The Ownership Window: What Deutsche Bank’s £165,000 Fine Reveals About KYB Monitoring

The Office of Financial Sanctions Implementation fined Deutsche Bank’s London branch £165,000 this week for breaching UK financial sanctions. The breach involved two payments, in June and July 2022, totaling £636,000, made on behalf of a client to Okko, a Russian online video streaming service owned by JSC New Opportunities, a sanctioned entity. 

As the FT reported this week, OFSI noted that Deutsche relied in part on a third-party provider for sanctions screening, and that the provider did not flag issues with Okko’s ownership. OFSI was clear that the responsibility remained with the bank. 

The fine is small relative to Deutsche Bank’s size. The reason it matters is what the underlying timeline says about how the industry monitors corporate ownership. 

The Window Was Weeks, Not Years 

Okko was owned by Sberbank, Russia’s largest bank, from August 2018 until May 2022. In May 2022 it was sold to JSC New Opportunities, a Moscow-based entity that had been created just a few weeks earlier. New Opportunities was placed under UK sanctions in June 2022. 

Deutsche processed the two payments in June and July 2022. 

The window between a clean controlling owner and a sanctioned controlling owner was a matter of weeks. That is the timeline that should be sitting on every KYB team’s desk this week, because the structural question it raises is not specific to one bank or one vendor. 

Static Snapshots Are the Industry Default 

Most KYB monitoring, as it is operated today, runs off a snapshot. A bank onboards a corporate customer, walks the ownership tree to the ultimate beneficial owner, captures the structure, and screens those captured entities against sanctions and adverse-media feeds. The screening then repeats daily, weekly, or monthly, but it repeats against the same captured entities. 

If one of those entities is sold, restructured, or replaced at the controlling-entity level, the screening continues against the entity that used to be there. The bank’s monitoring is not wrong. It is screening exactly what it was told to screen. It is simply screening a structure that no longer exists. 

I want to be real: this is not a Deutsche failure story. Deutsche runs one of the better-resourced compliance teams on the planet. The third-party sanctions screening relied on by Deutsche is the same category of tooling used across the industry. If that tooling missed the change of control at Okko, the question worth sitting with is what every other bank’s monitoring is missing right now, on counterparties whose ownership has quietly shifted since the original onboarding capture. 

Pay-Per-Retrieval Registries Compound the Problem 

The static-snapshot issue gets sharper in jurisdictions where the local company registry charges a fee per document pull. Russia is the obvious example for this case. The same dynamic operates across parts of the Europe, several offshore centres, and a number of emerging-market registries in Asia, Africa, and Latin America. 

In those jurisdictions, database providers do not refresh records speculatively. Refreshing means paying the registry fee, in volume, for documents that may never be queried. So the record sitting inside a typical compliance database is whatever was retrieved the last time a paying customer asked for it. That could be six months ago. It could be three years ago. 

The bank using the database thinks it is looking at a refreshed feed. It is looking at a cached file, and the cache horizon is not visible from the outside. 

This is the gap that an ownership change in May 2022, in Moscow, would walk straight through. Nobody was being negligent. The data path itself was not built to catch that kind of event. 

What Continuous, Primary-Source KYB Looks Like 

The fix is not more screening volume. Running the same stale data through more frequent screens does not produce a different result. 

The fix is screening the right thing. That means three changes in how KYB monitoring is architected: live retrieval from primary registries rather than reliance on cached vendor copies; change-triggered re-screening, where a detected ownership change at any layer of the structure forces a re-walk of the tree; and jurisdictional coverage that does not quietly skip the markets where retrieval is expensive, because those are precisely the markets where the static-snapshot problem is worst. 

That said, this is not a theoretical wish list. It is the architecture Know Your Customer Limited was built to operate. Fresh retrieval from primary registries, including in the jurisdictions database vendors do not refresh, with re-screening triggered by detected change or by calendar interval. 

The Question OFSI Has Quietly Asked 

Fewer than twenty OFSI fines have been issued since 2019. The rarity is part of what makes this case worth reading carefully. OFSI is not in the business of citing every technical breach. When it does cite one, the citation is doing more work than the fine amount suggests. 

What OFSI has said, in effect, is that responsibility for sanctions compliance does not transfer to a third-party screening vendor, even when a major bank uses one in good faith. That is a clarification of accountability. It is also, by implication, a clarification of standard, and the standard implied is meaningfully harder to meet than what most KYB tooling currently delivers. 

This is the kind of structural issue that keeps surfacing on RegTalks: the gap between what compliance teams believe their monitoring stack is doing and what it actually does, in the jurisdictions where it matters most. Deutsche has paid £165,000 to make the gap visible. The harder question is who is paying for it quietly, in the cases that have not yet been written up.