OFAC Enforcement Action: Double Check Your Screening Tools
Jessica Sanderson, Partner at the Volkov Law Group, re-joins us for a posting on a recent OFAC enforcement action. Jessica can be reached at [email protected].
Some may dismiss OFAC’s recent announcement last week that it issued a Finding of Violation to MidFirst Bank for violations of the Weapons of Mass Destruction Proliferators sanctions regulations as insignificant because OFAC did not impose any civil monetary penalties, and most of us have been focused on the Russian sanctions program. But OFAC only issues a Finding of Violation under 31 C.F.R. § 510.705 when it “considers it important to document the occurrence of a violation; and … concludes that an administrative response is warranted ….” OFAC issued this Finding of Violation to send an important message to all financial institutions (and we believe, to all U.S. Persons) that: (1) companies must implement sanctions screening tools that are sufficient to address exposure to sanctions risks; and (2) now means now.
OFAC’s July 21, 2022 Enforcement Release explains that MidFirst maintained accounts for and processed 34 payments on behalf of two individuals added to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) for 14 days post-designation. The violations stemmed from MidFirst’s misunderstanding of the frequency of its vendor’s screening of new names added to the SDN List against its existing customer base. “Ninety-eight percent of the value of the post-designation transactions occurred within six hours of designation.” While the immediacy was a “mitigating factor,” the transactions still constituted violations.
According to the Enforcement Release, MidFirst engaged a vendor to provide periodic screening of MidFirst’s customers against the SDN List, but the vendor only screened MidFirst’s entire existing customer base once a month. MidFirst mistakenly believed that the vendor screened on a daily basis. Accordingly, MidFirst did not discover the violations until the vendor generated its monthly report two weeks after the customers were added to the SDN List. MidFirst also maintained its own process to screen existing customers, but it, too, only screened existing customers on a monthly basis.
OFAC found as one of the “aggregating factors,” that “[b]y allowing the accounts to operate for two weeks post-designation, there was harm to the objectives of the sanctions program, and potential for significant harm as it could have aided asset flight.” Thus, although the fact that the overwhelming majority of the value associated with the violations related to transactions that took place within hours of designation,” was a mitigating factor, the message is clear. OFAC expects U.S. Persons to comply with sanctions regulations, in this instance to block the property and interests of SDNs, within hours of designation.
OFAC reaffirmed its view that there is no “one-size-fits all” approach to sanctions screening, and that the frequency of sanctions screening may vary based on risk tolerance and risk profile. But it is hard to read the Enforcement Release any other way than daily screening is required to ensure prompt compliance. OFAC’s decision may have been very different (and likely would have included monetary penalties) if the value of the transactions were greater and the SDNs were able to access and transfer more money out of the country despite the timing of the violation.