In two recent cases, OFAC sanctioned two Financial Institutions (FIs) for U.S. sanctions breaches: Wells Fargo Bank, N.A. (“Wells Fargo”), and Uphold HQ Inc. (“Uphold”). Although the numbers of apparent violations are similar, 124 in one case and 152 in the other, the penalties imposed are proportionate to the total amounts of money involved.
In the first case, published on March 30, 2023, Wells Fargo agreed to remit $30,000,000 to settle its potential civil liability for apparent violations of three sanctions programs over a period of about seven years beginning in 2008 and ending in 2015. In the second case, published on March 31, 2023, Uphold, a Larkspur, California-based money services business, agreed to pay $72,230.32 to settle its potential civil liability for apparent violations of multiple sanctions programs between March 2017 and May 2022.
Wells Fargo case
Wells Fargo represents a continuation of OFAC's precedents on successor liability. This case sheds light on how a complex inherited situation, combined with a lack of adequate management, can result in a real compliance failure. Despite the extreme complexity of the case and the related facts, it is possible to extract some red flags from this chain of events in a post-acquisition environment:
🚩 Fully audit and screen “black box” software provided by the acquired company, especially when it is part of the services of the acquired company.
🚩 Mitigate this lack of knowledge by setting up an appropriate level of control over operations.
🚩 Address repeated internal alerts in due time and with appropriate resources. This should become a priority.
🚩 The audit function should challenge internal risk assessments adequately.
Good practices from the two cases
On Wells Fargo, OFAC acknowledged the good quality of its sanctions compliance program, including in the involved line of business. As a result, the fact that the senior management of the bank failed to prevent and detect the breaches could not be analyzed as a systematic compliance breakdown. In addition, OFAC considered the sectors financed through the apparent violations, finding that agriculture, medicine, and telecommunications may have been eligible for a general license.
Uphold case
Uphold or its affiliates processed 152 transactions totaling $180,575.80 in apparent violation of OFAC’s sanctions against Iran, Cuba, and Venezuela. Uphold, or certain of its non-U.S. affiliates, maintained accounts for customers who provided information during the account onboarding process indicating their location in Iran or Cuba. Customers voluntarily disclosed that they were located in a sanctioned country, even though the drop-down menu allowed them to select a non-sanctioned country.
In the Uphold case, it emerged that the financial institution was not screening for sanctions compliance either the free text address field or the identification documentation from a sanctioned jurisdiction that customers provided. This was in apparent violation of the sanctions applicable to transactions with Venezuela. Uphold processed 58 transactions totaling $1,316.54 in 14 months on behalf of two customers who self-identified, in the course of enhanced customer diligence, as employees of GoV-owned Petroleos de Venezuela S.A. (PdVSA).
In the Uphold case, OFAC considered the application of two aggravating factors: failure to exercise due caution or care, and reason to know. In relation to the second factor, it was argued that having all the information available and not using it, or ignoring it, is sufficient to determine that the institution “knew” about the breaches as they occurred.
Failure to exercise due caution or care results in implementing inadequate screening and other compliance processes to identify, analyze, and address sanctions risks. This shows that there is no neutral parameter when a company sets up its screening tool. Time might be a key factor in determining which fields to screen or to ignore, but the Uphold case demonstrates that the decision to ignore a field should be carefully weighed against all the content that can be entered in it.
In some cases, it would be better to decide not to maintain a free text field. That would prevent creating a loophole in the screening process.
The remediation measures described in the Uphold decision show how the company closed the loopholes in its information system, increased the monitoring of its data, and geared up and invested in its compliance program to keep a level of control reflecting its growing business. They include:
• Suspension of account access to all of the users described above;
• Implementation of an information technology solution to screen customer information provided in free text fields and identification documents;
• Weekly quality assurance testing of screening systems;
• Independent testing of screening systems;
• Implementation of automatic restrictions applicable to users who attempt to send transfers to beneficiaries in sanctioned jurisdictions;
• Real-time virtual currency wallet address screening;
• Increased compliance department resources in line with the growth of the business; and
• Implementation of periodic sanctions risk assessments.
Conclusion
In conclusion, the recent sanctions cases involving Wells Fargo and Uphold highlight the importance of maintaining a robust sanctions compliance program to avoid potential civil liability. Both cases demonstrate the importance of taking proactive measures to address compliance failures and of investing in compliance programs that reflect the growth of the business. Finally, these cases suggest that demonstrating that a company's compliance program keeps pace with its business development and growth can be an effective means of showing the regulator the organization's maturity. In particular, the mitigating factors considered were related to new businesses. The conclusion is that companies should identify, interrupt, infuse, and increase compliance efforts.
See Enforcement Release: March 30, 2023: OFAC Settles with Wells Fargo Bank, N.A. for $30,000,000 Related to Apparent Violations of Three Sanctions Programs. https://ofac.treasury.gov/media/931541/download?inline
See Enforcement Release: March 31, 2023: OFAC Settles with Uphold HQ Inc. for $72,230.32 Related to Apparent Violations of Multiple Sanctions Programs. https://ofac.treasury.gov/media/931556/download?inline