Top 10 Lessons Learned from OFAC's 2019 Financial Institution Enforcement Actions (OFAC 2019 Year in Review Part 2)

As we mentioned in the first part of our U.S. Sanctions Year in Review series, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) had an extraordinarily busy year in 2019, and its enforcement activity was no exception. OFAC rolled out 30 public enforcement actions in 2019, with 26 civil penalties or settlements and four findings of violation. Eleven of the enforcement actions were directed at financial institutions (“FIs”), four against FIs based in the United States and seven against FIs based abroad. However, these enforcement numbers can be deceptive in assessing overall FI risk, because while slightly more than a third of OFAC’s 2019 enforcement actions targeted FIs, those institutions paid almost 99 percent of the penalties. This is because the penalties assessed against FIs averaged around $127 million, while the average penalty assessed against non-FIs was only about one percent of that amount (approximately $1.2 million).

2019 was also notable for the number of enforcement actions brought against FIs without voluntary self-disclosures. Six of the 11 were not voluntarily disclosed, with two of these cases receiving egregiousness determinations from OFAC and, accordingly, the largest penalties of the year. By contrast, OFAC determined no case to be egregious last year where the FI discovered and voluntarily disclosed the violative conduct, resulting in dramatically reduced penalties for the confessors. These numbers show that FIs must remain vigilant against sanctions risks and stand ready to investigate, analyze, and rapidly determine whether to disclose future potential violations.

In addition to the enforcement activity noted above, OFAC published its “Framework for OFAC Compliance Commitments” last May, outlining for the first time the “essential elements” OFAC expects a sanctions compliance program to possess. These essential elements are (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC’s Framework also discusses common “root causes” of sanctions compliance program breakdowns. As we previously wrote in June of 2019, many of these root causes related to specific OFAC enforcement actions. Importantly, OFAC mentions in the Framework that it will consider the “existence of an effective [sanctions compliance program]” as a factor in its analysis when determining whether a sanctions violation should be deemed egregious (and whether a penalty should be imposed at all). With this in mind, FIs should review OFAC’s Framework when developing or revising their sanctions compliance programs in 2020.

It’s also worth remembering that OFAC Director Andrea Gacki announced last June that OFAC would no longer give credit for all types of fines paid to other government agencies in multi-agency settlements. Rather, OFAC will now only give credit for penalties imposed by other agencies arising out of “the same pattern of conduct for the same period of time” as OFAC violations. OFAC referenced this new policy in its two “major bank” settlements last year – involving Standard Chartered and UniCredit – and this policy is likely to impact FIs more than other types of businesses due to the multiple regulators and regulatory controls to which FIs are subject.

OFAC’s FI cases in 2019, as in prior years, strongly suggest that the agency holds FIs to higher compliance standards than other types of businesses. This is likely due to the size and sophistication of FIs, their critical role in ensuring the integrity of the U.S. and international financial systems, and the essential part they play in ensuring corporate sanctions programs are effectively implemented. While OFAC does not generally prescribe particular sanctions compliance procedures, other than as noted in its Compliance Commitments, it does give hints of its compliance expectations in its public enforcement actions. FIs need to be aware of these expectations as they can factor significantly into whether OFAC views problematic conduct as worthy of a monetary penalty. Accordingly, MoFo’s National Security team has, once again, collected the latest lessons from OFAC’s FIs enforcement actions last year. These Top 10 lessons should be valuable for FIs and non-FIs alike, although we will focus on OFAC’s non-FI enforcement cases in the third part of our OFAC Year in Review series tomorrow:

1. Preventing payments from embargoed jurisdictions through the United States remains a key OFAC focus. In 2019, the Trump Administration removed a general license authorizing U.S. FIs to process “U-turn payments” – payments where the originator and beneficiary are non-U.S. persons outside the United States – involving Cuba. This brings OFAC’s Cuba program in line with OFAC’s other comprehensive sanctions programs (Iran, North Korea, Syria, and the Crimea region of Ukraine) and means that FIs need to remain vigilant to ensure they are not wittingly or unwittingly processing payments involving these jurisdictions through the United States. OFAC’s largest penalties in 2019 were the result of these types of transactions, which frequently resulted from (A) branches in high-risk jurisdictions and/or (B) inadequate compliance and legal oversight:

• Branches in high-risk jurisdictions. In one of the Standard Chartered Bank (“SCB”) cases from April, SCB’s branch in the UAE originated thousands of U.S. dollar payments primarily related to Iran that were processed through SCB’s branch in New York. FIs should ensure that any branches or subsidiaries they have in high-risk geographies, including those near sanctioned jurisdictions or with historic trading ties to such jurisdictions, have sufficient compliance resources to identify and respond to heightened local risks.
• Inadequate compliance and legal oversight. In a trio of cases involving various UniCredit entities last April, UniCredit managers developed and implemented a policy to process payments related to jurisdictions subject to comprehensive U.S. sanctions in what UniCredit referred to as an “OFAC neutral” manner. However, the UniCredit staff who developed the policy did not submit it for legal review to either UniCredit’s legal department or external counsel. If they had, the legal teams might have flagged that the policy included instructions to confirm that payments “were formatted in a manner that ensured U.S. intermediary parties could not detect the involvement of OFAC-sanctioned parties or countries,” thereby resulting in the “stripping” of relevant payment information that caused UniCredit to violate U.S. sanctions.

2. If you are a non-U.S. financial institution, understand your touch points to the United States. Most non-U.S. FIs know that processing U.S. dollar payments related to transactions taking place outside the United States carries U.S. sanctions risks because those payments are often cleared through the United States. However, this is obviously not the only way for non-U.S. FIs or activities to come under U.S. jurisdiction. Last year two cases illustrated the risks of (A) bulk U.S. dollar funding arrangements, and (B) intermediate U.S. ownership structures that brought non-U.S. FIs and activities under U.S. jurisdiction:

• Bulk U.S. dollar funding. In the British Arab Commercial Bank (“BACB”) case from September, the U.K.-based BACB developed an internal “book transfer” mechanism to process U.S. dollar payments on behalf of Sudanese customers without clearing those transactions through the United States. However, to process the book transfers, BACB needed a supply of U.S. dollars to fund book transfer-related accounts. BACB funded these accounts by sourcing U.S. dollars in bulk from European FIs that, in turn, sourced those dollars from the United States. While the book transfer process appears to have successfully avoided U.S. jurisdiction, OFAC found that because BACB’s bulk U.S. dollar funding “corresponded” to individual payments related to Sudan, the bulk funding transactions violated U.S. sanctions against Sudan at the time.
• Intermediate U.S. ownership structures. Both the Allianz and ACE Limited cases from December involved non-U.S. FIs selling insurance products outside the United States. Both Allianz and ACE were ultimately owned by non-U.S. companies. However, they were each owned or controlled by an intermediate company incorporated in the United States, thus bringing them under OFAC’s regulations related to Iran and Cuba. Without intermediate U.S. ownership or control, it appears that none of Allianz or ACE’s conduct would have been subject to U.S. sanctions.

3. OFAC expects financial institutions to have sophisticated sanctions compliance programs. While many of OFAC’s trade cases focus on the failure of non-FIs to catch matches to names on OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”), those involving FIs suggest higher compliance expectations – which may be replicated in the future against non-FIs – including that FIs (A) organize business data to inform sanctions screening, (B) block accounts of companies beneficially owned by individuals in embargoed countries, (C) utilize IP blocking software and (D) use sanctions exclusion clauses in contracts:

• Organize business data to inform sanctions screening. In the Western Union case from June, Western Union collected business data including location information while onboarding a new sub-agent in The Gambia. Western Union stored this information in its systems as an agent location of a partner bank, and not as a discrete legal entity acting as a sub-agent. Unfortunately, the new sub-agent was later designated as a Specially Designated Global Terrorist (“SDGT”). Despite holding the SDGT’s location data in its systems, Western Union “did not screen location data for sanctions-related issues” as part of its process to review agents and sub-agents acting on its behalf. If Western Union had incorporated the location data available in its systems into its screening process, it may have avoided doing business with an SDGT and a fine from OFAC. This lesson is particularly critical for FIs dealing with legacy systems that may not have been created with the current screening processes in mind.
• Blocking accounts of companies beneficially owned by individuals in embargoed countries. In the SCB settlement agreement from April, OFAC noted that “while [SCB] had previously blocked the account of [a non-Iranian company’s] Iranian national beneficial owner due to sanctions risk, SCB Dubai maintained an account relationship” with the company, processing over $150 million in transactions through the United States on the company’s behalf. OFAC viewed these services as violating U.S. sanctions against Iran because even though the company itself was not Iranian, the benefit of processing transactions for the company was received in Iran, presumably by the Iranian beneficial owner.
• IP blocking. In its settlement agreement with SCB, OFAC noted that SCB “did not implement any controls to restrict access” to its online and mobile banking platforms from comprehensively sanctioned jurisdictions until 2013. Without such controls, SCB customers originated thousands of U.S. dollar payments that were processed through SCB’s branch in New York in violation of multiple sanctions programs.
• Sanctions exclusion clauses. In the ACE Limited case from December, OFAC noted that ACE’s global insurance policies did not contain “sanctions exclusion clause[s,]” which would have excluded transactions that could violate U.S. sanctions from coverage. OFAC stated that it viewed the lack of sanctions exclusion clauses in ACE’s insurance policies as a failure to “implement adequate internal controls” (a reference to OFAC’s Compliance Framework). 

4. No matter how sophisticated your compliance program is, it won’t work if your employees don’t use it properly. Companies need to ensure that they cultivate a culture of compliance, and train employees to understand how to adequately use their compliance systems. For example, in the UniCredit cases from April, UniCredit had a group sanctions policy in place that “clearly addressed OFAC sanctions concerns and restricted the processing of transactions denominated in USD on behalf of [sanctioned parties].” Despite this policy, OFAC noted that employees at UniCredit’s German subsidiary processed payments related to the Islamic Republic of Iran Shipping Lines (“IRISL”) even after receiving an email policy directive not to process such payments. OFAC also noted that employees of UniCredit’s Italian subsidiary “ignored or fail[ed] to adhere to UniCredit Group sanctions policies” by processing U.S. dollar payments on behalf of persons located in comprehensively sanctioned countries.

5. Test, audit, and enhance sanctions compliance programs. OFAC listed testing and auditing as an “essential component” of a sanctions compliance program in its Compliance Commitment Framework. FIs that do not test their programs may discover that these programs do not work as intended. In particular, FIs need to (A) test and audit any ring fencing policies designed to allow limited business with sanctioned parties outside the United States, (B) ensure sanctions compliance systems incorporate information from customer due diligence, and (C) establish appropriate compliance reporting lines to ensure sanctions issues are followed up with the appropriate parties:

• Test and audit ring fencing policies. In one of the SCB cases from April, SCB’s affiliate in Zimbabwe established a “ring fencing” policy to conduct business with OFAC-sanctioned parties. However, these efforts were unsuccessful in part because the Zimbabwe affiliate’s personnel were unaware that their customers subject to the ring-fencing policy could use credit cards issued in Zimbabwe in other countries, including the United States. Similarly, in the BACB case, OFAC noted that BACB employees believed that all of BACB’s Sudan-related transactions, including the bulk U.S. dollar funding, would be processed outside the United States because they apparently did not consider that the bulk U.S. dollar transfers would be sourced from the United States.
• Ensure sanctions compliance systems incorporate information from customer due diligence. OFAC noted in SCB’s settlement that SCB collected customer due diligence information on one of its UAE corporate clients indicating the client was owned by an Iranian individual who also held an account at SCB. However, despite SCB’s customer due diligence files indicating the Iranian account holder owned the UAE corporate client, “SCB did not identify” that the accounts of the two were “linked within its internal systems.” As a result, SCB’s branch in the UAE processed hundreds of payments through the United States on behalf of the UAE corporate client that OFAC determined violated U.S. sanctions against Iran.
• Establish appropriate compliance reporting lines. In the State Street Bank case from May, State Street Bank and Trust Co. (“State Street”) had a policy in place that required its retiree service staff to refer possible sanctions issues to business-aligned compliance staff rather than State Street’s central sanctions compliance unit that had specialized sanctions expertise. While escalating sanctions issues to business-aligned compliance staff rather than sanctions specialists, State Street’s retiree service staff processed 45 pension payments to U.S. citizens resident in Iran in violation of U.S. sanctions against Iran.

6. Generally know your customers’ customers. No, we are not suggesting that the standard Know Your Customer (“KYC”) obligations have been supplanted by a new KYCC standard, as some in the U.S. State Department have claimed. Yet, FIs should generally know your customers’ customers’ lines of business and how they are protecting your customers and you from sanctions risks. Several of OFAC’s FI enforcement actions highlighted the importance of knowing who your downstream counterparties are so that you can stop them from getting you into trouble. In 2019, OFAC highlighted the risks posed by (A) third-party underwriters, (B) general trading companies, (C) trade credit assignments, (D) third-party travel agencies, and (E) foreign sub-agents:

• Third-party underwriters. In the Allianz case from December, the German financial services company, Allianz, operated in Canada through a branch of its U.S. subsidiary. The Canadian branch sold Cuba travel insurance policies to Canadian residents through a Canadian third-party underwriter without collecting travel destination information. Neither the third-party underwriter nor the Canadian branch of Allianz collected travel destination information from their customers upon policy issuance. However, the third-party underwriter did collect destination information when emergency medical assistance was required, revealing that many of the travelers went to Cuba. The underwriter did not report this information to Allianz’s Canadian branch, which ultimately sold thousands of Cuba-related insurance policies in violation of U.S. sanctions against Cuba at the time.
• General trading companies. In 2013, OFAC issued a public advisory describing ways in which Iranian persons use general trading companies to evade U.S. sanctions. The first SCB case from April demonstrates the risks of dealing with these entities without sufficient controls in place. In that case, OFAC stated that the majority of SCB’s problematic conduct “concern[ed] Iran-related accounts … including accounts at SCB Dubai held for a number of general trading companies” ultimately acting on behalf of customers physically located and/or ordinarily resident in Iran.
• Trade credit assignments. In the Atradius Trade Credit Insurance case from August, a company sold cosmetics under a trade credit arrangement (whereby a company lends its products on credit to retailers who repay the credit when products are sold) to the Soho Mall in Panama. The cosmetics company purchased trade credit insurance from Atradius to insure against trade credit defaults from the Mall. OFAC later designated the Soho Mall pursuant to the Foreign Narcotics Kingpin Designation Act, thereby causing the Mall to default on its trade credit. In response, the cosmetics company invoked its trade credit insurance and assigned the right to collect the trade credit to Atradius. Atradius accepted the assignment and ultimately collected on the trade credit from the Soho Mall. OFAC noted that Atradius “did not undertake any meaningful analysis or otherwise seek confirmation from OFAC that assignment of the [Mall]’s debt and acceptance of payment from the Soho Mall” was permissible. OFAC found that Atradius violated the Narcotics Kingpin sanctions by both accepting the assignment of and collecting on the designated Soho Mall’s trade credit.
• Third-party travel agencies. In the ACE Limited case from December, ACE sold group travel policies to a European online travel agency through a master agreement. The travel agency then dealt with customers directly, paying ACE a pre-determined premium for each specific individual covered under the group policy. Unfortunately for ACE, many of the individuals who purchased its insurance products through the European travel agency used them for Cuba travel coverage, thereby exposing ACE to U.S. sanctions liability.
• Foreign sub-agents. In the Western Union case, Western Union had a pre-existing relationship with a bank in The Gambia that acted as Western Union’s agent. That bank entered into a sub-agent relationship with a shopping center that was subsequently designated as an SDGT. However, Western Union entered the SDGT sub-agent into its systems as a bank location rather than a distinct legal entity, thereby relying on the Gambian bank for sanction compliance. This reliance proved problematic, as the local bank did not notify Western Union after OFAC designated the sub-agent. This case demonstrates the potential risks of relying on business partners for sanctions compliance and that, if you do so, you need to ensure they understand their obligations under U.S. sanctions rules and are capable of fulfilling those obligations.

7. Conflicts of law continue to confound. After President Trump announced the United States’ withdrawal from the Joint Comprehensive Plan of Action (“JCPOA”), the European Union updated Council Regulation (EC) No 2271/96 (the “EU Blocking Statute”), which prohibits EU companies from complying with U.S. sanctions against Iran and Cuba. As we previously wrote in August of 2019, the Trump Administration escalated these issues in 2018 when it required U.S. foreign subsidiaries abroad to comply with the same Iran sanctions rules as their U.S. parents and in 2019 when it refused to waive key provisions of the Helms-Burton Act. In response to the latter escalation, the EU issued a joint statement from High Representative Federica Mogherini and Commissioner for Trade Cecilia Malmström, restating the EU’s “strong opposition to the extra-territorial application of unilateral Cuba-related measures that are contrary to international law.” Canada’s Foreign Extraterritorial Measures Act contains provisions similar to the EU Blocking Statute for Canadian companies. However, foreign companies may not rely on these provisions to violate U.S. sanctions.

• In the ACE Limited case from December, OFAC noted that ACE explained “the lack of a sanctions exclusionary clause[s]” in its global insurance policies was due to advice it received from a European regional compliance team to ensure its insurance policies complied with the EU Blocking Statute. Despite conflicting laws between the EU and the United States, OFAC held ACE liable for the Cuba-related travel policies ACE sold from its U.K. subsidiary because that subsidiary was owned by an ACE subsidiary in the United States and thus subject to U.S. jurisdiction for Cuba-related activities. OFAC specifically mentioned that its action against ACE “underscores … the importance of [using] sanctions exclusionary clauses to mitigate potential sanctions violations.”

8. Stripping still doesn’t pay. The trio of settlements with UniCredit continue a long line of cases against non-U.S. FIs that engaged historically in “payment stripping,” the practice of removing information on messages for payments sent through the United States that would have identified a party as sanctioned or located in a sanctioned jurisdiction. Like previous stripping cases, OFAC found UniCredit’s conduct to be egregious, thereby significantly increasing its penalty.

9. Use your regulator, and your financial condition, when talking penalties with OFAC. In the BACB case from September, OFAC noted that the operating capacity of the London-based bank “was such that it would face disproportionate impact if required to pay the proposed penalty of $228,840,000.” Accordingly, “[i]n consultation with BACB’s domestic regulator, the United Kingdom’s Prudential Regulation Authority,” OFAC settled the approximately $229 million matter for $4 million.

10. When in doubt, ask OFAC. Although the recent Exxon decision suggests that companies may not be obliged to consult OFAC when they believe the law is unclear, that decision may have limited impact, and OFAC continues to advise that the private sector approach the agency before making a move that could implicate sanctions. In the Atradius case from August, OFAC highlighted “the importance of obtaining a specific license before engaging in” potentially unauthorized activity. Of course, decisions on whether and how to approach OFAC should not be made lightly, given that ill-informed approaches can lead to delays in responses, stoppages in business activities, and even governmental investigations.

Conclusion

The pace of enforcement actions accelerated significantly in 2019, and OFAC has already begun issuing its first enforcement cases for 2020. The cases above demonstrate that FIs should be especially vigilant in reviewing and understanding their sanctions risks heading into this new year. As always, we in Morrison & Foerster’s National Security Practice Group stand ready to provide counsel on the scope and sufficiency of sanctions compliance programs and training, the legality/sanctionability of particular transactions or lines of business, and any actual or potential enforcement matters.