Continuing a trend that has been developing for a few years, headlines were again captured this summer by allegations of U.S. sanctions violations and related money laundering against well-known financial institutions. Most notably, on June 12, 2012, the U.S. Department of the Treasury’s Office of Foreign Assets Control ("OFAC") announced that it had reached a $619 million settlement with ING Bank N.V. ("ING") relating to potential liability under various U.S. sanctions against Burma (Myanmar), Cuba, Iran, Libya, and Sudan.1 The settlement was the largest in a string of enforcement actions relating to financial institutions’ compliance with U.S. sanctions.
Just this summer, in addition to the ING settlement, we have seen the release of a Congressional report detailing allegations of money laundering and OFAC sanctions violations by a prominent financial institution, and the aggressive enforcement of sanctions-related allegations by New York’s Department of Financial Services against one of the world’s largest financial institutions. OFAC cases will continue to capture the attention of U.S. and foreign regulators and will have a significant impact on the stakeholders of financial institutions for many years to come. With more than $2 billion in penalties during the past few years and no sign of slowing down, this issue is too big to ignore.
OFAC administers and enforces economic sanctions against targeted foreign countries, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other perceived threats to the national security, foreign policy, or economy of the United States. The sanctions prohibit or restrict U.S. persons from engaging in transactions involving certain countries, groups, and individuals.
OFAC currently administers comprehensive economic sanctions against Cuba, Iran, Sudan, and Syria. OFAC also administers more limited sanctions targeted at current or former governments, persons or entities linked to the Western Balkans, Belarus, Burma (Myanmar), Cote d’Ivoire (Ivory Coast), Democratic Republic of the Congo, Libya, North Korea, Somalia, and Zimbabwe, as well as limited sanctions related to Iraq and Lebanon. In addition, OFAC administers targeted sanctions against certain specified narcotics traffickers, terrorists, and weapons proliferators, and prohibits U.S. persons from engaging in transactions with any individual or entity listed on OFAC’s List of Specially Designated Nationals and Blocked Persons (the "SDN List").2
The sanctions limit the ability of U.S. persons to engage in transactions. A "U.S. person" is a "United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States." See, e.g., 31 CFR § 538.315. Each sanction regime is different, however, and the prohibitions contained therein are distinct. For example, the Cuban sanctions prohibit transactions of U.S. persons, as well as their foreign subsidiaries. In comparison, until very recently, the Iranian sanctions did not prohibit transactions by foreign subsidiaries3 of U.S. companies, and the Sudan and Syria sanctions programs generally still do not apply to foreign subsidiaries of U.S. companies.4
The fines for violations of OFAC sanctions can be substantial. Depending on the program, criminal penalties can include fines ranging from $50,000 to $10 million per violation, and imprisonment ranging from 10 to 30 years for willful violations. Depending on the program, civil penalties range from $250,000 or twice the amount of each underlying transaction, to $1,075,000 for each violation.
OFAC Enforcement against Banks and Financial Institutions
OFAC’s enforcement priority has been squarely focused on financial institutions for a number of years. The recent cases often relate to the removal of material information from wire transfers (so-called "stripping"), insufficient diligence with regard to letters of credit, transactions involving blocked property, and investments in funds owned or operated by SDNs. These OFAC violations are often paired with allegations of money laundering or violations of other financial regulatory requirements, such as the Bank Secrecy Act.
While most of the recent published cases have been directed at European-based, global financial institutions, recent penalties have also been assessed against a small community bank5 and a domestic investment management firm.6 Historically, there have been a number of OFAC enforcement actions involving community and regional financial institutions. The published cases indicate a series of OFAC enforcements in the early 2000s against domestic regional and community banks and financial institutions for allegations largely relating to funds transfers and operation of accounts for sanctioned persons. Also, there have been numerous unpublished voluntary disclosures, subpoenas, and investigations that have affected community and regional financial institutions.
There have also been recent enforcement actions in activities that are commonly considered to be low-risk for sanctions violations, such as purely domestic or local activity. For instance, a Dallas homeowners association was penalized earlier this year for reimbursing itself for past assessments and late fees from the sale of property in which an SDN had an interest.7 More recently, OFAC has settled an enforcement action with Great Western Malting Co. where liability was based solely on the back-office support that Great Western’s U.S.-based employees provided for a foreign affiliate’s sales to Cuba.8
What Do These Cases Mean for You?
Community and regional banks will be expected to understand the types of issues that led to the violations in these cases, and to ensure that their existing compliance programs are designed to minimize associated risks. In many of the enforcement actions, OFAC found management indifference or involvement, weak internal controls, widely used "work-arounds" to avoid delays (circumvent U.S. bank filters), and the failure of bank employees to respond to "red flags." In many cases, the financial institutions had compliance programs, but the programs were "stale," not fully implemented, or otherwise ineffective.
Community and regional banks and financial institutions should be periodically considering a few key questions:
- OFAC Risk Assessment – Do we understand where our risks exist? Have we considered how those risks have changed over time? Have we reviewed current risks or are our assessments based on risks at the time we implemented our compliance program?
- Industry Benchmarking – The "stripping" cases certainly stand for the proposition that widespread industry practice is no excuse, but it is still important to understand where we fit in relation to peer institutions. Do we know what our competitors are doing to ensure compliance? Do we know what the market leaders are doing? Have we adopted an approach that is consistent with industry leaders? Are there ways we can improve efficiency without decreasing controls?
- Blocked/Rejected Transactions – As OFAC has said, "If your bank does not block and report a transfer and another bank does, then your bank is in trouble." Do we have a system in place for ensuring that blocked transactions are timely reported? Do we audit our systems to ensure that they are working properly? Do we have a clear reporting chain within our organization to ensure that appropriate personnel are notified? Do we have gaps in our program? Is an override possible? If so, who has the ability to override and are they properly trained?
- Software Filtering – Most banks have software solutions that provide filtering for SDNs and other persons who may be prohibited or blocked under U.S. law. Do we have a solution? Do we have gaps in our solution like the gap noted in the Trans Pacific settlement? Are there any gaps in implementation? Do we have a rationale basis for setting filters at different sensitivity settings? Who is reviewing screening hits? Are they adequately trained? Do they have a defined process for resolving screening hits? Can we make this process more efficient?
- Compliance Program – Are responsibilities clearly delineated in our compliance program? Are personnel adequately trained? Are employees bogged down with the existing program – can we make it work better? Does our program have manual and electronic elements? Have we evaluated the sufficiency of our program in the past five years? Ten years? Are we relying on a program that was implemented when we first learned of these issues? Have changes in the financial reporting requirements and sanctions been implemented?
- Policies and Procedures – Do we have written policies and procedures? Are they current? Is anyone using them? Where are they stored, how are they communicated, and who needs them? Do we have processes for ensuring compliance with vendors and partners? Have we audited compliance with the procedures and policies? Do we have a clear policy (and a clear management commitment) to compliance with the sanctions?
- Training – Are responsible personnel attending training? Have business leaders and management been briefed on requirements? How widespread should training be? How often should training occur? How is information about changes in the law shared with personnel?
- Auditing – Are we auditing for OFAC compliance and effectiveness of our OFAC compliance program? Do we need internal or external auditing? Have our internal auditing departments uncovered past noncompliance? What have we done to address this and have we considered a voluntary disclosure?
These questions and many more should be periodically answered to ensure that all financial institutions have an appropriately tailored, risk-based approach to compliance with the sanctions.
OFAC’s continued enforcement focus on financial institutions and its demonstrated willingness to second-guess risk-based compliance approaches (such as in OFAC’s enforcement against GEICO9) requires financial institutions of all sizes and scope to continue to monitor developments in the law, and changes in industry practices, and to approach OFAC issues with great care. As the requirements under the sanctions administered by OFAC have changed over time and have become more intertwined with other financial services regulations, the risks associated with an OFAC violation have increased considerably. Indeed, companies alleged to have violated the sanctions are now often left facing enforcement prosecutions and investigations by various federal agencies (OFAC, SEC, DOJ), state and local officials, and foreign governments. The questions above should help you focus your attention on where your compliance program may have shortcomings or gaps.