OFSI Annual Review 2024–25: Preparing for the UK Sanctions List Transition
Strategic context & evolving expectations
OFSI’s Annual Review for 2024-25 (published 15 October 2025) reaffirms the aim of UK autonomous sanction regimes: ‘UK financial sanctions must remain targeted, impactful and credible, while enabling legitimate business to operate with certainty’.
The report structures OFSI’s priorities under three pillars:
Compliance – emphasising clarity of guidance, outreach and engagement.
Capability – increasing internal capacity, data/analytics, system improvements.
Enforcement & deterrence – signalling that delays or weaknesses in sanctions controls will attract regulatory scrutiny.
A key development: the UK is moving toward a single consolidated list for all UK sanctions designations — shifting from the OFSI list to the unified UK Sanctions List (UKSL) by 28 January 2026. Firms are advised to start adapting their sanction compliance systems now and not wait until the UKSL launch date.
The broader regulatory ecosystem is evolving: e.g. increased funding for economic deterrence, establishment of the Office of Trade Sanctions Implementation (OTSI) to cover trade-sanctions enforcement, and enhanced cross-agency cooperation.
What this means for firms
Sanctions compliance is now more than a legal checklist; it is an operational, systems-wide and governance issue. Firms need to ensure their frameworks are “future-proofed” for expanded scope, transitions (introductions of the UKSL) and higher regulatory expectations.
Key developments & business implications
Here are the major areas highlighted in the Review with specific business implications:
Guidance, sectors & outreach
OFSI emphasises that it has expanded guidance and FAQs to help businesses understand obligations, including in non-traditional sectors.
Sectors flagged: art market/high-value dealers, cryptoassets, real estate/letting agents, insolvency practitioners, supply-chain intermediaries.
Implication: If your business participates in or supports these “new-focus” sectors, you must review whether you fall into the scope of “relevant firms” and ensure your risk-assessment, policies and training reflect sector-specific typologies.
Licence, exceptions, reporting & list transitions
The Annual Review reminds firms of the annual frozen-asset snapshot requirement (for funds or economic resources held/controlled for designated persons) as at 30 September each year.
The upcoming shift to the UKSL means that screening systems and vendor/supplier tools must transition, and identifiers (e.g., OFSI Group ID) will change.
What this means for firms
Firms should check that licence/exception workflows are current, that responsible persons are appointed for reporting, and that screening/system architecture is transitioning toward the UKSL. Internal processes need to reflect not just “do we licence?” but “are we ready for list-transitions, and can our systems handle the change?”
Enforcement, investigations, and key risk-areas
The Review records that OFSI handled 394 suspected breach cases in 2024-25, and had 240 active investigations as of April 2025.
A notable enforcement action: In July, OFSI fined Markom Management Limited £300,000 for sanctions breaches, demonstrating its commitment to strong enforcement. In September, it issued a Disclosure Notice to Vanquis Bank Limited for allowing a designated person access to funds for eight days. Separately, the NCA achieved its first convictions for violating Russia-related sanctions. Together, these actions highlight the government’s determination to enforce compliance and deter future breaches.
OFSI has published a consultation document proposing changes to its enforcement processes, including potential introduction of a settlement scheme and higher penalty maxima. This consultation closed on 13 October 2025, OFSI are currently analysing the feedback they received.
What this means for firms
Firms must ensure timely screening, freezing, and reporting. Delays or dependencies on third parties are explicitly highlighted as risks. Firms should also be ready and prepared for heightened penalties as a consequence of OFSI’s consultation on changes to the Office of Financial Sanctions Implementation’s civil enforcement processes for financial sanctions and the oil price cap. Self-disclosure remains beneficial but cannot substitute robust systems.
Supply-chain, circumvention & global cooperation
The Review underlines increased focus on circumvention typologies (use of proxies, indirect flows, opaque structures) and stronger international cooperation in enforcement.
The weekly sanctions update of September/October 2025 notes UK Government re-imposed 121 Iran (Nuclear) regime designations (1 October 2025) and issued several general licences under the Iran regime.
What this means for firms
If your business has international operations or supply-chain exposure, you must assess indirect sanctions-risk (third-party intermediaries, sub-contractors, layered corporate structures). Contractual terms, vendor due-diligence, transparency of ownership and origin become key controls.
Practical action checklist for firms
Here’s a practical list of actions you should consider implementing now, in light of the updated Review:
Key risk-areas emphasised by OFSI
From the updated Review and accompanying announcements, the top-risk areas for firms are:
Delay in freezing accounts/functions of designated persons — firms are being specifically flagged for delays (even of just days) in acting on alerts or designations.
Over-reliance on third-parties (screening, due-diligence) without internal oversight — e.g., the Colorcon case emphasised responsibility regardless. (see link to enforcement notice)
Weak screening/monitoring of non-traditional sectors and indirect flows — art market, cryptoassets, supply-chain intermediaries are increasingly in focus.
Inadequate documentation or audit-trail of decisions, especially when relying on shifts in list formats, identifier changes or outsourcing screening.
Failure to adapt systems for the list-transition (UKSL) by Jan 2026 — this is a concrete regulatory project with deadlines.
Lack of supply-chain visibility — firms are expected to track indirect exposure, offshore shelters, proxies, third-country entities.
Looking ahead: what to watch
Monitor the outcome of OFSI’s consultation on enforcement processes, particularly changes to penalty frameworks, settlement regimes and likely higher penalty exposure.
The UKSL transition deadline of 28 January 2026 is approaching — early adaptation is advised (do not delay).
Continued evolution of sanctions regimes (Russia, Iran, dual-use goods, commodity-flows) and the increasing role of trade sanctions (via OTSI) means business must track non-financial sanctions too.
Growing regulatory expectation that firms move from reactive to proactive sanctions risk-management: scenario planning, supply-chain mapping, third-party transparency, training, audit-trail.
Increased public enforcement and transparency (‘teachable moments’) — firms should anticipate that sanctions failures will feature publicly and be used as case-studies.
Advisory summary for decision-makers
For boards and senior management: the updated message is clear - sanctions compliance is no longer a niche compliance discipline but a core operational and strategic risk area. The 2024-25 Review signals elevated expectations, system transitions and stronger enforcement orientation.
Confirm your firm’s sanctions-control framework is future-ready, not just “meets current policy”.
Prioritise timeliness, visibility and audit-trail: screening, freezing, reporting must work swiftly and reliably.
Expand scope: understand that non-traditional sectors, indirect flows, supply-chains and international operations now carry meaningful risk.
Ensure the technology and data architecture (screening systems, list-handling) are aligned to the UKSL transition and wider capability demands.
Promote a culture of transparency, self-disclosure, and continuous improvement: the shift toward enforcement implies that complacency will no longer suffice.
Ensure governance: Board/exec oversight, regular reporting of metrics (e.g., screening hit-rates, freeze-response times, vendor due-diligence coverage) and escalation paths for suspected breaches.