Bank of Scotland Fined for Russia Sanctions Breaches

1 Imposition of Monetary Penalty – Bank of Scotland PLC SUMMARY 1. On 10 November 202 5, t he Office of Financial Sanctions Implementation (“OFSI”), part of HM Treasury, imposed a penalty of £ 16 0,000 on a UK registered company, Bank of Scotland Plc (“ Bank o f Scotland ”), in accordance with section 146 of the Policing and Crime Act (“PACA”) 2017. Bank of Scotland is a subsidiary of the Lloyds Banking Group (“LBG”). 2. The penalty was imposed for breaches of the Russia (Sanctions) (EU Exit) Regulations 2019 (“ the Russia Regulations ”), namely regulation 11 (dealing with funds) and regulation 12 (making funds available). 3. Between 8 February and 24 February 2023, Bank o f Scotland processed 24 payments, totalling £77,383.39, to or from a personal current account held by an indivi dual designated under the Russia Regulations (“the Ac count”). Bank o f Scotland processed four payments which were credited to the Account between 8 Februar y and 24 February 2023, totalling £76,000.00. Bank o f Scotland also processed 20 payments which were debited from the Acc ount between 13 February and 23 February 2023, totalling £1,383.39. OFSI has concluded that the processing of these 24 payments breached regulation 11 of the Russia Regulations. 4. The four payments that Bank o f Scotland processed to the Account were transferred from a separate account held at Bank o f Scotland. OFSI has concluded that, by processing these four payments to the Account, Bank o f Scotland has breached regulation 12 of the Russia Regulations. 5. OFSI imposed a monetary penalty on Bank o f Scotland because it was satisfied that, on the balance of probabilities, Bank o f Scot land breac hed prohibitions imposed by financial sanctions legislation. 6. LBG formally disclosed these breaches on behalf of its subsidiary, Bank o f Scotland, on 16 March 2023. As such, OFSI consider ed that Bank of Scot land was eligible for a voluntary disclosure discount and the full 50% voluntary disclosure discount was subsequently applied. 7. Following the issuance of a Notice of Intention to impose a penalty of £175,000 on 28 August 2025 (“the Notice”), and consideration of representations from LBG re ceived on 2 October 2025, on 10 November 2025, OFSI considered it appropriate to revise the final penalty amount from £175,000 to £160,000. A penalty of £320,000 would have been imposed were it not for the voluntary disclosure discount.

2 8. Under the provisions of PACA, any person who has a monetary penalty imposed on them is entitled to a ministerial review. Under these provisions, the minister may: a. uphold the decision to impose the pe nalty and its amoun t; b. uphold the decision to impose the penalty, but alter the amount; or c. cancel the decision to impose a penalty. 9. LBG, on behalf of Bank of Scotland, did not request a Ministerial Review. BACKGROUND 10. The Account was opened at Halifax Bank (“Halifax”). Halifax is a trading division of Bank of Scotland. OFSI determined that Bank of Scotland is the legal entity responsible for the breaches in this case, as it is the legal entity that processe d the payments that were in breach of the Russia Regulations. Bank of Scotland is a wholly owned subsidiary of LBG, with compliance functions managed and directed at group level by LBG. 11. OFSI considers that the responsibility of ensuring compliance with sanctions legislation rests with the entity directly responsible f or the breach. Therefore, whilst UK entities may delegate compliance functions to third parties, including parent comp anies in a larger group structure, both mitigating or aggravating conduct demonstrated by those relevant compliance functions will be assesse d as the conduct of the breacher. 12. LBG, on behalf of Bank of Scotland, notified OFSI of a potential breach on 10 March 2023, and formally disclosed the breach to OFSI on 16 March 2023. 13. In assessing this case, OFSI applied the curr ent version of the ‘Financial sanctions enforcement and monetary penalties guidance’ (the “Enforce ment Guidance”), last updated in November 2024. 14. All breaches in this case occurred after the strict liability amendments to PACA came into effect. THE BREACHES 15. On 6 February 2023, a person designated by the UK on the 31 December 202 0 opened the Account at Halifax. The designated person, a British citizen, used a UK passport for identification when opening the Account. Th is passport contained a spelling variation of the designated person ’s name. Specifically, the variation within the UK passport to that within the OFSI Consolidated List w as a changed character and an additional character in the forename, a missing middle name and a changed character in the

3 surname. The character changes a re common equivalents in Russian to English translations. 16. However, an automatic sanctions alert was not triggered against the Account at the account-opening stage, nor at any stage between 6 and 24 February 2023, during which time access to the Account was unrestricted. OFSI considers that two key issues contributed to the screening system being unable to identify a potential match: a. the screening system did not reconcile the character changes between the spelling variations; and b. secondly, the sanctions screening system lacked sufficient enhancement, from either commercial third parties or the bank itself, to reconcile the spelling variations. 17. OFSI considers that t he inability of the automatic sanctions screening system to identify the designated person may have been prevented by resolving either of these two issues. 18. An automatic Politically Exposed P erson (“PEP”) alert was generated on 7 February 2023, as part of LBG’s automatic PEP screening. Th e variation of the designated person’s name used to open the Account was a match against an entry contained within the commercial PEP List that LBG downloade d for the purpose of enhancing its PEP screening. LBG did not use a commercial sanctions list to enhance its sanctions screening. Although OFSI does not prescribe that firms must procure commercial lists, OFSI does consider that it is reasonable to expect that firms with greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhanceme nts using relevant and available information. 19. A PEP review was commenced on 20 February 2023. A manual adverse media check was conducted which identified that the customer was a designated person. However, due to human error, the customer was assessed as being removed from both the UK and the EU sanctions list, as opposed to only the EU list. At the time of the breach, there was not an explicit instruction to escalate all potential sanctions connec tions to a relevant sanctions team. OFSI considers this relevant as many sanctioned individuals are also PEPs, so it is not unreasonable to expect that a PEP review may also identify a potentially sanctioned customer – should a firm’s automatic sanctions scree ning fail to detect them. OFSI considers that, from 20 February 2023, the bank possessed information that would have enabled them to identify the Account was owned by a designated person. However, the Account remained unrestricted until 24 February 2023, when the customer was identified as a designated person on ly after an internal

4 investigation of a related account. Between 20 and 24 February 2023, the Account was credited with £75,000. 20. OFSI finds that two factors significantly contributed to the Account remaining unrestricted from 6 to 24 February 2023: a. That an automatic sanctions alert was not generated against the customer at the account-opening stage on 6 February 2023; and b. That the Account was no t escalated during a PEP review on 20 February 2023, when the identity of the customer was established. CASE ASSESSMENT 21. OFSI will take several factors into account that could be assessed as aggravating or mitigating when determining how seriously it views a case (the “case factors”). Within these case factors, OFSI will make an overall assessm ent as to the breach severity a nd the conduct of the person who has breached. With reference to these factors set out in OFSI’s Enforcement Guidance, the aggr avating factors in this case were: a. Bank of Scotland ’s actio ns made £76, 000. 00 directly available to a designated person, which OFSI considers to be a relatively high value of funds to be credited to a personal bank account (case factor B). b. The payments to and from the Ac count blunted the financial restrictions imposed upon a designated person and enabled them to successfully circumvent UK financial sanctions (case factor C). c. In 2023, sanctions imposed by the UK in respect of Russia were, and remain, a strategic priority for the UK and its foreign policy (other relevant case factor within severity). d. From 20 February 2023, the bank possessed information that inferred the Account was owned by a sanctioned individual. From this date, OFSI considers that the bank had reasonable cause to suspect that payments to or from the Account would be in breach of financial sanctions (case factor D). e. LBG’s failure to detect a transliteration variant of a designated individual’s name, despite being in possession of this information, significantly contributed to the cause of this incident. Although OFSI notes that there is no explicit regulatory requirem ent in relation to commercial lists, OFSI does

5 consider it reasonable to expec t that firms wit h greater sanctions exposure sufficiently enhance their lists used to assist in sanctions screening, either by using a commercial package or undertaking their own enhancement using relevant and available information. In this instance, LBG’s lack of commercial sanctions list at the time of the bre ach, and for an extended period afterwards, is considered aggravating in conjunction with the fact LBG did not enrich its sanctions screening with all relevant and available information in the bank’s possession (case factor E). f. The absence of explicit PEP procedural instructions for colleagues to esc alate all potential sanctions connections for review likely exacerbated the risk of the Account remaining unrestricted. This consideration is made in conjunction with the fact that many sanctioned individuals are also PE Ps (case factor E). g. W hile LBG’s mandatory training required escalation of sanctions breaches and queries, it s mandatory and advanced sanctions training was out of date and did not reflect risks associated with the contemporary sanctions landscape, such as the heightened risk posed by Russia sanctions post - 2022 (case factor E). h. Lastly, 24 separate transactions were p rocessed over the course of more than two weeks, which OFSI assesses as repe ated breaches of the Russia Regulations (case factor I). 22. These factors were weighed against the mitigating factors in the case, which were as follows: a. LBG formally reported the 24 payments to OFSI voluntarily on behalf of Bank o f Scotland on 16 March 2023. The initial disclosure of a potential breach was made promptly after the breaches occurred and was done so on a voluntary basis (case factor J). 23. Other case factors were considered either not relevant, or on balance to be neither aggravating nor mitigating. LBG responded to all OFSI’s requests for information during the course of the investigation, providing docume nts and responses as requested. 24. In the context of these factors, and in accordance with the Enforcement Guidance, OFSI assessed this case overall to be “serious” as opposed to “m ost serious”.

6 25. OFSI values voluntary disclosure and expec ts suspected breaches to be disclosed as soon as reasonably practicable after discovery. OFSI’s Enforcement Guidance states that a discount of up to 50% will be granted for prompt and complete voluntary disclosure in a case assessed as serious. OFSI considered that LBG provided a prompt and complete voluntary disclosure of the breaches assessed in this case. Therefore, OFSI considered the threshold to be met in this case and provided the full 50% discount. 26. The total breach value in this case was £ 77,383.39. The permitted statutory maximum penalty was therefore £1,000,000. OFSI considered it re asonable and proportionate to impose a final post-discount penalty of £160,000. NOTES ON COMPLIANCE 27. UK financial sanctions apply to any conduct in the UK and to all UK persons (includin g legal entities established under UK law) anywhere in the world. Firms must ensure they comply with th os e UK financial sanctions that are in forc e. This case highlights important compliance lessons for a wide range of industry stakeholders. 28. First, OFSI strongly encourages firms to utilise all information available t o them in order to optimise sanctions controls relative to their risk. Firms are advised to assess and employ appropriate resources to enhance the effectiveness of such systems. In this instance, LBG had demonstrably taken measures to implement sanctions scree ning; however, its automated systems failed to de tect a spelling variation of a designated individual ’s name. Utilising enriched screening and commercial list providers, in addition to the OFSI Consolidated List, may help firms with greater sanctions risk exposure to better manage their sanctions risks. 29. Second, this case illustrates th at there are inherent risks associated with automated sanctions screening, so it is essential that firms establish robust and explicit contingency procedures. Internal policies should provide robust and explicit guidance to staff regarding the escalation of potential sanctions concerns. This is particularly pertinent for areas of business that are more exposed to sanctions risk, such as those involving PEPs. Firms must ensure that they provide clear escalation procedure s so that any sanctions concerns, particularly in relation to potentially designated persons, are promptly escalated to an approp riate team. 30. Third, it is imperative that all training materials re lating to sanctions are regularly reviewed and updated. The Russian invasion of Ukraine, combined with OFSI’s approach to breaches with strict liability, has significantly altered the sanctions environment. Training content must be regularly reviewed and updated to accurately

7 reflect relevant regulatory and geographical developments to ensure continued compliance. 31. Fourth, this case is an example of prompt, voluntary disclosure of a potential breach of sanctions. LBG, on behalf of Bank of Scotland, made an initial notification within two weeks of identifying a potential breach. OFSI seeks to reward prompt and comp lete voluntary disclosures through penalty discounts. 32. Further information and guidance on UK financial sanctions can be found on OFSI’s website: https://www.gov.uk/government/organisations/office- of -financial-sanctions- implementation