The headline for compliance teams
On 23 June 2026, OFSI published an update on the latest OFAC-OFSI Enhanced Partnership Exchange. The tone was collaborative: the US and UK sanctions authorities want sanctions to be easier to understand, more effective in practice, and better supported by technology.
For an MLRO, the message is useful but not simple. Closer cooperation does not mean one combined sanctions regime. It means firms should expect more joined-up guidance, better information-sharing and more consistent expectations from two authorities that still apply different legal tests.
That distinction matters commercially. A growing fintech, payments company, marketplace, crypto business or cross-border SaaS platform cannot rely on a generic "global sanctions check" and hope it covers the detail. The business needs one clear operating model, but the controls underneath still need to know when a case is an OFAC issue, an OFSI issue, an AML suspicion issue, or a mix of all three.
OFSI also linked to the joint publication The U.S. and UK Economic Sanctions Authorities: A Comparative Overview, which compares sanctions lists, licences, reporting and recordkeeping. That document is worth reading. This article translates the point into decisions an MLRO can actually use.
The risk is not that OFAC and OFSI are moving closer. The risk is that firms respond by flattening the differences. Sanctions controls can be globally governed, but the legal logic must stay jurisdiction-specific.
What changed, and what did not
| Question | Practical answer |
|---|---|
| Are OFAC and OFSI becoming one regime? | No. They are coordinating more closely, but US and UK sanctions rules remain separate. |
| Does this make compliance easier? | It should make guidance and engagement clearer, but it also raises the standard for firms that operate across both regimes. |
| Can one sanctions workflow cover everything? | The workflow can be unified. The decision rules cannot. |
| Where do firms usually get exposed? | Nexus, ownership and control, reporting, licensing conditions, and weak evidence trails. |
| What should an MLRO prioritise? | Clear escalation, jurisdiction-tagged screening outcomes, separate reporting decisions, and audit-ready case records. |
OFAC vs OFSI: the core difference
OFAC is the Office of Foreign Assets Control within the US Department of the Treasury. It administers and enforces US economic and trade sanctions. OFAC rules often matter where there is a US person, US entity, US-origin goods or services, US-dollar clearing, a US financial institution, or another US nexus. Some US sanctions also create secondary sanctions exposure for non-US persons.
OFSI is the Office of Financial Sanctions Implementation within HM Treasury. It implements UK financial sanctions and certain trade sanctions. UK financial sanctions generally apply to all persons in the UK and to UK persons wherever they are located. Certain firms also have specific reporting obligations.
For a cross-border compliance team, this is not academic. A case may need to be assessed under:
- US sanctions law because a payment clears through the United States;
- UK sanctions law because a UK entity, UK employee, UK bank or UK booking location is involved;
- AML law because the facts create suspicion of money laundering, terrorist financing or proliferation financing;
- more than one of these routes at the same time.
Why this lands on the MLRO's desk
The UK has a more formal MLRO architecture. FCA-regulated firms commonly appoint an MLRO with authority, independence, resources and senior-management access. The UK Money Laundering Regulations also use the concept of a nominated officer for internal suspicious activity disclosures in relevant firms.
The US does not generally use "MLRO" as the statutory sanctions role. Covered institutions usually have a BSA/AML compliance officer for AML programme requirements. Separately, OFAC expects organisations to maintain a risk-based sanctions compliance programme, with management commitment, risk assessment, internal controls, testing, auditing and training.
In practice, sanctions still lands close to the MLRO because the same facts often touch AML, counter-terrorist financing, proliferation financing, customer risk, payments, onboarding and suspicious activity reporting. That does not mean the MLRO must personally own every sanctions decision. It does mean the governance model should remove ambiguity.
A good governance document should say:
- who owns OFAC sanctions controls;
- who owns OFSI sanctions controls;
- who receives sanctions escalations;
- who decides whether a sanctions report is required;
- who decides whether a SAR is required;
- who can freeze, reject, block, stop, release or licence a transaction;
- who reports sanctions risk to the board or risk committee.
If that is unclear during business as usual, it will be painful during an urgent payment stop, a regulator request or a potential breach review.
Where a single global policy breaks down
Many firms already have a global sanctions policy. That is fine. The problem starts when the policy hides the detail that case handlers need.
The same customer, counterparty or payment can produce different answers depending on which authority's rules apply.
| Control area | OFAC angle | OFSI angle | MLRO implication |
|---|---|---|---|
| Sanctions list source | OFAC lists, including SDN and other OFAC sanctions lists | UK Sanctions List and UK regime guidance | Screening data must be sourced, timestamped and mapped by jurisdiction. |
| Ownership and control | OFAC's 50 Percent Rule focuses on aggregate ownership by blocked persons | UK rules include ownership and a broader control analysis | A match file needs jurisdiction-specific beneficial-ownership reasoning. |
| Reporting | Blocked and rejected transaction reporting, annual blocked property reporting, voluntary self-disclosure routes | Relevant firm reporting, frozen asset reporting, breach disclosure and OFSI information requests | Do not assume one report satisfies both authorities. |
| Licensing | OFAC general and specific licences, often programme-specific | OFSI general and specific licences, tied to UK legal grounds and conditions | Licence registers should track authority, scope, conditions, expiry and reporting duties separately. |
| Evidence | OFAC has explicit sanctions recordkeeping expectations | UK records depend on sanctions, AML, supervisory and licence obligations | A 10-year sanctions evidence standard is often a practical global baseline, subject to local data rules. |
| Enforcement | Strict liability civil enforcement and published settlement frameworks | Strict liability civil monetary penalties for post-15 June 2022 breaches, public disclosure and settlement tools | Controls should be built to prevent breaches and evidence decisions, not to prove intent after the fact. |
The commercial point is straightforward: the faster the business moves across borders, the more expensive vague sanctions logic becomes. Every unclear decision becomes rework, delay, legal escalation or avoidable risk.
The reporting trap: sanctions reports are not SARs
One of the most important MLRO lessons is simple: a sanctions report is not the same thing as a suspicious activity report.
In the UK, filing a SAR with the NCA does not automatically satisfy an OFSI reporting obligation. Reporting to a regulator does not automatically satisfy OFSI either. In the US, reporting a blocked or rejected transaction to OFAC is separate from any AML SAR analysis under FinCEN or other applicable rules.
An MLRO file should therefore separate four questions:
- Is there a true sanctions match or sanctions nexus?
- Does the transaction or relationship need to be blocked, frozen, rejected, stopped, licensed or otherwise restricted?
- Is an external sanctions report required, and to which authority?
- Is there also suspicion requiring an AML report?
This separation prevents weak case records such as "reported to compliance" or "SAR filed" from being treated as if they resolved the sanctions issue.
A better operating model
The best model is not a thick policy that nobody uses. It is a practical case workflow that helps analysts, legal, compliance and the MLRO reach the right decision quickly.
Use this structure when a customer, counterparty, beneficial owner, vessel, payment, trade flow or wallet creates possible US or UK sanctions exposure.
| Step | What to decide | Evidence to keep |
|---|---|---|
| 1. Trigger | What caused the review: screening hit, payment alert, ownership change, adverse media, regulator notice, licence condition or staff escalation? | Alert, timestamp, source list, transaction data, customer profile, case owner. |
| 2. Jurisdiction triage | Is there a US nexus, UK nexus, both, or neither? | Booking entity, payment route, currency, bank chain, customer location, staff involvement, goods/services origin. |
| 3. Identity resolution | Is the listed person or entity the same party? | Name logic, identifiers, date of birth, registration number, address, vessel IMO, wallet address, aliases. |
| 4. Ownership and control | Is the customer or counterparty owned or controlled by a designated or blocked person under the relevant rules? | Ownership chart, UBO records, voting rights, control evidence, aggregation analysis, source documents. |
| 5. Action decision | Block, freeze, reject, stop, licence, continue, exit, monitor or escalate? | Legal basis, policy basis, approver, decision time, customer communication, transaction status. |
| 6. Reporting decision | OFAC report, OFSI report, SAR, regulator notification, voluntary disclosure or no external report? | Filing rationale, deadline, submitted form, acknowledgement, narrative, attachments. |
| 7. Remediation | What control failed or changed? | Root cause, data fix, rule tuning, training, governance update, audit action, board reporting. |
- Can analysts tag a case as OFAC, OFSI, dual-nexus or out of scope?
- Can the case file show which list source and list version triggered the alert?
- Can ownership and control be reviewed under separate US and UK logic?
- Can sanctions reports, SARs and regulator notifications be tracked separately?
- Can licence conditions be monitored after the transaction is approved?
- Can senior management see sanctions metrics beyond false-positive volume?
- Can you prove accountability when screening is performed by a vendor, affiliate or outsourced operations team?
Ownership and control: the expensive blind spot
Ownership and control is where many sanctions processes become fragile. A firm may have a single UBO chart, but the legal conclusion can differ between OFAC and OFSI.
Under the OFAC 50 Percent Rule, property and interests in property of entities owned 50 percent or more, directly or indirectly, by one or more blocked persons are treated as blocked even if the entity is not separately listed. Under the UK approach, ownership is important, but control can also matter. The UK analysis may require looking beyond shareholding into rights, influence and factual control.
That means a good MLRO or sanctions case note should not simply say "UBO cleared." It should say:
- which jurisdictional test was applied;
- which ownership percentages were reviewed;
- whether holdings were aggregated;
- whether voting rights or control rights were assessed;
- whether there is evidence of joint arrangements or de facto control;
- whether the conclusion applies to OFAC, OFSI or both.
This is especially important for scale-ups. Early-stage teams often start with customer screening and add ownership analysis later. That may work for low-risk domestic onboarding. It does not hold up well when the business expands into cross-border payments, marketplaces, trade, crypto, or corporate onboarding with complex ownership.
Licensing should not live in email
Both OFAC and OFSI use general licences and specific licences. Both can impose conditions. Both can require reporting or recordkeeping. Both can leave firms exposed if a transaction falls outside the licence scope.
An MLRO does not need to personally draft every licence application. But the financial-crime governance framework should require a live register covering:
- authority: OFAC, OFSI or another sanctions authority;
- licence type: general licence, specific licence, exemption or exception;
- legal basis and sanctions programme;
- covered parties, products, services, payments and jurisdictions;
- permitted and prohibited payment routes;
- conditions, notifications and reporting deadlines;
- expiry date and renewal owner;
- evidence pack location;
- post-transaction review requirement.
This is where a commercial system matters. If licensing decisions sit across email threads, spreadsheets and local folders, the firm may be able to complete the transaction but still struggle to prove why it was allowed.
What senior management should ask the MLRO
The OFSI post talks about clearer guidance, better systems, new technology and more effective stakeholder support. Senior management should convert that into sharper internal questions.
| Board question | Why it matters |
|---|---|
| Can we identify whether each sanctions case has US, UK or dual nexus? | Nexus drives legal obligations, reporting routes and enforcement exposure. |
| Do our systems use current OFAC and UK sanctions list sources? | Stale or unofficial data weakens every downstream decision. |
| Can we explain ownership and control decisions by jurisdiction? | OFAC and OFSI tests can produce different outcomes. |
| Are SARs and sanctions reports tracked separately? | A SAR does not automatically discharge sanctions reporting duties. |
| Do we know which licences we rely on today? | General and specific licences often contain conditions and expiry risk. |
| Can we reconstruct a blocked, rejected or frozen transaction decision? | Enforcement defence depends heavily on evidence quality. |
| Are AI or automation tools used with human accountability? | The authorities support better technology, but firms remain responsible for decisions. |
Where software helps, and where it does not
The OFSI blog explicitly refers to sharing experience with artificial intelligence and emerging technologies to automate routine tasks, support information analysis, improve decision-making and deliver clearer guidance.
That is relevant for MLROs, but it should not be over-sold. Software can help with:
- current sanctions list ingestion;
- name, alias, vessel and entity matching;
- customer and counterparty screening;
- ongoing monitoring when lists or customer data change;
- beneficial-owner and related-party screening;
- case routing and escalation;
- evidence capture and audit trails;
- reporting dashboards for MLROs and senior management.
What software should not do is pretend to make the legal decision on its own. The defensible model is technology-assisted investigation with human-owned disposition, legal escalation and reporting decisions.
For a platform such as Checklynx, the value is not only finding the match. It is helping the team manage what happens next: the case owner, the rationale, the supporting evidence, the escalation route, the decision and the audit record.
The practical answer for MLROs
If your firm has US and UK exposure, treat the 2026 OFAC-OFSI update as a prompt to review the operating model, not as a reason to simplify the legal analysis.
The review does not need to become a large transformation project. Start with five checks:
- Pick three recent sanctions cases and confirm whether the file explains US nexus, UK nexus or both.
- Check whether sanctions reporting decisions are separate from SAR decisions.
- Test whether beneficial ownership is assessed under the right jurisdictional rule.
- Review all active licences and confirm conditions, expiry dates and reporting duties are tracked.
- Ask whether the MLRO report gives senior management a clear view of sanctions exposure, not only AML activity.
These checks quickly show whether the business has a real control framework or just a policy document.
Key takeaways
The OFAC-OFSI partnership is good news for compliance teams because it should make guidance, stakeholder engagement and information-sharing more coherent. It also raises expectations. If two major sanctions authorities are coordinating more closely, fragmented internal controls become harder to defend.
For MLROs, the operating model should be:
- one board-level financial-crime governance framework;
- separate OFAC and OFSI sanctions decision trees;
- separate sanctions and AML reporting workflows;
- jurisdiction-specific ownership and control analysis;
- licence governance with condition tracking;
- evidence that can reconstruct every material decision;
- automation that improves review quality without obscuring accountability.
The short answer: OFAC and OFSI are moving closer operationally. MLROs still need to evidence the legal differences.