Sanctions Enforcement and Ownership Risk: OFSI’s Decision in ADI


The imposition of sanctions following Russia’s war on Ukraine resulted in a flurry of commercial cases. While these commercial decisions have been useful in guiding parties’ approach to sanctions implementation, the clearest guidance on OFSI’s approach comes from enforcement cases, which have been rarer.

In one such recent case, OFSI has imposed a £390,000 penalty on Apple Distribution International Limited (ADI), an Irish-incorporated subsidiary of Apple Inc., for making funds available to an entity owned or controlled by a designated person in breach of regulation 12 of the Russia (Sanctions) (EU Exit) Regulations 2019.

This is the first case under OFSI’s settlement regime and is a useful illustration of how UK sanctions can apply to non-UK entities, as well as OFSI’s approach in practice.

Background

ADI operates Apple’s App Store in Europe and the Middle East. It collects revenues from the App Store and instructs payments to app developers through a UK bank account; one of those developers was a Russian media streaming business, Okko LLC (Okko).

Okko had previously been owned by Sberbank, Russia’s largest bank, which the UK designated in April 2022. In May 2022, Sberbank sold Okko to a newly created entity, JSC New Opportunities, which was itself designated on 29 June 2022. From that point, Okko was again subject to asset-freeze restrictions as a wholly owned subsidiary of a designated person.

ADI made two payments to Okko from the UK account: Payment A was instructed on 6 June 2022 and released on 30 June 2022; Payment B was instructed on 30 June 2022 and released on 28 July 2022, by which point JSC New Opportunities had been designated for approximately a month. The total amount transferred was £635,618.75.

Jurisdiction and strict liability

ADI is not subject to UK sanctions law as it is incorporated in Ireland. However, its conduct was treated as occurring in the UK on the basis that ADI had instructed a UK bank to make the payments. As UK sanctions regimes apply to any conduct within the UK, the instruction of a UK bank triggers the application of UK sanctions.

The strict liability regime was introduced in 2022 by amendments to the Policing and Crime Act 2017. Under it, an entity is liable for breaches of sanctions regimes even if it had no knowledge of the breach or reasonable cause to suspect one. Given the payments to Okko were made following its designation, OFSI found that ADI was liable despite the fact that it had neither knowledge of the breach nor reasonable cause to suspect one. Under the Enforcement Guidance, OFSI found the breach to be “serious” rather than “most serious”. Further, in its assessment of the case, OFSI considered several factors and assessed their relevance to aggravation or mitigation, which in turn informs how seriously OFSI views a case.

Aggravating factors

In this case, OFSI found that there were several aggravating factors.

First, ADI had a compliance framework in place which relied on self-certification and third-party due diligence providers; OFSI’s view was that it was inadequate for the sanctions climate at the time of breach because Russian corporate ownership was changing rapidly following the invasion of Ukraine. Contemporaneous open-source reporting described Sberbank’s sale of its assets and highlighted that JSC New Opportunities had been created specifically to acquire them. These factors were not identified by the third-party due diligence mechanisms in place.

OFSI also concluded that ADI failed to affirmatively request ownership information from Russian developers, a step which would have materially increased the chance of identifying the risk; this failure was considered an aggravating factor. OFSI also reiterated that ADI, as the entity making the payments, remained responsible for the adequacy of its own controls and had ultimate responsibility for ensuring sanctions compliance.

The fact that ADI made two previous payments to Okko in April 2022 (while it was designated), prior to the strict liability regime coming into force, was also considered an aggravating factor. Lastly, Russia sanctions were also treated as a strategic UK priority, which added to the weight given to the seriousness of the breach.

Mitigation

There were also several mitigating factors in this case. OFSI accepted that ADI had neither intent, knowledge, nor reasonable cause to suspect the breach. Payment A was completed on the day of designation, in a window so narrow that OFSI acknowledged automated systems would not necessarily be expected to catch it.

ADI also made a voluntary disclosure in October 2022, cooperated fully with the investigation, and subsequently enhanced its framework, including introducing a process to require Russian developers to provide direct and indirect ownership information at onboarding and periodically thereafter. Those steps were considered as mitigating factors when OFSI calculated the penalty.

Penalty and settlement

The baseline penalty was £600,000 against a statutory maximum of £1,000,000. A reduction of 35% was applied to reflect voluntary disclosure and ADI’s agreement to settle under the transitional arrangements, producing a final penalty of £390,000. The position has since changed. Under OFSI’s updated February 2026 enforcement guidance, voluntary disclosure is capped at 30% and a separate 20% discount applies for settlement.

Settlement itself is a new mechanism, and this is the first time OFSI has used it. Settlement requires the subject to pay the penalty as imposed and to waive rights of review and appeal to the Upper Tribunal. In return, the subject may contribute to the published case summary and will receive the settlement discount if agreement is reached within 30 business days. Firms facing investigation should consider whether to engage early to obtain the 20% discount.

Conclusion

Firms are under continued obligation to comply with sanctions. Where any part of the conduct engages the UK’s jurisdiction, including the payment mechanics, UK sanctions come into operation. Parties should note the following:

  1. Ongoing awareness of, and compliance with, UK sanctions regimes remains necessary. The strict liability regime means that lack of knowledge of the breach, or of intent to cause it, is not an excuse.
  2. Any act taking place within the UK requires compliance with UK sanctions, including the use of UK banks. Any business routing payments through UK financial infrastructure should treat UK sanctions obligations as directly applicable to it.
  3. Firms have a continuing obligation to assess ownership and control, especially where ownership structures are complex, opaque, or subject to change.
  4. Third-party providers are helpful, but they do not displace responsibility away from the party using them. The firm using the provider is still responsible for a sanctions breach if the data is incomplete or delayed. Merely adopting third-party vendors will not reduce a firm’s liability.
  5. Where a potential breach is identified, voluntary disclosure remains one of the most effective tools available to obtain a reduced penalty, and OFSI expects disclosure promptly after discovery. Firms should also be aware of the settlement framework now that its practical application has been demonstrated. Given that the discount narrows if settlement is not reached within 30 business days, there is a real incentive to engage early.

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.
