Sanctions Breach by Process, Not Design
and what we can learn from it
This week, I’ve been thinking about something less exciting but deeply consequential: operational drift.
That slow erosion of process integrity that creeps in gradually, until one day, it quietly breaks something that matters. In financial crime compliance, it rarely announces itself.
You don’t notice it… until you do.
The One That Got Away
The UK’s OFSI recently published a notice concerning Vanquis Bank Limited (VBL), a UK-regulated financial institution that failed to freeze a designated person’s account for eight full days after official notification.
Sounds somewhat mundane, until you learn that the regulator gave VBL a heads-up on the upcoming designation, flagging that the individual might have been a customer of VBL.
Have you heard of this FYI practice? Me neither. Quite terrific if you think about it, as the regulator makes the job of any given compliance team much easier…
In theory.
What Happened?
Here’s the timeline:
Day 0: OFSI issues pre-notification to VBL.
Day 1: Individual is designated. Sanctions list updated.
Day 2, 8:30am: VBL’s screening system flags a potential match.
Day 2, 9:43am: The individual withdraws £200.
Day 6: Another transaction is processed.
Day 8: VBL finally confirms the match and restricts access.
Day 13: Breach is reported to OFSI.
So what went wrong?
VBL had redeployed their sanctions review staff to manually triage a backlog created by a previous tech issue, a known fault in their alert system that was wrongly flagging duplicate alerts. This reallocation delayed review of the match alert, even after the system had detected it.
In other words, this wasn’t a data gap. It was an operational design failure.
Reflections
VBL’s assumption was that its UK-only credit card business posed a “low sanctions risk.” That view likely influenced a decision to screen once per day and to deprioritize alert triage when problems emerged.
But as OFSI put it:
“The failure to ensure business continuity was within VBL’s control.”
Sanctions compliance lives at the intersection of automation, oversight, and staffing. All three must function, especially when national security or counter-terrorism is involved.
The good news? OFSI chose not to impose a monetary penalty. The regulator cited VBL’s cooperation, the low value of the breach, and the firm’s voluntary disclosure.
Still, it is a cautionary tale.
If you're relying on SLAs, vendors, or automation, make sure you also have the resilience to catch the one alert that matters most.
Thanks for reading.
Alexey