – often determines whether a payment firm is exposed.
Under OFSI, the prohibitions extend to entities owned or controlled by a designated person, whether or not the entity itself is listed. "Owned" means a designated person holds more than 50 percent of the shares or voting rights, directly or indirectly. "Controlled" is broader: it captures any arrangement by which a designated person can direct or significantly influence the entity's affairs. The control limb is not numerical. It is factual.
OFAC's 50 percent rule (OFAC's rule treating entities owned 50 percent or more by blocked persons as themselves blocked) operates differently. It is a mathematical test on ownership only. Control as an independent basis for treating a non-listed entity as blocked is not the same as OFSI's control limb. A company in which a designated person holds a veto right but a minority ownership stake may be caught by OFSI but not by OFAC – or vice versa. For a payment firm routing instructions between the US and UK, both analyses must run in parallel.
The EU ownership and control test is closer to OFSI's in design. But the specific guidance from OFSI, from OFAC, and from the EU institutions on applying these tests has diverged on edge cases. Where a transaction has a multi-regime footprint, the firm must apply the strictest prohibition that governs it. This is not optional. A firm that applies only OFAC's rule to a payment with a UK clearing leg is not OFSI-compliant.
Step 4 – Records, reporting, and OFSI's disclosure obligations
Once a firm identifies a hit – a payment that is or may be linked to a designated person – three parallel obligations arise: freeze the funds, report to OFSI, and keep records. The sequence matters. Reporting without freezing, or freezing without reporting, each creates its own exposure.
OFSI's reporting obligation applies when a firm knows or has reasonable cause to suspect that it holds funds or economic resources owned, held, or controlled by a designated person. The obligation to report is not contingent on certainty. Reasonable suspicion is the threshold. A firm that investigates a potential hit for weeks before reporting – while the funds remain available – is in a difficult position if OFSI later determines the report should have been made earlier.
Record-keeping under the relevant OFSI guidance requires firms to maintain records of their compliance activity. Those records need to demonstrate not just what screening was run, but how the results were analysed, who made the decision, and on what basis a payment was released or blocked. In our experience, the documentation of release decisions is the most commonly under-developed element. A firm can show OFSI that it screened; it cannot always show that the screening result was properly adjudicated.
A voluntary disclosure – where a firm proactively reports an apparent breach to OFSI before enforcement action begins – can be a significant mitigant. OFSI's enforcement guidance acknowledges the role of voluntary disclosure in its penalty assessment. If a payment has already been processed and a concern has since been identified, an early review of the disclosure position can preserve options that narrow with delay.
If a transaction has already been flagged, or a payment has been processed and the exposure identified subsequently, contact Calder & Vance at info@caldervance.com for a confidential review of your disclosure and enforcement position.
Step 5 – Cross-border payment controls: where OFSI, OFAC, and the EU diverge
Payment firms operating across the US, UK, and EU must comply simultaneously with three distinct sanctions regimes. Each has a different ownership test, a different list update process, and a different reporting architecture. Building a single control that satisfies all three is possible, but it requires the controls to be calibrated to the most demanding requirement on each dimension.
On ownership thresholds: OFAC uses 50 percent aggregate ownership as the numerical trigger. OFSI adds a control limb that is not numerical. The EU regulations use a comparable combined test. The practical implication for a payment firm is that the ownership and control analysis for any counterparty must be capable of capturing minority-stake control, not just majority ownership.
On list currency: OFAC, OFSI, and the EU each publish and update their lists independently. Designations do not always align. A person may be designated by OFSI but not by OFAC. A payment denominated in US dollars but instructed by a UK firm may attract OFAC jurisdiction through the US nexus and OFSI jurisdiction through the UK nexus. Screening against only one list is not adequate.
On reporting: OFAC's reporting obligations for blocked property differ in detail from OFSI's. The EU member states' reporting requirements vary depending on the implementing national authority. A firm with a multi-regime reporting obligation needs a clear internal protocol that maps each regulatory requirement to a named owner and a defined timeline.
Switzerland (through SECO), Australia (through DFAT), Canada (through GAC), and Singapore each operate autonomous sanctions regimes with their own list publication and enforcement processes. For firms with payment flows touching those jurisdictions, a further layer of screening is required. In our practice we regularly advise payment firms on the interaction between OFSI and these additional regimes, particularly where a designated person appears on the UK list but not on the SECO or DFAT list – or vice versa.
Risk flags in payment-processing controls: what OFSI looks for
OFSI's enforcement focus has shifted in recent years toward systemic control failures rather than individual missed payments. A firm that can demonstrate a properly designed and tested programme – even if a single payment slipped through – is in a materially better position than a firm with no documented controls at all. That distinction shapes the risk flags worth addressing first.
The most common risk flags in our experience are:
- Screening limited to named parties on the payment instruction, without coverage of beneficial owners or control relationships
- List data that is not updated promptly following new OFSI designations
- Fuzzy-matching thresholds that have not been calibrated or reviewed since the screening system was deployed
- Release-decision documentation that records the outcome but not the reasoning
- No escalation path for hits that are uncertain – the investigation is informal and undocumented
- Correspondent-banking relationships where the firm relies on the correspondent's assurance that its customer base has been screened
A common misconception among payment firms is that OFSI enforcement targets only large financial institutions. OFSI has demonstrated a willingness to act against smaller payment institutions and electronic-money businesses. Size is not a proxy for compliance priority.
A second misconception is that a de minimis transaction value reduces the regulatory risk. OFSI does not have a formal de minimis threshold equivalent to some other regimes. A low-value payment to a designated person is still a breach. The penalty may reflect the low value in mitigation, but the breach itself does not disappear.
Related practices
- Compliance audit and testing – independent review of your screening programme against OFSI and multi-regime standards
- Payment-processing controls under OFSI: advanced guide – licensing, voluntary disclosure, and enforcement defence for payment firms
- Payment-processing controls under the UN regime – how UN Security Council designations interact with domestic UK, EU, and US obligations