On December 16, 2009, Credit Suisse AG, a financial institution organized under the laws of Switzerland, agreed to pay $536 million in penalties to the United States and the State of New York to settle charges of violating federal and state law related to transactions with countries subject to U.S. economic sanctions. The U.S. Government and New York split the fine evenly ($268 million each). This fine significantly exceeds penalties ($350 million) imposed on January 9, 2009 against Lloyds TSB Bank plc of the United Kingdom by the U.S. Government and New York for similar conduct.
Credit Suisse waived indictment and entered into separate deferred prosecution agreements with the U.S. Department of Justice (DoJ) and District Attorney of the County of New York (DANY). Credit Suisse must comply with a variety of conditions set forth in these agreements in exchange for DoJ and DANY agreeing to dismiss the charges in two years. Credit Suisse also must comply with an Order to Cease and Desist issued by the Board of Governors of the Federal Reserve System. In addition to these settlements, on December 16, 2009 the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC), released a civil settlement agreement with Credit Suisse. This follows OFAC’s civil settlement agreement on August 24, 2009 with Australia and New Zealand Bank Group, Ltd., for $5.75 million regarding transactions (and related payment messages) with Sudan and Cuba from 2004 to 2006 that utilized similar techniques as Credit Suisse described below. OFAC has not yet published a civil settlement agreement in connection with the Lloyds TSB case.
According to a factual statement appended to the DoJ settlement agreement, Credit Suisse allegedly engaged in a systematic pattern of conduct beginning in 1995 that gave rise to apparent violations of U.S. economic sanctions regulations involving Iran, Sudan, Libya, Myanmar (Burma), and Cuba or Specially Designated Nationals (SDNs) thereof as follows.
- Credit Suisse’s office in Zurich reportedly removed, omitted, or falsified references from U.S. Dollar Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment messages to U.S. correspondent banks, including clearing banks such as the Bank of New York, regarding U.S. sanctioned countries, persons, or entities.
- This conduct included manually deleting Iranian names and references from SWIFT messages, substituting abbreviations as codes for Iranian customers to obscure the real identities of sanctioned country entities, and inserting the phrase “one of our customers” and “order of a customer” instead of the actual names of Iranian clients.
- Credit Suisse allegedly provided written procedures to internal personnel regarding how to undertake the SWIFT message protocols. Credit Suisse also promoted the protocols to clients located in Iran by furnishing specific instructions about how to format SWIFT messages that would avoid detection by OFAC “screening” software utilized by U.S. banks.
- Furthermore, Credit Suisse’s subsidiary in the United Kingdom, Credit Suisse Asset Management Limited (CSAM), allegedly used code words to: (1) signify sanctioned entities in Libya and Sudan; and (2) restrict knowledge of the clients’ identities internally and externally. CSAM managed fixed income and equity portfolios for sanctioned entities when executing trades involving U.S. securities that were transmitted through the United States. (Note that OFAC lifted sanctions against Libya in 2004.)
- Credit Suisse allegedly knew that without such alterations, amendments, and code words, OFAC screening filters at U.S. financial institutions likely would have detected that these transactions involved U.S. embargoed countries and entities, thereby allowing the U.S. financial institutions to reject or block the sanctions-related transactions and to report them to OFAC, as required by U.S. law.
- By engaging in this conduct, DoJ and DANY asserted that Credit Suisse caused personnel at U.S. financial institutions to process restricted transactions unknowingly.
- Credit Suisse voluntarily decided to cease all business with U.S.-sanctioned countries in December 2005, with the exception of relations with private banking entities in Iran, which apparently terminated in October 2007.
Credit Suisse admitted to one count of violating the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701-1706, and sections 560.203 and 560.204 of the Iranian Transactions Regulations, 31 C.F.R. Part 560, which respectively prohibit: (1) the export of goods or services by U.S. persons to Iran without authorization from OFAC, and (2) transactions within the United States that “evade or avoid,” or have the purpose of evading or avoiding, U.S. sanctions restrictions. Credit Suisse separately admitted to violations of New York State Penal Law, sections 175.05 and 175.10, which make it a crime to “with the intent to defraud . . . (i) make or cause a false entry in the business records of an enterprise . . . or (iv) prevent the making of a true entry or cause the omission thereof in the business records of an enterprise.”
The Credit Suisse enforcement action is notable in several respects:
Magnitude of the Penalty
The $536 million penalty marks the largest fine ever imposed for violations of the U.S. sanctions regulations. As in the Lloyds TSB case, the magnitude of the fine demonstrates the U.S. Government’s ability to impose substantial penalties for such violations – and these fines involve transactions that occurred before civil and criminal penalty amounts for sanctions violations were increased significantly by the U.S. Congress in 2007. The case also demonstrates that persons need to be aware of U.S. state laws that apply to international financial transactions and can lead to significant enforcement liability if violated.
Increased Effort at Enforcing U.S. Sanctions Against Non-U.S. Entities
The U.S. Government continues to aggressively enforce U.S. economic sanctions laws and regulations against non-U.S. companies, particularly foreign banks and other financial institutions that have conducted or now conduct business with sanctioned countries while also maintaining ties to the United States. This case highlights the significant risks to foreign persons and foreign financial services entities doing business with restricted countries (particularly Iran) and SDNs if some U.S. nexus exists in connection with the transaction. Such a U.S. nexus could include transmitting dollar clearing financial transactions for SDNs with institutions in the United States, processing payments related to SDNs through foreign banks that may be branches of U.S. financial institutions or may voluntarily implement U.S. sanctions requirements and OFAC screening mechanisms into their compliance structures, or knowingly relying on services provided by individual U.S. persons, wherever located in the world, to participate in or approve transactions with sanctioned countries or SDNs.
Based on the facts of this case and Lloyds TSB, foreign entities engaged in financial services should recognize the inherent U.S. enforcement risk with respect to hiding or failing to provide information about sanctioned country customers or parties to an offshore transaction that may involve the United States or U.S. persons. Specifically, theIEEPA Enhancement Act of October 2007 increased fines for any person who intentionally commits or helps others commit violations of certain U.S. sanctions laws. These amendments now make it unlawful “for a person to violate, attempt to violate, conspire to violate, or cause a violation of [US sanctions].” (emphasis added.) Furthermore, a criminal penalty can be imposed against “[a] person who willfully commits, willfully attempts to commit, or willfully conspires to commit, or aids or abets in the commission of, an unlawful act ….” (emphasis added.) These amendments provide legal authority – which did not apply to Credit Suisse or Lloyds TSB because the amendments were enacted after the apparent sanctions violations in those cases occurred – for increased civil and criminal penalties against both U.S. persons and non-U.S. persons for conduct occurring abroad, if such activity causes others to violate U.S. sanctions laws and regulations.
A range of non-U.S. companies in a variety of sectors – including non-U.S. banks, insurers, reinsurers, and various oil and gas producers and service providers – have voluntarily exited the Iran market (and other U.S.-sanctioned countries) in recent years, in some cases after coming under the scrutiny of OFAC, DoJ, and/or U.S. bank regulators. The U.S. Government’s focus on employing the extraterritorial provisions of U.S. law against non-U.S. entities to restrict overseas business with sanctioned countries is a trend that is expected to continue. For example, the U.S. Government’s focus on Iran has included proposed legislation that overwhelmingly passed the House of Representatives on December 15, 2009, the Iran Refined Petroleum Sanctions Act of 2009 (H.R. 2194), which includes a provision --subsection 3(a)(2)(b) -- intended to restrict non-U.S. underwriting or providing insurance or reinsurance services for transporting, delivery, or providing refined petroleum products to Iran. OFAC officials, building on efforts in the United Nations and European Union, are working to develop multilateral strategies so that both U.S. and foreign entities will voluntarily decide not to conduct business with certain U.S.-embargoed countries such as Iran or entities and organizations involved in supporting terrorism, weapons of mass destruction proliferation, or narco-trafficking. And increased multilateral cooperation in investigation and enforcement should be anticipated.
Voluntary Disclosure and Corrective Actions
It appears from the various Settlement Agreements that Credit Suisse submitted voluntary disclosures to OFAC in 2006 regarding apparent U.S. economic sanctions violations for securities trading activities. OFAC considered Credit Suisse’s reports to be voluntary self-disclosures under Sanctions Enforcement Guidelines published last month. However, it also appears that the DANY had independently initiated an investigation in early 2007 regarding suspicious wire transfers conducted by or for Credit Suisse. Subsequent to the launching of this investigation, Credit Suisse informed OFAC about its SWIFT payment message activities for embargoed countries connected to U.S. dollar clearing/correspondent transactions. Since DANY had already discovered substantially similar transactions, OFAC did not consider Credit Suisse’s report about the SWIFT payment transactions to be voluntarily self-disclosed.
The U.S. Government did find that Credit Suisse substantially cooperated with its investigation and that the bank initiated corrective actions in 2006 to rectify sanctions compliance deficiencies prior to any government review being launched. These actions included amending policies and procedures to establish an enhanced U.S. sanctions compliance program, introducing U.S. sanctions training and internal auditing modules, implementing sanctions screening filters on outgoing and incoming transactions, and setting up a channel to report misconduct confidentially. Credit Suisse also conducted a detailed review of all relevant transactions, and provided updates regularly to DoJ, DANY, OFAC, the Federal Reserve Bank of New York, and Swiss authorities. Finally, Credit Suisse demonstrated that it would comply with Financial Action Task Force international Anti-Money Laundering and Combating Financing of Terrorism best practices and the Wolfsberg Anti-Money Laundering Principles for Correspondent Banking.
As part of its agreement with the DoJ, Credit Suisse must undertake the following: (1) pay the total fines within five days of signing the settlement agreements; (2) provide training on U.N., U.S., and E.U. sanctions by June 30, 2010 to a number of personnel involved in U.S. Dollar payment transactions and securities trading orders, as well as all U.S. employees; (3) certify that Credit Suisse has a written policy to require use of standard bank-to-bank payment messages and system architectures by June 30, 2010; (4) maintain a database of all SWIFT payment messages from 2002 through April 30, 2007 in an electronic format for five years; and (5) abide by all orders and regulations of the Board of Governors of the Federal Reserve System. Under the agreement with DANY, Credit Suisse must provide a report within 270 days about all transactions from 2002 to 2007 that involved Specially Designated Terrorists, Specially Designated Global Terrorists, Foreign Terrorist Organizations, and proliferators of Weapons of Mass Destruction as identified by OFAC. Under the agreement with OFAC, Credit Suisse must provide OFAC with copies of all submissions to the Board of Governors.
Pursuant to the Order to Cease and Desist, Credit Suisse must submit a report to the Board of Governors and Swiss Financial Market Supervisory Authority (FINMA) regarding an enhanced global regulatory compliance program related to U.S. economic sanctions. This program must provide: (1) an assessment of U.S. law compliance risks arising from Credit Suisse’s global activities conducted outside of the United States related to OFAC sanctions concerns; (2) the adoption of policies and procedures to ensure U.S. law compliance with respect to cross-border payment process and due diligence procedures for U.S. dollar clearing and other financial services; (3) reporting procedures for known or suspected violations of U.S. sanctions laws; (4) procedures to adequately integrate U.S. law compliance with Credit Suisse’s compliance program; (5) training for employees; (6) an audit program to test compliance; and (7) an annual review by inside or outside personnel to verify the program is working effectively, addresses vulnerabilities, and detects problems when they occur. After approval of the program by the Board of Governors, Credit Suisse must promptly implement the plan and file quarterly written progress reports to the Board of Governors and FINMA detailing actions taken to promote compliance. The key point to recognize here is that Credit Suisse’s non-U.S. entities must implement U.S. law standards for transactions where some U.S. nexus exits, and at least assess OFAC-compliance risks for all cross-border transactions involving Credit Suisse’s non-U.S. entities.
Use of Deferred Prosecution Agreement
The use of deferred prosecution agreements represents the continuation of a trend seen in U.S. regulatory enforcement matters both in economic sanctions / export controls and in other contexts. Notably, the DoJ agreement provides that the DoJ can prosecute Credit Suisse, as well as its corporate parent, affiliates, and successors, in the event it is determined that Credit Suisse knowingly and willfully transmitted or approved the transmission of funds to or from OFAC-restricted terrorism and weapons proliferation parties, in violation of U.S. law, or, in the sole discretion of the United States, if there is a willful and material breach of the agreement.