How can we help you?

Amid evolving geopolitical tensions and expanding sanctions regimes, the General Counsel (GC) plays a vital role in overseeing effective sanctions compliance frameworks, particularly in the United States (US), United Kingdom (UK) and European Union (EU). Regulators including the Office of Foreign Assets Control (OFAC), the Office of Financial Sanctions Implementation (OFSI), and the European Commission (EC) expect companies to implement risk-based, well-documented, and actively managed compliance frameworks.

Sanctions frameworks have expanded significantly over the last decade. However, enforcement has lagged. Regulators are now closing that gap through more stringent investigations, stronger rules, and substantially increased financial penalties. It is more important than ever that GCs have a robust cross-disciplinary control framework. In this insight piece, we consider the key elements that GCs should build into an effective sanctions compliance framework.

The current geopolitical landscape

Modern geopolitical conflicts have triggered unprecedented sanctions regimes. Following Russia's invasion of Ukraine in 2022, the EU and UK imposed phased restrictive measures targeting energy trade, including the disconnection of key Russian banks from SWIFT, asset freezes, and restrictions on energy and technology exports. The US initially coordinated closely but subsequently diverged, declining to support a tightened oil price cap while imposing extensive blocking sanctions on Russian entities and individuals. This transatlantic divergence in scope and calibration reflects differing levels of economic exposure, with EU measures being particularly constrained by underlying energy security concerns. The conflict in the Middle East has compounded this fragmentation, with expanded sanctions targeting Iranian energy, trade, and financial assets under the Iran Transactions and Sanctions Regulations (31 CFR Part 560). Although recent proposals contemplate limited sanctions relief on oil exports as part of a provisional 60‑day ceasefire framework, these regimes do not operate in parallel: a single transaction may be permissible under one regime yet prohibited under another. GCs must therefore navigate three distinct frameworks, scrutinise counterparties for indirect exposure through third-party sanctions breaches, and ensure consistent Specially Designated Nationals (SDN) screening is embedded within their compliance programmes. OFAC has increasingly pursued enforcement actions against attorneys and in-house counsel who fail to identify sanctions risks - in December 2025, a US-based attorney was fined $1 million for 122 apparent violations arising from fiduciary services provided to a trust linked to a designated Russian oligarch, creating personal professional exposure in addition to corporate liability.

Clear policies and procedures

EU Regulation 2024/1624 requires obliged entities to have internal policies and procedures to address financial crime risks (including, in practice, sanctions exposure), and the European Banking Authority Guidelines on sanctions compliance (November 2024) confirm that a sound framework requires transparency and consistency. In the US, OFAC's Framework for Compliance Commitments similarly emphasises written policies and procedures as a core component of any effective programme. In the UK, OFSI guidance reinforces the expectation that organisations maintain documented policies proportionate to their risk profile. Clear policies and efficient procedures translate complex legal obligations into practical guidance across the business, and should account for screening requirements, escalation protocols, and regulatory reporting obligations.

Comprehensive risk assessments and governance oversight

GCs should treat comprehensive risk assessments as a foundational element of their compliance framework. In January 2026, OFSI penalised the Bank of Scotland £160,000 for weaknesses in its sanctions controls, including failures in screening configuration, escalation procedures, and the identification of name variations. Notably, OFSI did not expressly characterise the issue as poor risk assessment, but the case underscores the importance of robust risk assessment and escalation procedures. GCs must maintain adequate visibility of their institution's risk exposure. Frameworks must evaluate geographical exposure, customer profiles, products and services, and distribution channels. Regulators expect documented risk assessments reviewed periodically to account for shifts in the risk landscape.

Regulators consistently treat governance failures as an aggravating factor in enforcement proceedings. The UK Sanctions and Anti-Money Laundering Act 2018 establishes the legal framework for UK sanctions regimes and underpins compliance obligations. There must be absolute clarity as to who bears responsibility for sanctions compliance and at what level of seniority. Ownership of sanctions risks must be vested in the board or senior leadership, with formal accountability structures ensuring commercial interests do not override compliance obligations.

Group-wide alignment

In a group structure, a sanctions breach can be triggered by a single subsidiary: where that subsidiary becomes owned or controlled by a sanctioned party, other group entities transacting with it may inadvertently breach sanctions. This risk persists even where the subsidiary operates in a different jurisdiction, as liability can extend across the entire group - particularly where a US entity or employee is involved, given OFAC's extensive extraterritorial reach. This was illustrated by a ~$200m OFAC settlement against a large multinational group: the breach triggered liability under US sanctions on Iran, which prohibit the import and export of Iranian goods. Despite applicable KYC obligations, the group failed to identify red flags in its supply chain, having relied on third-party regional intermediaries who had indirectly sourced liquefied petroleum gas of Iranian origin. Although it was a subsidiary operating outside the United States that committed the breach, the case demonstrates how compliance failures within a single entity can expose the wider group to regulatory and enforcement risk — particularly where US jurisdiction is engaged. OFAC assesses compliance at the group level: a sanctions compliance framework must therefore operate as a cohesive unit.

Effective screening and due diligence

Screening is one of the most operationally significant elements of a sanctions compliance framework. GCs should screen all individuals, entities and transactions against all relevant lists, such as the OFAC SDN List, OFSI Consolidated List, EU lists, and any other applicable regimes. A strong due diligence process will allow GCs to review corporate structures, monitor transactions (especially where the transactions touch high-risk jurisdictions), and ensure due diligence extends to third parties and supply chains. Historically, regulators have been unwilling to accept that a third party is responsible for a breach. For any operational business, screening is the most viable line of defence between the compliance framework on paper and the real-world consequence of a breach.

Strong training and rapid breach response

Training bridges the gap between written policies and real-world application. GCs should ensure their people recognise sanctions risks and understand how to resolve them efficiently. Awareness should be embedded throughout the organisation through regular updates - such as newsletters or alerts reflecting new sanctions developments - targeted training for high-risk functions (including sales, procurement, and finance), and role-specific training tailored to risk exposure. A well-trained workforce constitutes both a powerful mitigating factor and a tangible operational control. The Bank of Scotland action further demonstrates that OFSI will consider outdated or inadequate sanctions training as an aggravating factor in its assessment of a breach.

Contractual alignment

Sanctions compliance must be reflected in an organisation's contractual arrangements across all transaction types. In the context of banking and finance, sanctions wording is embedded throughout the LMA provisions, most notably within the definitions (including "Sanctioned Persons" and "Sanctions Authority"), representations, undertakings, and events of default (EoD). The standard LMA drafting reflects a risk allocation exercise between borrower and lender, calibrated to the transaction's geographic risk profile. A sanctions EoD entitles lenders to cancel their commitment, accelerate the loan, and refuse further utilisations, making it a commercially significant protective mechanism. In the current geopolitical landscape, GCs must ensure these clauses are understood, appropriately tailored, and effectively negotiated.

Similarly, in commercial transactions involving vendor agreements, the compliance and sanctions control function must, at a bare minimum, ensure that the representations and confirmations given are in compliance with applicable sanctions regimes, as it bears legal and operational responsibility for the verification of any representations made. Where special purpose vehicles (SPVs) are involved, there is an enhanced obligation on the sanctions control function to ensure contractual alignment, given that an SPV typically lacks independent operational substance and the control function therefore constitutes the primary safeguard against sanctions risk. If a representation given by an SPV proves to be false, liability is likely to shift to those within the organisation who held responsibility for sanctions oversight (including the directors and key managerial personnel) and failed to identify or escalate the relevant risk.

Contracting parties must also consider the risk (and consequences) of a lender itself becoming subject to sanctions during the financing term. Recent LMA guidance (February 2026) provides, in the context of syndicated loan transactions, a framework for risk allocation where a lender becomes sanctioned mid-transaction. The most immediate risk is that a sanctioned lender's failure to fund a utilisation would render it a defaulting lender, triggering breaches of its representations and warranties and almost certainly an EoD. This creates a difficult paradox: while the illegality provisions entitle the sanctioned lender to cancel its commitment and demand immediate repayment, sanctions may simultaneously prohibit the borrower from making that repayment - meaning the very act of compliance could itself constitute a breach.

The above highlights the critical connection between robust internal policies and contractual sanctions provisions. Beyond banking transactions, GCs must ensure that vendor and procurement contracts contain appropriate sanctions representations and warranties. At a minimum, directors of vendor entities should certify compliance with all applicable sanctions regimes, and organisations should adopt standardised sanctions compliance questionnaires as part of onboarding and periodic review. GCs must ensure their organisation can make a sanctions representation at execution and sustain it throughout the life of the contract - what was acceptable then may no longer be so, and screening practices must evolve accordingly.

Effective screening also supports anti-money laundering and anti-bribery compliance whilst guarding against the inadvertent facilitation of transactions with high-risk or sanctioned parties. GCs should therefore prioritise compliance auditing, ensuring alignment between internal controls and contractual obligations across all relevant jurisdictions and group entities.

Looking ahead

The regulatory landscape surrounding sanctions is not static, and neither can a GC's approach be. A defensible sanctions compliance framework is one that is risk-based, integrated, and supported by strong governance - with the GC playing a central role in ensuring its legal robustness and operational effectiveness.

How we can help

Navigating sanctions compliance requires specialist expertise that bridges regulatory complexity with practical, commercial advice. Our sanctions and financial regulation practice advises financial institutions, government-related entities, corporates and investors across the UK, the Middle East, ASEAN and South Asia on the full range of global sanctions regimes, cross-border regulatory risk and engagement with regulators. We assist organisations in building robust compliance frameworks — covering risk assessments, governance structures, due diligence processes and counterparty risk management — as well as supporting clients through internal investigations, regulatory enquiries and enforcement action. We also design and deliver tailored training programmes and workshops for leadership teams, including CXOs and boards, to ensure that sanctions risk is understood and managed at every level of an organisation. To find out more about our team, please click here.