By George W. Thompson
Two recent determinations by the Office of Foreign Assets Control (OFAC) under the Iranian Transactions and Sanctions Regulations highlight the errors that arise in even the best-intentioned compliance programs.
The first involved BMO Harris Bank NA, acquirer of Marshall and Ilsley Bank and, therefore, the successor to the latter bank’s liability. Marshall and Ilsley maintained screening software to identify potential prohibited transactions. The software flagged one of its customers for having the word “Persian” in its name as potentially covered by the Iranian Transactions Regulations. At the time, certain transactions involving carpets from Iran, the merchandise in which the customer dealt, were permitted under the regulations. The bank placed the customer on its “false hit list” of companies identified by screening software, and – properly at the time – processed the customer’s financial transactions.
From False Hit to Prohibited Party
In 2010, OFAC revoked the authorization for transactions relating to carpet transactions. Overnight, the bank became prohibited from processing payments for these transactions; unfortunately, it failed to take account of this change by removing the customer from the “false hit list” and blocking further transactions with it. Aficionados of the OFAC regulations can guess what happened next: a payment was processed by the bank despite being flagged as problematic by another financial institution. Several subsequent transactions were processed as well.
OFAC found a violation, based on the bank’s failure to update its “hit list” and knowledge (albeit at a lower employee level) of the conduct involved. No penalty level was announced.
“Good Guy” Causes Bad Problem
In the second case, Banco do Brasil, S.A., New York Branch’s screening software identified a company with the name “Isfahan” in its name as a potential Iranian entity; that company was a customer of the bank’s Brazilian affiliate. Notwithstanding the “hit”, the bank placed the company on its “Good Guy Exception List”, based on the company’s verbal assurance that it was not involved in trade with Iran. The bank thereafter processed financial transaction for the company
The bank adhered to its position even though an intermediary financial institution questioned and then rejected the transaction. Its compliance staff reviewed the trade documentation, concluded that Iran was not involved, and permitted subsequent transactions to proceed. You can guess the rest. The customer’s transactions did, in fact, stem from business with Iran. The bank agreed to pay a penalty of $139,500, based on various aggravating and mitigating factors.
Guidance from OFAC
OFAC noted that its evaluation of the case included an “assessment that the bank may have been unaware of the risks associated with a false hit list that was not reviewed and updated regularly.”
The agency also stated that “This enforcement action highlights the risks associated with failing to review multiple OFAC warnings signs with respect to a particular customer – including transactions blocked or rejected by other financial institutions specifically due to OFAC sanctions – as well as the risks posed by relying on incomplete or inaccurate information when assessing a potential OFAC alert or match.”
To further address this problem, OFAC issued “False Hit Lists Guidance” with suggestions for compliance program policies.
I won’t repeat these here, but do urge everyone subject to OFAC regulations – which is pretty much everyone – to review and incorporate them in compliance programs.