In late January, the UK’s Office of Financial Sanctions Implementation (OFSI) published one of its first enforcement outcomes of 2026 when it fined the Bank of Scotland £160,000 for breaching the UK’s Russian sanctions regime.
For most regulated firms, sanctions breaches are a scenario that most compliance teams will dread. When they do surface, breaches aren’t often due to deliberate evasion, but a missed red flag, a name variation, or overlooked alert.
The fine imposed on the Bank of Scotland fits that pattern precisely.
In this article, we look at what went wrong at the Bank of Scotland, how sanctions risk plays out in a real setting, and why regulators remain as unforgiving as ever when basic expectations aren’t met.
What happened?
The breach traces back to February 2023, almost three years before the penalty was published. Over a 16-day period, the Bank of Scotland processed 24 payments totalling over £77,000 through a personal current account held by an individual subject to UK Russia sanctions.
That individual was Dmitrii Ovsyannikov, a former Deputy Minister of a Ministry of the Russian Federation (2019-2020) and regional Governor of the City of Sevastopol (2016-2019), appointed by President Vladimir Putin. Ovsyannikov has been designated under UK sanctions since 2017 and was subject to an asset freeze and prohibitions on making funds available to him.
Despite that designation, Ovsyannikov was able to open a current account with Halifax, part of the Bank of Scotland and Lloyds Banking Group and use it to receive and send funds. OFSI later concluded that each of the transactions processed through the account constituted a breach of the UK Russia sanctions regulations.
The activity only came to light after a separate screening processes flagged the account holder as a politically exposed person (PEP). By that point, however, the payments had already been made.
Bank of Scotland’s parent company, Lloyds Banking Group, disclosed the issue to OFSI in March 2023, triggering the investigation that ultimately led to January’s fine.
What went wrong?
At the centre of this case is a problem that will be familiar to many compliance teams: identity matching.
When the account was opened, the identity documents provided by Ovsyannikov question included a spelling variation of his name compared with the entry on the UK sanctions list. This meant the account was not flagged as a potential match by the bank’s automatic sanctions screening system.
The penalty notice issued by OFSI shared the banks failure to “detect a transliteration variant of a designated individual’s name, despite being in possession of this information.” An oversight that OFSI claimed “significantly contributed to the cause of this incident.”
As a result, the account operated normally for over two weeks. Payments were processed in and out without restriction, despite the prohibitions that apply once an individual is designated under UK sanctions.
The fact that the issue was only identified through a different screening route (rather than sanctions screening itself), highlights the fragmentation that can exist between onboarding checks, sanctions screening tools and ongoing monitoring if such systems operate in silos.
The wider enforcement context
This fine landed at a time of heightened focus on Russia sanctions enforcement, including criminal prosecutions of sanctions evasion. In the first ever UK prosecution of Russian sanction breaches, Ovsyannikov himself was convicted in April 2025 and sentenced to 40 months in prison for breaching sanctions and laundering money through UK bank accounts.
This only added to the profile of the Bank of Scotland case as it didn’t involve a historic designation or low-risk individual. Ovsyannikov was a high-profile, publicly sanctioned individual be able to use UK financial infrastructure after sanctions had been in place for years.
OFSI acknowledged Lloyds Banking Group’s voluntary disclosure and applied the maximum 50% reduction to the penalty as a result. Without that disclosure, the fine would have been £320,000. The regulator explicitly highlighted the Group’s prompt disclosure as a mitigating factor, citing how they “seek to reward prompt and complete voluntary disclosures through penalty discounts.”
What AML compliance teams can learn from this case
The Bank of Scotland case revolved around what looked like a simple, routine new client. A personal current account and standard onboarding processes, yet a simple name mismatch caused a fatal flaw in the Bank of Scotland’s Anti-Money Laundering (AML) compliance process.
One lesson is clear: sanctions screening is only as effective as its ability to deal with real-world data. Transliteration issues, spelling variations, cultural context, and incomplete records are everyday realities, particularly where sanctions lists include non-Latin names and characters.
What’s more, client onboarding processes cannot operate in isolation. In this case, sanctions screening did not flag Ovsyannikov, but a separate PEP check eventually did. That lag created a window which allowed £77,383 to be processed via a sanctioned individual. If you’re using multiple systems or a manual process, the handoffs between different Know Your Customer (KYC) checks matter as much as the checks themselves.
This case also reinforces the regulator’s position on liability. OFSI doesn’t need to prove a firm’s intent, recklessness or knowledge to impose a penalty. If funds reach a designated person, the breach exists.
Finally, the outcome shows how disclosure decisions can shape enforcement outcomes – the Bank of Scotland’s voluntary reporting halved the penalty. However, early escalation remains critical, and it should not be a substitute for prevention.
If you want to take the friction out of sanctions screening, our intuitive KYC and KYB platform automates individual and company verification with real-time access to global sanctions, PEPs, and adverse media data. It reduces manual research and duplicated efforts, keeping your onboarding checks accurate and current without adding to your team’s workload.
Streamline risk, detect fraud and automate compliance with ID-Pal. Find out more here.
