OFSI Blog: Bank of Scotland £160,000 Sanctions Breach Penalty — Key Points

In January 2026, OFSI published the details of a £160,000 monetary penalty imposed on Bank of Scotland Plc,[BOS] a subsidiary of the Lloyds Banking Group, for breaching the Russia financial sanctions regime. 

• You can read the full penalty notice here: https://www.gov.uk/government/publications/imposition-of-monetary-penalty-bank-of-scotland-plc.

THE BOS BREACHES

• On 6 February 2023, a person designated by the UK on 31 December 2020 opened the Account at Halifax.
• The designated person, a British citizen, used a UK passport for identification when opening the Account.
• This passport contained a spelling variation of the designated person’s name.
• Specifically, the variation within the UK passport compared with that in the OFSI Consolidated List was
• A changed character in the forename,
• An additional character in the forename,
• A missing middle name, and
• A changed character in the 2 surnames.
• Character changes are common equivalents in Russian translations of English.
• However, an automatic sanctions alert was not triggered against the Account at the account-opening stage, nor at any stage between 6 and 24 February 2023, during which time access to the Account was unrestricted.
• OFSI considers that two key issues contributed to the screening system's inability to identify a potential match: 
1. The screening system did not reconcile the character changes between the spelling variations; and 
2. The sanctions screening system lacked sufficient enhancement, from either commercial third parties or the bank itself, to reconcile the spelling variations.
• OFSI considers that the inability of the automatic sanctions screening system to identify the designated person may have been prevented by resolving either of these two issues.
• An automatic Politically Exposed Person (“PEP”) alert was generated on 7 February 2023, as part of LBG’s automatic PEP screening.
• The variation in the designated person’s name used to open the Account matched an entry in the commercial PEP List that LBG downloaded to enhance its PEP screening.
• LBG did not use a commercial sanctions list to enhance its sanctions screening.
• Although OFSI does not prescribe that firms must procure commercial lists, OFSI does consider that it is reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhancements using relevant and available information.
•  A PEP review was commenced on 20 February 2023.
• A manual adverse media check was conducted, which identified that the customer was a designated person.
• However, due to human error, the customer was assessed as removed from both the UK and the EU sanctions lists, rather than only the EU list.
• At the time of the breach,
• There was no explicit instruction to escalate all potential sanctions connections to a relevant sanctions team.
• OFSI considers this relevant, as many sanctioned individuals are also PEPs, so it is not unreasonable to expect that a PEP review may also identify a potentially sanctioned customer if a firm’s automatic sanctions screening fails to detect them.
• OFSI considers that,
• From 20 February 2023, the bank possessed information that would have enabled it to identify that a designated person owned the Account.
• However, the Account remained unrestricted until 24 February 2023, when the customer was identified as a designated person only after an internal 3 investigation of a related account.
• Between 20 and 24 February 2023, the Account was credited with £75,000. 
• OFSI finds that two factors significantly contributed to the Account remaining unrestricted from 6 to 24 February 2023:  
1. That an automatic sanctions alert was not generated against the customer at the account-opening stage on 6 February 2023; and 
2. The account was not escalated during a PEP review on 20 February 2023, when the customer's identity was established.

OFSI BLOG ADVISES ON LESSONS TO LEARN

• The lessons in this case go beyond one bank and one customer.
• These lessons can help firms better understand how to run sanctions controls in practice and how weaknesses in screening, escalation, and training can expose them to the risk of breaching sanctions.
• UK financial sanctions apply to any conduct in the UK and to all UK persons (including UK legal entities) anywhere in the world.

Lesson 1: Screening data and configuration really matter

1. In this case, Lloyds Banking Group had implemented sanctions screening.
1. However, its automated sanctions systems failed to detect a spelling variation of a designated individual’s name.
2. What this means for you:
1. Ask whether your screening can cope with spelling and transliteration variants.
2. Where your risk justifies it, consider enriched screening and commercial list providers alongside the new UK Sanctions List.

Lesson 2: Automation is not a safety net

1. This case illustrates the inherent risks associated with automated sanctions screening.
2. Firms must establish robust and explicit contingency procedures.
1. Internal policies should provide robust, explicit guidance to staff on the escalation of potential sanctions concerns.
2. This is particularly pertinent for business areas more exposed to sanctions risk, such as those involving Politically Exposed Persons (PEPs).
3. What this means for you:
1. Make sure front-line teams know when to escalate, who to contact and how – not just that they “should escalate”.

Lesson 3: Training must match today’s sanctions landscape

1. The sanctions landscape has evolved significantly since the Russian invasion of Ukraine in February 2022, and continues to develop with ever-shifting geopolitical events.
1. It is imperative that all training and associated materials on sanctions be regularly reviewed and updated.
2. What this means for you:
1. Training content must be regularly reviewed and updated to accurately reflect relevant regulatory and geographical developments to ensure continued compliance.

Lesson 4: Voluntary disclosure can shape the outcome

1. This case is an example of prompt, voluntary disclosure of a potential breach.
2. Lloyds Banking Group, on behalf of Bank of Scotland, made an initial notification within two weeks of identifying a potential breach.
3. OFSI seeks to reward prompt and complete voluntary disclosures with penalty discounts, which, alongside co-operation, can result in a discount of up to 30% under new guidance.
4. What this means for you:
1. You should report suspected breaches to OFSI as soon as practicable.
2. Where full disclosure is not possible, a person should make an early disclosure with partial information on the basis that they are still working out the facts and will make a further and full disclosure as soon as possible.
3. Reporting breaches protects the integrity of financial sanctions and assists government and law enforcement agencies in tackling serious crime.

What firms should do next?

1. This case shows that OFSI is focused not only on whether firms have sanctions controls, but on how effectively those controls operate in practice.
2. From how screening data is configured to how concerns are escalated, how often training is refreshed, and how quickly potential breaches are reported.
3. Firms with UK touchpoints, including those operating internationally, should:
1. Review their sanctions screening, escalation procedures and training, considering these lessons
2. Ensure they understand and comply with their reporting obligations, including reporting “as soon as practicable” where required.

Practical Takeaways for Firms (From OFSI)

Source

https://ofsi.blog.gov.uk/2026/02/23/sanctions-compliance-in-practice-lessons-from-ofsis-160000-bank-of-scotland-penalty/

https://www.gov.uk/government/organisations/office-of-financial-sanctions-implementation