£160,000 OFSI penalty: how a spelling variant slipped through Bank of Scotland’s Russia sanctions controls

OFSI has issued a £160,000 monetary penalty to Bank of Scotland Plc (part of Lloyds Banking Group) after the bank processed payments linked to an account held by a UK-designated person under the Russia sanctions regime.

The headline is simple. The lessons are not.

What happened

Between 8 and 24 February 2023, Bank of Scotland processed 24 payments totalling £77,383.39 to or from a personal current account held by a designated person.

OFSI concluded this involved breaches of the Russia (Sanctions) (EU Exit) Regulations 2019, including:

  • Regulation 11 (dealing with funds), and
  • Regulation 12 (making funds available).

OFSI imposed the penalty on 10 November 2025, and published the notice on 26 January 2026.

The operational failure was not just “automation”

The notice is a useful case study because the breakdown is concrete.

1) A name variation bypassed sanctions screening


The account was opened at Halifax (a trading division of Bank of Scotland) using a UK passport that contained a spelling variation of the customer’s name compared with the OFSI Consolidated List. OFSI notes these were character changes typical of Russian-to-English transliteration.

OFSI highlights two contributors:

  • the system did not reconcile the character changes, and
  • the sanctions screening lacked sufficient “enhancement” (by the firm or via commercial third parties) to reconcile the spelling variants.

2) PEP controls spotted the risk, but the process did not land it


A PEP alert was generated and later review work identified the customer as designated, but the account remained unrestricted until 24 February 2023. OFSI also points to the absence (at the time) of explicit instructions to escalate potential sanctions connections to a sanctions team, even though many sanctioned individuals are also PEPs.

3) Human error compounded the gap


OFSI records that during a manual check, the customer was mistakenly assessed as removed from both the UK and EU lists, rather than only the EU list.

Where screening programmes break in the real world

This case is a reminder that sanctions compliance is increasingly about data quality, matching logic, and escalation design, not only policy.

It also sits in a stricter enforcement environment. OFSI flags that the breaches occurred after the strict liability amendments, and that Russia sanctions are a strategic priority for the UK.

The practical lessons are all about stress testing

OFSI’s “notes on compliance” are essentially a checklist for firms.


Here is how they translate into action:

Enrich screening, in line with risk

OFSI encourages firms to use all information available to optimise controls relative to risk exposure, including enriched screening and commercial list providers where appropriate.

Build contingency routes for automated screening

Automation fails in predictable ways. The control is not “better automation”; it is what happens when the tool hesitates, partially matches, or misses. Clear escalation routes matter most in higher-risk areas like PEP-related activity.

Keep training current with geopolitics

OFSI explicitly criticises training content that does not reflect the contemporary sanctions landscape, including heightened Russia sanctions risk post-2022.

This is also why “sanctions compliance” cannot be treated as static.

Consider voluntary disclosure early


Lloyds Banking Group disclosed the breach to OFSI and received the full 50% voluntary disclosure discount, reducing the penalty (OFSI states it would otherwise have been £320,000).

Use synthetic data to test transliteration and spelling variants

This case is a textbook example of why “testing” cannot mean running a couple of obvious sanctioned names through a sandbox.

Firms should be stress testing sanctions screening using synthetic data sets that include:

  • common transliteration variants (especially Cyrillic-to-Latin),
  • missing or reordered middle names,
  • keyboard-adjacent substitutions and lookalike characters,
  • edge cases that appear in real onboarding journeys (passport spellings, legacy CRM records, third-party payment references).

That is how you find whether your matching threshold, normalisation rules, and alias enrichment are actually doing what you think they are doing.
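A small version of such a stress test, added here as an illustration (it is not OFSI's, the bank's or any vendor's code). The name is fictional and constructed, and the romanisation table, the `skeleton` normalisation and the 0.85 threshold are assumptions; it covers only the transliteration, dropped-middle-name and reordering cases from the list above.

```python
import itertools
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional list entry: Cyrillic original and the spelling held on the list.
CYRILLIC = "Юлия Евгеньевна Тестова"
LISTED = "Yuliya Evgenyevna Testova"

# Illustrative romanisation choices per letter (assumption, not a complete standard).
ROMAN = {"ю": ["yu", "iu", "ju"], "я": ["ya", "ia", "ja"], "е": ["e", "ye"],
         "ь": ["", "'"], "в": ["v", "w"]}
PLAIN = dict(zip("лигнатсо", "lignatso"))

def synthetic_names(cyrillic):
    """Mix romanisation choices, then add dropped-middle and surname-first forms."""
    options = [ROMAN.get(c) or [PLAIN.get(c, c)] for c in cyrillic.lower()]
    out = set()
    for parts in itertools.product(*options):
        first, middle, last = "".join(parts).split()
        out |= {f"{first} {middle} {last}", f"{first} {last}", f"{last} {first} {middle}"}
    return sorted(out)

def exact(candidate, listed):
    """Baseline: case-insensitive string equality."""
    return candidate.casefold() == listed.casefold()

def skeleton(name):
    """Fold case and accents, drop punctuation, merge y/j/i and w/v, sort tokens."""
    s = unicodedata.normalize("NFKD", name.casefold())
    s = "".join(ch for ch in s if ch.isalpha() or ch == " ")
    for src, dst in (("j", "i"), ("y", "i"), ("w", "v")):
        s = s.replace(src, dst)
    return " ".join(sorted(s.split()))

def fuzzy(candidate, listed, threshold=0.85):
    """Similarity of normalised skeletons; the threshold is an assumed setting."""
    return SequenceMatcher(None, skeleton(candidate), skeleton(listed)).ratio() >= threshold

def miss_rate(matcher, names, listed):
    """Fraction of synthetic names the matcher fails to flag, plus the misses."""
    missed = [n for n in names if not matcher(n, listed)]
    return len(missed) / len(names), missed

if __name__ == "__main__":
    names = synthetic_names(CYRILLIC)
    for matcher in (exact, fuzzy):
        rate, missed = miss_rate(matcher, names, LISTED)
        print(f"{matcher.__name__}: {len(names)} names, miss rate {rate:.1%}, e.g. {missed[:2]}")
```

On this constructed data the exact matcher flags only the single spelling identical to the list entry, while the normalised matcher catches every transliterated and surname-first form but still misses every record with the middle name dropped. Reviewing the returned misses by variant type, rather than only the headline rate, is what exposes that kind of residual gap.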

Is £160,000 peanuts?

Some will look at £160,000 and call it peanuts, especially for a major banking group. But deterrence is not only about the number.

Two points worth remembering:

  • OFSI’s assessment sets out multiple aggravating factors, and categorises the case as “serious”.
  • The statutory maximum penalty in this case was £1,000,000, and public enforcement creates reputational and supervisory consequences that often outlast the fine.

A quick compliance checklist you can lift into your programme

  • Review sanctions matching logic for transliteration and spelling variance risk, and measure miss-rate in testing.
  • Enrich sanctions data in line with exposure, and document the rationale for your approach.
  • Align PEP and sanctions workflows so that a PEP hit can trigger sanctions escalation when screening misses.
  • Tighten escalation routes with explicit playbooks and ownership, including out-of-hours coverage for higher-risk areas.
  • Refresh training based on current geopolitical risk, not last year’s slide deck.
  • Decide in advance what “prompt disclosure” means internally, so the clock does not start during a debate.
