Legal development

OFSI publishes second financial sanctions threat assessment report

By Sophie Law

10 April 2025

Share Share
Panels in the sunshine
Share

    On 3 April 2025, the UK's financial sanctions authority, the Office of Financial Sanctions Implementation (OFSI), published the second of its sector-specific assessments of threats and vulnerabilities relating to UK financial sanctions (read our summary of the first threat assessment here).  

    The second report focusses on the legal services sector, which comprises legal services providers of all sizes and types, including solicitors' firms, barristers' chambers, notarial service providers, and sole practitioners, as well as, notably, trust and company service providers (TCSPs).

    As with the first report, this report provides information on suspected sanctions breaches and is intended to assist with prioritisation as part of a risk-based approach to compliance. The assessment does not cover the breadth of potential breaches arising from the activities of UK legal services providers but is based on specific threats and patterns of non-compliance which OFSI has observed since February 2022. 

    Role of legal services providers

    The report highlights that UK legal services providers play a crucial role in ensuring compliance with UK financial sanctions both within and outside their sector. They provide services to a range of UK and international clients, including, in some cases, designated persons subject to UK asset freezes (DPs). In providing services to DPs, OFSI states that legal services providers are uniquely positioned to identify suspected breaches.  

    Since February 2022, the legal services sector has submitted the second highest number of suspected breach reports to OFSI by sector, accounting for 16% (compared with 65% submitted by the financial services sector), of which 98% were submitted by solicitors’ firms and barristers’ chambers.

    Key judgements

    The assessment identifies four key judgements concerning threats to sanctions compliance relevant to UK legal services providers:

    1. It is highly likely that UK TCSPs have not self-disclosed all suspected breaches to OFSI.
    2. It is almost certain that most non-compliance by UK legal services providers has occurred due to breaches of OFSI licence conditions.
    3. It is almost certain that complex corporate structures, including trusts, linked to Russian DPs and their family members have obfuscated the ownership and control of assets which could be frozen under UK financial sanctions.
    4. It is likely that Russian DPs have transferred the ownership and control of assets to non-designated individuals and entities. In some cases, this could breach UK financial sanctions.

    We summarise our key take-aways in respect of each of the judgements below.

    Judgement 1: UK TCSPs and Non-Disclosure

    OFSI's assessment indicates that UK TCSPs have likely not self-disclosed all suspected breaches. 

    Larger legal services providers (i.e. solicitors’ firms and barristers’ chambers) account for a significant portion of the suspected breach reports submitted to OFSI. Only 2% of the suspected breach reports submitted to OFSI came from TCSPs and other legal service providers. OFSI has also received suspected breach reports which concerned TCSPs but were not self-disclosed by them. 

    Although self-reporting by legal services providers is typically timely, OFSI has also observed significant delays in self-reporting of breaches, in particular in relation to the Myanmar and Libya regimes.

    Judgement 2: Non-Compliance Due to Licence Conditions

    The assessment highlights that most non-compliance by UK legal services providers is due to breaches of OFSI licence conditions.  Common issues include:

    • transactions exceeding licence value limits, 
    • transactions made after licence expiry, and
    • failures in complying with the reporting requirements in licences.

    In particular, OFSI encourages all legal service providers to ensure that all activities in connection with winding down their operations in Russia are conducted in line with general and specific licence permissions. In this respect, we recommend that firms consider whether they can take any lessons from the recent monetary penalty imposed on the Russian branch of a UK law firm in connection with that firm's exit from Russia. 

    Judgement 3: Complex Corporate Structures

    Complex corporate structures, including trusts linked to Russian DPs and their family members, have been used to obfuscate the ownership and control of assets. These structures complicate the identification of assets that should be frozen under UK financial sanctions. 

    Legal services providers including TCSPs in particular, should conduct thorough due diligence to uncover the true ownership and control of assets, in particular those held through complex ownership structures linked to Russian DPs, their family members and associates.

    Judgement 4: Post-Designation Transfers

    Russian DPs have been observed transferring ownership and control of assets to non-designated individuals and entities post-designation, including removing themselves from complex corporate structures. This has led to uncertainty as to whether such assets should be frozen under UK financial sanctions. 

    OFSI cautions that attempts to transfer assets in this way could be considered enabler activity and may breach UK financial sanctions if they are made on behalf of, or for the benefit of, a DP. The report includes a case study which reflects this scenario.

    Other threats to compliance

    Red Flags

    The report encourages firms to undertake robust due diligence. This should be nothing new for most legal services providers. However, OFSI also includes an extensive list of 'red flags' which could arise in a variety of situations in the legal services sector. Legal services providers should consider this list carefully.

    Intermediary Jurisdictions

    Since February 2022, 23% of suspected breach reports involving UK legal services providers have included an intermediary jurisdiction nexus (similar to the 25% of breach reports by financial services firms). OFSI states that such jurisdictions are those which were traditionally favoured by Russian DPs due to the increased privacy in their legal and financial systems, or those where Russian investors have commercial links.

    The jurisdictions appearing most frequently in these suspected breach reports include: British Virgin Islands (BVI); Cyprus; Guernsey; and Switzerland.  OFSI has also observed links between suspected breaches involving UK legal services providers and the Isle of Man; Jersey; Cayman Islands; Austria; and the United Arab Emirates (UAE).

    OFSI encourages vigilance from UK legal services providers when the identified 'red flags' appear in conjunction with an intermediary jurisdiction nexus.

    Professional Enablers

    The role of professional enablers featured heavily in OFSI's first threat assessment focussing on the financial services sector. Perhaps unsurprisingly, we see a similar emphasis in this second report: a number of the 'red flags' are directed at both professional and non-professional enablers. OFSI also highlights that legal services providers are well placed to identify attempts by Russian DPs and their enablers to breach UK financial sanctions.

    Historical Interests In The UK

    The report also identifies that historical interests of designated Russian businesses, including banks and conglomerates, in the UK may present risks for sanctions compliance. For example, steps taken by those Russian businesses to exit the UK since February 2022. The same is said of the UK's position as a hub for international litigation, including Russian litigants. 

    OFSI encourages legal service providers to ensure that any such activities are undertaken in compliance with UK financial sanctions, including licence conditions.

    What should legal service providers do next?

    Overall, the assessment emphasises the importance for UK legal service providers of:

    • robust due diligence, and a risk-based approach to compliance; and
    • timely and comprehensive self-disclosure of suspected breaches.

    For many legal service providers, issues around legal professional privilege often present difficult questions when it comes to reporting, especially when it relates to activity by a client. OFSI's view on legal privilege is tucked away in a footnote in the report. It confirms that reporting obligations do not apply to information to which legal professional privilege is attached. However, it goes on to say that:

    "OFSI expects legal professionals to carefully ascertain whether legal privilege applies and which information it applies to. OFSI may challenge a blanket assertion of legal professional privilege where it is not satisfied that such careful consideration has been made".

    Similarly to its first threat assessment, OFSI encourages legal services providers to conduct lookback exercises to identify any suspected breaches which have not been reported, in particular TCSPs, smaller providers and sole practitioners. Any suspected breaches should be reported promptly to OFSI (and the National Crime Agency, where relevant). This is likely to result in more favourable enforcement outcomes: prompt and detailed self-disclosure resulted in a 50% reduction to a civil monetary penalty imposed on a UK legal service provider by OFSI last month. 

    OFSI also notes that there are a number of resources relevant to legal services providers, including material published by the Solicitors' Regulation Authority and Financial Conduct Authority on sanctions compliance.  The threat assessment encourages review of this material, and contains useful links to it.

    Authors: Tom Cummins, Partner; Sophie Law, Senior Associate

    Key Contacts