The Office of Foreign Assets Control (OFAC) closely monitors potential infractions arising from inadequate internal compliance systems and staff negligence.
To underline the point, OFAC recently cited three banks for denied party screening and sanctions compliance violations after they revealed that regulatory breaches had occurred.
Banks (and businesses in general) must conduct OFAC sanctions searches diligently to ensure OFAC compliance. It cannot be stressed enough, though, that there are additional lists to screen against, maintained by other government departments (State and Commerce), foreign jurisdictions (the United Kingdom and the European Union, to name a few), and international bodies (the United Nations and central banks, among others). Financial institutions can avoid incidents like those described below by focusing on their internal compliance systems and processes.
In this post, we’ll explore why these three banks were cited, what lessons can be learned, and provide insights into how banks can improve their approach to OFAC compliance.
Misalignment Between an Organization and Its Screening Vendor Resulted in an OFAC Sanctions Violation
In July 2022, OFAC issued sanctions for the violation of the Weapons of Mass Destruction Proliferators Sanctions Regulations (WMDPSR), after a bank reportedly provided services to two individuals on OFAC’s List of Specially Designated Nationals (SDN) and Blocked Persons.
What Happened?
The organization had a third-party sanctions screening vendor to protect against OFAC compliance violations; however, it erroneously assumed the vendor screened all its clients against OFAC sanctions lists on a daily basis. In actuality, the OFAC sanctions search was performed on the entire customer base only once a month, while the daily denied party screenings were performed only on new customers and those with recent account changes.
This insufficient screening frequency means that, depending on when parties are added to the OFAC SDN list, it could take the bank up to a month to identify a restricted party within its network. In this instance, the blocked parties maintained their accounts with the bank and continued to carry out transactions for up to two weeks after OFAC had added them to its sanctions list.
What Was the OFAC Penalty, and How Did the Organization Respond?
The lapse in OFAC compliance stemming from the bank’s inability to dynamically screen against changes to the OFAC sanctions list resulted in a Finding of Violation (FOV) from OFAC. Such a ruling implies that banks must take a risk-based approach to sanctions compliance, ensuring the robustness of their system on an end-to-end basis. If a bank outsources its compliance function (as this one did), it must verify that the denied party screening capabilities sufficiently align with its compliance risk exposure.
The bank’s response was to increase the frequency of its OFAC sanctions search and institute new manual processes for going through the entire list of clients after any changes are made to the OFAC sanctions list. In issuing the Finding of Violation, which carries no monetary penalty, OFAC considered the bank’s remediation actions, its transparency with the agency, and other mitigating factors.
Repeated Human Negligence Resulted in a $430,500 OFAC Compliance Violation Fine
OFAC settled with a major payment services provider in July 2022 for 214 apparent violations of its Foreign Narcotics Kingpin Sanctions Regulations (FNKSR). This occurred when a supplemental card was issued on a U.S. citizen’s account to a foreign individual involved in illegal drug distribution and money laundering.
This foreign individual, who was on the SDN List, successfully applied for and obtained a supplemental card under the same account as a domestic citizen, a fact that may have obscured the violation from the payment services provider.
How Did These OFAC Compliance Violations Occur?
The organization’s compliance program failed to properly identify and suspend services to the restricted party due to human error and an inadequate screening platform. Multiple mistakes occurred prior to this OFAC ruling:
- The first mistake happened when a “high confidence” alert generated by the company’s denied party screening system was incorrectly closed by an internal analyst. This action stopped the mandatory second-level review of high-risk matches from being initiated, thus permitting transactions to go through the system.
- The next mistake happened after another analyst correctly flagged and suspended the account but did not disclose that the suspension was due to OFAC compliance sanctions. When the U.S. account owner called to inquire about the status of the account, the customer service representative removed the suspension, believing it was unimportant. This error was spotted the following day. In a second attempt to suspend the account, an employee issued the wrong suspension code, which resulted in even more illegal transactions going through the account before it was finally closed.
What Was the OFAC Penalty, and How Did the Company Respond?
The statutory maximum monetary penalty applicable to a violation of this nature is $331 million. However, in deciding on the final settlement of $430,500, OFAC considered the sum of the transactions, the level of cooperation provided by the organization, and the remedial measures taken to prevent future occurrences.
The bank responded to this civil liability settlement by implementing various enhancements to its compliance policies. To address the failed suspensions, it centralized controls over account suspensions in general to protect against negligence and mistakes. It also prevented accidental override of any sanctions-related suspension and trained its staff to identify future compliance risks and to adequately treat OFAC sanctions search results.
A Monetary Penalty of a Quarter Million Applied for Venezuela Sanctions Violation
OFAC recently executed an enforcement action against a bank in Puerto Rico for maintaining bank accounts for two Government of Venezuela employees in apparent violation of its Venezuela sanctions regime. The U.S. government’s Executive Order 13884 (E.O. 13884), which was issued on August 5, 2019, prohibits the provision of services to “any persons, owned or controlled, directly or indirectly by the government of Venezuela”.
How Did These OFAC Compliance Violations Occur?
The bank was slow to implement appropriate changes in its compliance program in order to flag potential violations related to this new sanction. Over a period of 14 months, the bank processed 337 transactions totaling $853,126 on behalf of these restricted parties. This incident is another case of a company acting too late.
What Was the OFAC Penalty, and How Did the Company Respond?
In determining the settlement amount, OFAC weighed the fact that the bank had the documentation showing that the two individuals were Venezuelan government employees but was slow to identify them, against the multiple steps taken by the bank to remedy its mistakes, such as enhancing training on sanctions list screening, implementing new policies for its compliance due diligence, and hiring new staff specifically for OFAC sanctions search responsibilities.
The final monetary penalty of $255,937.86 to be remitted by the bank reflects the consideration OFAC gave to both the aggravating and the mitigating factors; the maximum applicable fine is $105 million.
What Does This Mean for Other Banks and Institutions?
These three incidents demonstrate the importance of financial institutions, and organizations in general, implementing efficient and resilient compliance screening programs, not only for the OFAC sanctions list but also to meet the obligations of the many regulations currently in place, such as Sarbanes-Oxley compliance. The key lessons to learn and implement include:
- Frequent Automated Screening: The cases we examined show that, in addition to having accurate sanctions lists to search against, sanctions compliance requires speed and denied party screening that is as close to real time as possible. This is a pace that manually driven compliance processes cannot match. It is therefore necessary for banks and other organizations to rely on innovative software tools with the ability to perform rapid, frequent sanctions searches daily and whenever changes to denied party lists occur.
- Regular Audits and Updates to Compliance Programs: Organizations are encouraged to take a risk-based approach to their compliance function. While most have compliance policies already, the systems in place may have deficiencies, especially as businesses grow and regulatory activity continues its volatile trend. As denied party lists change and OFAC sanctions search evolves, regular audits of the compliance processes in place are necessary to identify lapses.
- Understand the Scope and Competencies of Your Compliance Software: Whether you are building an in-house compliance program or relying on third-party vendors, there is no room for assumptions or misinterpretation. Organizations should have a clearly mapped out understanding of their business priorities and risk profiles, so they can choose a provider or platform that aligns with them.
- Continuous Training of Compliance Personnel: The compliance landscape is rapidly shifting, with ever-changing regulations and bad actors. Staff will need periodic education on compliance functionality, as well as resources to minimize human error, boost expertise, and stay ahead of the curve.
- Minimize Severity of Fines and Penalties: Mistakes can still happen, regardless of the compliance risk controls you have in place. However, as demonstrated in the examples highlighted, OFAC enforcement action can be less severe if you are able to demonstrate strong due diligence efforts, such as having high-performing sanctions screening software in place along with a self-disclosure mechanism for when you notice a violation. OFAC decides on penalties partly based on what it calls aggravating and mitigating factors. Showing a good track record with good compliance processes in place will likely lower your potential fine or sanction.
How Visual Compliance Can Help
For organizations to keep up with an ever-changing and risk-laden compliance landscape, they must look to software solutions for their denied party screening needs. Manual efforts create plenty of opportunity for human error and are simply too slow to keep up with the current pace of compliance risks.
Descartes Visual Compliance is a leading provider of sanctions screening solutions, including automated and dynamic denied party screening, export compliance, and other third-party risk management solutions.