By Brian D. Frey
In recently published guidance, the Department of the Treasury’s Office of Foreign Assets Control highlighted 10 common sanctions compliance pitfalls. Many of these pitfalls are particularly applicable to financial institutions, and a strong sanctions compliance program should account for these risks.
1. Lack of a formal OFAC sanctions compliance program
While OFAC regulations do not require financial institutions to maintain a formal sanctions compliance program, the agency has repeatedly highlighted the lack of formal sanctions compliance as a root cause of sanctions violations in numerous public enforcement actions. In addition, the failure to maintain a formal program is an aggravating factor in OFAC’s penalty analysis and may also be relevant to a federal prosecutor’s analysis of whether criminal intent exists.
Because financial institutions are heavily regulated and subject to periodic examinations, virtually all U.S. financial institutions maintain sanctions compliance programs that include sanctions screening for customers and transactions. However, many U.S. financial institutions do not effectively document their programs or update documentation on a periodic basis. This lack of documentation creates the risk that sanctions compliance responsibilities may be misunderstand by those within the organization or that outdated policies and procedures may result in unintended compliance gaps.
U.S. sanctions change on a nearly daily basis. In addition to implementing real-time updates to screening tools, financial institutions should periodically and formally review the changing sanctions landscape and modify sanctions compliance policies and procedures appropriately. In particular, significant changes to sanctions programs such as the reinstatement of sanctions against Iran and the recent expansion of sanctions in Venezuela require prompt risk assessments and decisions about a financial institution’s risk appetite with respect to transactions that continue to be permissible. These risk assessments and risk decisions should be documented in writing and the documents maintained in accordance with the financial institution’s document retention policies.
2. Misinterpreting, or failing to understand the applicability of, OFAC’s regulations
OFAC regulations are complex and regularly evolving. Not surprisingly then, OFAC enforcement actions commonly arise because a person or company did not understand the scope or application of sanctions. Financial institutions are particularly susceptible to the risk of misapprehension of sanctions requirements because of the unique complexities of how sanctions apply in the payments context.
Financial institution sanctions compliance programs should particularly take into account the implications of OFAC’s views of the scope of U.S. jurisdiction. U.S. sanctions do not just apply to U.S. financial institutions or U.S. branches of foreign financial institutions. Rather, U.S. jurisdiction extends to U.S. persons wherever they are located in the world, to U.S.-owned or controlled subsidiaries (in the case of Cuba and Iran sanctions), and to dealings with U.S. persons, the U.S. financial system or U.S.-origin goods or technology.
In addition, should financial institutions choose to engage in transactions implicating comprehensively sanctioned jurisdictions pursuant to general or specific licenses, they should do so in consultation with sanctions counsel. By way of example, U.S. financial institutions are currently permitted to process U.S. dollar payments related to Cuba transactions under the so-called “U-turn” general license. Application of this general license is limited, however, and financial institutions must be careful to ensure that the requirements of the license are met for each contemplated payment.
3. Facilitating transactions by non-U.S. persons
OFAC has noted that organizations with operations or subsidiaries outside of the U.S. are at particular risk of violating the prohibition against facilitation of sanctions-relevant activity by U.S. persons. OFAC interprets facilitation broadly to include activities such as authorizing or approving activity, suggesting alternative means of conducting a payment or transaction to avoid sanctions, participating in business or strategy discussions related to sanctions-relevant activity, and modifying policies or procedures to facilitate sanctions-relevant activity by non-U.S. persons. Financial institutions with global operations must be particularly vigilant to avoid unintentional facilitation.
Financial institutions based outside of the U.S. that maintain U.S. branches must be particularly cautious about facilitation should they wish to engage in sanctions-relevant activity outside of the U.S. Such financial institutions should have formal policies against facilitation and sanctions evasion and should also implement strict rules to recuse U.S. persons or U.S. branches from any sanctions-relevant activity.
4. Exporting or re-exporting U.S.-origin goods, technology or services to sanctioned persons or countries
OFAC also warns of the sanctions risks associated with export or re-export of goods to sanctioned countries or individuals. OFAC’s enforcement efforts in this respect have typically focused on companies that engage in long-term misconduct involving non-routine business practices or active concealment. Although not typically directly relevant for financial institutions, this issue is nonetheless a concern for financial institutions that have significant involvement in trade finance transactions.
International trade finance transactions carry some of the highest sanctions risk of any activities in which a financial institution can engage due the level of complexity of such transactions and the potential for shipping routes and other aspects of delivery of goods to change. OFAC and federal prosecutors are focused on financial institutions’ roles in facilitating trade transactions that result in the export or re-export of U.S.-origin goods that implicate sanctions. By supporting these transactions, financial institutions expose themselves to potentially significant liability. As such, a specialized sanctions compliance process for trade finance transactions is necessary for financial institutions that engage in significant business of this type.
5. Using the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving sanctioned persons or countries
In a clear indication that OFAC’s common pitfalls are intended to provide guidance not just to businesses in general but particularly to financial institutions, OFAC specifically notes that using the U.S. financial system for sanctions-relevant business is a common compliance failure. From a general business perspective this means that businesses should be aware of sanctions and should not use the U.S. financial system for sanctions-relevant activities unless authorized by a license. From a financial institution’s perspective, however, the issue is much broader.
OFAC’s historical enforcement actions against financial institutions have often focused on willful or reckless misconduct by financial institution employees, including stripping or otherwise manipulating payment messages and structuring payment transactions to avoid detection by screening tools. After more than a decade of major enforcement actions against financial institutions, including numerous settlements in excess of $1 billion, OFAC and federal prosecutors are increasingly focusing their investigations on broader compliance program failings within financial institutions.
In the modern age of enforcement, financial institutions can no longer avoid scrutiny by preventing active misconduct by employees. OFAC expects that financial institutions will have sophisticated compliance programs in place to detect and prevent misconduct by third-party customers and counter-parties by means of sophisticated transaction screening and deep customer due diligence. Financial institutions that maintain correspondent accounts for non-U.S. financial institutions must be particularly diligent in ensuring that they know and trust their non-U.S. counterparts to avoid sanctions exposure.
6. Sanctions screening software or filter faults
Although not a common basis for OFAC enforcement, OFAC nonetheless highlights the prevalence of sanctions screening failures as a source of risk. Virtually all U.S. financial institutions utilize sophisticated sanctions screening tools that are updated in real-time as sanctions lists change, which is critical to sanctions compliance. Even the best screening tools are not perfect, however, and financial institutions should periodically stress test their screening systems to confirm that the tools are properly calibrated to identify risks. This is particularly important for financial institutions that engage in business with jurisdictions that frequently use alternative spellings for geographic locations, such as Kuba instead of Cuba.
7. Improper due diligence on customers and clients
As OFAC recognizes, customer due diligence is one of the biggest challenges facing businesses in general. As sanctions screening tools and due diligence efforts have become more sophisticated, so too have efforts by those seeking to misuse the U.S. financial system. Customer due diligence challenges are perhaps more significant for financial institutions than for any other industry.
Given their obligations under the Bank Secrecy Act, financial institutions should have policies and procedures in place to conduct initial customer due diligence as well as ongoing due diligence. Moreover, financial institutions with higher risk customer populations or transaction types such as significant cross-border payments should consider supplementing traditional means of conducting customer due diligence with one or more of the cutting-edge due diligence services that have recently become available. These services can offer deep dives into ownership structure and related companies to give a financial institution a more sophisticated understanding of its customer base and transaction counterparties.
8. Decentralized compliance functions and inconsistent application of a sanctions compliance program
OFAC stresses the importance of maintaining a centralized, well-structured sanctions compliance hierarchy. Although the precise structure of a program will depend on a financial institution’s footprint and risk profile, sanctions compliance and decision-making should be centralized in a sanctions compliance group with a clear reporting hierarchy. Moreover, this group should be insulated from business personnel to avoid undue influence on compliance decisions or even the appearance of such influence. A strong sanctions compliance structure will typically provide the group with a direct reporting line to the chief compliance officer or the general counsel. The sanctions compliance program should also be stress-tested periodically by the financial institution’s audit function.
9. Using non-standard payment or commercial practices
OFAC notes that U.S. businesses are in the best position to determine whether a particular transaction is consistent with normal industry practices. Throughout the history of OFAC enforcement against financial institutions, non-standard payment transactions have been a prime source of violations and resulting liability. From manipulating payment messages to obfuscating payments using back-to-back payment transactions, sanctions violators have invented new and creative means of circumventing traditional sanctions compliance controls.
Financial institutions should already be accounting for these well-known types of non-standard payment practices as a part of their compliance programs. More broadly, however, financial institutions and particularly their business personnel should be cautious about any proposed non-traditional payment method. Business personnel should understand the sanctions risks that such payment methods can raise and should be instructed to obtain review and approval of any such methods before agreeing to permit a client to utilize them. In a world in which payments are becoming increasingly standardized, any request for a non-standard payment transaction is a red flag that requires enhanced scrutiny.
10. Individuals intentionally circumventing sanctions compliance programs
The risk of individual bad actors within an organization circumventing an otherwise effective sanctions compliance program is ever-present. Financial institutions can seek to minimize this risk in several ways. Adequate training on sanctions issues, including the potential for individual civil and criminal liability, is critical. In addition, financial institutions should consider whether their compensation structures or other incentives are structured in a way that would potentially motivate an employee to circumvent compliance requirements. Finally, a strong, formal compliance reporting structure with available means of anonymous reporting can help prevent misconduct.
Brian Frey is a partner with Alston and Bird and member of the firm’s international trade and regulatory team. A former federal prosecutor for the Department of Justice, Frey focuses his practice on representing financial institutions, major corporations and individuals in white collar investigations involving a range of criminal and civil laws, including U.S. sanctions laws, U.S. export controls, anti-money laundering laws, and the Foreign Corrupt Practices Act.