Global Sanctions, Counter-Terrorism Laws, and the New Compliance Landscape for Fintech and Digital Asset Firms
- Sanad Karkar

- 6 days ago

Missile sirens are not typically the starting point for a discussion about sanctions law, but that is where my recent reflection began. When alerts shook Bahrain in the middle of the night amid regional escalation, the experience made one thing unmistakably clear: geopolitics is no longer abstract; it is an operational risk that businesses must plan for.
Across the world at the ASEAN 2025 Summit, my colleague Razin Nizar witnessed similar realities playing out on a diplomatic stage — shifting alliances, new trade arrangements, and renewed sanctions commitments.
These parallel experiences frame a reality we now see every day in legal practice: global sanctions and counter-terrorism laws are rapidly evolving, and financial services, from banks to fintechs to VASPs, must evolve with them.
This article distils our latest MoonCast discussion into a structured, legal-editorial analysis for clients, compliance teams, and industry professionals navigating this complex regulatory landscape.
1. The Evolution of Global Sanctions and Counter-Terrorism Frameworks

Prior to 9/11, counter-terrorism laws were largely domestic and reactive. Financial institutions were not expected to police global security risks in real time.
After 9/11, this changed irrevocably.
Key transformations included:
- USA PATRIOT Act: dramatically expanding financial-sector oversight and reporting
- UN Security Council: accelerating sanctions regimes
- FATF: evolving from AML standard-setter to a core global supervisory authority
- OFAC/EU/UK authorities: modernising designation lists and enforcement mechanisms
Financial institutions, and now fintechs and digital asset platforms, became embedded in a global enforcement architecture.
2. FATF Black List vs Grey List: A Regulatory Distinction with Operational Consequences

Although FATF does not directly impose fines, its classifications have sweeping implications for regulated entities.
Black List — “High-Risk Jurisdictions Subject to a Call for Action”
Institutions may be required to:
- Apply counter-measures, including restrictions on transactions
- Impose heightened reporting
- Reassess or discontinue higher-risk customer relationships

Grey List — “Jurisdictions Under Increased Monitoring”
Institutions must apply:
- Enhanced due diligence
- Additional monitoring and classification
- More stringent risk-mitigation measures
These measures affect not only institutional processes but also the lives of ordinary citizens seeking basic financial access. Financial exclusion resulting from jurisdictional risk has become an increasingly visible issue.

3. Enforcement Trends: Why Sanctions Compliance Matters More Than Ever
Regulators worldwide have intensified sanctions enforcement:
- BNP Paribas paid nearly USD 9 billion for facilitating transactions involving sanctioned jurisdictions
- HSBC faced significant enforcement actions, contributing to its withdrawal from retail banking in parts of the GCC
- A leading Malaysian e-money operator was fined for onboarding two sanctioned individuals — demonstrating that even isolated failures carry disproportionate regulatory impact

For fintechs and VASPs, the lesson is unequivocal:
Sanctions compliance is not about probability; it is about impact.
4. Blockchain and Terrorism Financing: Risks, Solutions, and Regulatory Adaptation

A common misconception is that blockchain inherently increases terrorism-financing risk. In practice, blockchain’s transparency often enhances traceability.
Key insights:
- On-chain forensics enable precise tracing of illicit activity
- Travel Rule compliance now requires VASPs to transmit originator and beneficiary information, aligning digital assets with wire-transfer standards
- Wallet-level sanctions allow regulators to act faster and with greater granularity
- Analytics firms like Chainalysis and TRM Labs continually assist in identifying terrorism-linked wallet networks

5. What Effective Sanctions Compliance Looks Like Inside a Fintech or VASP

Sanctions compliance is a dynamic operational function, not a static policy.
1. Minimum Standards & Lists
Institutions must maintain and monitor:
- UN Sanctions List
- OFAC SDN & SSI lists
- EU and UK sanctions regimes
- Local and regional lists
- Sector-specific or thematic lists (e.g., export controls)

2. Database Updating
Regulators interpret “without delay” as within hours, not days.
Late updates have already triggered penalties internationally.

3. Screening Requirements
- At onboarding (CDD/KYC)
- On a risk-based, ongoing basis
- For cross-border transactions
- Upon trigger events (UBO changes, adverse media, etc.)

4. Implementation Methods
- Manual processes (practical only at small scale)
- Integrated third-party tools
- Blockchain analytics for crypto-exposed institutions

6. The Future: Fragmentation, Divergence, and New Risk Dimensions

Sanctions regimes are no longer aligned globally. Political dynamics — including the Gaza–Israel conflict and changes within ASEAN, the EU, and the Gulf states — have resulted in fractured regulatory approaches.
Emerging challenges include:
1. Expanded and diversified sanctions lists
Regional sanctions may differ from — or even conflict with — global regimes.
2. Increased compliance obligations
Multijurisdictional operations now require mapping and managing parallel, inconsistent frameworks.
3. Conflicts of law
Institutions may face obligations that cannot be simultaneously satisfied.
7. Sanctions and Arbitration: Understanding Public Policy Constraints
A recurring question in legal practice is whether sanctions-related freezes can be challenged via arbitration. The answer is often no — but the reasoning is critical.
Key principles:
- Arbitration cannot compel a party to breach sanctions laws
- Public policy considerations override contractually agreed dispute-resolution mechanisms
- Challenges are typically limited to procedural fairness or incorrect designation, not the validity of sanctions themselves
- Drafting of arbitration clauses must anticipate sanctions exposure, especially in cross-border transactions involving sensitive sectors
Arbitration remains essential for commercial disputes — but it cannot be relied upon to reverse or bypass sanctions frameworks.
8. Practical Guidance for Industry Stakeholders
Based on the evolving regulatory environment, firms should:
1. Reassess terrorism-financing risk
Move away from probability-based assumptions and focus on high-impact scenarios.
2. Map legal and operational exposure
Understand all relevant jurisdictions connected to clients, shareholders, operations, and licences.
3. Update screening frameworks
Implement tools capable of real-time list updates and robust cross-jurisdictional checks.
4. Invest in governance
Empower MLROs and ensure compliance functions have sufficient independence and resources.
5. Prepare for regulatory divergence
Conduct scenario planning for conflicting sanctions obligations or rapidly changing political environments.
6. Draft resilient contracts
Ensure arbitration and dispute-resolution clauses reflect sanctions-related constraints.
Conclusion: Global Awareness as a Core Compliance Control
The intersection of law, politics, and financial technology has never been more pronounced. Businesses operating in fintech, banking, or digital assets must adopt global awareness as a core compliance control, not an optional exercise.
Sanctions and counter-terrorism frameworks will continue evolving rapidly — and firms that anticipate these shifts will be the ones best positioned to maintain regulatory integrity and operational resilience.
Need Guidance Navigating Sanctions, AML/CFT, or Digital Asset Regulation?
Global sanctions, counter-terrorism laws, and AML/CFT frameworks are becoming more complex, more fragmented, and more intertwined with politics than ever before. For fintechs, VASPs, payment institutions, and cross-border businesses, missteps are no longer a technical issue — they are existential.
If your organisation needs support with:
- Sanctions screening frameworks
- FATF and travel-rule implementation
- VASP/PSP licensing (EU, UK, GCC, Asia)
- AML/CFT governance and risk assessments
- Digital-asset compliance and blockchain forensics
- Arbitration strategy in sanctions-impacted disputes
- Cross-border structuring and regulatory strategy
LPO&Law is here to help.
Our combined expertise covers the full spectrum of legal, regulatory, and compliance advisory across Europe, the Middle East, and Asia, supporting clients from early-stage fintechs to multinational financial institutions.
Whether you are preparing for licensing, strengthening internal controls, navigating multi-jurisdictional sanctions exposure, or building compliant digital-asset infrastructure, we are ready to support you.




