ASK MAT – How could the Bank of Scotland have missed a sanctioned Russian PEP — Even With Screening Tools

27/01/2026

Mat says –

  • Great questions, and the simple answer is that, even though the bank was using screening software, two failures occurred at the same time.
  • In summary, the Bank of Scotland missed a sanctioned Russian PEP because:
    • The individual’s name appeared differently from the sanctions list
    • The screening tool was not configured to detect transliteration/spelling variants
    • Human error during the PEP review incorrectly closed the case
    • Escalation and governance controls failed to compensate for system weaknesses

This case demonstrates that effective sanctions compliance requires:

  • Advanced screening technology
  • Skilled human oversight, especially in jurisdictions with high name variation risks
  • Robust escalation processes

KEY FACTS – A SUMMARY

Below is a clear, concise executive summary explaining how Bank of Scotland missed a Russian PEP/sanctioned individual despite using screening tools, based strictly on verified enforcement findings.

  1. As confirmed by OFSI enforcement findings, the Bank of Scotland’s failure to detect a sanctioned Russian PEP — despite having automated screening tools — resulted from a combination of
    • Technical shortcomings and
    • Human error.
  2. The sanctioned individual used a passport with significant name variations
    • The designated person opened an account using a UK passport containing multiple spelling differences compared with the official sanctions listing — including changed characters, an added character, and a missing middle name, all commonly associated with Russian‑to‑English transliteration.
    • These discrepancies prevented the bank’s automated screening system from identifying the person as a match.  
  3. The bank’s screening tool lacked advanced matching capabilities
    • OFSI found that the bank had not enhanced its sanctions screening solution with commercial data sets, nor had it implemented robust fuzzy, phonetic, or transliteration matching.
    • As a result, the system relied too heavily on literal spellings and failed to capture common variants of Russian names, leaving a critical blind spot in its detection.
  4. A PEP alert was generated, but human error prevented escalation
    • A PEP alert triggered the day after onboarding.
    • However, during manual review, staff incorrectly concluded that the customer had been delisted from both UK and EU sanctions. In reality, the customer had been removed only from the EU list, not the UK list.
    • This mistake prevented escalation and kept the account active for over two weeks.
  5. Weaknesses in escalation, governance, and layered controls amplified the failure
    • The combination of inadequate screening logic, insufficient list enhancement, and manual review errors created a multi-layer failure.
    • Over 24 prohibited payments totalling £77,383.39 were processed during this period, leading to OFSI’s £160,000 penalty.

Sources: [skadden.com], [assets.pub…ice.gov.uk], [natlawreview.com]

Longer read

The sanctioned person used a passport with name variations

This is the root cause cited by OFSI.

  • The individual was a UK-designated person, but the passport used to open the account had spelling differences compared with the name on the sanctions list.
  • These variations included:
    • Changed characters
    • An extra character
    • Missing middle name
    • Common Russian‑to‑English transliteration differences

Why this matters:

  • Many screening tools rely on exact or close‑match spellings.
  • If the bank had not activated fuzzy matching, the tool would not detect variants of Russian names.

This is exactly what happened.

The bank’s sanctions screening tool was not sufficiently enhanced

OFSI found that:

  • The bank did not use a commercial sanctions data set
  • Its internal list was not enhanced to catch name variations
  • The tool lacked strong phonetic / transliteration matching (e.g., common Russian equivalents)

In short:

  • The technology was too “literal.”
  • It could not recognise the same name written in two slightly different ways.
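
An added example (not taken from the OFSI findings or the bank's systems) showing how a literal comparison and a plain similarity score both miss the kinds of variation described above, while folding transliteration variants before comparing catches them. The names, the folding rules and the 0.85 threshold are constructed assumptions, and only Latin-script input is handled.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed names for illustration; not the individual in the OFSI case.
LISTED = "Aleksey Viktorovich Zaytsev"   # spelling on the sanctions list
PASSPORT = "Alexei Zaitsyev"             # changed and added characters, no middle name
UNRELATED = "Alexei Zakharov"            # different person, same given name
THRESHOLD = 0.85                         # assumed alert threshold

# Assumed folding rules for common Russian-to-Latin spelling variants, applied
# in order. A production rule set would be far larger.
FOLDS = [
    (r"ks", "x"),        # Aleksey / Alexey
    (r"kh", "h"),        # Zakharov / Zaharov
    (r"[yij]e", "e"),    # Zaitsyev / Zaitsev
    (r"[yj]", "i"),      # Zaytsev / Zaitsev
    (r"i{2,}", "i"),     # Yuriy / Yurii / Yuri
    (r"(ff|w)", "v"),    # Smirnoff / Smirnov
]


def tokens(name, fold):
    """Strip diacritics, lower-case, split into words, optionally fold variants."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    out = re.findall(r"[a-z]+", text)
    if fold:
        for pattern, repl in FOLDS:
            out = [re.sub(pattern, repl, t) for t in out]
    return out


def score(customer, listed, fold=True):
    """Lowest best-match similarity across the customer's name parts."""
    cust, ref = tokens(customer, fold), tokens(listed, fold)
    if len(cust) < 2 or not ref:   # a lone given name must never match
        return 0.0
    # Each customer token takes its best listed token, so a missing middle name costs nothing.
    return min(max(SequenceMatcher(None, c, r).ratio() for r in ref) for c in cust)


def is_hit(customer, listed, fold=True):
    return score(customer, listed, fold) >= THRESHOLD


if __name__ == "__main__":
    print("exact:", PASSPORT.lower() == LISTED.lower())
    for cust, fold in [(PASSPORT, False), (PASSPORT, True), (UNRELATED, True)]:
        print(cust, "folded" if fold else "raw", round(score(cust, LISTED, fold), 2))
```
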

A PEP alert did fire — but human error blocked escalation

  • On 7 February 2023, the bank’s automated PEP screening generated an alert. However:
    • The reviewer mistakenly believed the individual had been removed from both the UK and EU sanctions lists
    • In reality, only the EU had delisted them — the UK had not
    • The reviewer therefore incorrectly closed the PEP review
  • So even when the system caught something, human error overrode it.

Combined effect: the customer passed through controls, and the account stayed open

Because of both:

  • Screening system limitations (no fuzzy matching, no commercial enhancements), and
  • Human review mistakes,

the customer’s account remained active for over two weeks, resulting in 24 prohibited payments totalling £77,383.39 being processed.

The Simple Bottom Line

They missed the Russian PEP because the sanctioned person used a slightly different spelling of their name, and the bank's screening tool wasn’t smart enough to catch it — and then a human reviewer made a mistake that prevented escalation.

This is why many banks now require:

  • Fuzzy matching,
  • Enhanced commercial sanctions data,
  • Stronger Russian transliteration mapping, and
  • Robust second‑line review for PEP/sanctions cases.

Sources

[fincrimecentral.com], [global.mor…ngstar.com], [comsuregroup.com]

THREE SUPPORTING COMSURE BRIEFINGS

COMSURE EXPLAINER

Why a sanctioned Russian PEP was missed — and what it means for financial institutions

Between 8 and 24 February 2023, Bank of Scotland processed 24 payments on an account belonging to a UK-designated individual, resulting in a £160,000 OFSI penalty. The failure occurred despite the bank's use of screening tools. Two key issues explain why the automated systems did not detect the sanctioned individual:

  1. Name variation defeated the screening tool

The sanctioned person opened an account using a UK passport with spelling differences from the sanctions list, including altered characters, an extra character, and a missing middle name — all common Russian‑to‑English transliteration changes. The bank’s screening software lacked sufficient fuzzy matching or enhanced data to recognise these variants, so no sanctions alert was triggered.

  2. A PEP alert fired — but human error stopped escalation

A PEP alert was triggered the next day, but manual review incorrectly concluded the customer had been delisted from both the UK and EU lists. In reality, the person had been delisted only from the EU list, not the UK list. This prevented escalation, leaving the account active for over two weeks and enabling the prohibited transactions.

What this means for firms

This case demonstrates that effective sanctions controls require:

  • Smarter matching, not just static screening lists
  • Human review that understands sanctions nuances
  • Layered controls, including name‑variant logic, phonetic matching, and adverse‑media checks

A sanctions framework fails not only when a system breaks, but also when humans miss what the system tries to highlight.

COMSURE “LESSONS LEARNED”

LESSONS LEARNED: Bank of Scotland Sanctions Breach (Feb 2023)

  1. Screening tools alone are not enough
  • The bank’s system failed to detect a designated individual due to name variations.
  • No fuzzy or phonetic matching was applied — a common blind spot in sanctions screening.
  2. Transliteration differences create real risk
  • Russian names frequently change when converted to English.
  • Systems relying on exact matches will miss high-risk individuals.
  3. Human review must be accurate and informed
  • A PEP alert was triggered, but human error incorrectly closed the review.
  • Misinterpreting sanctions listings (EU vs UK) allowed the account to remain active.
  4. Controls must be layered
  • Screening should be supplemented with commercial data sets, media checks, and enhanced matching logic.
  • OFSI expects enhanced screening where exposure risk is high.
  5. Governance and escalation matter
  • The issue persisted for over two weeks, showing gaps in escalation and oversight.

COMSURE RISK MITIGATION CHECKLIST FOR NAME‑MATCHING FAILURES

A practical, ready-to-use control checklist.

RISK MITIGATION CHECKLIST: Preventing Name‑Matching Failures in Sanctions Screening

  1. Enhance Technical Screening Controls

✔ Enable fuzzy matching (typographical differences)
✔ Enable phonetic and transliteration matching (e.g., Russian → English)
✔ Use commercially enhanced sanctions data sets
✔ Add watchlists for known name variations
✔ Ensure screening tools can manage multiple scripts (Cyrillic / Latin)  

  2. Reinforce Human Review

✔ Train analysts on multi-regime differences (EU vs UK delistings, etc.)
✔ Require dual‑control sign‑off for sanctions/PEP alerts
✔ Provide analysts with transliteration reference tables
✔ Use structured checklists for sanctions escalation  

  3. Strengthen Onboarding Controls

✔ Cross-check identity documents for name discrepancies
✔ Trigger manual sanctions review when name variation risk exists
✔ Apply mandatory adverse media checks on Russian/PEP profiles

  4. Improve Governance and Oversight

✔ Conduct periodic model validation of screening tools
✔ Perform quality assurance on closed alerts
✔ Review escalation performance (speed, accuracy, documentation)
✔ Maintain a register of false negatives to guide improvements [natlawreview.com][skadden.com]

  5. Vendor & System Assurance

✔ Obtain written confirmation of data‑source updates
✔ Test name‑variation matching using known sanctions cases
✔ Confirm vendor coverage for alternative spellings and aliases

Sources

[skadden.com], [natlawreview.com], [assets.pub…ice.gov.uk]
