In January 2026, OFSI published the details of an £160,000 monetary penalty imposed on Bank of Scotland Plc, a subsidiary of the Lloyds Banking Group, for breaching the Russia financial sanctions regime.
The lessons in this case go beyond one bank and one customer. OFSI’s published outcomes demonstrate how OFSI assesses breaches, the circumstances surrounding them, and how weaknesses in screening, escalation and training are taken into account when breaches have occurred. These lessons can help firms better understand how to run sanctions controls in practice, and how weaknesses in screening, escalation and training can expose firms to the risk of breaching.
UK financial sanctions apply to any conduct in the UK and to all UK persons (including UK legal entities) anywhere in the world.
Lesson 1: Screening data and configuration really matter
OFSI strongly encourages firms to utilise all information available to them to optimise sanctions controls relative to their risk. Firms are advised to assess and employ appropriate resources to enhance the effectiveness of such systems.
In this case, Lloyds Banking Group had taken measures to implement sanctions screening. However, its automated sanctions systems failed to detect a spelling variation of a designated individual’s name.
What this means for you:
- Ask whether your screening can cope with spelling and transliteration variants.
- Where your risk justifies it, consider enriched screening and commercial list providers alongside the new UK Sanctions List.
Lesson 2: Automation is not a safety net
This case illustrates that there are inherent risks associated with automated sanctions screening. It is essential that firms establish robust and explicit contingency procedures.
Internal policies should provide robust and explicit guidance to staff regarding the escalation of potential sanctions concerns. This is particularly pertinent for areas of business that are more exposed to sanctions risk, such as those involving Politically Exposed Persons (PEPs).
What this means for you:
- Make sure front‑line teams know when to escalate, who to contact and how – not just that they “should escalate”.
Lesson 3: Training must match today’s sanctions landscape
The sanctions landscape has evolved significantly since the Russian invasion of Ukraine in February 2022, and continues to develop with ever-shifting geopolitical events. It is imperative that all training and associated materials relating to sanctions are regularly reviewed and updated.
What this means for you:
- Training content must be regularly reviewed and updated to accurately reflect relevant regulatory and geographical developments to ensure continued compliance.
Lesson 4: Voluntary disclosure can shape the outcome
This case is an example of prompt, voluntary disclosure of a potential breach. Lloyds Banking Group, on behalf of Bank of Scotland, made an initial notification within two weeks of identifying a potential breach. OFSI seeks to reward prompt and complete voluntary disclosures through penalty discounts, which alongside co-operation can result in a discount of up to 30% under new guidance.
What this means for you:
- You should report suspected breaches to OFSI as soon as practicable.
- Where full disclosure is not possible, a person should make an early disclosure with partial information on the basis that they are still working out the facts and will make a further and full disclosure as soon as possible.
- Reporting breaches protects the integrity of financial sanctions and assists government and law enforcement agencies in tackling serious crime.
What firms should do next
This case shows that OFSI is focused not only on whether firms have sanctions controls, but on how effectively those controls operate in practice. From the way screening data is configured, to how concerns are escalated, how often training is refreshed, and how quickly potential breaches are reported.
Firms with UK touchpoints, including those operating internationally, should:
- review their sanctions screening, escalation procedures and training considering these lessons
- ensure they understand and comply with their reporting obligations, including reporting “as soon as practicable” where required.
You can read the full penalty notice here: https://www.gov.uk/government/publications/imposition-of-monetary-penalty-bank-of-scotland-plc
Further information and guidance on reporting information to OFSI is available here: https://www.gov.uk/government/organisations/office-of-financial-sanctions-implementation