Daily Briefing: OFAC cites State Street for Iran violations, but no fine, FBME Bank raided, and more
Monday, June 3, 2019
Posted by: Brian Monroe
By Brian Monroe
June 2, 2019
Quote of the Day: “Difficulties mastered are opportunities won.” – Winston Churchill
In today’s ACFCS Fincrime Briefing, OFAC dings world’s largest custodian bank, State Street, on Iran ties, but no fine, Cypriot police raid FBME on laundering fears, U.S., EU sanctions saber rattling, and more.
Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.
Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!
OFAC cites State Street for Iran sanctions failures, processing more than $10,000, but levies no penalty due to compliance responsiveness, remediation steps
The sanctions arm of the U.S. Treasury cited the world’s largest custodian bank for processing more than $10,000 tied to a party residing in Iran over a roughly three-year period, but chose not to hand down a monetary penalty because the institution agreed to remediate the failures and enter into a tolling agreement, and because the transactions potentially could have been covered by a license.
The Office of Foreign Assets Control (OFAC) has issued a finding of violation to State Street Bank and Trust Co. (SSBT) for acting as trustee for a customer’s employee retirement plan between January 1, 2012 and September 1, 2015 – a customer who physically resided in Iran.
At issue: State Street processed at least 45 pension payments totaling $11,365 to a plan participant who was a U.S. citizen with a U.S. bank account, but who was resident in Iran. OFAC decided not to hand down a monetary penalty for several reasons, chiefly that State Street self-disclosed the matter to the agency.
State Street is the world’s largest custodian bank, an institution that, as its namesake implies, safeguards the assets of powerful companies and individuals, rather than engaging in traditional banking relationships and transactions.
Even so, many of the world’s largest institutions also have this custodial arm, with the largest such custodian banks including Bank of New York Mellon, JPMorgan and Citi. State Street alone has some $7 trillion in assets, with roots dating back nearly 100 years.
The failures in this case echo a familiar refrain in past banking actions: a bifurcation of sanctions compliance responsibilities that led to the wrong team – one more aligned with knowing the business than with sanctions – reviewing screening system hits that should have been scrutinized by the centralized system and the staffers with more sanctions analysis experience attached to it.
State Street “appears to have known that it was sending payments to account at the request of or for the benefit of a person in Iran, not only because its internal system indicated the beneficiary’s address was located in Tehran, Iran, but also because the bank’s sanctions screening software produced an alert on each of the 45 payments due to the Iranian address,” OFAC stated in its enforcement order.
The institution’s personnel overseeing the beneficiary payments, the Retiree Services Staff (RSS), were part of the SSBT business unit that managed the relationship with the retirement plan, and they used their own sanctions screening filter instead of State Street’s “centralized sanctions screening system,” according to OFAC.
This caused several problems, foremost among them that the transactions never reached the sanctions screening team that really knew what to do with them.
The routine escalation procedures for the RSS staff “dictated that they refer possible sanctions list matches to SSBT compliance personnel aligned with the line of business (i.e., compliance individuals who were not sanctions specialists), rather than SSBT’s central Sanctions Compliance unit staff who have specialized sanctions expertise,” OFAC noted.
Accordingly, it was the “business-aligned compliance personnel who were responsible for manually reviewing potential matches and approving the processing of the payments,” leading to clearly sanctioned transactions getting the go-ahead.
OFAC weighed a host of aggravating and mitigating factors to arrive at its no-fine decision. Among the aggravating factors, OFAC found that SSBT:
· Processed transactions on behalf of an individual in Iran after being alerted to the Iran connection, and thus SSBT reasonably should have been put on notice that the conduct constituted a violation of U.S. law;
· Had actual knowledge that it was processing transactions on behalf of an individual who was resident in Iran, as SSBT stopped, escalated, reviewed, and approved every one of the 45 distribution payments, each of which contained an explicit reference to Iran;
· Caused harm to the sanctions program objectives and the integrity of the ITSR by performing a service on behalf of an individual in Iran;
· Is a large and commercially sophisticated financial institution;
· Had escalation and review procedures for sanctions-related alerts that nonetheless failed to lead to correct decisions on 45 occasions; and
· Had compliance screening issues that continued for a year after the Federal Reserve Bank of Boston notified the bank of a related issue pertaining to inadequate escalation procedures.
In addition, OFAC considered the following when issuing a finding of violation rather than a civil monetary penalty:
· No SSBT managers or supervisors appear to have been aware of the conduct that led to the violations;
· SSBT’s screening filter did appropriately identify and alert staff to the nexus to a sanctioned jurisdiction;
· The payments at issue may not have actually been transferred to Iran, though they were made on behalf of a person in Iran;
· SSBT took remedial action in response to the violations and enhanced its escalation procedures as they pertain to sanctions-related alerts;
· There is a possibility that the funds transfers could have become licensed; and
· SSBT cooperated with OFAC by voluntarily self-disclosing the violations and entering into a tolling agreement with extensions.
State Street escaped a monetary penalty mainly because it self-reported the failures, fixed the problem that led to them, and because the transactions could potentially have become licensed had the institution gone through the proper steps, according to the agency. That is a critical roadmap for banks and corporates alike that find themselves in violation of sanctions rules, (via OFAC).
Not surprisingly, this action has been making major waves in the sanctions space, taking up gallons of ink from attorneys, consultants, and commentators aplenty as it has a bevy of important lessons for banks and corporates alike.
It’s very rare that OFAC investigates and finds a violation, highlights that the company knew about ties to a sanctioned jurisdiction and did the transactions anyway, and then decides NOT to levy a penalty.
So for firms worried about how to find violations without opening themselves up to extensive penalty exposure – the key word here is potentially, as any sanctions failure with OFAC puts a company in the penalty box; it’s a zero tolerance liability standard – here is what the roadmap can look like.
Some key themes to remember: transparency, timeliness, honesty, responsiveness, remediation readiness, effectiveness – and likely the most important action of all: a thorough mea culpa in the form of self-reporting the problem.
Also, don’t forget the little detail of the “tolling agreement.” This is a much bigger deal than you think it is. It means State Street voluntarily extended the statute of limitations to allow OFAC, and itself, to go far enough back to find the full extent and root of the problems.
By doing that, it means a more expensive remediation and investigation, but it also proves to OFAC you are serious about being open and honest about the full depth and breadth of a sanctions violation, rather than attempting to give it short shrift and hide further failings from OFAC investigators and regulators.
Lastly, not every institution can be this lucky. Another interesting detail in State Street’s favor is that, as OFAC said in the action, the transactions could have been covered by a license, had the bank had the foresight to go through the license process ahead of time.
As a bonus contextual point, keep in mind this action comes out just weeks after OFAC detailed what it considers an effective sanctions compliance program, a powerful piece of guidance of a kind it had never put out before.
The timing of these actions is not coincidence. The moves are clearly done to further reinforce to firms that having a formalized, dedicated sanctions compliance program can be a critical piece of leverage at the penalty negotiating table later.
What to do going forward: If you are a bank or corporate and already have such a sanctions compliance program, review it and make it stronger. And if you don’t, create one posthaste, or you could be looking at what was a minor or manageable sanctions snag spiraling into “egregious” territory.
Public exposure of sensitive files on internet getting worse, even as countries try to strengthen data privacy rules
There are some 2.3 billion files currently exposed and accessible through misconfigured network-attached storage (NAS) devices, FTP and rsync servers, and Amazon S3 buckets to anyone on the internet, according to estimates.
That's 750 million more than 12 months ago, and despite Amazon's largely successful attempts to limit the exposure of its S3 buckets.
The latest analysis from Digital Shadows' Photon Research Team shows that the U.S. remains the single largest national culprit with more than 326 million files exposed -- although this is dwarfed if the EU is treated as a single bloc (883 million files).
The latter figure is particularly interesting. Like many other recent surveys, it shows that GDPR is yet to have a significant overall effect on data protection within Europe -- in fact, the EU's data exposure increased by 262 million files.
They also point to France, which has the second highest national exposure after the U.S. France, currently with 151.6 million exposed files, is still in the process of aligning national laws, which won't be complete until June 2019.
File exposures primarily occur through the Server Message Block (SMB) protocol, FTP and rsync servers, and to a lesser degree, Amazon S3 buckets. SMB is the worst offender, accounting for 46% of all exposed files; that is, 1.071 billion individual files, showing a 547.6 million file increase over last year. FTP accounts for 20%, and rsync for 16%.
In November 2018, Amazon introduced a new feature called 'Block Public Access'. This appears to be working. "From the 16 million files we detected in October 2018 coming from S3 buckets, we are now detecting less than 2,000 files being exposed," say the researchers.
The SMB figures, however, are particularly worrying -- not just because of the volume, but because they are now clearly in the sights of cyber criminals. SMB is commonly used for company backups.
Backup is the most recommended solution to ransomware encryption. Criminals are now targeting and encrypting SMB files that may be company backups -- presumably with the intent to later target the company itself, (via Security Week).
This story will, hopefully, cause a shock, drop and roll for readers, particularly financial institutions and corporates across the board still wrestling with the true risks of cyber assassins, vulnerabilities at the systems levels and exposure points at the human level – the culprit behind 90 percent of all successful cyber intrusions.
The critical takeaway: If a bank is only bolstering systems – ensuring software patches are up to date, virus protections are current and access privileges are tiered with regular offline backups – they are wasting incredible resources building a high fence, but leaving the door unlocked.
This story also made me think of a hilarious, and scary – a scilarious – detail mentioned in an ACFCS webinar about cybersecurity: there are likely sensitive details on every person in the U.S., and the only reason we all haven’t had our computers, bank accounts and phones hacked is that there is so much data out there, not even the hackers can get to it all.
Yeah. I know. Yikes and double yikes indeed. In short: In parallel with investing in top cyber defense talent, and systems, be just as aggressive in investing in training people on basic and advanced cyber hygiene practices, such as not falling for phishing, spear phishing, vishing – through a phone call – business email compromise and other virtual attack tactics.
It might seem a resource drain at the outset, but it could just save your company from an online attack so devastating that there is no company left to salvage – a painful lesson to which many formerly thriving firms now on the virtual junkpile of history can attest.
Cypriot police raid FBME Bank in money laundering probe, institution already named 'primary' concern by FinCEN: OCCRP
Cypriot police Friday raided the premises of FBME Bank in Nicosia and in Limassol looking for evidence of money laundering, two sources told OCCRP. The institution is already on the radar of global regulators and investigators as a key portal for financial crime.
The investigation concerns “many cases” of legalization of illegal proceeds from various activities, including drug smuggling, as well as terrorism financing, according to one source, adding that the bank’s owners had not been questioned yet, but agents copied documents and server contents.
The raided bank’s headquarters is in Tanzania and has two service points in Cyprus.
In July 2014, the US Treasury’s Financial Crime Enforcement Network (FinCEN) described FBME Bank as a “financial institution of primary money laundering concern” and banned US banks from dealing with it.
FinCEN had identified that FBME Bank was facilitating “money laundering, terrorist financing, transnational organized crime, fraud schemes, sanctions evasion, weapons proliferation, corruption by politically exposed persons, and other financial crime.”
Immediately after the US ban, the Central Bank of Cyprus (CBC), which supervises the island’s banking system, installed a new management and reduced the bank’s operations.
In December 2015, the CBC fined FBME Bank €1.2 million ($1.3 million) for gaps in the implementation of the anti-money laundering (AML) legislation and revoked the license of its branch which performed 90 percent of its business.
In May 2017, the Bank of Tanzania also revoked the bank’s license. Since July 2014, the bank’s operations have been restricted and in 2016, it considerably reduced its staff.
In 2013, Cyprus agreed as part of a bailout agreement to do more against money laundering. According to press reports, pressure from the US led to the introduction of stricter anti-money laundering rules last year, (via the OCCRP).
FBME is well known to U.S. regulatory and investigative bodies and is still struggling to prove that it is not, as FinCEN has said, a major money laundering portal for illicit entities.
In recent years, it has been under enormous pressure to prove it has changed its ways and improved its AML compliance program overall and willingness and aggressiveness in uncovering and reporting potentially criminal transactions to local authorities.
This latest piece of news reveals that the bank still potentially has pockets of non-compliance, so much so that local investigators were worried enough to raid the premises and attempt to uncover something much more sinister than a lax AML program: actual insiders helping criminal groups.
I also recall a recent story that speaks to FBME’s “culture of compliance” and “tone at the top” in some regions, or lack thereof. U.S. regulators and investigative agencies have liberally placed those terms in enforcement actions and guidance as examples of what they want to see for a compliance program to be deemed effective.
In that story, the institution was trying to identify and sue compliance program whistleblowers. Not only is this the opposite of global best practices, it shows that the bank is more interested in hiding failures than fixing them.
U.S. sends stern warning to Europe: Its controversial Iran workaround could face wrath of sanctions
The Trump administration escalated its battle with European allies over the fate of the Iran nuclear accord, threatening penalties against the nascent financial body created by Germany, the U.K. and France to shield trade with the Islamic Republic from U.S. sanctions, a controversial move that has further strained ties between longtime partners usually moving in formation.
Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence, signaled in a May 7 letter obtained by Bloomberg that Instex, the European vehicle to sustain trade with Tehran, and anyone associated with it could be barred from the U.S. financial system if it goes into effect.
“I urge you to carefully consider the potential sanctions exposure of Instex,” Mandelker wrote in the letter to Instex President Per Fischer. “Engaging in activities that run afoul of U.S. sanctions can result in severe consequences, including a loss of access to the U.S. financial system.”
Germany, France and the U.K. created Instex in January to allow companies to trade with Iran without the use of U.S. dollars or American banks -- thus allowing them to get around wide-ranging U.S. sanctions that were imposed after the Trump administration abandoned the 2015 Iran nuclear deal last year.
Any bank that would be part of Instex, particularly if it has any ties to the U.S. or transacts in U.S. dollars, and that moved funds tied to Iran or any designated entity could find itself blacklisted from the U.S. financial system or paying massive penalties – fines that in recent years have soared to as high as $9 billion against one institution.
A senior official involved in the internal debate that led to the letter said the U.S. decided to issue the threat after concluding that European officials, who had earlier downplayed the significance of Instex in conversations with the Trump administration, were far more serious about it than they had initially let on.
The official, who asked not to be identified discussing internal deliberations, said the letter was intended to serve as a warning that the U.S. would punish anyone associated with Instex -- including businesses, government officials and staff -- if they were working to set up a program to help Iran evade U.S. sanctions.
European countries broadly opposed Trump’s decision to withdraw from the nuclear accord but have struggled to deliver the economic benefits Iran expected from the deal, known as the Joint Comprehensive Plan of Action, since the U.S. quit.
In the meantime, U.S. sanctions have delivered a blow to Iran’s economy, fueling inflation, reducing oil revenue and pressuring President Hassan Rouhani’s government. Instex was supposed to help address that, but so far it has largely failed to get up and running.
At the heart of the latest U.S. move is the argument that Iran and its central bank use deceptive financial practices and haven’t implemented minimum global safeguards against money laundering and terrorism financing, (via Bloomberg).
This was always a possibility, as the current administration and OFAC have made pressuring Iran and preventing its banks and blacklisted entities from gaining access to the U.S. and international banking system a top priority.
Moreover, this is something well known to all large domestic and foreign financial institutions. Over the past decade, OFAC has levied billions of dollars in fines against banks that worked with Iran and related off-limits entities, in many cases attempting to hide the trail by stripping transactions and hiding information from regulators and investigators.
It will be interesting to see if Instex ever becomes the sanctions-evading force the EU had envisioned, particularly now that it has been formally put on notice by a top U.S. official. And as we just mentioned, Instex would need the help of large foreign banks with extensive direct and foreign correspondent networks to really help Iran.
So the question remains: How many of these banks do you think are willing to stick their necks out and, while potentially gaining credit with EU regulators, put themselves in the firing line of OFAC? Not many, I would guess.