
OFSI Imposes £390,000 Penalty on Apple Subsidiary for Russian Sanctions Breaches: Key Compliance Takeaways

What You Need to Know

  • Key takeaway #1

    The UK’s Office of Financial Sanctions Implementation (OFSI) has imposed a £390,000 penalty on Apple Distribution International Limited (ADI), an Irish subsidiary of Apple Inc., in relation to two payments made in 2022 to Okko LLC, a sanctioned Russian app developer.

  • Key takeaway #2

    For the first time, OFSI asserted jurisdiction over a non-UK-based entity (ADI) based on its use of a UK-based bank account that it controlled. This represents a marked expansion of OFSI’s asserted jurisdiction, which in many ways parallels the U.S.’s long-standing jurisdictional assertion over non-U.S. persons who “cause” U.S. persons to violate sanctions and underscores the need for even non-UK entities to manage their UK sanctions risk when conducting transactions involving UK counterparts, including banks.

  • Key takeaway #3

    OFSI also set out its expectations on sanctions screening with considerable clarity, underscoring that sole reliance on vendor databases and counterparty self-certification is unlikely to be adequate in higher-risk situations, such as when transacting with Russian counterparties post-February 2022.

  • Key takeaway #4

    This was the first OFSI case resolved by means of settlement: a new scheme allowing subjects of enforcement action to resolve monetary penalty cases through a time-limited negotiated settlement. Under the scheme, companies must waive their rights to a ministerial review and to an appeal of the decision, but settling the case allows for a penalty discount of 20% and gives the subject the opportunity to input into the penalty notice. 

Client Alert | 5 min read | 04.14.26

The UK’s Office of Financial Sanctions Implementation (OFSI) has published details of a £390,000 penalty it imposed on ADI, an Irish subsidiary of Apple Inc., on 19 March 2026. The penalty relates to two payments totalling approximately £635,000 made in 2022 to Okko LLC, a sanctioned Russian app developer, for App Store revenue. Although the underlying facts are relatively simple, there are several interesting takeaways from OFSI’s penalty notice.

BACKGROUND

Okko LLC was previously owned by Sberbank, Russia's largest bank, which the UK sanctioned in February 2022. In May 2022, Sberbank sold Okko LLC to JSC New Opportunities. Due to concerns around its ties to Sberbank, the UK sanctioned New Opportunities on 29 June 2022. The enforcement action relates to two payments:

  1. Payment A: ADI instructed a payment on 6 June 2022, which was not processed until the day New Opportunities was designated. OFSI assessed that there was a narrow window in which the payment could potentially have been cancelled before completion.
  2. Payment B: A second payment was instructed on 30 June 2022, and the funds were released approximately a month after Payment A. OFSI indicates that this later payment was a significant factor in deciding to take enforcement action. 

OFSI assessed that ADI’s conduct — in particular, the failure to cancel (an omission) payments to Okko — amounted to conduct in the UK by ADI that was in breach of reg. 12 of the Russia (Sanctions) (EU Exit) Regulations 2019 (Russia Regulations). This provision prohibits making funds available to a person owned or controlled by a designated person.

OFSI took into account that ADI made an earlier payment to Okko (whilst under Sberbank ownership) and another Sberbank subsidiary. However, these were not treated as breaches of the Russia Regulations as they occurred prior to the introduction of the strict liability regime for UK financial sanctions breaches.

ADI voluntarily disclosed the payments to OFSI in October 2022. OFSI took this into account when applying the 35% discount to the original baseline penalty of £600,000 to reach the final penalty figure of £390,000. Following the penalty, ADI enhanced its compliance, including improved ownership checks for Russian developers.

KEY TAKEAWAYS

Non-UK Entities Not Exempt From OFSI’s Jurisdictional Reach

One of the most significant aspects of this case is OFSI's assertion of jurisdiction over a non-UK, Irish-incorporated entity. The use of a UK bank account to make payments was a sufficient UK nexus for OFSI to bring enforcement action against not just the UK bank, but also the instructing non-UK entity. This approach appears functionally similar to causation principles under U.S. sanctions (whereby the Office of Foreign Assets Control (OFAC) can bring enforcement against non-U.S. persons for causing a U.S. person to breach sanctions). OFSI has previously indicated that it has jurisdiction over clearing services in the UK, but that was understood to be jurisdiction over the UK-based bank. It remains to be seen whether OFSI might assert jurisdiction over non-UK remitters or beneficiaries when the sole UK nexus is utilising UK clearing services.

  • Practical Considerations: Any entity — regardless of its place of incorporation — that uses UK banking infrastructure or instructs UK-based payments may become subject to UK financial sanctions. Companies should ensure that, if using such channels, they are monitoring for UK sanctions risks (including indirect ownership and control by UK-sanctioned persons).  

OFSI’s Diligence Expectations

At the time of the breach payments, ADI's processes for assessing sanctioned-party ownership risks focused primarily on (1) a self-certification model and (2) ownership due diligence provided by third-party due diligence vendors. Although OFSI recognised that the use of such vendors is of value and good compliance practice, there are still inherent risks with such an approach, especially where ownership may change frequently or where input data to be screened is incomplete or out of date.

Here, the third-party vendor did not identify the change in ownership in time. Further, at the time the payments were made, multiple open‑source media articles were available that clearly indicated the transfer of Sberbank’s digital assets to New Opportunities. OFSI indicated that ADI’s approach was insufficient, especially given heightened Russian sanctions risks, and ADI should have “affirmatively request[ed] ownership information” from Russian app developers, such as Okko.

  • Practical Considerations: Passive reliance on vendor databases and counterparty self-certification is unlikely to be adequate in higher-risk situations, such as when transacting with Russian counterparties post-February 2022. Companies should implement affirmative, periodic ownership information requests from higher-risk counterparties and maintain a programme of open-source media monitoring as a supplementary check.

Liability Sits With Corporate Entity Responsible for Payment

A further important takeaway concerns group structures. ADI relied on its corporate affiliates to implement relevant payment processes and sanctions screening and due diligence measures. OFSI determined that ADI, as the legal entity that instructed the payments in breach of the Russia Regulations, bore legal responsibility. Whilst OFSI recognised that entities may delegate compliance functions to third parties, including corporate affiliates within a larger group structure, both mitigating and aggravating conduct demonstrated by those relevant compliance functions will be assessed as the conduct of the breacher, a conclusion consistent with longstanding anti-money laundering reliance principles for regulated institutions.

  • Practical Considerations: Groups that outsource compliance functions to affiliates or shared service centres cannot use delegation as a shield; the breaching legal entity will ultimately own the compliance risk.

Timing Matters, But Does Not Eliminate Risk Entirely

The payment breaches occurred after the strict liability amendments to the Policing and Crime Act 2017 came into effect on 15 June 2022. Under the strict liability regime, knowledge or intent is not required to establish a breach. Although Payment A was processed on the day that New Opportunities was designated, OFSI concluded it was a breach by virtue of the strict liability regime, noting that there was a narrow window in which the payment could potentially have been cancelled before completion. In deciding to take enforcement action in relation to Payment A, OFSI considered it significant that a further breach payment — Payment B — involving the same party occurred approximately a month later.

OFSI treated the timing of Payment A as a mitigating factor, noting that it does not necessarily expect payments completed very close to the time of designation to be stopped by automated screening systems. However, Payment A was nonetheless included as part of the penalty case because of the further breach, Payment B, occurring approximately a month later.

  • Practical Considerations: Post-designation, firms have an extremely narrow window to cancel payment instructions. The existence of a subsequent, uncorrected breach to the same counterparty transformed what might otherwise have been treated more leniently into a penalty case. Companies should have real-time designation alert systems capable of triggering payment suspension workflows immediately upon a new designation.

First Use of Settlement Process

This was the first OFSI case resolved by means of settlement. This is a new enforcement scheme introduced in February 2026, under which OFSI and the subject of an enforcement action can agree to resolve a monetary penalty case following a time-bound negotiation. As a condition of settlement, the subject must agree (1) to pay the penalty as imposed; and (2) to waive their rights to a ministerial review and to appeal OFSI’s decision. In return, the subject can – as part of the negotiations – input into the summary of the case that will be published and will be entitled to a 20% discount to the baseline monetary penalty (in addition to any other available discount) if they sign a settlement agreement within 30 business days of settlement discussions commencing.

  • Practical Considerations: OFSI’s new settlement scheme creates an incentive to engage constructively with OFSI early in the enforcement process. Firms facing an investigation should consider whether settlement discussions — and the associated penalty reductions — are appropriate, bearing in mind the trade-off of waiving appeal rights.

If you have any questions about this alert, or UK sanctions issues more broadly, please contact the authors.
