£160K Sanctions Slip-Up: Bank of Scotland Fined After Name Variation Lets Sanctioned Individual Evade UK Restrictions

The UK’s civil financial sanctions enforcement agency has fined Bank of Scotland £160,000 for processing payments on behalf of former Russian official Dmitrii Ovsiannikov, who is sanctioned by the UK for his past role as governor of occupied Sevastopol.

Overview

• On November 10, 2025, the UK's Office of Financial Sanctions Implementation (OFSI), part of HM Treasury, imposed a £160,000 monetary penalty on Bank of Scotland PLC (a subsidiary of Lloyds Banking Group, or LBG) under
• Section 146 of the Policing and Crime Act 2017.
• This penalty stems from breaches of the Russia (Sanctions) (EU Exit) Regulations 2019, specifically regulations
• Reg 11 (dealing with funds) and
• Reg 12 (making funds available).
• The breaches occurred between February 8 and 24, 2023, involving a  designated person,
• A British citizen designated by the UK on December 31, 2020, opened the account at Halifax (a trading division of Bank of Scotland) on February 6, 2023,
• Using a UK passport with spelling variations in their name (common in Russian-to-English transliterations).
• And
• 24 payments totalling £77,383.39 processed to or from a personal current account held by an individual designated under the Russia sanctions regime.
• 4 credits (£76,000 from another Bank of Scotland account, breaching regulation 12) and
• 20 debits (£1,383.39, breaching regulation 11).
• The account remained unrestricted from
• February 6 to 24, 2023, despite a Politically Exposed Person (PEP) alert on February 7 and a PEP review starting February 20, which identified sanctions links but failed to escalate due to human error (misinterpreting the individual as delisted from both UK and EU lists, when only the EU delisted them).
• This led to failures in automated sanctions screening, allowing unrestricted access to the account for over two weeks.
• An automatic Politically Exposed Person (“PEP”) alert was generated on 7 February 2023, as part of LBG’s automatic PEP screening.
• The variation of the designated person’s name used to open the Account was a match against an entry contained within the commercial PEP List that LBG downloaded for the purpose of enhancing its PEP screening.
• LBG did not use a commercial sanctions list to enhance its sanctions screening.
• Although OFSI does not prescribe that firms must procure commercial lists, OFSI does consider that it is reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhancements using relevant and available information.
• A PEP review was commenced on 20 February 2023.
• A manual adverse media check was conducted which identified that the customer was a designated person. However, due to human error, the customer was assessed as being removed from both the UK and the EU sanctions list, as opposed to only the EU list.
• At the time of the breach, there was not an explicit instruction to escalate all potential sanctions connections to a relevant sanctions team.
• OFSI considers this relevant as many sanctioned individuals are also PEPs, so it is not unreasonable to expect that a PEP review may also identify a potentially sanctioned customer – should a firm’s automatic sanctions screening fail to detect them.
• OFSI considers that,
• From 20 February 2023, the bank possessed information that would have enabled them to identify the Account was owned by a designated person.
• The Account remained unrestricted until 24 February 2023, when the customer was identified as a designated person only after an internal 4 investigation of a related account.
• Between 20 and 24 February 2023, the Account was credited with £75,000.

The big issue = spelling variation

• The failure stemmed from a legitimate spelling variation in the designated person's name as it appeared on their UK passport compared to the entry on the OFSI Consolidated List. This variation included:
• A changed character and an additional character in the forename.
• A missing middle name.
• A changed character in the surname.
• These differences were described as common equivalents in Russian-to-English transliterations. The bank's automated sanctions screening system failed to reconcile or match these variations, partly due to lacking enhancements (e.g., no use of commercial sanctions lists or internal enrichments to handle such discrepancies). This allowed the account to be opened and transactions to proceed without triggering alerts until later manual reviews.

The case highlights several important lessons for firms to:

• Ensure that sanctions screening tools are sufficiently enriched with relevant information to optimise their capabilities.
• Firms with greater sanctions risk exposure may benefit from commercial packages, such as commercial sanctions lists to enrich their sanctions screening.
• Address the inherent risks of automated screening with robust contingency procedures and clear escalation routes, particularly in higher risk areas such as those involving Politically Exposed Persons.
• Keep sanctions training under regular review, so that its content accurately reflects relevant regulatory and geopolitical developments.
• Consider prompt, voluntary disclosure of potential breaches. OFSI seeks to reward prompt and complete voluntary disclosures through penalty discounts.

Compliance and Risk Briefing: OFSI Penalty on Bank of Scotland PLC for Russia Sanctions Breaches

Key Breaches and Contributing Factors

• Root Causes:
• Screening System Failures: Automated sanctions screening did not trigger alerts due to inability to reconcile name variations (e.g., character changes, missing middle name). LBG relied solely on the OFSI Consolidated List without enhancements from commercial sanctions lists or internal data (though it used a commercial PEP list for PEP screening).
• PEP Review Errors: During the February 20 review, adverse media checks confirmed the sanctions designation, but the account was not escalated to a sanctions team. No explicit policy required escalation of sanctions concerns in PEP processes.
• Training Gaps: Mandatory and advanced sanctions training was outdated, not reflecting post-2022 Russia sanctions risks.
• Timeline Issues: From February 20, LBG had information implying sanctions risks ("reasonable cause to suspect"), yet £75,000 was credited before restrictions on February 24 (triggered by an unrelated internal investigation).

These failures enabled the designated person to circumvent UK sanctions, making funds available and processing transactions that "blunted" the restrictions.

Risk Assessment

• Severity and Aggravating Factors:
• High-value funds (£76,000) made directly available to a designated person.
• Circumvention of sanctions on a strategically important regime (Russia, post-2022 invasion).
• Reasonable cause to suspect from February 20, yet continued processing.
• Lack of list enhancements for sanctions screening (aggravated by possession of relevant data via PEP lists).
• Absence of explicit escalation procedures for sanctions in PEP reviews.
• Outdated training not addressing contemporary risks.
• Repeated breaches (24 transactions over >2 weeks).
• Mitigating Factors:
• Prompt voluntary disclosure (initial notification March 10, formal March 16).
• Cooperation with OFSI's investigation.
• Broader Risks:
• Sanctions Evasion: Highlights vulnerabilities to name variations/transliterations, especially for dual-language names (e.g., Russian). Firms with high sanctions exposure risk similar penalties without robust fuzzy matching or list enhancements.
• Operational Risks: Reliance on automated systems without strong manual contingencies increases error rates, particularly in overlapping PEP/sanctions processes.
• Regulatory Risks: Strict liability means even unintentional breaches can lead to penalties up to £1,000,000 or 50% of breach value (whichever higher). Russia sanctions remain a UK foreign policy priority, amplifying scrutiny.
• Reputational Risks: Public penalties like this can erode trust, especially for large groups like LBG.
• Strategic Implications: Post-Ukraine invasion, the sanctions landscape has evolved rapidly; outdated controls heighten non-compliance risks.

The statutory maximum was £1,000,000, but OFSI deemed £160,000 proportionate post-discount.

Compliance Lessons

From OFSI's "Notes on Compliance":

• Utilize all available information (e.g., commercial lists, internal data) to enhance sanctions screening and manage risks from name variations.
• Establish robust escalation procedures for sanctions concerns, especially in high-risk areas like PEP reviews (many sanctioned individuals are PEPs).
• Regularly review and update sanctions training to reflect regulatory/geopolitical changes (e.g., post-2022 Russia risks, strict liability).
• Reward for voluntary disclosure: Prompt reporting can yield up to 50% penalty reductions in "serious" cases.
• UK sanctions apply extraterritorially to UK persons/entities; delegated compliance (e.g., to group level) doesn't absolve the breaching entity.

This case underscores that while automated tools are essential, they must be supplemented by human oversight, enriched data, and agile policies.

Compliance Actions List

🔗 Read the full public penalty notice here:

https://lnkd.in/eHVjGSXU

https://assets.publishing.service.gov.uk/media/697741f167ae94b3280137ee/Penalty_Publication_Notice_LBG_2026.pdf