Navigating sanctions is akin to traversing a turbulent sea. Banks – at their inception, or in the form of disruptor entities – can set off as swift sailboats, nimble enough to negotiate (or not be touched by) the interface with U.S. regulators unless they get hit by a "rogue" wave that topples them over (e.g., if they process transactions without realizing they trigger U.S. sanctions). Meanwhile, global institutions and household names are like tankers and liners – behemoths anchored by complex compliance structures, sensitive to the multitude of shifting risks when transacting but less likely to be surprised by a rogue wave. Quick to escalate actions, and with a broad reach, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) is the primary administrator of laws, and enforcer of economic sanctions to protect U.S. foreign and national security goals.
Why do sanctions matter? This is not hypothetical. Financial institutions have to be particularly careful to make sure they are not indirectly clearing U.S. dollars for sanctioned entities, their subsidiaries, or as part of sanctioned country trade (even if the sender and recipient are not sanctioned), and in the process, exposing the bank to violations which carry strict liability penalties. Even if financial institutions process only transactions with no U.S. nexus, there is an increasing use of extraterritorial (so called secondary) U.S. sanctions that can create exposure for non-U.S. financial institutions.
Banks are continually racked by the consequences of sanctions noncompliance, and with each form of punishment and publicity, we highlight recent worldwide developments. In this article, we demonstrate the directionality of this enforcement – sanctions are not going away; and what financial institutions practically and accessibly can do to shield their systems from sanctions noncompliance. Fines and criminal penalties
- A civil fine for a violation of an OFAC sanction is now punishable by a fine totalling the larger of either US$295,141 (adjusted for inflation periodically) or twice the transaction amount (whichever is greater); and for wilful violations, a criminal fine can also be imposed of US$1 million and a maximum jail sentence of 20 years for an individual person involved.
- Most recently, in November 2018, a US$1.3 billion fine was imposed on a French bank, as a penalty and part of a deferred prosecution agreement (DPA) for violations of U.S. sanctions. The significant proportion of these violations stem from transactions in Cuba and Iran, and a lesser extent Sudan and Libya.
- Only a few months prior, a British banking and financial institution were thrust back into the tempest – facing a US$1.5 billion fine over continued shortcomings with its sanctions compliance program since its DPA and a fine of US$667 million in 2012. This DPA has been extended four times in 2014, 2017, and 2018 following further detections of suspicions transactions.
- These are significant sums, but paltry penalties compared to another French headquartered financial institution's circa US$9 billion settlement in 2015 – compromised predominantly of disgorgement – still the record for sanctions breaches for conduct relating to Sudan, Cuba, and Iran.
- In January 2019, the UK's Office of Financial Sanctions Implementation (OFSI) flexed its muscles with its first monetary penalty. Issuing a penalty of £5,000 (reduced by 50 percent in line with disclosure and co-operation) to Raphael's Bank, OFSI penalized the bank for handling just £200 of funds of an Egyptian designated person.
- The decision offers little detailed insight into broad enforcement; similarities to the R v. Skansen case; the first concerning "adequate procedures" under the UK Bribery Act are uncanny; see our commentary on that decision here. But this first decision of enforcement underlines the importance of comprehensive systems and controls as part of a compliance framework.
- When not targeting jurisdictions or territories, OFAC can target organizations or individuals. Designation on these lists can block or freeze property, bar access to the U.S. financial system and U.S. goods, technology, and services.
- We forecast, akin to the Yates Memo, regulators are also likely to become interested in noncompliant individuals within financial institutions, who aid and abet the flouting of sanctions.
- There are already reports of potential individual penalties in high-profile sanction enforcement cases.
- These rumours would be a rare instance of individual bankers being prosecuted over sanctions abuses though Halkbank (the fifth-largest listed Turkish bank by assets) would argue to the contrary. In mid-2017, shares of Halkbank sank by at least 16 percent after U.S. prosecutors charged their senior executive Mehmet Hakan Atilla with plotting to evade Iranian sanctions and launder over a billion dollars in oil revenue through the U.S. financial system. Last year, Atilla was shunned into prison to serve 32 months for his role. This is an enforcement trend to monitor.
- In Southeast Asia for example, and Singapore in particular, monetary authorities have utilized prohibition orders against individuals for noncompliance and barring individuals from financial advisory advice.
- Dealings with OFAC-designated parties such as Specially Designated Nationals (SDNs) or transactions involving behaviour targeted by Iran, Syria, Russia, North Korea, or Venezuela related sanctions can create exposure to adverse action by the U.S. government even if a non-U.S. financial institution processes non-U.S. dollars transactions and the activity has no other U.S. nexus.
- Depending on the secondary sanctions at issue, restrictions that can be imposed on financial institutions include either SDN designation of the institution itself or imposition of less draconian measures that could still have a meaningful impact (e.g. cutting the institution off from clearing any U.S. dollars trade, prohibiting access to U.S. loans over US$10 million, prohibiting entry to the United States of the institutions' officers etc.).
- Sanctions reporting in the headlines or the swirl of rumours hits financial institutions' (and other businesses) bottom line.
- Major institutions have suffered share plummets and recoveries based on the status of an investigation with the share price in one financial institution dropping 40 percent over four years as a result of various noncompliant actions; and a recent Russian extractive industrial's share price jumping 17 percent following a sanctions reprieve.
Intangible penalties include:
- lack of access to U.S. and EU hardware, software, and technology;
- loss of business opportunities; and
- burdensome monitorship and audit requirements.
The trend involving use of secondary sanctions started under the Obama administration (particularly with respect to Iran) but, sanctions have become weaponized under the Trump administration. Due to new legislation in the last two years and executive action, secondary sanctions provide OFAC and State Department the necessary authority to impose restrictions on foreign parties acting outside the U.S. jurisdiction. Even with respect to primary U.S. sanctions, OFAC have noticeably become increasingly aggressive in asserting jurisdiction over non-U.S. entities and individuals when an activity has a U.S. nexus; and international banks are facing an increasing level of scrutiny as a result. The start of 2019 marked Secretary Mnuchin's targeting of individuals connected to Venezuela's currency exchange network which has allegedly siphoned off billions. Concealing these ill-gotten gains in U.S. and EU bank accounts, U.S. prosecutors continue to interrogate the financial system for misconduct.
OFAC have too pinpointed Southeast Asia as a region ripe for enforcement. In August 2018 Iranian nationals living in Singapore had their Oversea-Chinese Banking Corporation (OCBC) bank accounts cancelled. While no official explanation was given, these cancellations were reported to be linked the U.S. re-imposing sanctions on Iran. Financial institutions' geographical proximity in the region to North Korea piques U.S. regulators interest; U.S. Treasury officials met with South Korean banks and the South Korean Financial Supervisory governor last autumn emphasizing the need for continued sanctions compliance. We continue to assist Southeast Asian businesses and financial institutions with the real risks in this regard.
Sentinels of the vault - What can banks do to protect themselves?
We suggest there are three elements to broadly consider: Understanding; protecting; reporting; and future-proofing, tailored and bespoke to the operations of that particular bank.
Understanding Who are your customers?
- Does the transaction involve any restricted parties?
- What do you know about them?
- What is their – the customer's – business?
Where are they transacting?
- Does the transaction involve parties in a sanctioned country or trade involving goods originating from or destined to such country, even if both parties to the trade are outside the sanctioned country?
- Comprehensive OFAC restrictions exist for Cuba, Iran, North Korea, Syria, and the Crimea region, but each jurisdiction may have its own list of other jurisdictions, individuals, and entities, which are constantly updated.
Simply, these above questions should be the hull of any compliance risk assessment from on boarding and beyond.
What is your – the bank's - business?
- OFAC highlights that international wire transfers, high-net-worth individuals, trade finance are particularly high risk areas.
Any other red flags
- A holistic approach to compliance would also consider the proximate risks of money laundering, terrorist financing, bribery, and corruption.
- As appropriate, financial institutions would be recommended to implement software to screen on boarding, the transactional relationship, and as frequently as necessary, with the underpinning technology updated constantly.
- Furthermore, a confidential incident response system which assesses, responds, and actions remedies are paramount.
Staffing and controls
- A compliance officer must be introduced, with a suitably sized function.
- Staff must be supported with adequate authority and resources to implement controls.
Paper and practical policies tailored to the institution's business
- Risk-based approaches must be implemented when contemplating encountering OFAC and compliance issues.
Storytelling and training
- Mastercard have received rave reviews for their compliance training engaging drama and biographies of violations.
- We recommend that engagement with the bank's employees is interesting, memorable and, in bitesize chunks so paper policies and annual checks have real-world relatability.
Controls again and audit
- At least annually, banks should conduct audits.
Reporting and future-proofing
- Financial institutions – both for traditional and virtual currencies – must report all blockings within 10 days of occurrence to OFAC when the activity takes place in the United States or the blocked property is within the possession or control of a U.S. person (e.g., if a SAE bank has a U.S. dollar funds transfer that clears through its New York branch, such transfer has to be blocked and reported to OFAC if an SDN is involved, among other triggers for such action).
- Internal reporting chains to flag noncompliant behaviour; open dialogue between employees is essential.
- OFAC treat virtual currency and other non-fiat currencies with the same obligations as traditional currencies and they have recently pursued digital currency exchangers and attributed digital wallet addresses.
- Stress testing and updating compliance software, awareness, and systems. Especially as clients' businesses may evolve too.
Cookie cutter compliance won't cut it. Banks can launch the above steps as initial adoption to avoid the clear hazards when either knowingly or unknowingly dealing with a sanctioned jurisdiction, entity, or individual.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.