When is a breach not a breach? Applying the SRA Sanctions guidance after Dentons

In February 2026 the Solicitors Regulation Authority published updated guidance on complying with the UK sanctions regime.  This was followed in April 2026 by the Office of Financial Sanctions Implementation’s (OFSI) publication of its Strategy 2026–29. While neither document alters the underlying legal framework, both are significant in shaping how that framework is expected to operate in practice: the SRA guidance articulates the standards and systems firms are expected to have in place to ensure compliance, while the OFSI strategy signals a move towards more proactive, intelligence-led and coordinated enforcement across regulators and law enforcement bodies.

It is timely then that the Court of Appeal has handed down its decision in Dentons UK and Middle East LLP v SRA Ltd [2026] EWCA Civ 508, reaffirming an important counterweight in the regulatory balance: not every breach of a compliance obligation will amount to regulatory misconduct. Disciplinary liability remains contingent on an assessment of the seriousness and context of the alleged breach.

The result is a growing tension between increasingly exacting regulatory expectations and the enduring requirement of proportionality in disciplinary proceedings.

The SRA guidance: what it gets right (and where it falls short)

The SRA’s lengthy new guidance is explicit in its purpose of explaining obligations and setting out expectations for compliance. Helpfully, it identifies a series of core measures which firms should implement as the foundation of an effective compliance framework, providing a practical, if somewhat onerous, starting point for firms to ensure they meet their obligations.

Despite recognising the challenges presented by an increasingly complex sanctions landscape in the UK, the SRA makes clear that failure to follow its guidance may be considered an aggravating factor in any enforcement action for breaches of the sanctions regime.   In an era where OFSI intends to work more closely with regulators to ensure complementary enforcement action, this significantly elevates the practical importance of the Guidance by effectively positioning it as a benchmark against which firms’ conduct will be judged.

Much of the content of the Guidance will be familiar to practitioners. Sanctions breaches are criminal offences. The regime applies broadly, including beyond traditional AML-regulated work. Firms are expected to undertake appropriate due diligence and maintain effective controls.

There are, however, areas where the new Guidance adds much needed practical clarity and offers examples of best practice. In particular, it draws a useful distinction between the sanctions regime and the AML regime, emphasising that sanctions obligations apply to all firms, regardless of AML scope; and operate on a stricter footing, with due diligence mitigating risk but not constituting a defence.

The Guidance also reflects recent supervisory experience, with detailed discussion of best practices including:

• Creation of central inboxes for sanctions-based queries within the firm to serve as a single point of contact as well as a repository of answered questions for the future.
• The formation of sanctions committees with experts in sanctions and compliance aimed at ensuring better control over payments, licence compliance, applications and reporting.
• Keeping the finance team informed and engaged.
• Monitoring changes to general licence conditions and ensuring adherence with updated reporting deadlines. 

However, the real significance of the Guidance lies not in what it says, but in how it says it. The tone is notably cautionary – at times almost dissuasive - with repeated emphasis on the complexity and risk inherent in sanctions-related work.  The underlying signal is unmistakable: firms may choose to operate in this space, but they will be held to a very high standard if they do so.  For law firms, the practical implication is clear. Compliance failures are not only likely to be treated seriously, but – given the ambition of an increasingly coordinated enforcement landscape – also more likely to be identified.

This negative slant gives rise to a more fundamental difficulty. The guidance repeatedly stresses that breaches of sanctions may occur irrespective of intent, and that due diligence is not a defence. At the same time, it places considerable weight on the adequacy of firms’ systems and controls. The effect is to blur the distinction between legal liability, which may arise on a strict basis, and regulatory culpability, which has traditionally depended on an assessment of seriousness of a breach. The implicit suggestion is that an inadvertent breach, coupled with deficiencies in compliance processes, may itself justify significant regulatory scrutiny.

There are also internal tensions within the document. The Guidance expects firms to undertake extensive due diligence, including identifying ownership and control structures and monitoring changes over time. At the same time, the SRA acknowledges the practical difficulty of doing so in complex, multi-jurisdictional contexts. In effect, it sets a high bar for compliance while recognising that achieving it may not always be straightforward.

The SRA’s discussion of “sanctions risk factors”, particularly in relation to jurisdictions, is a good illustration of both the strengths and the limits of the Guidance. On one level, the identification of these factors is helpful. It provides a non-exhaustive list of indicators which may elevate risk, including links to jurisdictions with existing sanctions regimes, concentrations of designated persons, and/or exposure to jurisdictions subject to sanctions by allied regimes such as the EU or US. 

This section raises a more difficult question, however: what is the guidance actually advising firms to do with this information?

Taken at face value, several of the listed factors—particularly those relating to jurisdictions with indirect exposure or the possibility of future designation—are extremely broad. For example, the suggestion that firms should treat jurisdictions sanctioned by non-UK regimes as higher risk, on the basis that the UK may in future align its position, introduces a form of forward-looking regulatory risk which is inherently uncertain. Similarly, the emphasis on jurisdictions with “financial links” to sanctioned states risks extending the concept of exposure well beyond clearly defined legal boundaries.

The practical implication is far from clear. The Guidance does not expressly advise firms to avoid acting in such circumstances. Nor could it, without straying into questions of access to legal services. Yet the aggregate effect of the examples, read in the context of the broader tone of the Guidance, is to suggest a much more cautious position: that firms engaging with such jurisdictions do so at materially heightened risk.

This gives rise to a degree of ambiguity. Is the SRA’s message that firms should refrain from acting in higher-risk jurisdictions altogether? Or, if they choose to proceed, they should do so only with enhanced due diligence and monitoring? Or is it simply recognising that the general complexity of the risk landscape in sanctions-related work will carry little weight in a case of regulatory scrutiny? 

The guidance does not neatly resolve that question. Instead, it appears to operate as a form of ex ante risk transfer. By setting out an expansive list of potential risk indicators—some grounded in current legal exposure, others in possible future developments—it places firms and practitioners on notice of the breadth of the risks they are expected to manage in respect of sanctions. The implicit position is that, having been warned, practitioners bear the responsibility for navigating those risks appropriately

This approach is consistent with the wider tone of the Guidance. It does not prohibit participation in higher-risk work, but it makes clear that doing so requires a high degree of vigilance, and that failure to anticipate or manage evolving risk will be viewed critically. In that sense, the section functions less as prescriptive guidance and more as a statement of regulatory expectation: not “do not act”, but “act only if you are confident you can justify having done so.”

Related to this is a lack of clarity as to thresholds. The Guidance reinforces expectations of self-reporting and early escalation but offers limited assistance on the critical question of when a breach becomes sufficiently serious to warrant regulatory action or notification. Historically, there has been a meaningful distinction between technical or inadvertent breaches and those giving rise to disciplinary consequences. The Guidance appears to narrow that space but does not clearly define its limits. 

The counterweight: seriousness in Dentons

Against this increasingly exacting backdrop, the Court of Appeal’s recent decision in Dentons is of particular importance and provides some welcome reassurance that the seriousness of any breach remains a relevant consideration.

The Court rejected the proposition that a breach of the Money Laundering Regulations automatically constitutes a breach of Principle 7 of the SRA Code of Conduct. Instead, it held that the Solicitors Disciplinary Tribunal must consider the seriousness of the conduct and the surrounding circumstances before finding a regulatory breach.

This is a significant reaffirmation of principle. It confirms that:

• legal breaches and regulatory breaches are not co-extensive;
• disciplinary liability requires an evaluative judgment;
• seriousness and culpability remain central.

In doing so, the Court aligned with established authority emphasising that professional discipline is concerned with serious and reprehensible conduct, not mere technical non-compliance.

A key question for practitioners acting under the new SRA sanctions guidance is whether there remains a meaningful distinction between an inadvertent breach of sanctions; and reportable or sanctionable regulatory misconduct. The SRA Guidance appears to narrow that gap quite considerably. Its emphasis on robust systems and proactive compliance suggests that failures in process may themselves be treated as serious.

However, the decision in Dentons makes it clear that the gap has not disappeared entirely. A breach will only engage the Principles where it is sufficiently serious in context.

The difficulty for practitioners lies in the zone of uncertainty between the regulatory expectations raising the standard of acceptable conduct including in respect of processes and judicial authority preserving a threshold for disciplinary liability. 

Conclusions and practical implications for practitioners

Three practical implications have been identified as a result of the SRA’s updated Guidance. 

First, systems and documentation are critical. Regulatory scrutiny will focus not only on outcomes but on whether the firm can demonstrate a coherent, risk-based approach to compliance.

Secondly, inadvertence is not a safe harbour. Even unintentional breaches may attract serious consequences where a firm’s systems are deemed inadequate or out of step with the SRA Guidance.

Thirdly, liability is not automatic—but risk is heightened. While the Court of Appeal in Dentons preserves an important safeguard of seriousness of any breach, firms cannot assume that it will protect them from scrutiny or enforcement action.

The SRA’s sanctions guidance and OFSI’s new strategy signal a step change in regulatory posture: more exacting expectations, more proactive enforcement, and greater scrutiny of firms operating in this space.

At the same time, the Court of Appeal in Dentons confirms that the foundations of professional discipline remain intact. Not every breach amounts to misconduct.

For practitioners, the challenge lies in navigating the space between the two. Expectations are rising, enforcement is becoming more proactive, and scrutiny is only likely to intensify.