News & Press: ACFCS News

U.S. authorities fine UniCredit Bank $1.3 billion for Iran violations, second huge fine in a week

Monday, April 15, 2019   (0 Comments)
Posted by: Brian Monroe
Share |

HVB Tower or formerly Hypo-house is an administrative building of the HypoVereinsbank in Munich, courtesy Wikimedia.

By Brian Monroe
April. 15, 2019

U.S. federal and state authorities Monday fined one of Europe’s largest banks more than $1.3 billion and forced it to enter a guilty plea for processing hundreds of millions of dollars for blacklisted entities and countries, including Iran – the second such billion-dollar plus settlement in as many weeks.

The U.S. Department of Justice, U.S. Treasury, and state and federal regulators have hit Munich-based UniCredit Bank AG (UCB AG), operating at the time as HypoVereinsbank, for “knowingly and willfully” moving nearly $400 million through the U.S. financial system on behalf of sanctioned entities for more than a decade.

Federal prosecutors noted that, in particular, the bank provided financial and other transactional resources for an entity specifically designated to being blocked out of the international financial system for helping move funds supporting the creation of weapons of mass destruction.

The New York State Department of Financial Services (NYDFS) went even further, stating the UniCredit deliberately moved billions of dollars for clients tied to rogue regimes, including Iran, Libya and Cuba, an institutionalized procedure ironically enough run by the “Core Compliance Team” in a supposed bid to be “neutral” to countries and improve customer service.

The UniCredit settlement is actually the second hefty sanctions compliance settlement in just two weeks – a rare synchronicity that is likely a planned parallel by mostly these same cast of characters.

Federal and state authorities in the United States and United Kingdom last week levied a penalty of more than $1.1 billion against Standard Chartered, one of London’s largest banks, for engaging in thousands of illicit transactions worth hundreds of millions of dollars involving blacklisted countries including Iran, Sudan and Syria – a rare global settlement for financial crime compliance failures.

That was the third time federal and state regulators have penalized StanChart for such failings.  

The NYDFS penalized StanChart $340 million in August 2012 for AML, sanctions and books and records violations, at one point threatening to pull its banking license. The decision front-ran a concurrent federal investigation, leading to criticism of then head Benjamin Lawsky.

Just a few months later, in December 2012, the bank paid $327 million to U.S. regulators and prosecutors for sanctions breaches related to Iran and broader AML compliance failings.

In total, the NYDFS has penalized StanChart more than $1.1 billion alone in four separate actions for AML, sanctions and other financial crime failures.

And now, just days later, UniCredit faces many of the same charges in its settlement.

Investigative, regulatory scrum: Didactic documents detail UniCredit failings

To read the full OFAC action, click here.

DOJ To read the full DOJ action, click here.

To read the full Federal Reserve action, click here.

To read the full NYDFS action, click here.

To read the full Manhattan DA’s Office action, click here.

‘Formalized’ sanctions evasion procedures

Federal prosecutors note that the sanctions evasion process wasn’t done by a small, fringe splinter group in the bank attempting to outwit dogged compliance officers – it was a formalized process run by compliance staffers and even detailed in certain bank policies and procedures.

UCB AG “engaged in this criminal conduct through a scheme, formalized in its own bank polices and designed to conceal from U.S. regulators and banks the involvement of sanctioned entities in certain transactions,” according to federal prosecutors, noting that the bank used sanctions screening software to find and help, not block, transactions tied to off-limits regimes.

 In tandem, the bank “routed illegal payments through U.S. financial institutions for the benefit of the sanctioned entities in ways that concealed the involvement of the sanctioned entities, including through the use of companies that UCB AG knew would appear unconnected to the sanctioned entity despite being controlled by the sanctioned entity,” according to penalty documents.

“UniCredit prioritized profit over compliance and security by deliberately engaging in billions of dollars of transactions with clients from sanctioned nations, including Iran, Libya, and Cuba, and then working to cover their tracks to avoid detection,” said Acting NYDFS Superintendent Linda Lacewell. 

“Sanctions against dangerous foreign regimes and terrorist groups are critical to protect national security and uphold the integrity of our global financial system, and DFS will hold violators accountable to the fullest extent of the law.”


A look at prior sanctions cases, nearly a dirty dozen

DOJ and the NYDFS have been increasingly aggressive in the past decade for banks that thought they had outwitted regulators and beaten the system.

In 2014, BNP Paribas Bank (BNPP) also pleaded guilty in Manhattan to falsifying business records and conspiring to evade U.S. sanctions and paid a record $8.83 billion in criminal forfeiture and penalties.

Since 2009, eleven banks, including UniCredit Bank AG, have forfeited more than $14 billion in settlements following Manhattan D.A. investigations. The D.A.’s Office has additionally entered into Deferred Prosecution Agreements with the following financial institutions related to U.S. sanctions violations and violations of New York State law:

Compliance team rotten to the ‘core’

In many of the past high-profile bank sanctions busting cases, the institution formalized procedures to strip out information for countries on U.S. blacklists, dubbed the “stripping cases.”

But rarely, if ever, did a bank repurpose a transaction screening tool typically used for sanctions compliance to find ties to designated entities, and then play a sleight of hand card game with international payment messages, such as the widely used SWIFT cover payment types.

In 2004, UniCredit AG installed an automated transaction filtering tool, known as the “Embargo Tool,” to identify potentially prohibited transactions containing information relevant to the Office of Foreign Assets Control (OFAC), indicating links to a person or entity on U.S. sanctions or OFAC’s Specially Designated Nationals (SDN) list.

But the tool meant for compliance was quickly coopted to improve customer “convenience.”

At the time the companies implemented the Embargo Tool, the “Core Compliance Team established detailed instructions for intentionally circumventing the tool for transactions prohibited by OFAC, in order to avoid inconveniencing bank customers,” according to the NYDFS order.

Confused? Don’t worry. The screening tool to improve blacklisted customer support even came with a handy dandy “instruction guide” to help staff violate both state and national laws.

The “instructional guide directed bank employees to violate New York law by submitting certain payment orders in what was euphemistically known as an ‘OFAC-neutral’ manner, meaning without the involvement of U.S. banks or ensuring that the information implicating OFAC sanctions was not revealed in the payment messages sent to U.S. banks,” according to the NYDFS.

The DFS investigation uncovered that UniCredit AG conducted more than 2,500 non-transparent U.S. dollar payment transactions, totaling some $5.4 billion, sent by UniCredit AG through the U.S banking system between 2002 and 2011. 

DFS also found that during that time, UniCredit AG sent approximately 300 U.S. dollar payments totaling more than $60 million through the U.S. banking system that were off limits by OFAC and only were processed due to the use of these non-transparent payment messaging techniques.

As well, in that nearly decade time frame, state examiners found an additional 667 payments totaling $660 million, including some transmitted through financial institutions regulated by DFS and violating federal sanctions laws in countries such as Iran, Libya and Cuba.

Get schwifty with SWIFT

How did UniCredit fool so many banks with sanctions filters of their own for so many years?

This where the bank tried to get schwifty with SWIFT, the worldwide payment operator.  

The bank used non-transparent methods that included “cover payments” and “wire stripping,” with some of these transactions touching banks regulated by DFS.

Under the cover payment method, the bank used Society of Worldwide Interbank Financial Telecommunications (SWIFT) payment messages in a bid to use subterfuge to disguise transactions.

The first SWIFT message, known as an MT103, included all details about the transaction, and UniCredit AG would “send it directly to the prohibited beneficiary’s bank,” according to penalty documents.  

The bank would then send a second message, known as an MT202 or “cover payment” message, to the U.S. financial institution in New York that was clearing the U.S. dollar payment. 

This is where one variation of the stripping would occur as the “cover payment” message “intentionally omitted details about the underlying parties to the transaction and was sent for the transaction to be settled in U.S. dollars.”

UniCredit AG, though, also “used another deceptive practice known as wire stripping,’ which involved bank employees deliberately removing information identifying potentially sanctioned entities from payment messages and instructions to ensure customer payments were not impeded by sanctions prohibitions,” state examiners stated.  

Who created such a gleaming diabolical diadem? Why, the compliance team of course.

For example, the “Core Compliance Team instructed other employees to strip words” such as “Sudan,” Myanmar” and “Tehran,” noting in one instance that such terms “should be deleted because of the US embargo against Iran,” the NYDFS said.

Stronger sanctions compliance program incoming

The U.S. Treasury is requiring UniCredit, and all of its related operations in Europe engaging in these practices, to strengthen compliance in a bevy of ways, including senior management promoting and shepherding a “culture of compliance,”  buttressing internal controls to adequately address OFAC risk assessment results and country profiles, and better sanctions training.

The NYDFS also laid out improvements that examiners want to see at the state level, but that ensconce global business lines outside the U.S., including:  

  • Sanctions risk assessments: An annual assessment of OFAC compliance risks arising from the global business activities and customer base of UniCredit Group’s subsidiaries, including risks arising from transaction processing and trade finance activities conducted by or through UniCredit Group’s global operations;
  • OFAC, trade screening: Policies and procedures to ensure compliance with applicable OFAC Regulations by UniCredit Group’s global business lines, including screening with respect to transaction processing and trade financing activities for the direct and indirect customers of UniCredit Group subsidiaries;
  • Violation investigations: The establishment of an OFAC compliance reporting system that is widely publicized within the global organization and integrated into UniCredit Group’s other reporting systems in which employees report known or suspected violations of OFAC Regulations, and that includes a process designed to ensure that known or suspected OFAC violations are promptly escalated to appropriate compliance personnel for appropriate resolution and reporting;
  • Staffing, resources: Procedures to ensure that the OFAC compliance elements are adequately staffed and funded; and
  • Role-based training: Training for UniCredit Group’s employees in OFAC-related issues appropriate to the employee’s job responsibilities that is provided on an ongoing, periodic basis.
  • OFAC audit: An audit program designed to test compliance with OFAC regulations.

The U.S. government is taking a more aggressive approach to see how countries offering sanctuary to designated terror groups and weapons proliferators are helping finance their networks, with the hammer coming down on any banks involved.

“UniCredit Group banks routed transactions through the United States in a non-transparent manner, when those payments would have been blocked or rejected if their true nature had been clear, in violation of multiple sanctions programs,” Sigal P. Mandelker, Under Secretary for Terrorism and Financial Intelligence, said in a statement. 

“As the United States continues to enhance our sanctions programs, incorporating compliance commitments in OFAC settlement agreements is a key part of our broader strategy to ensure that the private sector implements strong and effective compliance programs that protect the U.S. financial system from abuse.”

©2018 Association of Certified Financial Crime Specialists
All Rights Reserved