Since Russia’s 2022 invasion of Ukraine, sanctions enforcement has been front and centre for UK regulators. OFSI’s fine against the Bank of Scotland is a clear reminder that even firms with existing sanctions screening procedures can make errors. In this case, it took only a few flaws in the screening process for a sanctioned individual to slip through the cracks, leading to a major breach and fine.
A story of compliance failure
The Bank of Scotland is a major subsidiary of Lloyds Banking Group, handling roughly 20-25% of the UK’s retail banking traffic. Despite this, the company’s screening process for individuals on the UK’s sanctions list failed to identify one designated person.
The designated person, a British citizen, used a UK passport for identification when opening the account. This passport contained a spelling variation of the designated person’s name. Specifically, compared with the entry on the OFSI Consolidated List, the name in the UK passport had a changed character and an additional character in the forename, a missing middle name, and a changed character in the surname.
Subsequently, the designated person used this account to process 24 payments in February 2023 totalling about 77,000 pounds. When the breach was found, Lloyds immediately disclosed it to the Office of Financial Sanctions Implementation, which began an investigation.
Because OFSI considered the sum that the bank allowed the designated person to process to be rather large, along with other factors, OFSI calculated the appropriate fine to be £320,000, with the permitted maximum penalty in this case being £1 million. However, OFSI allowed a discount of up to 50% of the fine in the case of voluntary disclosure, and in this case the full 50% was applied, leading to a fine of £160,000 being issued in November 2025.
This case is also a reminder to companies that screening software can be fooled in some cases, and that companies should use enhanced checks when necessary in order to comply with regulations.
What does sanctions compliance mean for your business?
Firstly, the essence of UK sanctions law is that financial and trade sanctions apply to everyone in the UK. Sanctions screening by businesses is required so that sanctions issued by the UK government are actually enforced, and failing to report a suspected or known breach is a criminal offence. From January 28 2026, the UK Sanctions List (UKSL) is the only authoritative source for sanctioned individuals (designated persons).
If your firm’s sanctions screening procedures are doing their job properly then any prospective client/business which is sanctioned or is controlled by a sanctioned individual will be uncovered early on before you have had business dealings with them. Your firm will reject their business in the initial screening phase.
Indeed, OFSI guidance recently clarified in its FAQ 133 that if you refused business to them at the initial screening stage, had limited contact with the designated person (DP), and obtained no meaningful information from them, then no report is required. Conversely, if the DP was identified in the onboarding or client due diligence stages, if you obtained meaningful information about them or any potential sanctions risk or circumvention concerns, or if you have any information or suspicions of sanctions breaches or aliases, then OFSI does require a report. This applies not only to designated persons themselves, but also to any organisation that they control.
What might a breach look like?
In the case of a failure of screening (as with the Bank of Scotland), services were provided to a designated person. However, this is not the only way in which sanctions breaches can occur; they may be more subtle, such as a case of indirect supply. For example, if it were uncovered that a customer in Turkey was selling your goods on to a Russian company, this could constitute a breach.
Furthermore, it could be uncovered that an entity which you are doing business with is controlled by a DP, either directly or through a complex ownership structure that gives them effective control over the company. Finally, accidentally allowing a DP access to assets that should be frozen can be considered a major breach.
What if a breach is detected?
If a breach is detected, the first thing to do is to stop all transactions and freeze any related funds, if necessary using a suspense account.
Then the company needs to immediately report the breach to the relevant authority (either OFSI or the Office of Trade Sanctions Implementation, OTSI) via their online forms. Immediate voluntary reporting of such a breach will likely result in a lower fine, and so is the best way for companies that have breached sanctions to mitigate penalties, as happened in the case of the Bank of Scotland.
OFSI’s recent changes
For the purpose of mitigating penalties, firms should also be aware of the recent changes that OFSI has implemented to its mechanism for issuing fines, which came into effect in February 2026. Notably, the previous maximum of a 50% reduction for voluntary reporting has been reduced to 30%, and OFSI will also take into account “subsequent co-operation” in the investigation, not just the act of voluntary disclosure.
OFSI has introduced an early account scheme (EAS) which provides for a discount of up to 20% if the firm quickly provides a comprehensive explanation and evidence bundle. A further reduction of up to 20% is available if the firm agrees to a settlement scheme, under which it forgoes its rights to ministerial review and judicial appeal, giving a maximum combined reduction of up to 70%. Finally, OFSI has changed the statutory maximum penalty, raising it to £2 million or 100% of the value of the breach, aimed at encouraging the uptake of these new options and enhancing the deterrent effect of penalties.
Key takeaways for businesses
Businesses must have robust sanctions checks, and be aware that sanctioned individuals may use tricks such as aliases and different spellings to get past screening checks. It is not enough simply to run the name of a client through screening software. Companies need to be aware of the ways in which this software or their procedures may be flawed, and act accordingly.
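The spelling variation in the Bank of Scotland case (a changed and an extra character in the forename, a missing middle name, a changed character in the surname) is exactly the kind of input an exact-match screen misses. The following Python is an added illustration, not code from the article, OFSI or Lloyds: it compares a naive exact-match screen with a token-based fuzzy screen that scores forename and surname separately and treats middle names as optional. The list entries, the applicant names and the 0.75 similarity threshold are all constructed for the example.

```python
"""Name screening: why an exact-match check misses a spelling variation.

Added example, not code from the article, OFSI or Lloyds. The list entries,
applicant names and the 0.75 threshold are constructed for illustration.
"""
import re
import unicodedata

# Constructed sample list: stands in for the UK Sanctions List, not real entries.
SANCTIONS_LIST = [
    "Aleksandr Mikhailovich Ivanov",
    "Maria Elena Rossi",
]


def normalise(name: str) -> list[str]:
    """Lower-case, strip accents and punctuation, and return the name tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z ]", " ", ascii_only.lower())
    return cleaned.split()


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, falling towards 0.0 as edits accumulate."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def screen_exact(applicant: str, listing: list[str]) -> list[str]:
    """The naive check: the whole normalised name must equal a list entry."""
    target = normalise(applicant)
    return [entry for entry in listing if normalise(entry) == target]


def screen_fuzzy(applicant: str, listing: list[str],
                 threshold: float = 0.75) -> list[tuple[str, float]]:
    """Compare forename and surname separately; middle names are optional.

    A hit requires both forename and surname to clear the threshold, which
    tolerates a changed or extra character in each, while an absent middle
    name costs nothing. Returns (entry, score) pairs, best first, for an
    analyst to review.
    """
    tokens = normalise(applicant)
    if not tokens:
        return []
    forename, surname = tokens[0], tokens[-1]
    hits = []
    for entry in listing:
        etoks = normalise(entry)
        if not etoks:
            continue
        f_sim = similarity(forename, etoks[0])
        s_sim = similarity(surname, etoks[-1])
        if f_sim >= threshold and s_sim >= threshold:
            hits.append((entry, (f_sim + s_sim) / 2))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Constructed passport name: changed and extra character in the forename,
    # missing middle name, changed character in the surname (the pattern the
    # article describes, applied to a made-up name).
    passport_name = "Alexsander Ivanof"
    print("exact:", screen_exact(passport_name, SANCTIONS_LIST))
    print("fuzzy:", screen_fuzzy(passport_name, SANCTIONS_LIST))
```

The exact screen returns nothing for the constructed passport name, while the fuzzy screen scores it at roughly 0.82 against the list entry and surfaces it for review. Loosening the threshold raises the false-positive rate, so a fuzzy hit is a prompt for enhanced checks by a person, not an automatic rejection; the threshold and the choice of edit distance are the parameters a firm has to tune and document.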
In the event of a match, firms must exercise judgement on whether a report is necessary. This judgement ought to take into account the extent of their dealings with the DP and what information about the DP was collected.
In the event of a breach, firms must immediately and voluntarily report it to the relevant regulator, in order to take full advantage of the voluntary disclosure discount on any penalties imposed.
Firms should invest in staff training on sanctions compliance, so that staff can effectively screen for potential breaches before they happen, and so that they know the correct procedures in the case of an encounter with a DP or a breach.