US enforcement against non-US banks
Economic sanctions continue to dominate press headlines, in respect of both increasing regulation and regulatory enforcement. As a result, sanctions compliance is a growing concern for international banks and financial institutions. While the long arm of US regulators remains an obvious issue for non-US banks, significant growth in EU sanctions in recent years and increased scrutiny of sanctions by the UK’s Financial Conduct Authority (FCA) signal a warning for banks and financial institutions operating in the EU and UK.
The ability of US regulators to prosecute non-US banks for causing breaches of US sanctions has been clearly evidenced in recent years. A long list of non-US banks has been subject to substantial penalties for causing US persons to breach US sanctions. The outcome for a number of non-US banks has also involved reputational damage and stringent on-going compliance obligations.
The most recent and well publicised enforcement action by US regulators resulted in BNP Paribas paying a fine of US$8.9 billion for processing billions of dollars of transactions through the US financial system on behalf of individuals and entities associated with countries subject to US sanctions during the period 2004 to 2012. The press release issued by the US Department of Justice confirmed that this is the first time a global bank has agreed to plead guilty to large-scale violations of US sanctions.
Liability in the majority of cases in recent years is based on what was once common practice at several European banks and is referred to as the ‘cover payment method’ or ‘wire stripping’. This essentially involved non-US financial institutions eliminating payment data before sending instructions to the US where that data would have revealed the involvement of US-sanctioned countries and entities. Many of these cases involve the more deliberate and egregious examples of non-compliance with US sanctions. However, far more minor, inadvertent breaches can also lead to an obligation on banks to make mandatory disclosures to their regulators (for example, in the UK a sanctions breach triggers a mandatory disclosure obligation to HM Treasury), which in turn could expose a bank to further investigations and enforcement by its regulators.
The EU and UK perspectives
Enforcement in the EU (which is left to individual Member States) has not been as vigorous as seen in the US, but the sanctions regimes are becoming more aggressive. The majority of the conduct giving rise to the enforcement of US sanctions against non-US banks occurred prior to 2010 and, in some cases, as early as 2002. During this period there were no equivalent sanctions in place across the EU. The EU is now more aligned with the US, and there has been a marked increase in its use of sanctions in recent years. By way of example, from 2010 to 2011 the number of relevant EU regulations imposing sanctions trebled from 22 to 69, mainly concerning Iran, Syria and Libya. These more recent sanctions regimes are viewed as having real teeth and have made a significant impact on many of their targets. As a result, the EU sanctions regime is more comprehensive than at any previous time, both in terms of the scope of the regulations imposed and regulatory scrutiny.
The approach of US authorities, with their aggressive pursuit of banks for alleged sanctions violations and layering of other charges (such as money laundering and failure to maintain accurate books and records offences in addition to sanctions violations), gives a sense of how regulatory authorities from EU Member States may follow, or indeed are following, suit. In the UK, the FCA has stated that it expects banks to establish and maintain systems and controls to counter the risk that firms may be used to further financial crime (including transactions subject to sanctions). In practice, this means that in addition to complying with the relevant sanctions regimes, banks must comply with other legal obligations, including the Money Laundering Regulations 2007 and the Proceeds of Crime Act 2002. In relation to maintaining adequate systems and controls, there are a number of potential areas of exposure for banks including Principle 3 of the FCA’s Principles for Businesses (Management and Control), which places obligations on banks to take reasonable care to organise and control their affairs responsibly and effectively. In addition, Rule 6.1.1R of the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) specifically provides that banks must establish, implement and maintain adequate policies and procedures within the context of the firm potentially being used to further financial crime.
This is not an exhaustive list of a bank’s obligations with respect to sanctions; however, it is intended to highlight that the scope of these obligations is quite separate and is in addition to the underlying obligations pursuant to the EU and UK sanctions regimes. The FSA’s settlement with the Royal Bank of Scotland Group (RBS) in 2010 remains a key example of enforcement which may be brought against banks in the UK. The RBS settlement was not based on underlying sanctions violations but instead arose from deficiencies in the systems and controls of RBS to prevent breaches of UK financial sanctions (for conduct between December 2007 and December 2008) pursuant to the Money Laundering Regulations 2007. In a more recent case, Guaranty Trust Bank (UK) Limited was fined in August 2013 for failing to maintain effective systems and controls for customers based in countries associated with a higher risk of money laundering, bribery or corruption, including accounts held by politically exposed persons. The settlement with Guaranty Trust was pursuant to Principle 3 of the FCA’s Principles for Businesses and 6.1.1R of SYSC.
Compliance with EU sanctions requires further attention due to the fact that implementation is complicated; banks dealing across different Member States must also adhere to sanctions laws implemented at the national level. While EU regulations imposing sanctions will be ‘directly applicable’ in each Member State, licensing, enforcement and penalties for violations are implemented at the national level and additional restrictions may be imposed by individual Member States. For example, the EU sanctions against Russia (i.e. Council Regulation (EU) 269/2014 (as amended)) have been implemented in the UK with additional restrictions, including a ban on exporting military and ‘dual-use’ items which could be used by Russian armed forces against Ukraine. Banks involved in trade finance, for example, must therefore consider local restrictions when dealing across Member States.
Key issues and emerging risks
The US and the EU now appear to be aligned on the rationale of major sanctions, although additional restrictions on Russia are currently wider in scope in the US. To date, the number of UK criminal prosecutions for sanctions offences (outside the finance sector) has been limited, but predominantly successful. In addition to the risk of criminal prosecutions, the FCA is increasing its focus on compliance with sanctions by banks. The FCA recently released a summary of feedback to its consultation on examples of good and poor practice in ‘Banks’ control of financial crime risks in trade finance’ (including a review of controls around sanctions compliance). The trade finance review followed a previous thematic review by the FSA in 2009, which focussed on ‘Financial services firms’ approach to UK financial sanctions’. These types of reviews suggest that compliance with sanctions is a key focus for the FCA. More investigations and enforcement are likely to follow against the backdrop of more sanctions in the EU, including a broader focus by the FCA on the conduct of senior management at banks who are responsible for maintaining adequate systems and controls.
The significance of compliance
Addressing sanctions compliance is complex and subject to constantly evolving circumstances. Although immediate measures can be taken to identify existing connections with sanctioned individuals or entities, banks and financial institutions must have systems in place to ensure adequate awareness of pending transactions and to ensure a pro-active and consistent approach to compliance. The US and EU enforcement actions referred to above highlight the need for an effective sanctions compliance programme, together with adequate numbers of sufficiently qualified and experienced personnel to execute the programme and escalate issues appropriately.
Banks and financial institutions must be able to demonstrate to regulators that they are fully aware of the sanctions and embargoes which are in place, and the intricacies within each of the sanctions regimes, and that the company has effective systems and controls to regulate compliance and to report issues to regulators where appropriate.
The obligations imposed on banks and financial institutions in connection with sanctions-related compliance programmes tend to be strict and onerous, requiring global consistency, regular testing, effective training, and proper record keeping and reporting. To assist with these obligations there is industry guidance available (such as the guidance issued by the Joint Money Laundering Steering Group), which banks and financial institutions are encouraged to follow. Notably, published industry guidance may be taken into account by a regulator or a court in assessing a bank’s compliance with sanctions regulations. Departures from good industry practice, and the rationale for doing so, may have to be justified to a regulator or a court.
In circumstances where sanctions regulations do not impose specific policy and procedure requirements, regulators expect banks and financial institutions to implement appropriate systems based on an assessment of risk. They often look for a robust and proportionate response to complying with sanctions requirements.
Banks should therefore ensure that any sanctions-related compliance programme is:
- working consistently on a global level
- being tested regularly and effectively
- providing for adequate due diligence
- providing for effective training
- providing for adequate screening
- focused on record-keeping and reporting
- allowing for adequate audit
With the regulatory spotlight on the finance sector both in the EU and the US, banks and financial institutions should keep sanctions compliance under active review and ensure all processes are appropriate, taking into account the needs and risks of their business.