Posted by Brian Monroe - bmonroe@acfcs.org 07/26/2022
The Inside Track: In new action against bank, OFAC eschews fine in favor of teachable moment on expectations around sanctions screening timing, updates, vendor rules, roles, risks
In this picture, a storm rolls across the state of Oklahoma, just as sanctions enforcement lightning struck one of the regions largest banks.
The skinny:
- A new enforcement action from the sanctions arm of the U.S. government has offered rare insight into the expectations around how quickly operations must update their internal or vendor-driven screening programs when new designations come out.
- One key takeaway from the MidFirst action: some banks may need to have some hard conversations with their sanctions screening vendors. The question: How quickly do you update your screening protocols after OFAC releases new designations?
- If the answer is minutes, your bank might be in the clear. But if the answer is “within hours” or “that same day,” or worse, “weekly or monthly,” the MidFirst action is a not-so-gentle warning that may not be frequent or timely enough to prevent a violation.
The ACFCS Inside Track Series Provides Insight, Guidance and Practical Takeaways from ACFCS Thought Leaders and Association Champions and Partners.
A new enforcement action from the sanctions arm of the U.S. government has offered rare insight into the expectations around how quickly operations must update their internal or vendor-driven screening programs when new designations come out.
The short answer: nigh instantaneously. In the just announced action, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a Finding of Violation (FOV) against MidFirst Bank (MidFirst) for violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations (WMDPSR).
To read the full order, click here.
One key takeaway from the action, which OFAC clearly chose to use as a teachable moment, rather than a statement-making penalty: You can’t always completely rely on your screening vendor to do it all, even though the industry reality is the bigger you are, the more sanctions screening you outsource.
Any lapses in their software mean your bank pays the price, not them.
In that same vein, some banks may need to have some hard conversations with their sanctions screening vendors by asking a very direct and pointed question: How quickly do you update your screening protocols after OFAC releases new designations?
If the answer is minutes, your bank might be in the clear.
But if the answer is “within hours” or “that same day,” or worse, “weekly or monthly,” the MidFirst action is a not-so-gentle warning that may not be frequent or timely enough to prevent a violation.
In the case of MidFirst, things happened quickly.
OFAC released its sanctions update just after 12:30 p.m., with the first bank breach happening just after 2 p.m. and the bulk of the transactions involving designated entities occurring until nearly 6 p.m.
The violations related to maintaining accounts and facilitating 34 payments for two individuals added to OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN) for 14 days post-designation.
Communication breakdown: missed chances for compliance due to vendor ‘misunderstanding’
The violations stemmed from MidFirst’s “misunderstanding of the frequency” of its vendor’s screening of new names added to the SDN List against its existing customer base, according to the order.
Although the unnamed vendor conducted “daily screenings of new customers and of existing customers with certain account changes (e.g., changes to a customer’s name or address), the vendor only screened MidFirst’s entire existing customer base once a month.”
The bank didn’t realize that because it believed that the daily screenings for updates and new customers would screen its entire customer base against additions and changes to the SDN List.
As a result, depending on the timing of additions to the SDN List in relation to the monthly screening, MidFirst “could be unaware for up to 30 days that it was maintaining an account for a blocked person,” according to OFAC.
In this case, the “customers matching two of the September 21, 2020 designations were not discovered until the vendor generated its monthly report on October 5, 2020,” a major issue as how long a sanctions failing festers is a critical determination in final penalty figures.
MidFirst lucky to escape OFAC maw without penalty bite, as sanctions fines against banks have soared
While OFAC actions typically target large banks with a hefty international footprint, the action evinces that banks of any size can run afoul of constantly expanding and contracting sanctions rules.
MidFirst should consider itself lucky as, depending on the violation, even one failing could put a bank in jeopardy of paying tens of thousands, hundreds of thousands or even millions of dollars.
“OFAC treats violations as a serious threat to national security and foreign relations,” according to a Dow Jones penalty calculator, adding that criminal offenders can face monetary fines and prison time up to 30 years.
To read the full story, click here.
Here is a quick OFAC penalty breakdown:
- As of 2020, parties that break the Trading with the Enemy Act, for instance, face fines of about $90,000 per violation.
- Violating the International Emergency Economic Powers Acts come with penalties of about $308,000 per violation.
- Similarly, breaking the Foreign Narcotics Kingpin Designation Act costs about $1.5 million per violation.
The severity of punishments depends on the crime, the number of prior convictions, if the institutions self-reported the failings and if they lied and tried to hide the sanctions breaches from regulators, investigators and OFAC.
Firms that have paid massive penalties—many over $1 billion—include UniCredit Bank, ZTE Corporation, Standard Chartered, Crédit Agricole, Société Générale and BNP Paribas, according to Dow Jones.
So how can a midsize bank in Oklahoma get on OFAC’s radar? Gassing up
It is also not entirely surprising MidFirst Bank found itself in hot water when you look at where it operates and the corporate customers it serves.
The energy sector – in the U.S. and globally – is a frequent target of authorities for corruption, fraud and related failures and is a perennial magnet for kleptocrats and international criminal laundering syndicates.
The institution, based in Oklahoma City, Oklahoma, is the largest privately owned bank in the United States, with $32.1 billion in assets, providing financial services to the state’s burgeoning energy industry.
In Oklahoma, oil and gas extraction is the largest industry, accounting for 8.7 percent of the state’s total GDP of $202.0 billion,” according to media reports. “The industry’s annual economic output totals $17.7 billion, a 9.1 percent increase over the last five years.”
The OFAC action could be a call to action for other banks – and energy firms – in the region to review their customer base in a broader sanctions risk assessment, something that may be a foreign endeavor for many domestic corporations.
This FOV “reaffirms the importance of ensuring the scope and capabilities of outsourced sanctions compliance services are consistent with the financial institution’s assessment of its exposure to sanctions risks,” OFAC stated.
Here are some takeaways and analyses from the action by top industry thought leaders, culled from public statements, interviews and social media posts:
Crystal Noe, head of Noe Compliance, who has more than two decades of experience in AML, sanctions and risk management roles, most recently holding top sanctions compliance posts at FaceBook and Citi.
To read Noe’s original post and be part of the conversation, click here.
On 07.21.22, OFAC issued a Finding of Violation against MidFirst bank for processing 34 payments ($613.8K) on behalf of two SDNs. 98% (604K) of those payments occurred within 6 hours of designation by OFAC.
Transactions were processed on behalf of these SDNs for up to 14 days post-designation. Transactions described within the FOV included Book Transfers (BTs; internal transfers).
BTs had not been included in OFAC “screening” violations before this.
Note, most screening programs rightfully exclude BTs from screening as it is redundant to account screening (and if working appropriately, would only serve to generate false-positives).
The Bank relied on monthly re-screening of its Accounts to address OFAC list updates. (Both, its internal and outsourced account screening controls were processed on a monthly frequency.)
Transactions for existing customers were not screened against OFAC list updates as the screening program relied on its account screening controls.
Does everyone have to immediately run out and buy ‘real-time’ sanctions screening tools?
Not exactly.
Simply put: not every bank can afford it and OFAC knows this.
But the time of a failing, when it appeared, when you found it and what you did after that are all factors that could aggravate or mitigate your penalty exposure.
Note, although some have interpreted OFAC’s disclosure of the “six hour” window as setting a precedence for list update expectations, I disagree.
OFAC included the reference to the six hour window in the “Mitigating Factors” portion of its FOV.
Thus, OFAC understood that although these represented 98% of the SDN’s transactions, because they occurred within hours of designation, OFAC was more tolerant of these transactions (as opposed to those occurring days after designation).
Tips and tactics to prevent this from happening at your institution: Patching holes in your screening
Noe advises that to prevent similar failings and OFAC scrutiny and potential penalties, make sure to always:
Screen new accounts against the full OFAC list,
Re-screen recently updated accounts against the full OFAC list, &
Ensure timely screening of existing accounts against all OFAC list updates…especially if relying on account screening in lieu of real-time transaction screening.
Sharing is caring: when it comes to sanctions, don’t let audit play ‘not it’
Lastly, if not already included in your institution’s audit plan, share this FOV with them and ask them to include testing for similar scenarios in their annual audit scope.
Peter Piatetsky, Co-Founder and CEO at Castellum.AI, a sanctions screening and fincrime compliance technology firm
To read Piatetsky’s full post and be part of the conversation, click here.
How important is real time screening? Very important.
OFAC just issued a violation to MidFirst Bank for transactions it did with an SDN within SIX HOURS of the designation.
This is the first enforcement case in OFAC history where OFAC actually points to the specific time between when a name went on a list and when the violator was engaged in the transaction.
As a note, Castellum.AI updates data every five minutes.
So what exactly happened?
MidFirst processed five transactions totaling $604,000 on behalf of accounts held by the blocked persons.
Two of those transactions, totaling $400,000, were internal book transfers between one of the blocked person’s accounts at
MidFirst. Between September 22, 2020 and October 5, 2020, MidFirst processed 29 additional transactions totaling $9,879.02 on behalf of the blocked persons.
In all, 98 percent of the value of the post-designation transactions occurred within six hours of designation.
Timeline of events
On September 21, 2020, at 12:36 p.m. EDT, OFAC designated and added two individuals to the SDN List pursuant to the WMDPSR.
On the same day, between 2:00 p.m. EDT and 5:48 p.m. EDT, MidFirst processed five transactions totaling $604,000 on behalf of accounts held by the blocked persons – less than two hours after OFAC released the update.
If you’re trying to figure out who the SDNs are and why a bank in Oklahoma was doing business with SDNs, this should help: Oklahoma has a large energy industry and the two entities added that day were MAMMUT DIESEL and MAMMUT INDUSTRIAL GROUP P.J.S.