The UK-based Bank of China agreed to pay $2.3 million to settle violations of OFAC’s Sudan Sanctions Program.  OFAC repealed the Sudan sanctions in October 2017 but is continuing to investigate violations of the Sudan Sanctions Program that occurred prior to October 2017.

The enforcement action was the result of an internal investigation and voluntary disclosure triggered by a bank action blocking a customer transaction.  Between the period September 2014, and February 2016, the Bank of China (“BOC-UK”) processed 111 commercial transactions totaling over $40 million through U.S. financial institutions on behalf of individuals and entities in Sudan.

After blocking a specific transaction, the BOC-UK authorized an internal investigation to identify prior Sudan-related transactions.  The investigation uncovered two customers of BOC-UK who had engaged in Sudan transactions that were ultimately processed through the US financial system.

One of the customers was an entity incorporated outside of Sudan but maintained a branch in Sudan that was the instructing party and account signatory to transactions processed by BOC-UK. The customer sent written communications that indicated it operated a branch in Sudan.  In addition, BOC-UK processed a number of transactions for recipients who were located in Sudan at the time of the individual transactions.

The second customer was a Sudanese subsidiary of an entity that was incorporated outside of Sudan.  The customer submitted KYC documentation that identified the subsidiaries location as being registered in Sudan.

Despite these clear references to Sudan, BOC-UK’s internal database failed to include any reference to Sudan for each of these customers. The SWIFT messages used to process the transactions for these customers at the U.S. banks omitted any reference to Sudan.

BOC-UK’s compliance staff failed to identify and escalate these transactions to resolve red flags relating to Sudan ties. 

BOC-UK voluntarily disclosed the conduct to OFAC.  OFAC noted that the case underscores the importance of “integrating know-your-customer information throughout internal databases that inform compliance decisions and that potential sanctions concerns are appropriately flagged and escalated when a sanctions nexus may be present.”

BOC-UK demonstrated a reckless disregard for U.S. sanctions requirements by processing transactions for entities in Sudan despite having account and transactional information indicating a connection to Sudan in violation of the bank’s existing policies and procedures.

BOC-UK cooperated with OFAC’s investigation by conducting a thorough internal investigation and entering into a tolling agreement to delay the running of the statute of limitations.

As part of its remediation effort, BOC-UK established an executive level committee responsible for implementation of sanctions compliance policies and procedures.  The committee reports directly to the board of directors.

Additionally, BOC-UK agreed to conduct an annual enterprise-wide sanctions risk assessment by business line, which incorporates monitoring of risks and internal audit testing and includes input from external consultants; apply a centralized customer due diligence function firm-wide to strengthen internal controls; customize firm-wide staff training on sanctions compliance based on the employee’s tenure and business line; and enhance policies and procedures to address U.S. sanctions regulations applicable to payment processing through the United States.