When sanctions controls fail, it’s usually a BWRA problem


A familiar enforcement story, but a less familiar question

The recent £160,000 monetary penalty imposed by the Office of Financial Sanctions Implementation (OFSI) on Bank of Scotland, a subsidiary of Lloyds Banking Group, will inevitably be read through a familiar lens. Early reactions tend to gravitate towards the mechanics of the failure: shortcomings in sanctions screening, missed alerts, outdated training materials, or instances of human error. Others will rightly highlight the mitigating factors, including the firm’s voluntary disclosure and cooperation with the regulator, and will see the case as an example of enforcement working broadly as intended.

All of that is understandable. Yet it risks obscuring a more interesting (your mileage may vary on this word) and, in my view, more instructive issue. Based on the information available in the public notice, I would surmise that the more fundamental problem exposed by this case lies not in identifying which control failed, but in how sanctions risk itself was understood and articulated within the firm. That, ultimately, is a Business-Wide Risk Assessment (BWRA) question.

Not a single failure, but a pattern

At first glance, the facts appear relatively straightforward. A designated individual opened a retail account, sanctions screening did not identify the individual as sanctioned due to spelling variations arising from transliteration, and a series of transactions were processed before the issue was detected. Looked at in isolation, this can appear like a discrete operational failure.

However, OFSI’s notice makes clear that this was not a single breakdown, nor a momentary lapse. Multiple opportunities to identify and interrupt the risk were missed across different stages of the customer lifecycle, involving both automated systems and human review.

When incidents unfold in this way, it is tempting to focus on the controls themselves: which system failed, where escalation did not occur, or which training module should have been refreshed sooner. But controls are not independent artefacts. They are designed, calibrated, and governed in response to an organisation’s underlying understanding of its risk exposure. When multiple controls fail in sequence, it is usually a signal that something upstream was not sufficiently clear or robust.

Generic sanctions risk versus contextual exposure

One of the most striking aspects of the OFSI notice is the emphasis placed on context. The case did not arise in a vacuum. Russia sanctions were, at the relevant time, a strategic priority for the UK. The customer was a British national using a UK passport. The name variations that caused screening challenges were consistent with well-known Russian-to-English transliteration patterns. The individual was also identified as a politically exposed person.

None of these factors are novel, and none would be unfamiliar to an experienced sanctions practitioner. Taken together, however, they describe a specific and heightened sanctions exposure profile, rather than a generic one.

A stronger sanctions BWRA would have made that distinction explicit. Rather than treating sanctions risk as a broad, homogeneous category, it would have articulated how and where sanctions risk crystallises in the firm’s business model and operating environment. It would have recognised that retail onboarding is not inherently low-risk in a heightened Russia sanctions context, that name-based screening controls are structurally vulnerable where transliteration is common, that PEP processes often function as a critical backstop when sanctions screening is imperfect, and that reliance on manual judgement at key points materially influences residual risk.

Without that articulation, controls tend to be assessed in isolation. They are tested individually, documented individually, and defended individually. Weaknesses only become visible once an incident has already occurred.

Why risk events matter more than control descriptions

This is where the distinction between controls and risk events becomes particularly important. Many sanctions BWRAs still lean heavily towards cataloguing controls rather than articulating the underlying risk events they are intended to mitigate.

Had this case been framed explicitly as a risk event (for example, the provision of financial services to a designated individual in circumstances where identity attributes, customer context, and geopolitical factors increase the likelihood of sanctions evasion) the assessment would have been forced to confront a different set of questions. It would have required a clearer articulation of the conditions under which the risk becomes plausible, where the firm relies on automated detection versus human judgement, and what assumptions are being made about data quality and identity resolution.

Those questions are uncomfortable, because they surface dependencies and trade-offs that are often left implicit. But that is precisely the value of a BWRA when it is working well: it brings those assumptions into the open before they are tested by events.

It is also worth pausing on a more inconvenient possibility. It is highly likely that the firm’s BWRA did identify the risk of onboarding sanctioned individuals, and equally likely that name screening was bluntly assessed as an “effective” control against that risk. That, in itself, is not implausible.

The issue is what that effectiveness judgement was anchored to. If effectiveness is assessed in the abstract, without explicit reference to transliteration risk, data limitations, dependency on PEP processes, or reliance on manual judgement, then the assessment can be technically correct while still being strategically misleading. In other words, the control may be operating as designed, but against a simplified version of the risk.

Transliteration as an exposure driver, not a root cause

Much of the commentary around this case has focused on transliteration, and understandably so. Spelling variation was a direct contributor to the failure to identify the designated individual. However, there is a risk of drawing the wrong lesson from that observation.

The issue was not simply that transliteration was handled poorly. Transliteration risk is a well-understood exposure driver in sanctions risk, particularly in relation to Russia. A BWRA that had explicitly recognised that exposure would have used it to justify stronger, layered controls, rather than treating it as an edge case to be addressed tactically.

In practice, higher sanctions exposure should have translated into a deliberate combination of controls: enhanced sanctions lists or internal alias libraries, explicit linkages between PEP identification and sanctions escalation, clear rules governing when automated screening failures must be overridden, and defined tolerances for the use of manual judgement at critical decision points. None of these measures are novel or controversial. What matters is that they are designed and governed as a coherent system, proportionate to the level of risk that has been articulated.

Escalation and judgement are BWRA design choices

The same point applies to escalation. One of the recurring themes in the notice is the absence of clear escalation expectations when potentially relevant information was identified. The PEP review process surfaced indicators that should have prompted further scrutiny, yet there was no explicit instruction to escalate potential sanctions connections where uncertainty remained. Reliance on discretionary judgement at that point materially increased residual risk.

This is not simply a procedural gap. If escalation is a control, then its conditions of use are part of its effectiveness. A meaningful sanctions BWRA should be explicit about where discretion is acceptable, where it is not, and what information triggers mandatory escalation. Leaving those questions unanswered is not a neutral design choice; it is a risk decision, whether or not it is labelled as such.
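To make the two preceding points concrete (layered controls that treat transliteration as a known exposure driver, and escalation conditions that are written down rather than left to discretion), here is an added example that is not part of the original post or of any firm's actual screening system. It contrasts a naive exact-match screen with a layered one: a canonical-key match that folds common Cyrillic-to-Latin transliteration variants, a fuzzy fallback with a defined tolerance, and a mandatory escalation rule linked to PEP status. The list entry, the customer names, the fold table and the thresholds are all constructed for illustration and are not real designations or production parameters.

```python
"""Layered sanctions name screening, added here as an illustration of the
controls the post describes: transliteration-aware matching, an alias
library, and a mandatory escalation rule linked to PEP status.
Everything below is constructed example code; the list entry is a
hypothetical name, not a real designation."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed list: primary name -> known aliases (hypothetical, not real).
SANCTIONS_LIST = {
    "Aleksandr Primerov": ["Alexander Primerov"],
}

# Ordered folds mapping common Cyrillic-to-Latin transliteration variants
# onto one canonical spelling. Illustrative subset, not a complete scheme.
_FOLDS = [
    (r"shch|sch", "sh"),
    (r"tch", "ch"),
    (r"kh", "h"),
    (r"zh", "j"),
    (r"ks", "x"),                 # Aleksandr -> Alexandr
    (r"^(ye|je)", "e"),           # Yevgeny / Jevgeny -> Evgeny
    (r"(iy|ii|ij|yi)$", "y"),     # Dmitriy / Dmitrii / Dmitrij -> Dmitry
    (r"yu|iu|ju", "u"),
    (r"ya|ia|ja", "a"),
    (r"w", "v"),                  # Primerow -> Primerov
    (r"ff$", "v"),                # Smirnoff -> Smirnov
    (r"ph", "f"),
]

FUZZY_THRESHOLD = 0.85   # defined tolerance: at or above this, review is mandatory


def canonical(name: str) -> str:
    """Lower-case, strip diacritics, then fold each token through _FOLDS."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).lower()
    s = re.sub(r"[^a-z ]+", " ", s)
    out = []
    for tok in s.split():
        for pattern, repl in _FOLDS:
            tok = re.sub(pattern, repl, tok)
        out.append(tok)
    return " ".join(out)


def naive_screen(name: str) -> Optional[str]:
    """The weak control: case-insensitive exact match on the primary name only."""
    for primary in SANCTIONS_LIST:
        if name.strip().lower() == primary.lower():
            return primary
    return None


@dataclass
class ScreeningResult:
    customer: str
    outcome: str            # MATCH | POSSIBLE_MATCH | CLEAR
    best_entry: Optional[str]
    score: float
    escalate: bool
    reason: str


def screen(name: str, is_pep: bool) -> ScreeningResult:
    """Layered screen: canonical-key match, fuzzy fallback, PEP-linked escalation."""
    key = canonical(name)
    best_entry, best_score = None, 0.0
    for primary, aliases in SANCTIONS_LIST.items():
        for variant in [primary, *aliases]:
            vkey = canonical(variant)
            if key == vkey:
                return ScreeningResult(name, "MATCH", primary, 1.0, True,
                                       f"canonical key equals '{variant}'")
            score = SequenceMatcher(None, key, vkey).ratio()
            if score > best_score:
                best_entry, best_score = primary, score
    if best_score >= FUZZY_THRESHOLD:
        return ScreeningResult(name, "POSSIBLE_MATCH", best_entry, best_score, True,
                               f"fuzzy score {best_score:.2f} >= {FUZZY_THRESHOLD}")
    # Explicit PEP linkage: a PEP sharing a surname with any list entry is
    # escalated regardless of the screening score; no discretion at this point.
    surname = key.split()[-1] if key else ""
    list_surnames = {canonical(v).split()[-1]
                     for p, a in SANCTIONS_LIST.items() for v in [p, *a]}
    if is_pep and surname in list_surnames:
        return ScreeningResult(name, "CLEAR", best_entry, best_score, True,
                               "PEP sharing a surname with a list entry: mandatory escalation")
    return ScreeningResult(name, "CLEAR", best_entry, best_score, False, "no rule triggered")


if __name__ == "__main__":
    for customer, pep in [("Alexandr Primerow", False), ("Alexsandr Primerov", False),
                          ("Nikolai Primerov", True), ("Nikolai Primerov", False)]:
        print(naive_screen(customer), screen(customer, pep))
```

The design point is that each layer has a stated job: the canonical key absorbs the transliteration variants the firm has chosen to recognise, the fuzzy score covers spellings outside that table up to a documented tolerance, and the PEP rule removes discretion where the post argues it should not exist. Each of those choices is a residual-risk decision that belongs in the BWRA rather than in a vendor configuration screen.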

From descriptive artefact to decision-shaping tool

It would be easy to view this case as a sanctions-specific problem. But the broader pattern will be familiar across financial crime domains. When BWRAs become descriptive artefacts (documenting risks, controls, and policies without interrogating exposure and dependencies) they struggle to shape real decisions. They tend to explain incidents after the fact, rather than helping organisations anticipate where risk is most likely to crystallise.

By contrast, a sanctions BWRA that genuinely earns its keep articulates context-specific exposure, frames risks as events rather than control failures, makes control dependencies explicit, and sets clear expectations around escalation and judgement. In doing so, it allows senior management to understand not just what controls exist, but why certain controls, and certain combinations of controls, matter more in particular contexts.

A constructive closing

This was not a case of an institution that had done nothing. Controls existed, processes were in place, and training had been delivered. But it illustrates what happens when sanctions risk is treated as a static compliance obligation rather than a dynamic exposure shaped by geopolitics, data realities, and business context.

The opportunity, for all firms, is to use cases like this not merely to fine-tune individual controls, but to revisit how sanctions risk is articulated at the BWRA level. Because when the risk is properly understood, the right controls, and, crucially, the right combinations of controls, tend to follow.
