Securities services firms and sanctions: Six steps to managing risk

Securities services firms and sanctions: Six steps to managing riskDecember 11, 2025 | ArticleSecurities firms often overlook sanctions risk management. But in an evolving regulatory environment, leading institutions are ramping up their capabilities to enable more secure growth. When sitting firmly in the post-trade environment, it is not immediately clear why firms such as clearinghouses and custodians should be concerned with managing sanctions risk (see sidebar “What are sanctions?”). Surely that would be handled by banks, brokers, and other parties earlier in the trade life cycle. In fact, that’s not the case. Recent regulatory enforcement actions make it clear that securities services firms with exposure to sanctioned countries carry a high level of responsibility. And the cost of noncompliance is high: In the European Union, regulators have levied fines of €480 million since 2017 (compared with approximately €57 million in the United States), including about €90 million in 2024 alone.1“EU sanctions enforcement has tightened but varies between countries - experts,” Baltic Times, June 11, 2025. About the authorsThis article is a collaborative effort by Alexander Verhagen and Vasiliki Stergiou, with Merel Stout, Saam Youssefi-Rad, and Silvia Tilea, representing views from McKinsey's Risk & Resilience Practice. As of March 2025, there were 82,000 persons (individuals and entities) designated for sanctions globally, a nearly fivefold increase from 2017. In the United Kingdom and European Union, the number of designations doubled between 2020 and 2023. Given those numbers, how well equipped are the world’s leading securities services firms to meet their obligations? What are sanctions?Sanctions are restrictions, such as asset freezes and trade bans, imposed by governments or international bodies to achieve foreign policy or national-security objectives. Securities services firms are directly at risk through dealings with sanctioned individuals, entities, or even securities and indirectly at risk through corporate structures, beneficial ownership, or associated parties. The 2025 edition of the International Securities Services Association (ISSA) Sanctions Benchmark Survey, conducted in collaboration with McKinsey, paints a mixed picture (see sidebar “Our survey methodology”). Providers’ awareness of sanctions risk is reported to be high. But still, they face multiple challenges, such as excessive sanctions complexity, significant manual processes, and weak data capabilities. Our survey methodologyThe International Securities Services Association (ISSA) Sanctions Benchmark 2025 survey, conducted by ISSA’s Financial Crime Compliance Working Group in collaboration with McKinsey, offers a comprehensive overview of the current state of sanctions risk management across the securities services industry. It focuses on four core dimensions: general information about challenges and remediation, coverage and due diligence, operational efficiency and effectiveness, and the use of technology and analytics. A total of 18 participants from across the securities services ecosystem, representing a diverse mix of stakeholders—including the largest internationally active central securities depositories, leading global custodian banks, top asset management firms, local custodians, exchanges, and brokerage firms—took part. The survey is supplemented by expert insights and one-on-one interviews with a subset of participating firms to provide deeper insights into end-to-end sanctions processes and peer practices. With these dynamics in mind, and amid focused regulatory scrutiny, leading securities services’ CEOs and chief risk officers are transitioning away from passive, counterparty-reliant sanctions risk management to more proactive and tech-driven ways of working. In this article, we highlight some of their key focus areas, including a growing role for AI, and discuss potential strategies for moving forward. Firms struggle with evolving demands, and investment varies Growing geopolitical volatility, market interconnectedness, and an increased focus on regulation compliance mean securities services companies are under rising pressure to ensure their oversight capabilities are fit for purpose. Table stakes are that they must closely screen customers, partners, suppliers, and transactions against sanctions lists, as well as maintain processes and internal controls to prevent and detect circumvention efforts. But the reality, our survey shows, is that firms struggle to manage these basic obligations effectively. In aggregate, our survey reveals a mixed picture on sanctions risk management. On one hand, firms say they face a number of challenges, including navigating conflicting regimes and standards, getting hold of high-quality data, and putting in place automated solutions (Exhibit 1). In parallel, many executives acknowledge underlying internal weaknesses. For example, expertise is often too concentrated, and resource allocation is not always optimal, with the survey revealing a highly uneven allocation picture across the industry. On the other hand, all surveyed institutions say they regularly evaluate their sanctions compliance budgets, resources, and capabilities, aiming to stay aligned with shifting regulatory demands, technological advancements, and geopolitical dynamics. Balancing efficiency and compliance in screening Most surveyed firms conduct daily screening of their direct counterparties and clients against sanctions lists. Leading institutions favor delta-based screening. This means they only monitor changes in data, such as new customers, updated information, and new transactions. Through a more selective approach, they hope to both screen more effectively and boost operational efficiency. In addition, firms take a range of approaches to screening against list entries that are new or updated within a specified date range. While most consistently screen static data points—such as the names of direct clients, contractual counterparties, ISINs, and control persons—only a few screen prospectuses and entities further down the securities chain. Approaches are influenced by several factors, including data availability, regulatory interpretations, and overall maturity and level of investment over recent years. Scarce availability of specific metrics to propel decisions KPIs and key risk indicators help managers across the first and second lines of defense proactively allocate resources, mitigate compliance and operational risks, and enhance the customer experience, the survey shows. However, collecting detailed data remains a significant challenge, with many firms falling short of tracking and internally reporting operational metrics at a granular level. For example, it is relatively uncommon to track and report investigation-handling times segmented by product or alerts segmented by location. Nascent sophisticated analytics and gen AI adoption To get a firmer grip on sanctions risk, some institutions are making more concerted use of analytics and AI, applying new tools to both investigations and controls. However, there are considerable differences among firms about the nature, timing, and frequency of activities. While most leverage technology to implement basic anticircumvention controls, only a few adopt more advanced measures, such as circumvention-specific monitoring via network analytics.2Anticircumvention controls aim to prevent sanctions bypassing complex entity ownership structures indirectly (for example, through intermediaries). Similarly, more advanced analytical techniques—such as dynamic case assignment, focused on real-time case routing and solving for alert deduplication—remain relatively uncommon (Exhibit 2). That said, the survey reveals a growing interest in the use of gen AI, including agentic AI, though many institutions are still at an early stage of adoption. The way forward: Six steps toward sanctions-risk-management excellence The 2025 ISSA Sanctions Benchmark Survey underscores the criticality of sanctions risk management in an increasingly demanding regulatory landscape. It shows that institutions are often turning to analytical tools and techniques to enhance their compliance frameworks. But despite recent progress, industry approaches still lag behind other compliance activities. To address the challenge, leading firms are taking six key steps: deploying sophisticated anticircumvention controls to identify circumvention patterns effectively implementing AI to improve the efficiency and effectiveness of screening activities leveraging gen AI, including agentic AI, to automate manual tasks and improve employee and customer experiences while ensuring adequate safeguards (Exhibit 3) enhancing data collection and data availability while adhering to data privacy regulations for better sanctions screening and investigations streamlining operations, including working to reduce false positives and improve tracking of KPIs ensuring adequate resourcing and optimizing the operating model for sanctions compliance Through concerted action across these areas, and a strategic focus on new opportunities, security services institutions can elevate their capabilities and significantly reduce the chances of sanctions violations. Moreover, with the support of AI and automation, they can boost process efficiency and the quality and consistency of outputs, creating an extra moat of protection across the organization. This article is based on findings from the 2025 International Securities Services Association Sanctions Benchmark Survey conducted in collaboration with McKinsey as a knowledge partner.

International Securities Services Association (ISSA) is a global trade association founded in Zurich in 1979 that represents firms active in the securities services industry—including custodians, central securities depositories, broker–dealers, infrastructure providers, and technology firms. ISSA’s mission is to connect industry leaders and stakeholders, collaborate on themes that affect the entire securities services value chain (from issuer to investor), and drive change by developing practical solutions aimed at reducing risk, improving efficiency, and standardizing processes.Alexander Verhagen is a partner in McKinsey’s Brussels office; Vasiliki Stergiou is a partner in the London office, where Silvia Tilea is an expert; Merel Stout is an associate partner in Amsterdam office; and Saam Youssefi-Rad is director of compliance, financial crimes, in the Washington, DC, office. Explore a career with usRelated ArticlesArticleRisk rebalancing: Five important geopolitical-risk questions for CIOsArticleHow CEOs are responding to geopolitical uncertaintyArticle - McKinsey QuarterlyMultinationals at a crossroads: Adapting to a new geopolitical era When sitting firmly in the post-trade environment, it is not immediately clear why firms such as clearinghouses and custodians should be concerned with managing sanctions risk (see sidebar “What are sanctions?”). Surely that would be handled by banks, brokers, and other parties earlier in the trade life cycle. In fact, that’s not the case. Recent regulatory enforcement actions make it clear that securities services firms with exposure to sanctioned countries carry a high level of responsibility. And the cost of noncompliance is high: In the European Union, regulators have levied fines of €480 million since 2017 (compared with approximately €57 million in the United States), including about €90 million in 2024 alone.1“EU sanctions enforcement has tightened but varies between countries - experts,” Baltic Times, June 11, 2025. About the authorsThis article is a collaborative effort by Alexander Verhagen and Vasiliki Stergiou, with Merel Stout, Saam Youssefi-Rad, and Silvia Tilea, representing views from McKinsey's Risk & Resilience Practice. As of March 2025, there were 82,000 persons (individuals and entities) designated for sanctions globally, a nearly fivefold increase from 2017. In the United Kingdom and European Union, the number of designations doubled between 2020 and 2023. Given those numbers, how well equipped are the world’s leading securities services firms to meet their obligations? What are sanctions?Sanctions are restrictions, such as asset freezes and trade bans, imposed by governments or international bodies to achieve foreign policy or national-security objectives. Securities services firms are directly at risk through dealings with sanctioned individuals, entities, or even securities and indirectly at risk through corporate structures, beneficial ownership, or associated parties. The 2025 edition of the International Securities Services Association (ISSA) Sanctions Benchmark Survey, conducted in collaboration with McKinsey, paints a mixed picture (see sidebar “Our survey methodology”). Providers’ awareness of sanctions risk is reported to be high. But still, they face multiple challenges, such as excessive sanctions complexity, significant manual processes, and weak data capabilities. Our survey methodologyThe International Securities Services Association (ISSA) Sanctions Benchmark 2025 survey, conducted by ISSA’s Financial Crime Compliance Working Group in collaboration with McKinsey, offers a comprehensive overview of the current state of sanctions risk management across the securities services industry. It focuses on four core dimensions: general information about challenges and remediation, coverage and due diligence, operational efficiency and effectiveness, and the use of technology and analytics. A total of 18 participants from across the securities services ecosystem, representing a diverse mix of stakeholders—including the largest internationally active central securities depositories, leading global custodian banks, top asset management firms, local custodians, exchanges, and brokerage firms—took part. The survey is supplemented by expert insights and one-on-one interviews with a subset of participating firms to provide deeper insights into end-to-end sanctions processes and peer practices. With these dynamics in mind, and amid focused regulatory scrutiny, leading securities services’ CEOs and chief risk officers are transitioning away from passive, counterparty-reliant sanctions risk management to more proactive and tech-driven ways of working. In this article, we highlight some of their key focus areas, including a growing role for AI, and discuss potential strategies for moving forward. Firms struggle with evolving demands, and investment varies Growing geopolitical volatility, market interconnectedness, and an increased focus on regulation compliance mean securities services companies are under rising pressure to ensure their oversight capabilities are fit for purpose. Table stakes are that they must closely screen customers, partners, suppliers, and transactions against sanctions lists, as well as maintain processes and internal controls to prevent and detect circumvention efforts. But the reality, our survey shows, is that firms struggle to manage these basic obligations effectively. In aggregate, our survey reveals a mixed picture on sanctions risk management. On one hand, firms say they face a number of challenges, including navigating conflicting regimes and standards, getting hold of high-quality data, and putting in place automated solutions (Exhibit 1). In parallel, many executives acknowledge underlying internal weaknesses. For example, expertise is often too concentrated, and resource allocation is not always optimal, with the survey revealing a highly uneven allocation picture across the industry. On the other hand, all surveyed institutions say they regularly evaluate their sanctions compliance budgets, resources, and capabilities, aiming to stay aligned with shifting regulatory demands, technological advancements, and geopolitical dynamics. Balancing efficiency and compliance in screening Most surveyed firms conduct daily screening of their direct counterparties and clients against sanctions lists. Leading institutions favor delta-based screening. This means they only monitor changes in data, such as new customers, updated information, and new transactions. Through a more selective approach, they hope to both screen more effectively and boost operational efficiency. In addition, firms take a range of approaches to screening against list entries that are new or updated within a specified date range. While most consistently screen static data points—such as the names of direct clients, contractual counterparties, ISINs, and control persons—only a few screen prospectuses and entities further down the securities chain. Approaches are influenced by several factors, including data availability, regulatory interpretations, and overall maturity and level of investment over recent years. Scarce availability of specific metrics to propel decisions KPIs and key risk indicators help managers across the first and second lines of defense proactively allocate resources, mitigate compliance and operational risks, and enhance the customer experience, the survey shows. However, collecting detailed data remains a significant challenge, with many firms falling short of tracking and internally reporting operational metrics at a granular level. For example, it is relatively uncommon to track and report investigation-handling times segmented by product or alerts segmented by location. Nascent sophisticated analytics and gen AI adoption To get a firmer grip on sanctions risk, some institutions are making more concerted use of analytics and AI, applying new tools to both investigations and controls. However, there are considerable differences among firms about the nature, timing, and frequency of activities. While most leverage technology to implement basic anticircumvention controls, only a few adopt more advanced measures, such as circumvention-specific monitoring via network analytics.2Anticircumvention controls aim to prevent sanctions bypassing complex entity ownership structures indirectly (for example, through intermediaries). Similarly, more advanced analytical techniques—such as dynamic case assignment, focused on real-time case routing and solving for alert deduplication—remain relatively uncommon (Exhibit 2). That said, the survey reveals a growing interest in the use of gen AI, including agentic AI, though many institutions are still at an early stage of adoption. The way forward: Six steps toward sanctions-risk-management excellence The 2025 ISSA Sanctions Benchmark Survey underscores the criticality of sanctions risk management in an increasingly demanding regulatory landscape. It shows that institutions are often turning to analytical tools and techniques to enhance their compliance frameworks. But despite recent progress, industry approaches still lag behind other compliance activities. To address the challenge, leading firms are taking six key steps: deploying sophisticated anticircumvention controls to identify circumvention patterns effectively implementing AI to improve the efficiency and effectiveness of screening activities leveraging gen AI, including agentic AI, to automate manual tasks and improve employee and customer experiences while ensuring adequate safeguards (Exhibit 3) enhancing data collection and data availability while adhering to data privacy regulations for better sanctions screening and investigations streamlining operations, including working to reduce false positives and improve tracking of KPIs ensuring adequate resourcing and optimizing the operating model for sanctions compliance Through concerted action across these areas, and a strategic focus on new opportunities, security services institutions can elevate their capabilities and significantly reduce the chances of sanctions violations. Moreover, with the support of AI and automation, they can boost process efficiency and the quality and consistency of outputs, creating an extra moat of protection across the organization. This article is based on findings from the 2025 International Securities Services Association Sanctions Benchmark Survey conducted in collaboration with McKinsey as a knowledge partner.

International Securities Services Association (ISSA) is a global trade association founded in Zurich in 1979 that represents firms active in the securities services industry—including custodians, central securities depositories, broker–dealers, infrastructure providers, and technology firms. ISSA’s mission is to connect industry leaders and stakeholders, collaborate on themes that affect the entire securities services value chain (from issuer to investor), and drive change by developing practical solutions aimed at reducing risk, improving efficiency, and standardizing processes.Alexander Verhagen is a partner in McKinsey’s Brussels office; Vasiliki Stergiou is a partner in the London office, where Silvia Tilea is an expert; Merel Stout is an associate partner in Amsterdam office; and Saam Youssefi-Rad is director of compliance, financial crimes, in the Washington, DC, office. Explore a career with us