Rooting for OFAC: A Sanctions to-don’t list that gets to the ‘root’ of the problem by reviewing recent penalties through lens of new compliance guidance
In guidance published earlier this year (Framework document), the US Treasury Department’s Office of Foreign Assets Control (OFAC) lists 10 “root causes” of inadequate sanctions compliance programs (SCPs) derived from historical enforcement actions it has taken:
- Lack of a formal OFAC SCP
- Misinterpreting, or failing to understand the applicability of, OFAC’s regulations
- Facilitating transactions by non-U.S. persons, including through or by overseas subsidiaries or affiliates
- Exporting or re-exporting U.S.-origin goods, technology or services to OFAC-sanctioned persons or countries
- Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries
- Sanctions screening software or filter faults
- Improper due diligence on customers/clients (e.g., ownership, business dealings, etc.)
- Decentralized compliance functions and inconsistent application of an SCP
- Utilizing non-standard payment or commercial practices
- Individual liability
Let’s look back at OFAC’s 2019 enforcement actions and see how they correspond to each of these program faults, based on the behaviors related to each penalty, and OFAC’s assessment of those behaviors. That will give us some sense of how frequently each of these occurs.
Here is a slice of those actions focusing on financial institutions:
Western Union Financial Services, Inc: June 7, 2019
Western Union had a substantial screening program for its agents, but did not similarly scrutinize discrete locations of those agents.
In the case which was the focus of the enforcement, a sub-agent was mischaracterized as a location of one of Western Union’s agents and was therefore not identified as an Specially Designated National (SDN) for a substantial amount of time.
Relevant root causes: 2, 7
State Street Bank and Trust Co: May 28, 2019
State Street utilized a separate screening system, and used personnel other than those in the firm’s central sanctions compliance unit to review matches, for its Retiree Services unit.
Although the system did produce alerts for 45 payments linked to a US citizen resident in Iran, all the items were ultimately approved by compliance personnel who were not sanctions specialists.
Relevant root causes: 2, 8
UniCredit Bank: April 15, 2019
UniCredit’s German, Austrian (as Bank Austria) and Italian operations all used non-transparent payment structures, including use of SWIFT cover payments, to process funds related to parties blacklisted under multiple OFAC sanctions programs.
There is also evidence that at least some transactions processed by the Austrian and Italian operations were altered after being rejected by US financial institutions so that they would be processed without incident.
Additionally, the German offices also made reimbursements under a letter of credit with the apparent knowledge that the goods being shipped would be re-exported to Iran.
Relevant root causes: 5, 9
Standard Chartered Bank: April 9, 2019
Standard Chartered (SCB) had two separate settlements on this date. In the first case, due to an inadequate set of controls that included insufficient due diligence, SCB’s Dubai branch processed a large number of financial transactions that violated sanctions against Iran, Sudan and Syria.
The global settlement also includes evidence of a relationship manager coaching an Iranian person on how to process their transactions, presumably to avoid OFAC penalties. In the second case, SCB’s Zimbabwe affiliate processed financial transactions through its New York branch for parties on the SDN List, as well as those implicated by the 50 Percent Rule.
Root causes referenced: 5, 7, 10, (via KYC 360).