What Happened:

On July 21, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued a finding of violation1 (“FOV”) against MidFirst Bank for allowing two individuals to conduct transactions even after they had been added to the OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN” list). OFAC said the bank violated the Weapons of Mass Destruction Proliferators Sanctions Regulations (“WMDPSR”) by maintaining accounts for and processing payments on behalf of the sanctioned individuals.

The Bottom Line:

The Bank’s violations arose because its sanctions screening vendor only screened the Bank’s existing customer base against the sanctions lists on a monthly basis (and not when OFAC announced new sanctions designations), thereby allowing two weeks to lapse between the designation of blocked persons who held accounts at the Bank and the Bank’s discovery of those designations. The FOV is a cautionary tale for financial institutions to ensure that their sanctions compliance programs—and sanctions screening vendors—account for regular screening of new and existing customers, particularly when the SDN List changes.

OFAC’s action emphasizes the importance of financial institutions—and, by implication, other organizations with a significant sanctions compliance risk—taking a risk-based approach when developing their sanctions compliance programs, to include with respect to the manner and frequency with which accounts and transactions are screened for potential sanctions violations.

The Full Story:

MidFirst Bank, headquartered in Oklahoma City, OK, is the largest privately-owned bank in the U.S., with assets totaling $32.1 billion.

OFAC Designations

On September 21, 2020, at 12:36 pm EDT, OFAC designated two individuals to the SDN list under the WMDPSR; both had accounts at MidFirst Bank. Within hours that same day, between 2:00 pm EDT and 5:48 pm EDT, MidFirst processed five transactions totaling $604,000 for the two blocked persons. Two of those transactions (totaling $400,000) were internal book transfers between one of the blocked person’s accounts at the Bank. Over the next two weeks, the Bank processed 29 additional transactions totaling almost $10,000 for the blocked persons.

MidFirst’s sanctions screening vendor did not notify the Bank that the blocked persons had been added to the SDN list until October 5, 2020, 14 days after their designations. MidFirst promptly blocked their accounts upon being notified.

MidFirst’s agreement with its vendor provided for periodic screening of the Bank’s customers against the sanctions lists. The vendor conducted daily screenings of any new customers and of existing customers who had certain account changes (such as name or address changes), but it only screened the entire existing customer base once a month. MidFirst apparently mistakenly believed that the vendor screened the entire customer base against additions and changes to the SDN List on a daily basis. According to OFAC’s press release, “as a result, depending on the timing of additions to the SDN List in relation to the monthly screening, MidFirst could be unaware for up to 30 days that it was maintaining an account for a blocked person.” MidFirst’s own internal screening also only occurred on a monthly basis, further compounding the gap in coverage.

As a result of the Bank’s failure to screen the entire customer base immediately upon any changes to the SDN List announced by OFAC, the two blocked persons were able to continue accessing their accounts and making transactions for almost two weeks after being designated as sanctioned.

Following this incident, MidFirst implemented a manual process to be immediately notified of any SDN List updates and to manually rescreen its entire customer base whenever those updates are announced by OFAC. Its vendor also updated the screening frequency protocols to account for sanctions list changes in real time.

OFAC’s Findings

OFAC ultimately issued only a Finding of Violation to MidFirst, without assessing any monetary penalties. OFAC considered the following factors.

OFAC found two aggravating factors during its assessment of the incident. First, MidFirst should have known that it was maintaining accounts for blocked persons and that its vendor was only screening existing customers on a monthly basis. Second, the two-week lapse in identifying the blocked persons caused harm to the objectives of the sanctions program, and could have aided asset flight.

Mitigating factors did exist, however. For instance, all violations occurred within two weeks of the designations, with 98% of the transaction volume occurring within six hours of designation. Additionally, the actual value of assets transferred out of the accounts was far less than the face value, because the largest transactions were internal book transfers within the Bank. The Bank promptly changed its screening processes as a result of the incident. Finally, it self-disclosed the incident to OFAC and fully cooperated with OFAC’s investigation.

The FOV announcement emphasized OFAC’s expectation that financial institutions should be considering and implementing the guidance outlined in OFAC’s A Framework for OFAC Compliance Commitments.2 While there is no fixed requirement for sanctions screening, OFAC is explicit that “understanding the scope and capabilities of outsourced sanctions compliance services is critical to ensuring that those services are aligned with the financial institution’s expectations for managing its self-assessed sanctions risk.”

The National Security Practice group at Hunton Andrews Kurth LLP will continue to monitor closely the development of this and other U.S. sanctions matters. Please contact us if you have any questions or would like further information regarding these new developments or other questions related to U.S. sanctions programs.

Implications for Other Types of Organizations

OFAC’s issuance of the FOV to MidFirst sends a clear message to financial institutions, and OFAC framed it as such. However, the compliance program requirements referenced by OFAC in the MidFirst FOV also apply to all other U.S. persons and entities, not just financial institutions. Accordingly, other types of businesses and organizations—particularly those with a significant sanctions compliance risk—should also carefully consider their screening policies consistent with the MidFirst FOV.