UK Sanctions Watchdog Fines Bank of Scotland £160,000 Over Breach of Russia Sanctions

  • Flexi Group
  • 3 days ago

The Office of Financial Sanctions Implementation has imposed a £160,000 monetary penalty on Bank of Scotland Plc after determining that serious shortcomings in the bank’s financial controls led to repeated breaches of UK sanctions rules. The enforcement action relates to the processing of 24 prohibited transactions connected to a customer designated under the Russia Sanctions (EU Exit) Regulations 2019. Between 8 February and 24 February 2023, the bank allowed £77,383.39 to pass through an account held by a sanctioned individual. While the penalty was reduced by 50 percent due to the bank’s voluntary disclosure of the issue, the case exposed material weaknesses in automated screening systems and internal escalation procedures.


OFSI’s investigation found that the root cause of the breach lay in the failure of the bank’s automated sanctions screening tools to correctly identify a designated person. On 6 February 2023, a British national opened a personal current account using a passport that contained minor name variations when compared with the UK government’s consolidated sanctions list. The passport reflected a changed character, the addition of another character, and the absence of a middle name, all of which are common transliteration differences when names are converted from Russian into English. Because Bank of Scotland had not sufficiently upgraded its screening software or supplemented its checks with commercial data sources, the system failed to generate an alert. As a result, the account remained active and unrestricted for more than two weeks, during which the bank processed multiple incoming and outgoing payments that directly undermined the objectives of UK foreign policy.


The case highlighted a broader vulnerability across the financial sector linked to overreliance on static sanctions lists that do not account for phonetic or spelling variations in international names. Without fuzzy-matching functionality, automated systems can easily miss common naming discrepancies that may be exploited to bypass controls. OFSI also noted that the bank’s decision not to enhance its sanctions checks with external commercial datasets removed an additional layer of defense that might otherwise have identified the customer. The authority concluded that the failure was not a minor technical error but reflected an inadequate assessment of the tools required to manage sanctions risk in a diverse and global customer environment.


In addition to the automated screening failure, the investigation identified serious deficiencies in manual oversight and internal governance. On 7 February 2023, the bank’s systems generated a Politically Exposed Person alert after the customer’s name matched a commercial PEP list. Despite this, the manual review was not completed until 20 February 2023. When the review did take place, a staff member incorrectly concluded that the individual was no longer subject to UK sanctions, confusing removal from the EU sanctions list with removal from the UK list. Compounding the issue, the bank did not have clear procedures requiring staff to escalate potential sanctions matches identified during background checks to a dedicated sanctions team. As a result, even after information suggesting the customer was a designated person was available internally, transactions continued to be processed for several more days.


OFSI viewed this delay as evidence of insufficient urgency and a lack of effective coordination between compliance functions. The authority also pointed to a deficiency in specialist sanctions knowledge, particularly significant in the post-Brexit environment where UK and EU sanctions regimes no longer fully align. The separation between PEP reviews and sanctions screening created siloed processes, meaning that information identified in one area did not automatically trigger action in another. This structural weakness allowed a high-risk individual to continue transacting and significantly increased the bank’s exposure to legal and regulatory consequences.


When determining the level of the penalty, OFSI identified several aggravating factors. Chief among them was the fact that the bank’s failures enabled a relatively substantial amount of funds to be made available to a designated person, thereby reducing the effectiveness of the sanctions regime aimed at exerting pressure on the Russian state. The regulator also expressed concern about the adequacy of the bank’s internal training. Although Lloyds Banking Group required mandatory sanctions training, the materials in use were found to be outdated and insufficiently responsive to the heightened sanctions risks that emerged following Russia’s invasion of Ukraine in 2022. OFSI stressed that firms with international exposure must continually update both their data and their training programs to reflect strict liability obligations.


The repeated nature of the breaches, spanning 24 separate transactions, reinforced the regulator’s view that a financial penalty was necessary as a deterrent. OFSI noted that outdated training left staff relying on assumptions that were no longer valid in a rapidly evolving legal and geopolitical context. This disconnect between senior-level awareness of sanctions risk and frontline execution of compliance duties was identified as a classic indicator of systemic weakness. The authority signaled that future enforcement actions are likely to scrutinize not only individual breaches but also the underlying culture of preparedness within institutions.


The resolution of the case offers a clear warning to the wider financial sector. It demonstrates that reliance on basic government sanctions lists without additional data enrichment presents a significant compliance risk, particularly for banks with large and varied customer bases. The case also illustrates the tangible benefits of voluntary disclosure, as the original £320,000 penalty was reduced by half after the bank reported the breach within weeks of identifying it. Regulators expect institutions to ensure that screening systems are capable of handling transliteration and spelling variations and that alerts in one compliance area automatically trigger reviews in others.


OFSI also emphasized the importance of regularly reviewing and updating training programs so that staff understand the distinctions between different sanctions regimes and the legal consequences of processing even low-value domestic payments for designated persons. Timely reporting and cooperation with regulators were highlighted as critical factors in mitigating penalties, though reputational damage remains an inevitable consequence. The broader message from the enforcement action is that sanctions compliance is an ongoing process requiring continuous technological improvement, effective staff education, and rigorous internal controls. As the UK continues to deploy financial sanctions as a central tool of foreign policy, scrutiny of banks is expected to intensify. The £160,000 fine stands as a clear signal that tolerance for technical lapses has diminished and that strict liability now defines the regulatory landscape.

By fLEXI tEAM
