As we mentioned in the first part of our U.S. Sanctions Year in Review series, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) had an extraordinarily busy year in 2019, and its enforcement activity was no exception. OFAC rolled out 30 public enforcement actions in 2019, with 26 civil penalties or settlements and four findings of violation. Eleven of the enforcement actions were directed at financial institutions (“FIs”), four against FIs based in the United States and seven against FIs based abroad. However, these enforcement numbers can be deceptive in assessing overall FI risk, because while slightly more than a third of OFAC’s 2019 enforcement actions targeted FIs, those institutions paid almost 99 percent of the penalties. This is because the penalties assessed against FIs averaged around $127 million, while the average penalty assessed against non-FIs was only about one percent of that amount (approximately $1.2 million).
2019 was also notable for the number of enforcement actions brought against FIs without voluntary self-disclosures. Six of the 11 were not voluntarily disclosed, with two of these cases receiving egregiousness determinations from OFAC and, accordingly, the largest penalties of the year. By contrast, OFAC determined no case to be egregious last year where the FI discovered and voluntarily disclosed the violative conduct, resulting in dramatically reduced penalties for the confessors. These numbers show that FIs must remain vigilant against sanctions risks and stand ready to investigate, analyze, and rapidly determine whether to disclose future potential violations.
In addition to the enforcement activity noted above, OFAC published its “Framework for OFAC Compliance Commitments” last May, outlining for the first time the “essential elements” OFAC expects a sanctions compliance program to possess. These essential elements are (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC’s Framework also discusses common “root causes” of sanctions compliance program breakdowns. As we previously wrote, many of these root causes related to specific OFAC enforcement actions. Importantly, OFAC mentions in the Framework that it will consider the “existence of an effective [sanctions compliance program]” as a factor in its analysis when determining whether a sanctions violation should be deemed egregious (and whether a penalty should be imposed at all). With this in mind, FIs should review OFAC’s Framework when developing or revising their sanctions compliance programs in 2020.
It’s also worth remembering that OFAC Director Andrea Gacki announced last June that OFAC would no longer give credit for all types of fines paid to other government agencies in multi-agency settlements. Rather, OFAC will now only give credit for penalties imposed by other agencies arising out of “the same pattern of conduct for the same period of time” as OFAC violations. OFAC referenced this new policy in its two “major bank” settlements last year – involving Standard Chartered and UniCredit – and this policy is likely to impact FIs more than other types of businesses due to the multiple regulators and regulatory controls to which FIs are subject.
OFAC’s FI cases in 2019, as in prior years, strongly suggest that the agency holds FIs to higher compliance standards than other types of businesses. This is likely due to the size and sophistication of FIs, their critical role in ensuring the integrity of the U.S. and international financial systems, and the essential part they play in ensuring corporate sanctions programs are effectively implemented. While OFAC does not generally prescribe particular sanctions compliance procedures, other than as noted in its Compliance Commitments, it does give hints of its compliance expectations in its public enforcement actions. FIs need to be aware of these expectations as they can factor significantly into whether OFAC views problematic conduct as worthy of a monetary penalty. Accordingly, MoFo’s National Security team has, once again, collected the latest lessons from OFAC’s FI enforcement actions last year. These Top 10 lessons should be valuable for FIs and non-FIs alike, although we will focus on OFAC’s non-FI enforcement cases in the third part of our OFAC Year in Review series tomorrow:
1. Preventing payments from embargoed jurisdictions through the United States remains a key OFAC focus. In 2019, the Trump Administration removed a general license authorizing U.S. FIs to process “U-turn payments” – payments where the originator and beneficiary are non-U.S. persons outside the United States – involving Cuba. This brings OFAC’s Cuba program in line with OFAC’s other comprehensive sanctions programs (Iran, North Korea, Syria, and the Crimea region of Ukraine) and means that FIs need to remain vigilant to ensure they are not wittingly or unwittingly processing payments involving these jurisdictions through the United States. OFAC’s largest penalties in 2019 were the result of these types of transactions, which frequently resulted from (A) branches in high-risk jurisdictions and/or (B) inadequate compliance and legal oversight:
2. If you are a non-U.S. financial institution, understand your touch points to the United States. Most non-U.S. FIs know that processing U.S. dollar payments related to transactions taking place outside the United States carries U.S. sanctions risks because those payments are often cleared through the United States. However, this is obviously not the only way for non-U.S. FIs or activities to come under U.S. jurisdiction. Last year two cases illustrated the risks of (A) bulk U.S. dollar funding arrangements, and (B) intermediate U.S. ownership structures that brought non-U.S. FIs and activities under U.S. jurisdiction:
3. OFAC expects financial institutions to have sophisticated sanctions compliance programs. While many of OFAC’s trade cases focus on the failure of non-FIs to catch matches to names on OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”), those involving FIs suggest higher compliance expectations – which may be replicated in the future against non-FIs – including that FIs (A) organize business data to inform sanctions screening, (B) block accounts of companies beneficially owned by individuals in embargoed countries, (C) utilize IP blocking software and (D) use sanctions exclusion clauses in contracts:
4. No matter how sophisticated your compliance program is, it won’t work if your employees don’t use it properly. Companies need to ensure that they cultivate a culture of compliance, and train employees to understand how to adequately use their compliance systems. For example, in the UniCredit cases from April, UniCredit had a group sanctions policy in place that “clearly addressed OFAC sanctions concerns and restricted the processing of transactions denominated in USD on behalf of [sanctioned parties].” Despite this policy, OFAC noted that employees at UniCredit’s German subsidiary processed payments related to the Islamic Republic of Iran Shipping Lines (“IRISL”) even after receiving an email policy directive not to process such payments. OFAC also noted that employees of UniCredit’s Italian subsidiary “ignored or fail[ed] to adhere to UniCredit Group sanctions policies” by processing U.S. dollar payments on behalf of persons located in comprehensively sanctioned countries.
5. Test, audit, and enhance sanctions compliance programs. OFAC listed testing and auditing as an “essential component” of a sanctions compliance program in its Compliance Commitment Framework. FIs that do not test their programs may discover that these programs do not work as intended. In particular, FIs need to (A) test and audit any ring fencing policies designed to allow limited business with sanctioned parties outside the United States, (B) ensure sanctions compliance systems incorporate information from customer due diligence, and (C) establish appropriate compliance reporting lines to ensure sanctions issues are followed up with the appropriate parties:
6. Generally know your customers’ customers. No, we are not suggesting that the standard Know Your Customer (“KYC”) obligations have been supplanted by a new KYCC standard, as some in the U.S. State Department have claimed. Yet, FIs should generally know your customers’ customers’ lines of business and how they are protecting your customers and you from sanctions risks. Several of OFAC’s FI enforcement actions highlighted the importance of knowing who your downstream counterparties are so that you can stop them from getting you into trouble. In 2019, OFAC highlighted the risks posed by (A) third-party underwriters, (B) general trading companies, (C) trade credit assignments, (D) third-party travel agencies, and (E) foreign sub-agents:
7. Conflicts of law continue to confound. After President Trump announced the United States’ withdrawal from the Joint Comprehensive Plan of Action (“JCPOA”), the European Union updated Council Regulation (EC) No 2271/96 (the “EU Blocking Statute”), which prohibits EU companies from complying with U.S. sanctions against Iran and Cuba. As we previously wrote, the Trump Administration escalated these issues in 2018 when it required foreign subsidiaries of U.S. companies to comply with the same Iran sanctions rules as their U.S. parents and in 2019 when it refused to waive key provisions of the Helms-Burton Act. In response to the latter escalation, the EU issued a joint statement from High Representative Federica Mogherini and Commissioner for Trade Cecilia Malmström, restating the EU’s “strong opposition to the extra-territorial application of unilateral Cuba-related measures that are contrary to international law.” Canada’s Foreign Extraterritorial Measures Act contains provisions similar to the EU Blocking Statute for Canadian companies. However, foreign companies may not rely on these provisions to violate U.S. sanctions.
8. Stripping still doesn’t pay. The trio of settlements with UniCredit continues a long line of cases against non-U.S. FIs that engaged historically in “payment stripping,” the practice of removing information on messages for payments sent through the United States that would have identified a party as sanctioned or located in a sanctioned jurisdiction. Like previous stripping cases, OFAC found UniCredit’s conduct to be egregious, thereby significantly increasing its penalty.
9. Use your regulator, and your financial condition, when talking penalties with OFAC. In the BACB case from September, OFAC noted that the operating capacity of the London-based bank “was such that it would face disproportionate impact if required to pay the proposed penalty of $228,840,000.” Accordingly, “[i]n consultation with BACB’s domestic regulator, the United Kingdom’s Prudential Regulation Authority,” OFAC settled the approximately $229 million matter for $4 million.
10. When in doubt, ask OFAC. Although the recent Exxon decision suggests that companies may not be obliged to consult OFAC when they believe the law is unclear, that decision may have limited impact, and OFAC continues to advise that the private sector approach the agency before making a move that could implicate sanctions. In the Atradius case from August, OFAC highlighted “the importance of obtaining a specific license before engaging in” potentially unauthorized activity. Of course, decisions on whether and how to approach OFAC should not be made lightly, given that ill-informed approaches can lead to delays in responses, stoppages in business activities, and even governmental investigations.
The pace of enforcement actions accelerated significantly in 2019, and OFAC has already begun issuing its first enforcement cases for 2020. The cases above demonstrate that FIs should be especially vigilant in reviewing and understanding their sanctions risks heading into this new year. As always, we in Morrison & Foerster’s National Security Practice Group stand ready to provide counsel on the scope and sufficiency of sanctions compliance programs and training, the legality/sanctionability of particular transactions or lines of business, and any actual or potential enforcement matters.
Reema Shocair Ali, a national security analyst in the firm’s D.C. office, assisted in the preparation of this client alert.