
OFSI Publishes Sanctions Breach Report on Vanquis Bank Limited

  • Writer: OpusDatum
  • Sep 7

OFSI has published a disclosure report against Vanquis Bank Limited for breaches of the Counter-Terrorism Sanctions EU Exit Regulations 2019, after the bank failed to promptly restrict a designated person’s account following designation. OFSI assessed the misconduct as moderately severe and opted to publish rather than impose a monetary penalty. The incident underscores the risk of funds being made available to a designated person when screening and escalation controls lack operational resilience.


On 8 September 2025 OFSI confirmed that Vanquis Bank Limited allowed a cash withdrawal and a subsequent transaction in the eight days between the customer’s designation and the eventual account restriction. During this window the designated person retained full access to credit, resulting in direct availability of funds contrary to regulations 11 and 12. Although comparatively low in value and without evidence of deliberate circumvention, OFSI emphasised that even low-value access can create a direct terrorist financing risk in the domestic counter-terrorism regime.


The chronology reveals process fragility. OFSI gave prior notice that a suspected Vanquis customer would be designated, then updated the Consolidated List and issued e-Alerts on the day of designation. A potential match alert was generated the next morning, yet staffing constraints and remediation backlogs meant the first-line review did not occur for eight days, allowing a £200 cash withdrawal the day after designation and a card purchase five days later. The alert was finally confirmed and the account restricted on day eight, with self-reporting to OFSI on day thirteen.


OFSI highlighted aggravating factors including the pre-notification that should have prompted heightened vigilance, the direct making available of funds, the prolonged access window, and the expectation that an FCA-regulated firm maintains robust financial crime systems. Mitigation included voluntary and complete reporting, the proximity of the first withdrawal to designation, the absence of deliberate circumvention, and the isolated, low-value nature of the breach. OFSI concluded that the time taken to restrict the account was inappropriate, noting the firm’s responsibility to ensure business continuity even amid remediation exercises.


For industry, the compliance message is unambiguous. Firms must ensure immediate and effective controls to freeze and restrict designated persons’ funds and should treat any pre-designation alerts as triggers for heightened operational readiness. Sanctions screening must be resourced for surge conditions, with contingency plans that keep first-line triage and escalation intact during remediation backlogs. OFSI reiterates that if a breach is known or suspected, firms should inform the authority promptly and follow statutory steps to freeze, refrain from dealing, and report without delay.


Why This Matters for Sanctions Compliance


Financial institutions continue to face fast-moving designation events, particularly in terrorism-related regimes where even small sums can pose acute risk. This case shows that outsourcing list data and automation does not absolve firms of the need for end-to-end responsiveness, staffing resilience and clear day-one playbooks. Boards should test whether their sanctions operating model can withstand concurrent remediation, spikes in alerts and after-hours designations that require action at the start of the next business day.


Read the disclosure notice here.
