Financial institutions and other U.S. persons who conduct business with foreign parties have become increasingly aware of their obligation to thoroughly vet the parties with which they are doing business. Often, as part of their due diligence process, employees are tasked with screening the Office of Foreign Assets Control’s (OFAC) List of Specially Designated Nationals and Blocked Persons (the “SDN List”). In addition, larger organizations often create their own robust databases utilizing materials published by OFAC, affording the organization the ability to annotate or customize OFAC’s information based on past experiences or other developments. However, as was highlighted in OFAC’s newly-announced enforcement action against BMO Harris Bank NA (“Harris Bank”), failure to appropriately update these databases can create serious consequences.1

It’s not uncommon, when a company is conducting due diligence on a new business partner, for general searches to produce a “hit” on the SDN List, indicating that the transaction may be prohibited under OFAC’s regulations. However, after further examination, the company may conclude for legitimate reasons that the “hit” is a “false hit,” which means U.S. persons can engage in business with the third party. Two of the most common reasons why a “hit” is considered a “false hit” are because (1) the vetted party shares a similar name with a blocked party or (2) OFAC has issued a license authorizing the underlying transaction. In an effort to reduce the volume of repetitive analyses associated with these “false hits,” a company may place the entry in its internal “false hit list.” While OFAC recognizes this is a common and legitimate practice, using false hit lists can create serious risks due to the continuously evolving U.S. sanctions programs.

This risk became particularly evident in the enforcement action against Harris Bank published on October 21, 2015. Prior to merging with Harris Bank, Marshall and Ilsley Bank (“M&I Bank”) processed several fund transfers on behalf of its customer in 2011 for receivables owed to an Iranian carpet company. In 2009, M&I Bank had added its customer’s name to its internal false hits list because the underlying transaction was legal pursuant to a general license issued by OFAC in accordance with its Iranian Transactions and Sanctions Regulations (ITSR).2 However, OFAC revoked the relevant license in 2010. Despite the revocation, OFAC alleges M&I Bank failed to remove the customer’s name from its false hit list and, as a result, processed transactions that violated the ITSR. Subsequently, when M&I Bank merged into Harris Bank, Harris Bank absorbed the liability associated with the 2011 violations.

Alongside this recent enforcement action, OFAC released guidance for U.S. persons utilizing false hit lists.3 Specifically, OFAC stressed the importance of implementing policies and procedures that “review, evaluate, and reassess” the entries on false hit lists and recommends taking measures that include:

  1. Involving sanctions compliance personnel in developing guidelines for, and oversight of, the functioning of false hit lists, including periodic reviews;
  2. In situations where additions or changes to an SDN List entry are similar to a false hit list entry, ensuring that alerts generated by screening hits in connection with the additions/changes to the SDN List are not automatically suppressed by the existing false hit list entry;
  3. Amending the false hit list, as needed, in response to updates to OFAC’s sanctions programs (including, for example, the revocation of general licenses, the implementation of new sanctions programs and/or prohibitions, or enhanced restrictions on certain categories of transactions); and
  4. For direct customers who have an entry on a false hit list, ensuring that any meaningful changes to the customer’s information (e.g., a change in ownership status, business activity, address, date of birth, place of business, etc.) trigger a review of the false hit list entry.4

Since OFAC deems U.S. persons to have knowledge of any update to its U.S. sanctions programs or SDN List, it is imperative that all U.S. persons conducting business with foreign parties ensure that their databases, including false hit lists, are updated every time that OFAC updates the SDN List or takes any other action that alters the scope of its sanctions programs.

Because the utilization of false hit lists can create significant liabilities if they are not periodically reviewed and properly maintained, it is important that appropriate personnel and experts are involved in developing and auditing a company’s internal risk assessment process. In addition, the enforcement action against Harris Bank underlines the necessity of thoroughly examining a target company’s internal risk assessment and compliance practices as part of due diligence in a merger or acquisition and ensuring that the definitive agreement provides appropriate representations and warranties. Please contact your legal representative to help identify any issues and necessary actions to ensure that your current practices and risk process comport with the requirements imposed by OFAC.