- within Consumer Protection, Litigation and Mediation & Arbitration topic(s)
Last month Bracewell highlighted the latest sets of Russia-related sanctions imposed by the United Kingdom, European Union and United States, explaining the potential far-reaching implications of what are the strongest measures against Moscow to date (the October 2025 Sanctions). As discussed, those sanctions packages included various licenses meant to help companies adjust to the prohibitions, such as allowing wind down activities for certain transactions. Now that key deadlines are approaching, organizations must ensure they have adapted to the new sanctions landscape. Having in place an effective and up-to-date sanctions compliance program (SCP) both enables compliance now and mitigates the risk of breaches of these ever-evolving sanctions regimes.
Below we set out the key license deadlines for the October 2025 Sanctions and discuss key elements to consider in evaluating your organization's SCP.
License Authorizations and Expirations
Licenses can provide a variety of relief pathways, but it is critical to understand that they are not blanket permission slips or "grandfather" clauses. They are typically time-limited and apply to specific parties or transactions. Entities must review carefully and consult with legal representatives to determine the applicability of any licenses.
The following chart lists dates upon which licenses relevant to the October 2025 Sanctions expire — that is, the date on which the conduct authorized in derogation of the sanctions is no longer permitted — and when prohibitions otherwise become effective
| Date | Authority | Action |
| Nov. 21, 2025 | US |
Deadline to wind down transactions concerning Rosneft, Lukoil and their subsidiaries. GL 126 Deadline to divest or transfer debt or equity issued or guaranteed by Rosneft, Lukoil or its subsidiaries to a non-US person. GL 127 Deadline to wind down period certain transactions relating to Lukoil retail services outside of Russia. GL 128 |
| Nov. 28, 2025 | UK | Deadline to wind down transactions concerning Rosneft, Lukoil and their subsidiaries. GL INT/2025/7539056 |
| Dec 13, 2025 | US | Deadline to negotiate and enter contingent contracts with Lukoil or any of its affiliates for the sale, disposition, or transfer of Lukoil International GmbH (LIG) or any entity in which LIG owns, directly or indirectly or in the aggregate, a 50 percent or greater interest (collectively, LIG Entities). GL 131 |
| Apr. 25, 2026 | EU | Effective date of EU ban on short-term liquefied natural gas and liquefied petroleum gas contracts. CR (EU) 2025/2033 |
| Apr. 29, 2026 | US | Cessation of transactions with Rosneft German subsidiaries. GL 129 |
| Jan. 1, 2027 | EU | Effective date of EU ban on long-term liquefied natural gas and liquefied petroleum gas contracts. CR (EU) 2025/2033 |
| Oct. 22, 2027 | UK | Cessation of business operations with Rosneft German subsidiaries. GL INT/2025/7598960 |
Key Components of SCPs
SCPs should be risk-based and organization specific, not one-size-fits-all. Nevertheless, certain key components are considered essential by both UK1 and US2 regulators.3
Senior Management Commitment and Tone From the Top
Promoting and fostering a culture of compliance is typically most effective when that tone is set from the top. Individuals who make decisions about how a substantial part of the activities of the organization are managed or organized, such as members of senior leadership, executives and/or the board of directors, should promote a culture of compliance throughout the organization, including by demonstrating the value of compliance to the organization and awareness of the seriousness of breaches. To foster a culture of compliance, senior management should, at a minimum:
- clearly articulate the expectation of compliance;
- create and promote reporting lines;
- actively review and approve the organization's compliance program;
- ensure the organization's compliance function is well equipped to perform its role (i.e., through adequate resourcing) and that the compliance function has sufficient authority and autonomy to implement and enforce its policies and procedures.
Regulators are also increasingly evaluating the degree to which organizations' compensation schemes are designed to foster a compliance culture. For example, among other approaches, an organization can offer promotions or bonuses for improving compliance, or recoup previously awarded compensation if the recipient is found to have been responsible for wrongdoing.
Risk Assessment and Due Diligence
A risk assessment forms the foundation of an SCP by helping the organization identify key risks and dedicate resources accordingly. Risk assessments should be carried out on a regular basis and cover the full range of business activities.4
More specifically, risk assessments inform the nature, level, and extent of due diligence required for various parts of the organization. Common areas of risk to consider in regard to sanctions include country, sectoral and transactional. Organizations should also be mindful that certain sectors, e.g., the freight and shipping sector, may have specific guidance on the level and extent of due diligence expected by counterparties or regulators that should inform the organization's level and extent of its own approach. For example, enhanced due diligence screening is appropriate for transactions where goods are identified as at higher risk of circumvention of sanctions and export controls. Government regulators frequently publish lists and advisories identifying high-risk areas to which organizations should be attuned and responsive.
While the particular due diligence measures employed should depend on the risk assessment, this process typically involves, as to counterparties:
- sanctions list screens;
- open-source research;
- review of relevant documents;
- KYC questionnaire; and
- some degree of interface with management.
Where practicable and proportionate to the level of risk identified, screening should go beyond direct counterparties such as customers, service providers and goods suppliers and extend to related parties such as beneficial owners, company directors, transaction counterparties and other similarly material parties. Due diligence may also need to be monitored and refreshed, depending on the nature of the relationship, through data gathering, audits and periodic compliance certifications.
Internal Controls and Reporting
Robust internal controls contribute to the success of the SCP by establishing that the organization's policies or procedures will be enforced consistently and proportionally.
Clear reporting mechanisms throughout the organization, coupled with whistleblower protection policies, are key components of a strong SCP. Organizations should also have a plan to consider reporting to regulators in the event of an actual or potential sanctions breach, given the potential of leniency (more so in the United States rather than the United Kingdom) for early and complete voluntary self-disclosures (VSDs), which we have previously discussed. It is worth noting that, in October 2024, OFAC and OFSI signed a memorandum of understanding for information sharing. Accordingly, entities that discover conduct that potentially violates both regimes may wish to consider reporting to both agencies simultaneously, rather than running the risk that the information in a VSD to one becomes evidence for prosecution by the other. Similarly, in the European Union, Article 16 of Directive 2024/1226 sets out the requirement for Member States to facilitate cross-board cooperation and mutual legal assistance in criminal matters where sanctions violations are across multiple EU jurisdictions.
Testing and Auditing
Organizations must regularly test sanctions controls and procedures, both regarding daily operations and on less frequent transactions, to evaluate whether the controls and procedures function as intended and are evolving in response to changing risk factors and government expectations. Any identified gaps should be swiftly addressed. Such monitoring is especially necessary in response to the dynamic and fast-paced nature of global sanctions regimes.
This may take the form of internal and/or external audits. The scope of an internal audit is dependent on the needs and objectives of a business and external audits (carried out by an independent party) are often utilized in establishing stakeholder confidence. Increasingly, organizations are relying on data-led — and even AI — approaches, especially for internal audits. While this can be an effective and efficient method, organizations should weigh the benefits against the risks of such programs.
Training
Employees must understand the importance of compliance, and be sufficiently informed of the steps for which they are responsible and the measures to take upon identifying a potential breach. Training may need to be tailored for certain parts of an organization (therefore delivered on a risk-basis), and all relevant employees should be trained on a periodic basis. The training sessions themselves should extend beyond the law to include real-life scenarios and case studies to provide personnel with practically useful information and tools. Records should also be kept of all training delivered and regularly audited so that gaps can be appropriately filled.
Conclusion
The best way for companies to keep compliant with and abreast of these dynamic global sanctions regimes is having a robust and tailored SCP. The existence of such programs is also a mitigating factor should a violation ever come to light, potentially reducing the classification of the breach and any associated monetary penalty.
Footnotes
1. See OFSI's UK financial sanctions general guidance; UK's Joint Money Laundering Steering Group guidance; The Wolfsberg Guidance on Sanctions Screening.
2. See OFAC's Framework for Compliance Commitments.
3. While EU law does not proscribe parameters of an SCP, the standards applicable across the UK and US are a suitable benchmark in ensuring compliance with EU sanctions laws and regulations.
4. OFAC has a helpful risk matrix that can be used to evaluate compliance programs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
