Introduction
Since February 2022, the EU, US and UK have imposed unprecedented sanctions on the Russian financial sector, as well as on a number of banks in Belarus and third countries. As of today, twenty EU sanctions packages, multiple US Executive Orders and the UK’s OFSI regime form a comprehensive system of restrictions covering dozens of banks and the payment infrastructure behind them.
This document examines specific risks for companies in the EU, US and UK that work with service providers handling contractor payments. Two operating models are common in this market:
• Contractor of Record (COR), also known as Agent of Record (AOR): a service provider that contracts with the contractor under its own name and acts as the legal counterparty between the client and the contractor. The COR is not the contractor’s employer, but it assumes responsibility for correct worker classification (contractor vs. employee), sanctions screening, tax documentation and payment processing.
• Contractor Management, also known as a Payroll provider, Contractor Payroll Software, Contractor Payment Platform or Contractor Management System: a service provider that supplies the client with the technical and payment infrastructure for engaging contractors, without entering into any contractual relationship with the contractors.
If a service provider in either of these models routes funds to sanctioned banks or relies on prohibited payment infrastructure, the risk transfers to the client as well, regardless of who is formally the contractor’s counterparty.
This risk extends beyond the client’s own current payments. It covers historical payouts made before the provider changed its policy, as well as situations where the provider continues to handle sanctioned routes for other clients.
Key point: it is not only the service provider that bears liability, but also its clients.
Timeline of sanctions against Russian and Belarusian banks
An important point to keep in mind: sanctions on the major Russian banks have been in force since March 2022, not since the 19th package. Each new package widens the scope, but the underlying prohibitions have already been in place for four years.
2022: the first wave
On 12 March 2022, the EU sanctioned the first seven Russian banks: VTB Bank, Bank Otkritie, Novikombank, Promsvyazbank, Bank Rossiya, Sovcombank and VEB. Alfa-Bank effectively fell within the scope of restrictions at that point as well, since sanctions had been imposed on its principal shareholders. At the same time, the US imposed full blocking sanctions (SDN) on VTB, VEB and Sberbank. The UK’s OFSI sanctioned Alfa-Bank, Gazprombank, Sberbank and others. The result was a clear prohibition on settlements with these banks.
In March and June, four Belarusian banks were sanctioned: Belagroprombank, Bank Dabrabyt, Development Bank of the Republic of Belarus and Belinvestbank.
On 14 June, three further banks fell under EU sanctions: Sberbank, Credit Bank of Moscow and Rosselkhozbank.
The US also broadened its secondary sanctions to cover foreign financial institutions.
What this means in practice: any payment to VTB, Sberbank, VEB, Otkritie, Sovcombank, Promsvyazbank, Bank Rossiya and others has been a sanctions violation since March 2022, not since October 2025 (the 19th package).
2025: a wide expansion
Over the course of 2025, the largest number of Russian banks to date came under sanctions. The EU’s 16th package brought 13 banks under restrictions from 17 March 2025, including AkBars Bank, Uralsib, Tochka Bank and others.
On 9 August, another 22 banks were added to the list, including T-Bank, Bank Saint Petersburg, Bank Zenit, Dom.RF Bank, LOKO-Bank and others. Notably, T-Bank had already been under EU blocking sanctions by that point.
The 19th package added five further Russian banks under a full transaction ban (Alfa-Bank, MTS Bank, Absolut Bank, Zemsky Bank, Istina) and eight banks from third countries (Tajikistan, Kyrgyzstan, the UAE, Hong Kong). In addition to the banks, the National Card Payment System (NSPK) came under sanctions, prohibiting all card-based transfers from 25 January 2026.
2026: the 20th package
The EU’s 20th package added a further 20 Russian banks to the list of sectoral sanctions (which prohibit any transactions), along with one bank in Azerbaijan, one in Laos and two in Kyrgyzstan.
In summary: as of May 2026, 70 Russian banks, four Belarusian banks and nine banks in third countries are subject to sectoral sanctions. The entire Russian card infrastructure (NSPK / Mir / SBP) is prohibited.
Legal basis
Under Article 5h of Council Regulation (EU) No 833/2014, EU persons are prohibited from engaging, directly or indirectly, in any transaction with entities listed in Annex XIV, or with any entity owned or controlled by such persons (a holding of more than 50%). All of the banks listed above fall within that scope.
Source: Council Regulation (EU) No 833/2014, Article 5h
“It shall be prohibited to engage, directly or indirectly, in any transaction with legal persons, entities or bodies listed in Annex XIV or with any legal person, entity or body established in Russia whose proprietary rights are directly or indirectly owned for more than 50% by an entity listed in Annex XIV.”
Under Article 2 of Council Regulation (EU) No 269/2014, any operation by an EU resident that gives a sanctioned bank access to funds, or runs through such a bank’s accounts, may be treated as a sanctions violation or circumvention. Even where the funds are not intended for the bank itself but pass through it or are paid for the benefit of one of its clients, this creates the risk that the EU person is “making funds available” to a sanctioned entity.
Source: Council Regulation (EU) No 269/2014, Article 2
“All funds and economic resources belonging to, owned, held or controlled by any natural or legal persons, entities or bodies, or natural or legal persons, entities or bodies associated with them, as listed in Annex I, shall be frozen. No funds or economic resources shall be made available, directly or indirectly, to or for the benefit of natural or legal persons, entities or bodies, or natural or legal persons, entities or bodies associated with them, as listed in Annex I.”
EU persons (whether legal entities or natural persons, including directors and beneficial owners of those entities) must act in good faith and take every reasonable step to avoid breaching the sanctions regime. They must also oversee the activities of their subsidiaries and affiliated structures, including those outside the EU, to ensure compliance with equivalent restrictive measures.
Source: Council Regulation (EU) No 833/2014, Article 12
“It shall be prohibited to participate, knowingly and intentionally, in activities the object or effect of which is to circumvent prohibitions in this Regulation, including by participating in such activities without deliberately seeking that object or effect but being aware that the participation may have that object or effect and accepting that possibility.”
Source: Council Regulation (EU) No 833/2014, Article 8a
“Natural and legal persons, entities and bodies shall undertake their best efforts to ensure that any legal person, entity or body established outside the Union that they own or control does not participate in activities that undermine the restrictive measures provided for in this Regulation.”
In summary: even where an EU person processes payments to sanctioned banks, or builds the infrastructure enabling such payments, not directly but through an affiliated entity outside the EU, that conduct must be treated as sanctions circumvention. The EU person facilitates the transaction and thereby participates, indirectly, in an operation with a sanctioned entity. Regulators view affiliated structures as a single economic unit, and the separation of jurisdictions does not remove liability.
What this means for clients of contractor payment providers
When a client pays its service provider, and the provider routes the funds to a sanctioned bank in favour of one of the client’s contractors, the client becomes a link in the chain of violators. Knowingly delegating this responsibility to the provider can be treated as an attempt to circumvent sanctions, and not knowing which specific bank received the contractor payment is not a defence.
The duty of due diligence on counterparties
Article 12 of Regulation (EU) No 833/2014 expressly requires EU companies to take all reasonable steps to avoid breaches, including verification that:
• the contractor is not a person on the EU sanctions lists;
• the contractor does not receive funds through, or into, sanctioned banks.
Why registration outside the EU, US or UK provides no protection
A number of service providers register operating or payment entities in third countries that have not joined the sanctions regimes (Kazakhstan, the UAE, Armenia), assuming this insulates them from sanctions risk. It does not. The presence of an affiliated company in a third country, through which payments to sanctioned banks are actually made, does not protect either the provider or its clients. Regulators assess the entire payment chain, including all affiliated structures, the ultimate beneficiary and the receiving bank.
EU, US and UK sanctions have extraterritorial reach. They apply to any company, transaction or operation with a meaningful connection (a “nexus”) to these jurisdictions. Use of the relevant national currency (USD, EUR, GBP), payment for services, or involvement of EU/US/UK citizens or residents (including holders of residence permits): each of these establishes a nexus.
Retroactive liability: payments made before the 19th package
One of the most common questions when choosing a service provider sounds like this: “If the provider only changed its policy after the 19th package (October 2025 to January 2026), does that mean its earlier payments were lawful, with no liability for the client?” The answer depends on which banks the funds were actually routed to.
Sanctions existed long before the 19th package. Most systemically important Russian banks, including VTB, Sberbank, VEB, Otkritie, Sovcombank, Promsvyazbank and Bank Rossiya, were placed under sanctions in March 2022. Alfa-Bank came under US sanctions in April 2022. Any payment to these banks after the relevant dates was a violation of EU, US or UK sanctions, regardless of how the service provider positioned itself or when it changed its policy.
A change of approach by the provider does not lift liability from the client. If a provider publicly declares compliance only after a particular sanctions package, but until then has been processing payments to banks already under restrictions, that is not an indulgence for its clients. The duty to conduct due diligence on counterparties (including verifying payment routes) sits with the client under Article 12 of Regulation (EU) No 833/2014, from the moment the relevant sanctions take effect. Not knowing where the funds ultimately went is not a defence.
What clients should do if a retroactive risk surfaces. If there is reason to suspect that funds may, in the past, have reached a sanctioned bank, we recommend the following steps: (1) request documentation from the service provider showing the receiving banks for the entire period of cooperation; (2) carry out a retrospective check against the current SDN list (OFAC), Annex XIV (EU) and OFSI (UK) sanctions lists; (3) if a violation comes to light, consult a specialist sanctions lawyer.
A separate situation deserves particular attention: where, before changing its policy, the service provider openly advertised payments through intermediary structures in third countries (Central Asia, Armenia, the UAE) as a way of delivering funds to Russian contractors at sanctioned banks. This routing pattern qualifies as sanctions circumvention regardless of which specific banks were formally part of the chain. Client awareness of such a scheme is treated as an aggravating factor in any investigation.
Penalties and criminal liability for sanctions violations
European Union
Directive (EU) 2024/1226 (in force since May 2024, with a transposition deadline of 20 May 2025) for the first time harmonised criminal liability for sanctions violations across all EU member states:
• Natural persons: up to 5 years’ imprisonment.
• Legal persons: fines of up to 5% of worldwide turnover or €40 million, whichever is higher.
• Additional measures: business operating bans, withdrawal of licences, exclusion from public procurement and asset confiscation.
United Kingdom (OFSI)
In the UK, sanctions violation is a strict liability offence. Any breach, even an inadvertent one, is a criminal offence. Lack of knowledge is not a defence.
• Up to 7 years’ imprisonment.
• Fines: up to £1 million or 50% of the value of the breach.
United States (OFAC)
OFAC applies both civil and criminal penalties, and these can reach non-US companies as well:
• Civil penalties: up to $20 million or twice the value of the transaction.
• Criminal: up to 20 years’ imprisonment.
• Statute of limitations: extended from 5 to 10 years.
• Secondary sanctions: OFAC may add any foreign financial institution or company that facilitates transactions with sanctioned persons to its SDN list.
Examples:
• GVA Capital, $216 million (June 2025). OFAC fined the investment firm almost $216 million for the deliberate breach of US sanctions. After Russian businessman Suleiman Kerimov was designated SDN, GVA continued to manage his assets, routing them through offshore vehicles and nominees. The firm pressed on despite explicit warnings from legal counsel about the sanctions exposure, and later failed to produce the full set of materials requested under subpoena. Regulators identified systemic compliance breakdowns: documents were disclosed slowly and incompletely, internal controls were absent, and US sanctions law was effectively disregarded.
• Standard Chartered Bank, £20.47 million (2020). The bank issued loans to Turkish Denizbank, more than 50% owned by sanctioned Sberbank, and was fined £20.47 million as a result.
• Apple Distribution International, £390,000 (2026). Apple’s Irish subsidiary used a UK bank to transfer £635,618 to the Russian streaming service Okko, which by the time of the payment was owned by sanctioned JSC Novye Vozmozhnosti.
Related risks
A critically important question that rarely comes up when choosing a service provider: is it enough that the provider does not make payments to sanctioned banks for this specific client?
If a client can document that its own payments have never been directed to sanctioned banks or routed through sanctioned infrastructure (NSPK / Mir / SBP), direct sanctions liability is generally unlikely to arise. However, working with a service provider that simultaneously serves other clients through sanctioned routes creates a separate category of risk for the client. These risks are predominantly reputational and operational, rather than narrowly legal. This category is the one most often underestimated, even though in practice it materialises most consistently.
What actually happens when a service provider is compromised:
• Increased scrutiny from banks. When a service provider becomes the subject of a public investigation or regulatory proceeding, the risks reach beyond the provider itself and extend to its clients. The client's own bank may notice a transactional link to a company that is publicly associated with possible sanctions breaches or circumvention. In practice, this can mean additional queries from the bank, payment delays, enhanced due diligence (EDD), temporary account restrictions and, in some cases, a reassessment of the client's risk rating or termination of the banking relationship.
• Reputational consequences. Mentions of the provider in journalistic investigations, adverse media or sanctions cases inevitably extend to its clients in the eyes of investors, auditors, counterparties and bank compliance teams. Formally, the client may have nothing to do with the violation, but in public perception its association with a non-compliant provider does not separate cleanly from the violation itself.
• Operational burden during investigations. Even without direct liability, a client may need to provide documentary proof that its own payment routes are clean as part of a wider investigation into the provider, supplying statements, counterparty lists, contracts and correspondence. That is not a sanctions risk in the strict sense, but it is a real cost in legal time, internal resources and management attention.
Then there is wilful blindness as a separate concern. If publicly available sources (journalistic investigations, adverse media databases, reviews, regulatory warnings) already report that a provider has processed sanctioned payments for other clients, continuing to work with that provider after such reports cannot easily be explained by lack of awareness. At that point, the assessment of the client’s conduct shifts from “a violation the client could not have known about” to “a knowing acceptance of risk”, and the reputational risk can begin to convert into a direct sanctions risk, particularly where a regulator concludes that the client had reasonable grounds to suspect the scheme.
The practical takeaway: even where a client’s own payment routes are entirely clean, the provider’s payment infrastructure is a shared trust perimeter. Choosing a service provider that handles sanctioned flows for other clients means accepting the reputational and operational consequences of someone else’s breach, even without one of your own.
Practical cases
Case 1: routing through a company in Armenia
An EU-based client pays its contractors in Russia through a service provider that is also registered in the EU. The provider’s structure includes a company registered in Armenia, which is not itself subject to EU sanctions.
The payment chain works as follows: the client pays the European entity of the service provider; the European entity, directly or by way of a netting arrangement against mutual claims, settles with the Armenian company; the Armenian company then makes the actual payouts to the contractors’ Russian accounts, including accounts at sanctioned banks.
As discussed earlier, even though the actual payout is made by an entity in a non-sanctioning jurisdiction, the fact that the European service provider knowingly allows payments to reach a sanctioned bank is treated as sanctions circumvention and a serious breach.
The client is also breaching sanctions in this situation: aware of where the contractors are based, the client failed to exercise proper care and did not establish the final receiving account.
Case 2: routing through a company in the UAE
A US client pays its Russian contractors through a service provider with operating entities in the US, the UK and the UAE.
The flow follows a similar pattern: the client pays a UK or US company, while the actual payout to contractors is made by the UAE entity, in many cases from an account at a sanctioned bank and, typically, into contractor accounts at sanctioned banks as well.
Both elements indicate a serious sanctions violation, since the service provider has knowingly built a payment infrastructure that allows the client to bypass sanctions restrictions.
Case 3: use of NSPK / Mir / SBP
An EU client pays its Russian contractors through a service provider with companies in the EU, the UK and the UAE. As before, the final payout to contractors is made by the UAE entity from an account at a Russian bank.
Payouts to contractors are made onto cards at non-sanctioned Russian banks. However, given that all card payments inside Russia are processed through the National Card Payment System (NSPK), which was sanctioned by the EU as part of the 19th package, any transfer to a card (whether or not the receiving bank is itself sanctioned) breaches EU sanctions.
Case 4: retroactive liability after a change of policy
An EU client has, since 2023, paid its Russian contractors through a service provider registered in the EU, with companies in the US, the UK and the UAE.
Until October 2025, payments are routed through the provider’s structures in third countries and reach the contractors’ accounts at Russian banks, including banks that have been under EU sanctions since March 2022.
After the 19th package is adopted, the provider announces a change of policy and compliance with the new requirements. That change does not close out the client’s sanctions risk for the previous period. Payments made by the client through sanctioned banks before the policy update remain within the zone of retroactive liability: the duty of due diligence under Article 12 of Regulation 833/2014 has been in force since the relevant sanctions took effect, not since the provider revised its policy.
Conclusions from the cases
Service providers that, knowingly or through a lack of expertise in sanctions, build payment infrastructure enabling circumvention put their clients at risk first.
Even where a client has confirmed that its contractors do not receive funds at sanctioned banks or onto cards at Russian banks, the client remains exposed to reputational risk and to closer attention from banks, regulators, business partners and investors.
Conclusions and recommendations
Payouts to distributed teams typically make up a material part of a company’s budget, which means these payments will not go unnoticed by banks. The choice of service provider is therefore a meaningful part of your compliance and sanctions risk profile, particularly where you work with private contractors from higher-risk countries. Beyond comparing fees, we recommend reviewing at least the following before choosing a provider:
1. Ask whether the service provider, even in theory, offers payouts to sanctioned banks or onto cards at Russian banks. If that option exists, it is a clear signal of potential high risk, even if your own contractors are not planning to receive funds at such banks.
2. Confirm the payment routes: which entity and which bank you will be paying, and which entity and which bank the contractors will be paid from. It is essential that the entities making the payouts to contractors do not hold accounts at sanctioned banks themselves.
3. Screen the UBOs and directors of your provider against sanctions lists. In current conditions, it makes sense to do this periodically for any counterparty connected, in any way, to higher-risk countries.
4. Cross-check what you find against public sources (adverse media), forum reviews and other resources.
5. Always document the entire screening process. If a question ever arises from a bank or regulator, you will at least be able to demonstrate that you exercised proper care.
Sources
Primary legal sources (EU):
• Council Regulation (EU) 2026/506 of 23 April 2026 (20th package)
• Council Regulation (EU) No 833/2014 (consolidated version, 23 October 2025)
• Council Regulation (EU) No 269/2014 (consolidated version)
• Council Regulation (EU) 2025/2033 of 23 October 2025 (19th package)
• Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of Union restrictive measures
• European Commission FAQ on Russian sanctions (consolidated version, 29 October 2025)
• European Commission Best Practices on the Implementation of Restrictive Measures (12 December 2024)
Primary legal sources (UK):
• The Russia (Sanctions) (EU Exit) Regulations 2019
• OFSI Penalty Report – Standard Chartered Bank (31 March 2020)
• OFSI Penalty Notice – Apple Distribution International (19 March 2026)
• OFSI General Guidance for Financial Sanctions (current edition)
Primary legal sources (US):
• 31 CFR Part 501 Appendix A – Economic Sanctions Enforcement Guidelines
• 50 U.S.C. § 1705 (IEEPA penalties, 10-year statute of limitations after H.R. 815)
• OFAC Enforcement Release – GVA Capital Ltd. (12 June 2025)
• OFAC Enforcement Release – IPI Partners, LLC (2 December 2025)
• OFAC Guidance on Extension of Statute of Limitations (22 July 2024)
• Tri-Seal Compliance Note: Obligations of foreign-based persons to comply with US sanctions (March 2024)
Authoritative secondary sources (law firms):
• Skadden, Arps, Slate, Meagher & Flom – analyses of EU 16th / 18th / 19th / 20th packages
• White & Case – EU 18th sanctions package alert
• Mayer Brown – EU 20th package analysis
• Paul, Weiss – GVA Capital and IPI Partners analyses
• Crowell & Moring – OFSI Apple penalty analysis
• Kirkland & Ellis – OFSI Standard Chartered analysis
• Baker McKenzie Global Sanctions Blog – multi-package coverage
Government monitoring sources:
• Council of the EU – Sanctions Timeline (consilium.europa.eu)
• European Commission DG FISMA – sanctions implementation page

