On 26 January 2026, the United Kingdom’s Office of Financial Sanctions Implementation (OFSI) published a penalty notice regarding a breach of UK financial sanctions by the Bank of Scotland Plc (Bank of Scotland). OFSI imposed a fine of £160,000 on the Bank of Scotland for dealing with funds and making funds available to a designated person. Below we discuss the rationale for OFSI’s decision and key compliance takeaways for businesses. 

Background 

On 6 February 2023, a Russian-British national opened a bank account at Halifax Bank (Halifax), the Bank of Scotland’s trading division. The individual, an ex-Russian politician, had been a designated person subject to sanctions in the United Kingdom since 2020 for his role in the territorial destabilisation of Ukraine.

The individual, a British citizen, used a UK passport for identification when opening a bank account with Halifax. This passport contained a spelling variation of the individual’s name. The variation within the UK passport to that within the OFSI Consolidated List was a changed character and an additional character in the forename, a missing middle name and a changed character in the surname. OFSI identified that character changes are common equivalents in Russian to English translations. The opening of the account did not trigger an automatic sanctions alert. A politically exposed person (PEP) alert was generated, but, due to human error, the customer was assessed as being removed from both the UK and the EU sanctions list, as opposed to only the EU list.

The Bank of Scotland subsequently processed 24 payments for the account over 16 days in February 2023, with the aggregate value exceeding £77,000.

The Bank of Scotland’s parent company, Lloyds Banking Group (LBG), disclosed the breaches to OFSI in March 2023, approximately two weeks after they occurred.

The Penalty 

OFSI has found that by processing the transactions, the Bank of Scotland breached Regulation 11 (dealing with funds) and Regulation 12 (making funds available) of the Russia (Sanctions) (EU Exit) Regulations 2019.

The Bank of Scotland benefited from a 50% discount for voluntary disclosure, bringing the fine down from £320,000 to £160,000. It was also the sole mitigating factor listed in the penalty notice.

The breach incorporated a range of aggravating factors, including, but not limited to:

• A relatively high value of funds being credited to a personal bank account.
• Payments to and from the relevant account blunted the financial restrictions imposed upon a designated person and enabled him to successfully circumvent UK financial sanctions.
• Sanctions imposed by the United Kingdom in respect of Russia were, and remain, a strategic priority for the United Kingdom and its foreign policy.
• The absence of explicit PEP procedural instructions for employees to escalate all potential sanctions connections for review likely exacerbated the risk of the account remaining unrestricted.

LBG’s mandatory and advanced sanctions training was out of date and did not reflect risks associated with the contemporary sanctions landscape.

Lessons for Compliance 

OFSI’s enforcement action highlights the need for proactive compliance by those subject to the UK sanctions regime. This is particularly important for banks and other business in the financial services industry, which are the essential gatekeepers of the UK financial system.

Organisations should anticipate ways in which sanctions breaches could potentially occur and the following practical steps should be considered:

Enhance Sanctions Screening Systems

Automated screening systems must be capable of identifying spelling and transliteration variations, especially for high-risk jurisdictions and individuals or those for which there are common equivalents in languages. 

Use All Available Information Holistically

Sanctions controls could be optimised by cross-referencing data from PEP screening, customer due diligence and external resources.

Implement Robust Escalation Procedures

Internal policies should provide clear, explicit guidance on escalating potential sanctions and PEP matches, especially when reviews identify links to both categories. 

Regularly Update Staff Training

Sanctions training must be kept up to date to reflect the evolving regulatory landscape and geopolitical risks. Both automated and manual processes should be covered, with an emphasis on contingency escalation and cross-checking information. 

Promptly Disclose Sanctions Breaches to OFSI

However, seek appropriate legal advice in this regard.

Concluding Remarks

The recent wave of OFSI sanctions enforcement demonstrates a strict approach and underscores the need for comprehensive sanctions compliance procedures. To withstand this regulatory scrutiny, organisations should develop robust processes to anticipate and mitigate sanctions risks.

If you have any questions or would like to discuss what the sanctions enforcement regime means for you, please do not hesitate to contact the authors listed above.