Trade Sanction Enforcement on the Rise

As the U.S government considers more trade sanctions against Russia for its actions during the crisis in Ukraine and its annexation of Crimea, companies that do business there are dusting off trade sanction policies.

Others, realizing how quickly a crisis can occur, leading to new trade sanctions, are also ensuring that they have the proper systems in place to comply with trade sanction orders. 

The Office of Foreign Assets Controls, which is part of the Treasury Department and is responsible for administering and enforcing violations of economic and trade sanctions, has aggressively pursued companies for violations.

With more sanctions potentially coming in addition to those already in place against business and individuals in Russia, Syria, Iran, North Korea, and other countries, enforcement actions are likely to rise. In 2013, OFAC brought 27 enforcement actions, compared to 16 in 2012. “The aggressive enforcement environment will definitely continue, and judging by some of the results that OFAC has obtained in various settlements, it very well could be that the numbers may even increase,” says Melvin Schwechter, a partner with law firm BakerHostetler.

Consider these high-dollar settlements:  ING Bank, $619 million; Credit Suisse, $536 million; HSBC Holdings, $375 million; Lloyd Bank, $217 million; Standard Chartered, $132 million; Barlclays, $172 million. “The hits just keep on coming,” says Schwechter.

In many of these cases, the violations involved processing transactions through the United States on behalf of customers from embargoed countries, or those on the Specially Designated Nationals list. In some cases, these violations occurred because companies didn't have effective compliance controls in place to detect violations, while in other cases “senior management was either reckless in allowing the transactions to go forward or, in some cases, were even involved in them,” says Schwechter.

While financial services are especially prone to trade sanction violations, it is not the only industry that OFAC is focusing on.  “Every industry with a global reach faces risk of sanctions violations,” says Jason Waite, a partner with the law firm Alston & Bird.

The most common violations involve transaction and business dealings with Iran, Sudan, and Cuba. “Those are your top three,” says Keith Monson, vice president of application compliance for technology solutions provider CSI. Other high-risk countries where the United States has in place economic and trade sanctions include North Korea, Syria, Burma, and others.

Heightened Compliance Expectations

It's not the massive, headline-grabbing civil monetary penalties, however, that companies should be paying attention to; it's the heightened compliance expectations that lurk quietly under the radar.

The big million dollar OFAC civil penalties that make headlines are the ones that companies tend to focus on the most, says Serena Moe, counsel at law firm Wiley Rein and former deputy chief counsel at OFAC. Yet, it's with the smaller enforcement actions brought against banks during the last two years where OFAC has really been “sending a message to banks about how they need to fine-tune their compliance programs, or face consequences,” she says.

In December, for example, OFAC reached a $32,400 settlement with HSBC USA to resolve claims that it violated global terrorism sanction regulations by processing a handful of transfers that may have put money into the hands of a designated terrorist. OFAC determined that the “apparent violations constituted a non-egregious act” and “were not the result of willful or reckless conduct.”

“For companies that want to self-disclose, your best bet is to be very transparent. It can really backfire on you, if you don't capture the entirety of the violation.”

—Jason Waite,

Partner,

Alston & Bird

The significance of the case doesn't lie in the relatively small amount of the fine, but rather the compliance lessons it instills. According to the settlement notice, the bank processed a series of transferred funds that appeared to have originated from third-party financial institutions acting on behalf of Tajco, a business venture run by Husayn Tajideen who was listed as “specially designated global terrorist” by the Treasury Department in December 2010.

What's interesting about the case, says Moe, is that OFAC said HSBC should have known it was authorizing payments to an entity on OFAC's SDN list, even though the name and address referenced in the payment instructions appeared to have no affiliation with the individual or entity on the SDN list.

Sending a Message to Banks

The settlement sends a warning to compliance officers that they now must establish a more robust means of screening the names of their customers against the SDN list to be able to identify transactions that are related to those on the list but do not specifically include their name. “That requires more than just crossing your t's and dotting your i's,” says Moe. “That's sending a pretty strong message to banks that if you fail to take these steps—steps that are nowhere required of banks as a matter of law—you are potentially subject to civil penalties.”

In another enforcement action with compliance implications, Wells Fargo reached a $23,937 settlement with OFAC to resolve charges that the bank maintained accounts with two individuals whose names partially matched those on the SDN list. Both customers provided valid U.S. addresses and social security numbers, but because their birth dates also matched those of sanctioned individuals, OFAC faulted Wells for not including screening based on dates of birth in its OFAC compliance procedures.

The broader lesson from the Wells Fargo case is that it's no longer enough to just examine customers' names against the SDN list without considering other pieces of information too. “You have to look at really granular details when you're opening an account,” says Moe. That can be quite challenging for a financial institution, for example, that just acquired a credit card portfolio of a half-million individuals from another bank, she says.

PROATIVE MEASURES

Companies can take several proactive measures to reduce fines, or avoid them altogether, in the event that a potential violation is discovered, such as:

Design and implement a robust compliance program. “The biggest thing companies need to do is put in place a risk-based compliance program to detect violations,” says Schwechter. “That can be a very significant mitigation factor if a violation does take place.”

Keep up-to-date on laws and regulations. Companies should always be prepared to fine tune their compliance program as laws and regulations change, says Moe. “All compliance programs have to be based on knowledge of the regulations and the laws that are the underpinning of economic sanctions.”

Adopt an automation tool. Having in place a well-tailored automation tool that screens against various government watch lists goes a long way toward complying with sanctions regulations. “Companies that don't use an automation tool,” Monson says, “stand a greater change of running into violations with OFAC.”

—Jaclyn Jaeger

Many banks may not be able to meet the heightened level of screening OFAC now expects, and will just have to take their chances. Still, these smaller cases serve as a warning that if a bank discovers that it has sanctioned individuals in its portfolio, “know that OFAC will, indeed, have a different expectation for how you create your compliance program," says Moe.

Many companies still don't perform even basic due diligence in regard to screening against the SDN list prior to a transaction, says Monson. “They just go ahead and perform the transaction,” he says. 

The HSBC and Wells Fargo cases also emphasize the importance of having in place “some element of subjective, human-based processes to make sure you know your customers,” says Waite. That means training employees to recognize red flags. “Sometimes the best people in the company to know the customer are the sales and customer service team.”

In both cases, HSBC and Wells Fargo self-reported the potential violations. “If a company sees it has a problem, you need to self-identify; self-correct; and self-report,” says Monson. “If a company reports the problem to the Treasury, Treasury will find that favorable, and those measures will help reduce the monetary penalty levied against the company in the event of an OFAC violation.”

Still, companies need to use caution when self-reporting. “For companies that want to self-disclose, your best bet is to be very transparent,” says Waite. “It can really backfire on you, if you don't capture the entirety of the violation. That can actually put you sometimes in a worse position than if you hadn't disclosed at all.”