A £160,000 Wake‑Up Call: What Happens When Sanctions Controls Miss the Mark
Picture this: a customer walks into a bank and opens up an account, providing his passport as identification. Nothing unusual — except that the name on his passport is a slight variation from the version of his name that appears on a UK sanctions list. The bank’s screening system doesn’t catch this variance and a manual reviewer fails to pick up on red flags. Over the next two weeks, 24 payments quietly flow through the customer's account.
This is what happened at Bank of Scotland during February 2023, and it ultimately led the UK's Office of Financial Sanctions Implementation ("OFSI") to fine the bank £160,000 for breaching Russia sanctions.
What happened
Bank of Scotland processed over £77,000 of payments linked to an individual who was designated under UK Russia sanctions, running afoul of Regulation 11 (dealing with funds of a designated person) and Regulation 12 (making funds available to a designated person) of the Russia (Sanctions) (EU Exit) Regulations 2019. OFSI identified several failures in the bank’s sanctions controls, consisting of both technical and non-technical internal controls gaps.
The first control failure occurred at the account opening stage, when the bank's screening software failed to detect the individual's designation status due to spelling variations in his passport. The UK passport he presented to open his bank account contained a different spelling of his name than the version included in the sanctions screening list (his passport name used different characters in his first and last names and included an additional character in his first name). According to OFSI, these character changes are common in Russian-to-English translations, but the bank did not use a commercially available sanctions list to enhance its sanctions screening process.

The bank did, however, use a commercially available list to screen for politically exposed persons ("PEPs"), which flagged the account as belonging to a PEP the day after it was opened. The PEP alert triggered a manual review of the customer account. The bank's manual reviewer mistakenly concluded that the individual had been removed from the UK sanctions list. In reality, the individual had been removed from the European list, but not the UK list.
OFSI further noted that Bank of Scotland lacked "explicit PEP procedural instructions for colleagues to escalate all potential sanctions connections for review," which "likely exacerbated the risk of the Account remaining unrestricted" due to the significant overlap between PEPs and sanctioned individuals. OFSI's penalty publication also noted that the bank's "mandatory and advanced sanctions training was out of date and did not reflect risks associated with the contemporary sanctions landscape, such as the heightened risk posed by Russia sanctions post-2022."
So how was this oversight ultimately spotted? The Russian customer's account remained unrestricted until the customer was identified as a designated person during an investigation into another account. Lloyds Banking Group, Bank of Scotland's parent company, then voluntarily disclosed the breach to OFSI, which credited this voluntary disclosure for reducing Bank of Scotland's fine from £320,000 to £160,000.
Compliance Takeaways
Screening Lists should be Pressure-Tested
Firms are advised to honestly assess whether their current sanctions screening solutions can cope with spelling and transliteration variations. Where the risk is great enough, adopting a commercially available screening system may be the best option. Though OFSI technically doesn't require regulated firms to adopt commercially available sanctions screening solutions, OFSI's penalty publication strongly implied that maintaining an entirely in-house screening operation may fall short of what is needed for sanctions compliance. OFSI's not-so-subtle preference was spelled out multiple times throughout its notice:
- "Although OFSI does not prescribe that firms must procure commercial lists, OFSI does consider that it is reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhancements using relevant and available information."
- "Although OFSI notes that there is no explicit regulatory requirement in relation to commercial lists, OFSI does consider it reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhancement using relevant and available information."
- "Utilising enriched screening and commercial list providers, in addition to the OFSI Consolidated List, may help firms with greater sanctions risk exposure to better manage their sanctions risks."
Once a firm implements a sanctions screening system, the firm (or its screening vendor) should periodically test this system to ensure it is robust enough to capture things like spelling variations, common translation pitfalls, typos, and formatting differences (in other words, screening systems should be capable of fuzzy matching!).
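A minimal pressure test of the kind described above, as an added example that is not from OFSI's notice or the bank's systems: it runs an exact-match screen and a fuzzy screen over the same test names and reports what each one misses. All names are constructed, and the 0.85 threshold and the plain edit-distance measure are assumptions standing in for whatever matching logic a real screening system uses.

```python
import unicodedata

# Constructed list entries and test names; none refers to a real person.
SCREENING_LIST = ["Evgeny Primerov", "Nataliya Obrazets"]
CASES = [  # (name as presented by the customer, should it alert?)
    ("Evgeny Primerov", True),     # identical spelling
    ("Evgeniy Primerow", True),    # different characters plus an extra one
    ("PRIMEROV, Evgeny", True),    # surname-first formatting
    ("Evgény Primerov", True),     # diacritic
    ("Natalia Obrazetz", True),    # transliteration variant
    ("Ewan Palmer", False),        # unrelated customer (control)
]

def normalize(name):
    """Strip diacritics and punctuation, lowercase, sort the name tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalpha() else " " for c in text.lower())
    return " ".join(sorted(text.split()))

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical normalized names, falling towards 0 as edits grow."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b)) or 1
    return 1 - edit_distance(a, b) / longest

def exact_screen(name):
    return name.strip().lower() in {e.lower() for e in SCREENING_LIST}

def fuzzy_screen(name, threshold=0.85):  # threshold is an assumed value
    return any(similarity(name, e) >= threshold for e in SCREENING_LIST)

def pressure_test(screen):
    """Return (missed designated names, false alerts) for a screening function."""
    missed = [n for n, listed in CASES if listed and not screen(n)]
    false_alerts = [n for n, listed in CASES if not listed and screen(n)]
    return missed, false_alerts

if __name__ == "__main__":
    for label, screen in (("exact", exact_screen), ("fuzzy", fuzzy_screen)):
        print(label, pressure_test(screen))
```

Lowering the threshold catches more variants at the cost of more alerts for manual review, so the test set should include unrelated names as controls.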
Automation Alone is Inadequate
OFSI's penalty notice made it clear that firms must have explicit escalation procedures in place that detail the steps that should be taken once a screening alert is triggered. The team that is first notified of a screening match should know the specific team to which they can escalate, and how and when such an escalation should occur. Screening can be automated to an extent, but human intervention is still expected for matches.
Sanctions Training Materials should Reflect Current Events
The Bank of Scotland had a sanctions training program in place, but this training had not been updated to reflect the enormous changes that took place after Russia's 2022 invasion of Ukraine. This invasion triggered a deluge of new designations under the UK, EU, and US sanctions regimes, significantly curtailing the ability of banks to do business with Russian actors. Though OFSI did not expect or require the Bank of Scotland to extensively train all employees by creating a post-invasion deep dive, it did expect that the bank's existing sanctions education would be updated to reflect the vastly heightened risk environment that materialized post-2022.
Prompt Disclosure Cut the Fine in Half
Once an organization uncovers sanctions violations, it must always determine whether to disclose the breaches to its regulator(s). In this case, Bank of Scotland's parent company, Lloyds Banking Group, disclosed the violations to OFSI within two weeks of their discovery. OFSI considered this notification to be prompt and voluntary, and rewarded Lloyds Banking Group by reducing the original penalty by 50%, the maximum reduction possible. Whether, when, and how to self-report are all heavily context-dependent, but this case exemplifies the potential benefits of doing so.

