Last month saw the publication of a Tri-Seal Compliance Note from the U.S. Departments of the Treasury, Commerce, and Justice, reminding foreign institutions to take seriously the impacts of U.S. sanctions and export control laws on their business and operations.1
A week later, Treasury’s Office of Foreign Assets Control (OFAC) drove home the point: In its first public enforcement action of 2024, OFAC imposed a civil penalty of $3.74m on a Swiss-based global private banking group for apparent violations against multiple U.S. sanctions programs.2
For many financial institutions, OFAC sanctions screening is no novel task. OFAC’s Specially Designated National and Blocked Persons (SDN3) List is used by thousands of firms across the U.S. and around the world to screen real-time transactions and accounts.4 So where are compliance efforts falling short?
On that question, OFAC’s public enforcement actions against the financial services sector are especially enlightening. Published decisions provide valuable guidance to practitioners working on the front lines, illustrating in real-world context the types of risk mitigation measures that firms are expected to implement.
Below we look at key findings which may help inform your own approach, even if you operate outside the U.S.
The global reach of the U.S. sanctions regime
The U.S. sanctions regime has global reach, reflecting the size of the U.S. financial system and the centrality of the U.S. dollar in international trade. A significant volume of sanctions evasion activity occurs in U.S. dollars and transits U.S. bank accounts.5 In response to such threats, the U.S. has implemented robust sanctions and export controls in an effort to prevent malign actors from accessing and exploiting the U.S. financial and commercial system.
As the agency charged with administering the U.S. sanctions regime, OFAC takes an expansive view of its jurisdiction—and is vigorous in enforcing its mandate. Even beyond U.S. soil, foreign entities are expected to ensure that their activities do not cause U.S. persons to violate U.S. economic sanctions, or result in the exportation, re-exportation, sale, or supply of goods, services, or technology from the U.S. to blocked persons or sanctioned jurisdictions.
While the majority of public enforcement actions have concentrated on operators in the U.S., recent years have seen several fines imposed on foreign firms, from Switzerland to the Cayman Islands, Latvia to Monaco. It comes as no surprise then that persons outside the U.S. can and often do voluntarily adopt the same measures required for persons within the U.S., in the hopes of avoiding the (very costly) consequences of OFAC intervention.
So what can we learn from OFAC enforcement action?
KYC and geolocation data must be integrated into screening protocols A prominent theme has been the failure of financial institutions (both in and outside the U.S.) to appropriately integrate know-your-customer information and geolocation data into compliance screening protocols. In a string of cases dating back to 2020, OFAC has reiterated the importance of not only gathering but properly leveraging all available information, including geolocation data, to screen customers or transactions for a nexus to sanctioned jurisdictions. Recent examples include:
- A money services business that failed to identify that its customers were located in sanctioned jurisdictions, despite the customers having provided information to that effect upon onboarding. While screening protocols were applied to customers’ ‘country of residence’ selections from a drop-down menu, free text address fields were not captured. Similarly, identification documents issued from sanctioned jurisdictions were not screened or flagged.6
- A payments firm that redeemed prepaid digital reward cards for users who had indicated residence in a non-sanctioned jurisdiction, but whose Internet Protocol (IP) addresses were associated with Iran, Syria, Cuba, and Crimea. Even after the firm began screening IP addresses, it later discovered that prepaid cards had been redeemed for recipients whose email addresses contained top-level domains associated with sanctioned jurisdictions (for example, .sy for Syria, or .ir for Iran).7
- A virtual currency exchange that applied geolocation controls at the time of onboarding, but not with respect to subsequent transactional activity—a failure which resulted in the processing of over 800 transactions totalling over $1.6m on behalf of individuals in Iran.8
Controls should anticipate the potential for circumvention
OFAC has also highlighted the potential shortcomings of controls that rely on customer-provided information, rather than holistic information-gathering that can mitigate evasion or misrepresentation.
For one European operator, failure to properly interrogate customer-provided information resulted in payments of over $3.3m being processed on behalf of special purpose companies in a sanctioned jurisdiction. In that case, a Latvian bank relied on customer assurances that its payments instructions, which had been rejected by a U.S. correspondent bank, did not involve Crimea. Based on that representation, the bank re-routed the rejected payments to a different U.S. correspondent bank, which ultimately processed the transactions. This occurred despite the fact that the Latvian bank’s own KYC information as well as IP data supported the concerns of its correspondent bank.
As was emphasized by OFAC, reasonable efforts must be undertaken to investigate red flags, rather than relying on unsubstantiated assurances.9
Compliance should start at the top, from day one
A third recurrent issue goes to the importance of incorporating sanctions compliance into business functions at the outset, particularly for new companies and those involved in emerging technologies. This is especially so when financial services are offered to a global customer base:
- Last year, a digital asset company, a small start-up at the time of the apparent violations, was penalized for having operated its online trading and settlement platform for 16 months without a sanctions compliance program. Even after a program had been implemented, it was not applied consistently across sanctioned jurisdictions, nor to pre-existing accounts.10
- Similarly, in 2022, an online virtual currency exchange was penalized for having operated without a sanctions compliance program for nearly two years. Even after a program was implemented, the company screened only for hits against the SDN List, and not for a nexus to a sanctioned location—information which was held by the company and which, if screened, would have shown such a nexus.11
- In OFAC’s highest settlement to date, a penalty of $968m was imposed on a virtual currency exchange operating out of the Cayman Islands. Senior management knew of and permitted the presence of both U.S. and sanctioned jurisdiction users on its platform and did so knowing that the platform could (and did) match U.S. users with users from sanctioned jurisdictions. Management also took steps to undermine its own compliance function, encouraging users to circumvent the company’s own ostensible controls.12
As OFAC has emphasized, management commitment is the first pillar of an effective, risk-based compliance program, and such commitment must begin on ‘day one’, even as a company may still be establishing itself and developing its technologies and offerings.
Conclusion
Ultimately, OFAC enforcement actions reiterate the critical role to be played by financial institutions in ensuring that their activities do not cause harm to the integrity of sanctions programs and the associated policy objectives. As recent cases have demonstrated, foreign entities that avail themselves of U.S. customers, goods, technology, or services are expected to implement sanctions compliance controls commensurate with their risk profile. Failure to do so exposes your business to significant civil monetary penalties—and runs the very real risk of putting critical funds into bad actors’ hands.
Sources
1. Department of Commerce, Department of the Treasury, and Department of Justice. 2024, March 6. Tri-Seal Compliance Note: Obligations of foreign-based persons to comply with U.S. sanctions and export control laws.
2. Enforcement Release dated 14 March 2024.
3. U.S. persons are generally prohibited from dealing with individuals and companies listed on the SDN List.
4. FATF (2016), Anti-money laundering and counter-terrorist financing measures – United States, Fourth Round Mutual Evaluation Report, FATF, Paris
5. Department of the Treasury. (February 2024). National Proliferation Financing Risk Assessment.
6. OFAC Enforcement action dated 31 March 2023.
7. OFAC Enforcement action dated 6 November 2023.
8. OFAC Enforcement action dated 28 November 2022.
9. OFAC Enforcement action dated 20 June 2023.
10. OFAC Enforcement action dated 1 May 2023.
11. OFAC Enforcement action dated 11 October 2022.
12. OFAC Enforcement action dated 21 November 2023.
