On 19 May 2026, the UK's Office of Financial Sanctions Implementation (OFSI) published its penalty notice against Deutsche Bank AG London Branch (DBLB), imposing a final settlement of £165,000 for breaching the Russia (Sanctions) (EU Exit) Regulations 2019.
The payments in question were processed in June and July 2022. The penalty was agreed in April 2026. That is nearly four years between breach and resolution.
And the root cause was not rogue employees, deliberate intent, or a missing sanctions list. It was a third-party screening vendor whose data did not include ownership information for the beneficiary at the time the payments cleared.
The OFSI penalty notice is publicly available on GOV.UK and is worth reading in full. Not because Deutsche Bank is unique, but because the gap it exposed is far more common than most compliance programs want to admit.
What Actually Happened
The timeline requires several moving parts to understand.
In August 2018, Russia's largest bank, PJSC Sberbank, acquired full ownership of Okko, a Russian media streaming company. In April 2022, the UK designated PJSC Sberbank under its Russia sanctions regime.
On 17 May 2022, Sberbank sold Okko to a new entity: JSC New Opportunities. On 29 June 2022 at 11:00 BST, JSC New Opportunities was designated by the UK's Foreign, Commonwealth and Development Office. The moment that designation landed, Okko, now wholly owned by a designated person, became subject to sanctions prohibitions.
Later that same day, DBLB processed Payment A: £356,429.27 to Okko. A month later, DBLB processed Payment B: £279,189.48 to Okko. Total breach value: £635,618.75.
The payments were made through the SWIFT network on behalf of a client, an Irish-incorporated subsidiary of a multinational firm. Okko was that client's customer, not DBLB's direct customer. DBLB had no contractual relationship with Okko and no general legal requirement to conduct due diligence on its client's clients.
DBLB screened both payments. No alert was generated. The OFSI penalty notice explains exactly why:
"The screening lists sourced by DBLB from a third-party screening vendor did not, at that point in time, include data in relation to Okko or its ownership, and therefore the transaction screening conducted did not generate an alert in relation to Okko or its ownership."
OFSI Penalty Notice, Deutsche Bank AG London Branch, 30 April 2026 — GOV.UK
The list had incorporated JSC New Opportunities. But ownership and control data linking JSC New Opportunities to Okko was not present in the screening list at the time of the payments. OFSI also noted that open-source media articles published in May 2022 had reported the ownership transfer, but that DBLB's vendor had not reflected that information in its list data, partly due to the withdrawal of Russian corporate registry access and legislation permitting the suppression of corporate ownership information.
DBLB self-disclosed in September 2022. A 45% discount was applied for voluntary disclosure and settlement under OFSI's enforcement framework. The original baseline penalty was £300,000.
Three Compliance Lessons OFSI Explicitly Called Out
OFSI does not typically editorialize. When it lists lessons learned at the end of a penalty notice, those paragraphs carry the weight of regulatory guidance, because that is effectively what they are.
Third-party screening tools are necessary but not sufficient.
OFSI's language was direct: firms must be aware of, and account for, the limitations of their screening vendors, supplementing with their own processes where appropriate. This is particularly important where sanctions apply as a result of ownership and control. If your screening vendor does not carry current, complete ownership and control data, especially for high-risk jurisdictions where corporate registries are being suppressed or restricted, your automated screening will not catch what it cannot see. The list was present. The ownership link was absent.
Understanding how your customers manage their own sanctions risk is part of your risk management.
OFSI found that DBLB engaged with its client about Russian payment flows between March and May 2022, but did not uncover the client's reliance on a self-certification model for its own downstream customers. OFSI noted that DBLB had been unaware that its customer did not affirmatively request ownership information from its downstream customers. In a high-risk transaction environment, knowing that your client screens its customers is not sufficient. Knowing how they screen, and what their screening actually covers, is part of your own exposure assessment.
Voluntary disclosure quality matters as much as speed.
DBLB did self-disclose promptly in September 2022. But OFSI assessed the disclosure as incomplete, noting it lacked detail and provided limited insight into the reasons for the breach. The maximum available discount under OFSI's guidance was 50%. DBLB received 45%. The time between discovering the breaches and reporting them to OFSI should have afforded DBLB the opportunity to provide a more comprehensive and detailed account of the facts. A prompt disclosure that does not explain the how and why of a breach is still a partial disclosure. OFSI is telling firms: when you report, bring the full picture.
The Bigger Pattern
This is not the first time Deutsche Bank has appeared in AML and sanctions enforcement actions. The Federal Reserve fined Deutsche Bank and its US affiliates $186 million in July 2023 for failing to remediate AML control deficiencies that regulators had flagged since 2015. Prior fines in 2015 and 2017 totalled a further $99 million. The bank has grown its anti-financial crime team to over 2,000 employees globally.
None of that prevented a third-party data gap from generating a sanctions breach in June 2022.
This is the pattern that regulators and compliance professionals repeatedly encounter: institutions can have substantial compliance infrastructure and still face enforcement action because a specific, bounded data or process gap was not identified and supplemented. In this case, the gap was ownership and control data coverage for a newly designated entity's subsidiary, in a jurisdiction where corporate registry access was being actively restricted by the Russian government at the same time sanctions were being expanded.
OFSI acknowledged that context. It did not excuse the breach.
What Robust Sanctions Screening Looks Like
The OFSI penalty notice is essentially a blueprint for what to audit in your own program. Four areas deserve direct attention:
Ownership and control coverage. Does your screening vendor, or combination of vendors, carry beneficial ownership data? Does it update when corporate structures change hands in high-risk jurisdictions? Do you know how often that data is refreshed and what the lag time is between a corporate event and its reflection in your screening lists?
Multi-vendor coverage for high-risk jurisdictions. OFSI noted that DBLB incorporated additional list vendors as part of its post-breach remediation. A single third-party provider for ownership and control data creates a single point of failure. In jurisdictions where registry access is deliberately restricted, additional open-source monitoring and adverse media review becomes a necessary supplement, not an optional layer.
Customer risk profiling that includes their own compliance processes. If your client transacts with high-risk counterparties in sanctioned or high-risk jurisdictions, your CDD and ongoing monitoring program should include an understanding of how they manage their own screening, not just whether they do it.
Speed of alert on newly designated entities. Payment A was processed on the day of designation. OFSI acknowledged the narrow window and treated that timing as a mitigating factor. It was Payment B, processed a month later to the same beneficiary, that moved the case from a possible edge case to a clear compliance failure. Real-time or near-real-time list updates combined with continuous customer monitoring are precisely the controls that exist to close this window.
The Sentinel Perspective
Sentinel's Continuous Customer Monitoring was designed for exactly this scenario: an entity that passes initial screening later becomes, or becomes connected to, a sanctions risk through ownership change, designation of a parent or related entity, or a corporate restructuring event.
Rather than relying solely on transaction-time screening against a point-in-time list, Sentinel monitors your screened customer base on an ongoing basis and generates a New Data Alert when something in the screening landscape changes that affects a customer you have already onboarded. Your team is alerted. The workflow opens. The decision is documented.
That does not replace the need for quality data from your list vendors. It adds a continuous review layer on top of it. The two controls work together. Neither replaces the other.
For institutions with exposure to complex ownership structures, high-risk counterparty jurisdictions, or clients whose own customers present sanctions risk, the OFSI note on ownership and control coverage deserves direct attention. Your screening is only as current as your data, and only as complete as the ownership chains it can trace.
See How Sentinel Closes the Ownership and Control Gap
Request a demonstration tailored to your institution's sanctions screening program and risk profile.
Official References
Truth Technologies provides AML, KYC, OFAC, and sanctions screening compliance solutions through the Sentinel platform. This post is published for informational purposes only and does not constitute legal advice. All facts are sourced from the official OFSI penalty notice linked above.
