The UK Treasury’s Office of Financial Sanctions Implementation (OFSI) said it has imposed a £160,000 monetary penalty on Bank of Scotland plc, part of Lloyds Banking Group (LBG), “for breaching the Russia financial sanctions regime.”

The OFSI said: “Between 8 and 24 February 2023, the bank processed 24 payments totalling £77,383.39 to and from a personal current account held by a UK‑designated person.

“OFSI concluded that the bank breached prohibitions on dealing with, and making funds available to, a designated person …

“A 50% discount was applied in this case for prompt, voluntary disclosure.”

The OFSI added: “The account was opened at Halifax Bank. Halifax is a trading division of Bank of Scotland.

“OFSI determined that Bank of Scotland is the legal entity responsible for the breaches in this case, as it is the legal entity that processed the payments that were in breach of the Russia Regulations.

“Bank of Scotland is a wholly owned subsidiary of LBG, with compliance functions managed and directed at group level by LBG.”

The Edinburgh-registered but London-based Lloyds Banking Group includes Bank of Scotland, Scottish Widows, Lloyds Bank and Halifax.

The OFSI continued: “OFSI considers that the responsibility of ensuring compliance with sanctions legislation rests with the entity directly responsible for the breach.

“Therefore, whilst UK entities may delegate compliance functions to third parties, including parent companies in a larger group structure, both mitigating or aggravating conduct demonstrated by those relevant compliance functions will be assessed as the conduct of the breacher …

“LBG, on behalf of Bank of Scotland, notified OFSI of a potential breach on 10 March 2023, and formally disclosed the breach to OFSI on 16 March 2023 …

“On 6 February 2023, a person designated by the UK on the 31 December 2020 opened the account at Halifax. The designated person, a British citizen, used a UK passport for identification when opening the account.

“This passport contained a spelling variation of the designated person’s name. Specifically, the variation within the UK passport to that within the OFSI Consolidated List was a changed character and an additional character in the forename, a missing middle name and a changed character in the surname. The character changes are common equivalents in Russian to English translations.

“However, an automatic sanctions alert was not triggered against the account at the account-opening stage, nor at any stage between 6 and 24 February 2023, during which time access to the account was unrestricted …

“An automatic Politically Exposed Person (PEP) alert was generated on 7 February 2023, as part of LBG’s automatic PEP screening. The variation of the designated person’s name used to open the account was a match against an entry contained within the commercial PEP List that LBG downloaded for the purpose of enhancing its PEP screening.

“LBG did not use a commercial sanctions list to enhance its sanctions screening. Although OFSI does not prescribe that firms must procure commercial lists, OFSI does consider that it is reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhancements using relevant and available information.

“A PEP review was commenced on 20 February 2023. A manual adverse media check was conducted which identified that the customer was a designated person. However, due to human error, the customer was assessed as being removed from both the UK and the EU sanctions list, as opposed to only the EU list.

“At the time of the breach, there was not an explicit instruction to escalate all potential sanctions connections to a relevant sanctions team. OFSI considers this relevant as many sanctioned individuals are also PEPs, so it is not unreasonable to expect that a PEP review may also identify a potentially sanctioned customer – should a firm’s automatic sanctions screening fail to detect them.

“OFSI considers that, from 20 February 2023, the bank possessed information that would have enabled them to identify the Account was owned by a designated person. However, the account remained unrestricted until 24 February 2023, when the customer was identified as a designated person only after an internal investigation of a related account. Between 20 and 24 February 2023, the Account was credited with £75,000.

“OFSI finds that two factors significantly contributed to the account remaining unrestricted from 6 to 24 February 2023:

“a. That an automatic sanctions alert was not generated against the customer at the account-opening stage on 6 February 2023;

“and b. That the account was not escalated during a PEP review on 20 February 2023, when the identity of the customer was established.”