Daily Briefing: OFAC issues sanctions compliance guidance, EU AML enforcement uptick, and more
Monday, May 6, 2019
Posted by: Brian Monroe
Quote of the Day: “No legacy is so rich as honesty.” – William Shakespeare
In today’s ACFCS Fincrime Briefing, the U.S. Treasury issues sanctions guidance and compliance best practices, banking analysts fret over a surge in EU AML enforcement and predict more actions to come, and more.
Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.
Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!
OFAC issues detailed guidance, sanctions compliance expectations, best practices, pitfalls of past failures
The U.S. Treasury arm tasked with administering the country’s sanctions programs has issued its most detailed and prescriptive piece of guidance yet on what it considers a strong compliance program to prevent banks and corporates of all stripes from running afoul of the ever-changing requirements to not deal with blacklisted entities and rogue regimes.
The Office of Foreign Assets Control (OFAC) in a historic missive laid out the key pieces of a sanctions compliance program (SCP) it believes can help large organizations that are headquartered in the U.S. or do significant business in the country to better prevent sanctions failings, identify gaps more quickly and uncover and report potential sanctions violations.
OFAC for the first time has framed a formalized sanctions compliance program (SCP), mirroring many of the tenets of the anti-money laundering (AML) compliance program, including prongs such as crafting internal controls, engaging in OFAC risk assessments, adequately training staff and testing and auditing systems and human decisions to ensure gaps are closed quickly.
Sanctions compliance has always been in an interesting gray area when it comes to overall financial crime compliance programs.
Unlike AML, there is no legal requirement to create a dedicated sanctions compliance program, but, if you violate OFAC rules, it’s a strict liability standard – a potential penalty only mitigated by the presence, and strength, of a sanctions compliance program.
In certain rare cases, OFAC has chosen not to issue a monetary penalty – even though it could have – because of the depth and effectiveness of a counter-sanctions program, the transparency and responsiveness of the company and commitment to remediate the root causes of the failure.
OFAC states that while each risk-based SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations—each program should be predicated on and incorporate at least five essential components of compliance:
· Management commitment: Promotes a culture of compliance by ensuring SCP staffers have adequate authority, autonomy, resources and executive responsiveness for failures.
· Risk assessment: Similar to the AML risk assessment, but done through the lens of U.S. sanctions policies and cognizant of the organization’s proximity to rogue regimes and sanctions evaders.
· Internal controls: As in the case of the AML transaction monitoring system, these can include the actual automated sanctions screening systems and the policies around investigating and escalating potential hits.
· Testing and auditing: This is typically a group outside of sanctions, either internal or external, that can review both sanctions screening inputs and outputs and scrutinize the decisions of staff to ensure potential hits are analyzed, escalated and dispositioned.
· Training: Without training on how regimes evade sanctions policies, in what regions of the world this happens and in what ways – such as through trade and co-opted correspondents – there is no way analysts can make the right decisions. Training has to be expansive, relevant, nuanced and infused with the geopolitical power shifts driving sanctions evaders.
When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation.
For example, under General Factor E, the compliance program, OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a civil monetary penalty (CMP) on that basis.
Subject persons that have implemented effective SCPs that are predicated on the five essential components of compliance may also benefit from further mitigation of a CMP pursuant to General Factor F, or the remedial response, when the SCP results in remedial steps being taken.
Finally, OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious” (via OFAC).
The guidance also laid out what OFAC has seen as some of the root causes for major penalties and enforcement actions. Here are some of the culprits and some of my added analysis:
· Lack of a formal OFAC compliance program: If a company is not looking, it won’t find any sanctions missteps.
· Misinterpreting the applicability of OFAC regulations: Some banks have thought that not dealing with OFAC targets simply meant scrubbing out all references to sanctioned countries. It also means knowing the ownership interests of sanctioned parties down to the relevant percentage thresholds.
· Facilitating sanctioned transactions for foreign individuals and companies through overseas subsidiaries or affiliates: Banks have paid as high as $9 billion for this particular failure, in some cases by rogue foreign operations.
· Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC sanctioned persons, countries: Some items, like medicine and other equipment, are OK, but items that can be used for both medical equipment and weapons are off limits.
· Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-Sanctioned persons, countries: Similar to the above $9 billion penalty. In some cases, there were pockets of non-compliance, in others, stripping wires of references to OFAC hits was in the bank’s policies and procedures.
· Weak or lax due diligence on customers: If the AML, KYC or business line staffer doesn’t ask enough questions, they won’t be able to ferret out a company or individual trying to evade sanctions rules on behalf of blacklisted regimes or terror groups.
· Sanctions screening software gaps, filter faults and related poor decision-making: Apart from wholesale flouting of the rules, if sanctions screening systems aren’t tuned properly, they can create too few, or too many, alerts for analysts, wasting resources and missing actual hits.
European banks must strengthen controls against financial crime, or face more wrath from regulators, investigators, investors
Banking analysts are noticing the uptick of financial crime and compliance investigations in Europe, the Baltics and the Nordic regions, noting that they are likely to continue to cause banks and investors consternation and regulators and investigators concern as the widening money laundering scandals roiling these regions could just be the tip of the iceberg.
In the last six months, European banks continue to suffer from a steady drip of troubling news, according to banking analysts, with fears that will not just continue, but get worse.
Further details and allegations related to the various Laundromat scandals continue to emerge, with Swedbank now under the spotlight having fired its CEO, after which the Chairman stood aside.
ING and Deutsche Bank continue to feel the ire of regulators as they work to enhance customer due diligence. Standard Chartered has now finally exited its 2012 deferred prosecution agreement, after more than six years and well over $2 billion (in settlements and remediation costs).
Unicredit agreed to pay $1.3 billion to U.S. authorities to settle claims of sanctions breaches during the 2002-2011 period. UBS has appealed the guilty verdict of its tax prosecution in France, having previously settled tax-related cases in the U.S. and Germany. And these are just the most recent examples.
Typically, these allegations relate to legacy events, often dating from the 2007-2015 period. But such problems can take a while to emerge. So what comfort should investors have that in the coming one to two years they will not see emerging problems that stem from today's activities?
Arguably, only a little. The latent risk has been reduced by banks' widespread enhancements to customer due diligence and tax attestations and related offboarding of noncompliant clients, as well as improved tax transparency.
However, some banks will also need to change their governance of this risk to take a rather more holistic approach, and to invest in new technology and data analysis techniques. This would be an act of enlightened self-interest in two respects:
- Financial crime is a hard-to-quantify nonfinancial risk that can have significant adverse consequences for a bank; and
- Compliance costs have risen steadily across the industry, but investments could yield significant efficiencies as well as improve effectiveness.
The banks cannot do it alone, however. For the fight against financial crime to be truly effective, this will likely require changes to financial regulation, data and company law, greater investigatory resources, and efforts to remove technical obstacles.
- We see reducing tolerance from investors, clients, and regulators for banks making missteps in the area of financial crime risk.
- European banks have reduced their inherent financial risk profiles, but we expect many will review their governance of this area and step up investments in smart technologies and data analysis techniques.
- We continue to take a differentiated approach when concerns arise. This reflects the varying fact pattern and gravity of each case, and so the varying financial and franchise implications for the affected banks, (via S&P Global).
Banking analysts are coming to realize what many AML insiders, regulators and investigators already know: financial crime compliance enforcement is not just something the U.S. is championing, other regulators in multiple jurisdictions are more aggressively joining the fight.
In some cases, it’s a result of the country being embarrassed by a massive money laundering scandal, as in the case of Danske Bank in Estonia.
Others are following the tendrils of dirty money from places like Russia and realizing they are landing in places like Denmark, Sweden and other Nordic and Baltic locales that are typically known for staying out of the AML headlines.
As in cases past, with so many large international banks intermingled with one another, and relying on what they assume was done by an institution one or two steps removed from themselves, they are finding out that foreign affiliates and foreign correspondents can result in massive risk exposure due to unseen pockets of non-compliance, in many cases created by corrupt insiders.
Whistleblower: I told Standard Chartered it had dirty money risk
The whistleblower who worked at Standard Chartered Bank, which recently paid more than $1.1 billion for sanctions violations, claims he warned two managing directors that it was possible to “misspell the name” of a client and still process a transaction for a blacklisted entity or regime.
In short, he alleges that it meant “there was no way of carrying out money laundering checks” for certain high-risk regions and companies.
The British whistleblower behind a legal action that could leave Standard Chartered facing a £1.5 billion fine claims that he was ousted from the bank after he warned senior staff of a major loophole in its money laundering checks.
The former Standard Chartered executive, who worked in Singapore, filed a report in 2011, seen by The Mail on Sunday, which alleges that the way foreign exchange transactions were processed meant the bank could not tell who its clients were.
In the document, he alleges that the way the bank’s systems operated meant that “there is no line of sight on the client.”
When the April fine was announced, chief executive Bill Winters said it marked the end of the saga and pointed blame at “two junior employees” for breaking the sanctions. But The Mail on Sunday revealed last weekend that Standard Chartered could face a new £1.5 billion fine after whistleblowers – including the Briton who raised the alarm in 2011 – filed a civil case in America.
The British whistleblower alleges that after he alerted senior management, he was summoned to a meeting with an executive at Standard Chartered, where it became clear that he had to leave the bank.
“[The executive] said, ‘I heard you wanted to leave the bank.’ I said that was news to me and he said, ‘I think it’s in the best interests of all that we part company,’” the whistleblower said.
He subsequently left the firm and alerted the US authorities. Under the US False Claims Act, which is designed to encourage people to expose corporate wrongdoing, whistleblowers in the US can receive up to 25 per cent of any penalties awarded against a company, (via This is Money).
I was just at a conference last week and sat in on a panel on whistleblowing. I know when it comes to uncovering large scale compliance and sanctions failures, it’s easy to think this case broke due to the scrutiny of regulators or doggedness of investigators following the money.
But in a surprising amount of bank AML, and corporate fraud and corruption cases, the tipping point came from a whistleblower tip, which then got the ball rolling for the related authorities. And this story touches on a very divisive question and vexing issue in the world of whistleblowing: do you go to compliance first, or go straight to regulators or federal investigators?
Well, as this story points out, if you go to internal sources, a compliance official – who is also often an attorney with the bank’s best interest in mind – can confuse a whistleblower, try to build a case against his story and, as this piece shows, retaliate by firing the individual.
Conversely, if a person chooses to stay quiet internally and go straight to the authorities, they have the potential to be the hero while keeping their involvement confidential and anonymous, so they get to keep their job and career – as many whistleblowers are ousted from their field and essentially blacklisted.
Many widely used Dell computers have a pre-installed software flaw that can expose machines to remote hacking
If you use a Dell computer, then beware — hackers could compromise your system remotely, and this vulnerability has little to do with the strength of your passwords or whether you have applied all patches and kept virus protection up to date.
Bill Demirkapi, a 17-year-old independent security researcher, has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that comes pre-installed on most Dell computers.
Dell SupportAssist, formerly known as Dell System Detect, checks the health of your computer system's hardware and software.
The utility has been designed to interact with the Dell Support website and automatically detect the Service Tag or Express Service Code of your Dell product, scan the existing device drivers and install missing or available driver updates, as well as perform hardware diagnostic tests.
If you are wondering how it works, Dell SupportAssist runs a web server locally in the background on the user’s system, on port 8884, 8883, 8886 or 8885, and accepts various commands as URL parameters to perform predefined tasks on the computer, such as collecting detailed system information or downloading software from a remote server and installing it on the system.
Though the local web service has been protected using the "Access-Control-Allow-Origin" response header and has some validations that restrict it to accept commands only from the "dell.com" website or its subdomains, Demirkapi explained ways to bypass these protections in a blog post published Wednesday.
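The article says the local service relied on an Access-Control-Allow-Origin header plus a check that requests came from dell.com or its subdomains. As an added illustration (not Dell’s code, and not the bypass Demirkapi reported), here is what a strict origin allow-list for that stated policy looks like in Python; the function names and the https-only rule are my assumptions.

```python
from urllib.parse import urlsplit

# Policy taken from the article: only pages served from dell.com or one of
# its subdomains may talk to the local agent. The https-only rule is an
# assumption added here, not something the article states.
ALLOWED_APEX = "dell.com"


def origin_allowed(origin: str) -> bool:
    """Return True only for an Origin header naming https://dell.com or
    https://<labels>.dell.com.

    The decision is made on the *parsed hostname*, never on the raw header
    string, so hosts that merely contain the text 'dell.com' somewhere in
    the URL (path, userinfo, a longer registrable domain) are rejected.
    """
    if not origin:
        return False  # missing Origin: nothing to vouch for, deny by default
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    # A browser Origin is serialized as scheme://host[:port] only; anything
    # else (userinfo, path, query, fragment) is not a legitimate Origin.
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    if parts.path not in ("", "/"):
        return False
    host = parts.hostname.lower().rstrip(".")
    return host == ALLOWED_APEX or host.endswith("." + ALLOWED_APEX)


def cors_headers(origin: str) -> dict:
    """Headers a local agent should emit for a cross-origin request.

    Echo the Origin only after it passed the allow-list; never answer with
    '*' and never reflect an unvalidated value. 'Vary: Origin' keeps caches
    from serving one origin's answer to another.
    """
    if not origin_allowed(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```

An origin allow-list only restricts which web pages a browser will let call the agent; it is not authentication of the caller, so a local agent that can install software should additionally require a per-session secret the page has to prove it holds.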
As shown in the video, Demirkapi demonstrated how remote hackers could have easily downloaded and installed malware from a remote server on affected Dell computers to take full control over them.
The remote code execution vulnerability, identified as CVE-2019-3719, affects Dell SupportAssist Client versions prior to version 18.104.22.168, (via the Hacker News).
It’s challenging but vital that individuals, banks and corporates keep up with how their computers can be exposed to potential hacks, even if they are engaging in adequate cyber hygiene and keeping up with industry best practices.
Something as simple as a pre-installed piece of software can open the door to hackers taking over a computer, and if that computer is tied to a network and has extensive access privileges, this could lead to a much larger breach. These are critical details to keep in mind in an ever-changing digital world.