Last week, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced the issuance of a Finding of Violation (“FOV”) to State Street Bank and Trust Company (“State Street”) for violations of the Iranian Transactions and Sanctions Regulations (“ITSR”), also known the Iran trade embargo. According to OFAC, State Street processed 45 transactions over a three and a half year period related to pension payments made to a U.S. bank account held by a U.S. citizen who is now ordinarily resident in Iran. The total amount of those payments was $11,365.44.

On its face this looked like a case of over enforcement. After all, we’re talking about payments of approximately $252.57 each going to a retired U.S. citizen and it appears that none of those funds left the U.S. Is that worth an OFAC enforcement action? In the agency’s view yes, it is, but not for the conduct itself; rather it was an inadequacy in State Street’s compliance program that was–in my opinion–what led to the FOV.

First, I would note that if OFAC really saw the conduct as serious enough to warrant a penalty they could have issued a civil penalty. They did not, however, and I believe that is due to their recognition that it would be silly to impose a monetary penalty–an FOV is just the public announcement of a finding, with no financial penalty attached to it–to a financial institution for the type of conduct underlying the ITSR violations.

Second, I believe what really motivated the FOV was the fact that the conduct revealed the decentralization of State Street’s sanctions compliance program. De-centralization of a sanctions compliance program–where different business units are responsible for screening and compliance decisions–is something that was identified by OFAC in its recent Framework for Compliance Commitments as being a common cause of violations. It’s also an aspect of sanctions compliance that regulators beyond OFAC–i.e., The Federal Reserve Bank Board of Governors and The New York Department of Financial Services (“DFS”)–increasingly view as an inadequacy in a compliance program.

OFAC’s web notice announcing the FOV pointed out that the State Street personnel overseeing the beneficiary payments were part of the business unit that had the relationship with the retirement plan making the payments, and that the business unit utilized their own sanctions screening filter instead of State Street’s centralized sanctions screening system. In addition, that unit’s escalation procedures directed referrals of possible sanctions list matches to compliance personnel aligned with that business line, who were not themselves sanctions specialists, as opposed to State Street’s central Sanctions Compliance unit staff who have specialized sanctions expertise. Thus, business-aligned compliance personnel were responsible for manually reviewing potential matches and approving the processing of the payments, as opposed to independent compliance personnel focused on sanctions specific compliance issues.

In determining that the FOV was appropriate, OFAC considered, amongst other factors, that 1) State Street had escalation and review procedures for sanctions-related alerts that failed to lead to correct decisions on 45 occasions; and 2) that State Street’s screening issues continued for a year after the Federal Reserve Bank of Boston notified the bank of a related issue pertaining to inadequate escalation procedures.

FOV’s are rare. Thus, when they happen, there is a specific reason behind it. I believe the reason is that traditionally OFAC only punishes violations on a transactional basis–as this is what their legal authority permits–as opposed to other regulators who can impose penalties for perceived deficiencies in a compliance program. While OFAC still does not have that authority, this FOV coupled with last month’s Framework for Compliance Commitments maybe a sign of things to come and demonstrate that OFAC is looking to align its practices closer to those of other regulators. I believe this will lead to further enforcement actions that OFAC would have traditionally closed out with a No Action or Cautionary Letter, and that the reasons underlying those actions will be due to failure to align compliance policies and procedures to the Framework and OFAC’s overall expectations, rather than the seriousness of the violation that occurred.

So what can financial institutions do with this information? First, there are three lessons to be drawn from this specific enforcement action:

  1. Screen transactions through a centralized screening system;
  2. Centralize escalation procedures, and ensure that specific business lines are not responsible for making decisions on alerts that originate under them; and
  3. Ensure that those to whom alerts are being escalated have sanctions specific experience.

Second, keep an eye on OFAC enforcement actions, read them closely to identify what led to the action, and then identify whether your institution is doing the same. If so, fix it immediately. Also, if you see an institution get credit for something that your institution is not doing, then look into augmenting your institution’s compliance practices so they align with what OFAC has provided credit to others for doing in prior cases.

OFAC enforcement has changed quite a bit over the past six months. Following the rules outlined above will help your institution navigate this new terrain and avoid having their name appear in the next FOV or worse.

One final interesting insight to come of this FOV is that OFAC acknowledged that the conduct at issue–making pension payments to a U.S. account held on behalf of a U.S. citizen that is ordinarily resident in Iran, may be eligible for specific licensing. That’s not necessarily germane to the discussion of this post, however, I thought it might be useful for the sanction practitioners reading this.