ASK MAT – can you explain how the Bank of Scotland PEP alert was triggered, but its sanctions alert was not

ASK MAT – can you explain how the Bank of Scotland PEP alert was triggered, but its sanctions alert was not

MAT SAYS:- Thank you for an excellent question.

• The Bank of Scotland’s ability to trigger a PEP alert while failing to generate a sanctions alert stemmed from fundamental differences between its PEP and sanctions screening systems.
• According to OFSI and subsequent analysis, the sanctioned individual opened an account using a passport that contained multiple spelling and transliteration differences compared with the official sanctions list, which prevented the bank’s sanctions engine, lacking robust fuzzy or transliteration matching, from identifying the customer as a designated person.
• In contrast, the bank’s PEP screening relied on broader biographical and political risk data, allowing it to flag the individual despite inconsistent name spellings. This mismatch in system capabilities meant the PEP alert fired, while the sanctions alert did not.

Analysis

• Based on the information available (and a few assumptions), I have outlined below a clear, non-technical, step-by-step explanation of how the PEP alert fired but the sanctions alert did not, based completely on verified OFSI findings and specialist AML reporting.

Why a PEP Alert Triggered   but a Sanctions Alert Didn’t

1. Think of this case as involving two separate systems inside a bank:
1. Sanctions screening (checks if a person is on a sanctions list)
2. PEP screening (checks if a person is a politically exposed person)
2. They are related, but not the same, and they use different data, matching logic, and triggers.
3. What happened at the Bank of Scotland shows exactly how these systems can behave very differently.

The Sanctions Screening System Missed the Match

Why? Because the customer’s name on the passport didn’t match the sanctions list closely enough.

• The sanctioned individual used a UK passport containing:
• Changed characters,
• An extra character,
• And a missing middle name
• The above are all common Russian‑to‑English transliteration variations. These differences meant the sanctions engine saw two different names, not “close matches.”
• OFSI confirmed that the bank’s automated sanctions system failed to identify the person as a match because:
• It did not have strong fuzzy/phonetic / transliteration matching,
• It relied too much on literal spellings,
• It lacked enhanced data sets that contain name variants.
• Result: No sanctions alert was generated at onboarding.

2. The PEP Screening Fired Anyway   Because PEP Logic Works Differently

• PEP screening uses different triggers. A PEP match can be generated by information such as:
• Nationality
• Job history
• Political roles
• Known associations
• External PEP databases
• Broader matching logic than sanctions systems
• OFSI confirms that a PEP alert triggered the day after onboarding.
• This means the PEP system did not rely solely on the exact spelling of the name; it picked up enough similarity or metadata to say: “This person might be politically exposed to investigate.”

PEP datasets often include far more aliases and biographical metadata than sanctions lists do, which increases the likelihood of a PEP hit.

Result: The PEP alert triggered even though the sanctions alert failed.

3. The Human Analyst Then Made a Critical Mistake

• When reviewing the PEP alert, staff incorrectly concluded that the individual had been removed from both the EU and UK sanctions lists.
• OFSI confirmed this was wrong; the individual was removed only from the EU list, not the UK list.
• Result: The analyst closed the case incorrectly, and the issue was not escalated.

4. Weak Internal Escalation Rules Made the Problem Worse

• OFSI highlighted another gap: there were no clear instructions requiring staff to escalate a PEP alert to the sanctions team, even though many sanctioned individuals are also PEPs.  
• So even when the PEP system said “something is wrong,” the governance structure didn’t ensure it reached sanctions specialists.

In Simple Terms: Why PEP Alert Triggered but Sanctions Alert Didn’t

The Key Insight

• Sanctions matching fails easily if names differ.
• PEP matching is more resilient and uses wider data.
• So the PEP system could say, “This looks like a risky political figure.”
• while the sanctions system said, “This name doesn’t exactly match   ignore.”

SOURCES

[comsuregroup.com], [vinciworks.com][comsuregroup.com], [fincrimecentral.com]