OFAC’s 23 Compliance Commitments Are Now a Fixture of OFAC Settlements and Are Intended to Provide Guidance to Financial Institutions and Non-Financial Institutions Alike
On April 15, 2019, UniCredit Bank AG (“UCB AG”), headquartered in Munich, Germany, UniCredit Bank Austria AG (“Bank Austria”), headquartered in Vienna, Austria, and their corporate parent, UniCredit S.p.A., an Italian global banking and financial services company (collectively the “UniCredit Group”), resolved alleged violations of U.S. economic sanctions with federal and state agencies for a combined $1.3 billion payment and the imposition of a monitor. In addition, UCB AG pled guilty to federal and New York criminal charges.
The UniCredit Group was alleged to have processed thousands of transactions over a multi-year period (2007-2012) on behalf of persons and entities subject to U.S. economic sanctions, largely related to Iran. The settling agencies are the Department of Justice, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the Board of Governors of the Federal Reserve System (“the Federal Reserve”), the New York County District Attorney’s Office (“DANY”), and the New York State Department of Financial Services (“DFS”).
Along with last year’s Société Générale S.A. $1.3 billion penalty, this resolution shows that the march of large, multi-agency enforcement actions against banks for “wire stripping” or other non-transparent payment methods—involving conduct largely from a decade ago—continues to the present day. The OFAC resolution in particular also highlights the risk of a non-U.S. bank’s sanctioned customers making intra-bank transfers to affiliates or third-parties, which can then make U.S. dollar payments on the sanctioned customers’ behalf. The broad issue of a sanctioned entity’s use of affiliates and third-parties as proxies continues to be a difficult compliance challenge for companies across sectors.
Finally, the OFAC settlement includes OFAC’s 23 compliance commitments (reproduced in Appendix A to this memorandum), which have now been incorporated in over half a dozen settlement agreements since December 2018. OFAC has stated that these commitments should be understood as sanctions compliance guidance for all entities and represent the “hallmarks of an effective compliance program.” Financial institutions and non-financial institutions alike—in the U.S. and abroad—should carefully consider these 23 compliance commitments in evaluating and updating their compliance programs.
UCB AG pled guilty to criminal charges regarding its knowingly and willfully moving at least $393 million through the U.S. financial system on behalf of sanctioned entities, during the period of 2002 through 2012. DOJ stated that most of these funds related to the Islamic Republic of Iran Shipping Lines (“IRISL”), an entity listed on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) and, as such, prohibited from accessing the U.S. financial system. According to DOJ, UCB AG engaged in these transactions through a scheme, which UCB AG had formalized in its own policies, designed to conceal from U.S. regulators and other banks the involvement of sanctioned entities in certain transactions. DOJ also stated that UCB AG purposefully used the information and accounts of companies that would not trigger sanctions warnings to process many of the transactions. DOJ stated that, although these companies appeared unrelated to sanctioned entities, many of them (and their accounts at UCB AG) were ultimately controlled by sanctioned entities. UCB AG’s plea agreement with DOJ included a forfeiture of approximately $316.5 million and payment of a fine of approximately $468.4 million.
Bank Austria entered into a Non-Prosecution Agreement with DOJ and will forfeit $20 million associated with the sanctioned entity transactions. According to the non-prosecution agreement, Bank Austria was engaged in similar wire stripping and non-transparent payment message transmission on behalf of Iranian customers, including Bank Saderat, an SDN. UniCredit S.p.A. separately agreed to ensure that UCB AG and Bank Austria’s obligations to DOJ are fulfilled.
The UniCredit Group entered into a combined $611 million settlement with OFAC in relation to more than 2,800 apparent violations of various U.S. sanctions programs, including: the Weapons of Mass Destruction Proliferation Sanctions Regulations, the Global Terrorism Sanctions Regulations, the Cuban Assets Control Regulations, the Burmese Sanctions Regulations, the Sudanese Sanctions Regulations, the Syrian Sanctions Regulations, the Iranian Transactions and Sanctions Regulations, and the Libyan Sanctions Regulations.
OFAC stated that UCB AG operated several USD accounts on behalf of IRISL as well as several companies “owned by or otherwise affiliated with IRISL.” According to OFAC, although UCB AG maintained an internal “customer group” identifying all IRISL-affiliated entities, at various times UCB AG removed certain entities that IRISL did not own (but still controlled or otherwise had an interest in) from this group, the result of which was that UCB AG did not identify IRISL as having an interest in the accounts when sending funds to or through U.S. intermediary banks.
OFAC stated that, after removing certain IRISL-affiliated entities from the IRISL “customer group,” UCB AG also did not have sufficient controls on transfers between various IRISL and the affiliated accounts outside of the “customer group,” which allowed intrabank transfers from IRISL’s main account to those of its affiliates and other controlled companies. With regard to the accounts placed outside of the IRISL “customer group,” OFAC stated that:
[g]iven IRISL's involvement in opening and maintaining the affiliated entities' accounts at [UCB AG]…IRISL appears to have had an interest in transactions processed through the accounts, and the transactions constituted property or interests in property of IRISL that were in the United States.
According to OFAC, UCB AG processed transactions involving or on behalf of IRISL to or through the United States for almost two years after OFAC had designated IRISL on the SDN List in September 2008. Overall, according to OFAC, UCB AG processed over 2,100 transactions in apparent violation of U.S. economic sanctions.
Beyond the apparent violations related to IRISL, OFAC also stated that UCB AG had processed USD payments in a non-transparent manner, including by stripping references to persons, entities, and jurisdictions that were the target of U.S. economic sanctions from payment instructions and messages. OFAC also stated that UCB AG maintained formal “step-by-step instructions” for handling transactions in an “OFAC neutral manner,” i.e., removing references to sanctioned persons, entities, and jurisdictions. Finally, OFAC stated that UCB AG had also processed USD payments, under letters of credit for customers in Central Asia, that ultimately related to Iran. OFAC stated that UCB AG received documentation prior to processing the payments showing that the payments related to shipments to Iran.
UCB AG Aggravating and Mitigating Factors
OFAC determined that the apparent violations constituted egregious cases and that UCB AG did not voluntarily self-disclose the apparent violations. The total base penalty amount for the apparent violations was $1,366,372,244. The settlement with UCB AG reflects OFAC’s consideration of the following facts and circumstances, pursuant to OFAC’s Economic Sanctions Enforcement Guidelines. 
OFAC found the following to be aggravating factors:
- “With regard to IRISL-related conduct, [UCB AG] acted at least recklessly (a) in failing to implement and successfully deploy appropriate controls to prevent the processing of transactions in which IRISL had an interest; (b) when it continued, after the designation of IRISL and a September 15, 2008 internal email policy directive not to process USD payments for IRISL-affiliated customers, to process payment through auto-transfer arrangement which did not allow U.S. intermediary parties to discern the IRISL interest in the payment; (c) when it removed the internal prohibition on processing USD transactions on behalf of [IRISL controlled entity] approximately two weeks after OFAC designate[d] IRISL without first adequately confirming that IRISL did not have an interest in the [IRISL controlled entity] accounts; (d) when it processed USD transactions on behalf of [IRISL controlled entities] despite knowing several warning signs regarding IRISL’s interest in the companies’ accounts; and (e) knew or should have known prior to OFAC’s designation of IRISL that IRISL had an interest in the various IRISL-related accounts;”
- “With regard to the OFAC Neutral Process, (a) formal bank procedure documents instructed bank personnel to confirm that payment instructions were formatted in a manner that ensured that U.S. intermediary parties could not detect the involvement of OFAC-sanctioned parties or countries, after the bank’s legal department informed the bank’s compliance department it was “pursuing a zero-tolerance policy regarding creative solutions being employed with respect to payments”; and (b) the bank continued to process those non-transparent, OFAC-prohibited transactions for an additional five years;”
- “With regard to oil-related transactions, [UCB AG] had at the very least reason to know that the transactions involved Iran because shipping documentation in the trade files the bank maintained and was required to review contained references to onward shipment to Iran;”
- “Further, the conduct described above resulted from a pattern or practice that spanned many years and multiple [UCB AG] branches and product lines;”
- “[UCB AG’s] conduct conferred significant economic benefits to persons subject to U.S. sanctions. Over the span of almost four years, [UCB AG] processed transactions worth over $500 million for persons and countries subject to OFAC sanctions, including IRISL, an entity designated by OFAC for its weapons of mass destruction proliferation activities; and”
OFAC found the following to be mitigating factors:
- “OFAC has not issued [UCB AG] a penalty notice or Finding of Violation in the five years preceding the date of the earliest transaction giving rise to the [a]pparent [v]iolations;”
- “[UCB AG] cooperated with OFAC’s investigation of the [a]pparent [v]iolations by conducting an extensive internal investigation, identifying all of the subject transactions, and executing a statute of limitation tolling agreement with multiple extensions;”
- “[UCB AG] took remedial action in response to the [a]pparent [v]iolations; and”
- “A small number of the [a]pparent [v]iolations involving an interest of IRISL occurred shortly after OFAC’s designation of IRISL on September 10, 2008.”
OFAC stated that for a number of years up to and including 2012, Bank Austria processed over 120 transactions through U.S. financial institutions that involved countries, entities, or individuals subject to U.S. economic sanctions. According to OFAC, Bank Austria engaged in wire stripping and other conduct that removed, omitted, or did not reveal references to or the involvement of sanctioned parties in USD transactions.
The settlement agreement also describes at least six instances in which certain Bank Austria payments on behalf of sanctioned entities were rejected by U.S. financial institutions. According to OFAC, in response, Bank Austria removed Iranian addresses and other identifying information from the payments or changed them to benign locations such as “Austria” or “Dubai” and resubmitted them. OFAC alleged that Bank Austria was generally aware of the prohibitions of U.S. economic sanctions, evidenced by certain requests made to UniCredit Group compliance personnel for exemptions from existing sanctions related internal policies, and took these steps to avoid such prohibitions on USD transactions. Similar to UCB AG, OFAC also stated that Bank Austria had access to certain shipment and other transaction information to show that other payments it processed on behalf of certain Central Asian customers also related to Iran.
Bank Austria Aggravating and Mitigating Factors
OFAC determined that approximately half of the apparent violations (those relating to the processing of certain payments for the exportation, reexportation, sale, or supply of goods, technology, or services from the United States to Iran via a third country with reason to know of the ultimate Iranian destination) constituted non-egregious cases and the remainder constituted egregious cases. OFAC found that Bank Austria did not voluntarily self-disclose the apparent violations. The total base penalty amount for the apparent violations was $39,622,495. The settlement with Bank Austria included a description of the aggravating and mitigating factors that reflected OFAC’s consideration of the facts and circumstances, pursuant to OFAC’s Economic Sanctions Enforcement Guidelines.
According to OFAC, UniCredit S.p.A. in the years up to and including 2012, processed more than 600 transactions that involved countries, entities, or individuals subject to U.S. economic sanctions, including dozens of USD payments on behalf of banks and other entities designated on the SDN List. OFAC also stated that UniCredit S.p.A. engaged in wire stripping and took other actions to remove, omit, or otherwise not reveal the involvement of sanctioned parties in USD transactions.
OFAC stated that UniCredit S.p.A. was aware of the relevant U.S. sanctions prohibitions and took steps to “correct” payment information (i.e., to remove references to sanctioned entities or countries) to avoid such prohibitions. According to OFAC, UniCredit S.p.A. also processed USD transactions pursuant to letters of credit involving the delivery of goods to Cuba and UniCredit S.p.A. was aware from the documentation it had received from its client that the payments related to Cuba. OFAC stated that UniCredit S.p.A. also processed over $1 million worth of USD transactions on behalf of entities located in Burma that were designated pursuant to the Burma sanctions program and transactions worth hundreds of thousands of USD on behalf of entities located in Sudan during the period when Sudan was subject to comprehensive U.S. economic sanctions. According to the settlement agreement, UniCredit S.p.A. also processed over $100,000 worth of USD transactions related to Syria, which is also subject to comprehensive U.S. economic sanctions.
UniCredit S.p.A. Aggravating and Mitigating Factors
OFAC determined that the apparent violations constituted egregious cases and that UniCredit S.p.A. did not voluntarily self-disclose the apparent violations. The total base penalty amount for the apparent violations was $72,741,368. The settlement with UniCredit S.p.A. included a description of the aggravating and mitigating factors that reflected OFAC’s consideration of the facts and circumstances, pursuant to OFAC’s Economic Sanctions Enforcement Guidelines.
As a part of its settlement with the UniCredit Group, OFAC also imposed a series of 23 compliance commitments across six topic areas: (i) management commitment, (ii) risk assessment, (iii) internal controls, (iv) testing and audit, (v) training, and an annual certification of compliance with the commitments. The full list of compliance commitments is included in Appendix A. Under the settlement, during the next five years, the UniCredit Group must certify annually to OFAC that it has implemented and continues to maintain a compliance program addressing these compliance commitments.
The Federal Reserve Board
The Federal Reserve Board issued a cease and desist order and imposed a $158 million penalty against UniCredit Group for its “unsafe and unsound practices relating to inadequate sanctions controls and supervision of its subsidiary banks.” As a part of the penalty, the Federal Reserve Board also required the UniCredit Group to submit an enhanced global compliance program for the Federal Reserve Board’s review. Additional enhancements required by the Federal Reserve Board include annual global sanctions related risk assessments (including a risk-focused sampling of U.S. dollar payments), enhanced sanctions related compliance policies and procedures, a worldwide sanctions compliance reporting hotline, and increased employee training regarding sanctions compliance topics. The cease and desist order requires that the annual compliance review be conducted by an independent monitor.
DFS imposed a $405 million penalty on the UniCredit Group for conducting business in an unsafe and unsound manner in violation of New York Banking Law § 44 and failure to maintain an effective and compliant OFAC compliance program, in violation of 3 N.Y.C.R.R. § 116.2. DFS stated that the violations involved billions of dollars transiting New York in non-transparent transactions to and from its clients located in countries subject to U.S. sanctions, including Cuba, Iran, Libya, Myanmar, and Sudan. DFS stated that the UniCredit Group had engaged in cover payment and wire stripping activity with regard to thousands of USD transactions. DFS also stated that, in addition to the IRISL activity, the UniCredit Group had processed transactions on behalf of Bank Sepah, which was also designated on the SDN List in January 2007. DFS also required the UniCredit Group to adopt an enhanced sanctions compliance program similar to the requirements of the OFAC and Federal Reserve Board settlements, including: global sanctions risk assessments, enhanced sanctions compliance policies, the establishment of a worldwide sanctions compliance reporting hotline, and increased employee training regarding sanctions compliance topics.
The DFS Consent Order requires that the annual compliance review be conducted by an independent monitor, but indicates that so long as the Federal Reserve Board permits its monitor to share information with DFS, DFS would not require a second independent monitor to be retained.
UCB AG also entered into a guilty plea and concurrent approximately $316 million fine with the DANY. UCB AG pled guilty to charges of Falsifying Business Records in the First Degree and Conspiracy in the Fifth Degree for moving hundreds of millions of dollars through banks in Manhattan on behalf of sanctioned countries and entities. Bank Austria separately entered into a joint non-prosecution agreement with DOJ and DANY and will forfeit $20 million related to the sanctioned entities transactions. UniCredit S.p.A. separately agreed to ensure that UCB AG and Bank Austria’s obligations to DOJ and DANY are fulfilled. According to DANY, the UniCredit Group investigation arose out of an earlier 2011 investigation into IRISL, which identified certain USD payment activity related to the UniCredit Group.
The UniCredit Group’s resolutions represented one of the largest penalties ever imposed on a non-U.S. financial institution for violations of U.S. economic sanctions. The UniCredit Group settlements with OFAC also include 23 compliance commitments (see Appendix A), as has been OFAC’s recent practice in its settlements with financial institutions and non-financial institutions alike. These compliance commitments are consistent with the “hallmarks of an effective compliance program” announced by Under Secretary of the Treasury for Terrorism and Financial Intelligence Sigal Mandelker in December of last year and include commitments across five topic areas: (i) management commitment, (ii) risk assessment, (iii) internal controls, (iv) testing and audit, and (v) training, and require annual certifications of compliance with these commitments over a five-year period.
These compliance commitments include numerous sanctions compliance program “best practices” and largely align with the compliance expectations of federal banking regulators, including the Federal Reserve Board. In connection with the UniCredit settlements, Under Secretary Mandelker noted that “[a]s the United States continues to enhance our sanctions programs, incorporating compliance commitments in OFAC settlement agreements is a key part of our broader strategy to ensure that the private sector implements strong and effective compliance programs that protect the U.S. financial system from abuse.” As such, financial institutions and other companies can consider this list of compliance commitments as guidance for designing and evaluating the sufficiency of their own sanctions compliance programs. Nonetheless, OFAC’s recent approach of imposing standard compliance commitments in its settlement agreements is complicated by the fact (as OFAC has repeatedly recognized) that there is no one-size-fits-all approach and that with regard to the “right” compliance program, much depends on the particular nature of a company’s business and risk profile.
Although the conduct at issue and apparent violations occurred several years ago, for non-U.S. financial institutions the settlement shows the significant risks associated with banking entities or persons designated by OFAC or other entities that they own, and in processing transactions on behalf of parties located in sanctioned jurisdictions. In particular, this penalty shows the risks associated with intrabank transfers between sanctioned persons or entities’ accounts and those of their affiliates and/or third parties that they can otherwise control. Transactions initiated from affiliate or other third party accounts do not necessarily include indicia of the involvement of a sanctioned person or entity to outside entities, and thus can be processed by U.S. correspondent banks without detection.
More broadly, this penalty shows the importance of performing diligence on the ownership structure of entities before permitting access to USD accounts. It also indicates, given the specific mention of the Iran-related shipping documents received, that OFAC and other regulators expect banks and other companies to fully review all the documentation they receive that is associated with USD transactions prior to approving or sending payment.