When Your Own Payroll Becomes a Sanctions Risk: Learning from OFSI’s Penalty on Colorcon

The Office of Financial Sanctions Implementation (OFSI) has issued a £152,750 penalty against Colorcon Limited, a UK-registered pharmaceutical coatings company, for breaches of the Russia (Sanctions) (EU Exit) Regulations 2019.

At first glance, the facts seem almost administrative: payroll and supplier payments made by a Russian representative office. But this decision, and OFSI’s reasoning, send a clear signal to UK firms that even seemingly routine payments can trigger a breach when sanctions are in play.

This is a case that every UK business with Russian exposure should study closely.

The Background

Between March and December 2022, Colorcon made 123 payments totalling around £191,000 to employees, contractors, and service providers in Russia. Many of these payments went through Alfa Bank, Promsvyazbank, Sberbank, and VTB Bank, all of which were designated under UK sanctions.

Although Colorcon was in the process of winding down its Russian operations, OFSI concluded that the company had “made funds available to, and for the benefit of” designated entities by using their banking services.

The fact that the payments were for legitimate business purposes (salaries, rent, insurance premiums) didn't matter. Nor did the fact that the underlying recipients were not sanctioned individuals.

Because the transactions were processed via sanctioned banks, the breach threshold was met.

The Regulatory Framework

Under UK sanctions law, any UK person, including UK-incorporated entities and their overseas branches, is prohibited from directly or indirectly making funds available to a designated person or entity.

Colorcon’s London head office therefore fell squarely within scope. OFSI was clear that UK sanctions obligations extend globally to all activities of UK entities, even when conducted through local offices abroad.

Some of Colorcon’s payments fell under General Licence INT/2022/2055384, which allowed firms to wind down business in Russia for a limited period. However, most of the payments were made after the licence expired or outside its terms.

The company also failed to submit required reports under that licence, itself an aggravating factor in OFSI’s decision.

The Key Findings

OFSI categorised the case as “serious” warranting a substantial penalty. Among the main points highlighted:

• Policy gaps: Colorcon’s sanctions policy had not been materially updated since 2018.

• No screening at the payment level: There was no process to identify whether recipient banks were designated.

• False assurance: The company assumed Russian banks would apply UK sanctions controls, an assumption OFSI found unreasonable.

• Delayed disclosure: Colorcon waited around four months after becoming aware of potential breaches before reporting to OFSI, reducing its voluntary-disclosure discount from 50% to 35%.

• Persistent activity: Breaches occurred across nine months, rather than as an isolated event.

After considering both aggravating and mitigating factors (including cooperation, the legitimate nature of the payments, and Colorcon’s ultimate decision to exit Russia) OFSI applied the discount and finalised the penalty at £152,750 (from an initial £235,000).

Why It Matters

This enforcement is not about deliberate evasion. It is about systemic oversight failure, and OFSI is signalling that “inadvertent” or “technical” breaches still attract meaningful penalties.

Many UK groups maintain representative offices or subsidiaries in Russia and other high-risk jurisdictions. For them, the Colorcon case underlines that compliance responsibility cannot be delegated or geographically compartmentalised.

The financial and reputational consequences of getting it wrong can far outweigh the perceived operational ease of “just continuing as usual”.

Practical Lessons for Firms

Coventium’s analysis of the case highlights ten key takeaways that firms should reflect on immediately:

1. Sanctions obligations travel with you

   A UK company’s overseas operations are not exempt. Activities anywhere in the world are covered by UK sanctions law.

2. Routine payments are still “funds made available”

   Payroll, rent, or insurance payments routed through a designated bank count as breaches, regardless of the purpose.

3. Don’t assume local banks are screening for you

   Russian and other sanctioned-region banks may not align with UK requirements. Verification is your responsibility.

4. General Licences are limited and conditional

   Firms must monitor expiry dates, ensure reporting obligations are met, and keep evidence of compliance.

5. Screen everything

   Screening should cover counterparties, intermediaries, and especially the banks through which payments are routed.

6. Keep sanctions policies current

   A policy last reviewed before 2022 is a red flag. Firms should review and update at least annually, or when new regimes emerge.

7. Document all decisions

   Internal audit trails showing checks, advice sought, and rationale for actions are crucial for mitigation if issues arise.

8. Report quickly and fully

   Voluntary disclosure is only valuable if made promptly. Four months was deemed too long in Colorcon’s case.

9. Treat wind-downs as high-risk projects

   Exiting Russia, or any sanctioned region, creates complex payment flows. Firms should project-plan and legally vet every step.

10. Training and governance matter

    All relevant staff, not just the MLRO, must understand how sanctions apply to operational processes like payroll, HR, and procurement.

Broader Implications

The Colorcon penalty is part of a clear trend: OFSI is becoming more assertive, and its expectations are maturing. The tone of the notice shows a regulator now less forgiving of “honest mistakes” when systems and controls were plainly insufficient.

In a tightening sanctions environment, particularly with Russia, Iran, Belarus, and emerging proliferation financing risks, UK firms must recognise that sanctions compliance is not simply a matter for the compliance team. It is a board-level responsibility, requiring ongoing oversight of overseas operations, local staff, and payment mechanics.

Final Thoughts

Colorcon’s experience illustrates how sanctions exposure can arise in the most routine aspects of business. It serves as a cautionary tale for any UK company still navigating the practicalities of maintaining, winding down, or disentangling itself from Russia.

The message from OFSI is unmistakable: sanctions compliance is non-negotiable. A lack of intent is no defence where systems and oversight fall short.

References:

OFSI penalty notice: https://assets.publishing.service.gov.uk/media/68db9df2ef1c2f72bc1e4bf0/Colorcon_Penalty_Notice.pdf

The Russia (Sanctions) (EU Exit) Regulations 2019: https://www.legislation.gov.uk/uksi/2019/855/contents

Russia Sanctions Guidance (updated September 2025): https://www.gov.uk/government/publications/russia-sanctions-guidance/russia-sanctions-guidance