OFAC continues its enforcement push.  At the same time, OFAC is managing a complex, global set of sanctions against Russia.  DOJ has promised to increase prosecution of global banks for sanctions violations.

Meanwhile, OFAC reached another settlement with Swedbank Latvia AS (“Swedbank Latvia”), which is a subsidiary of “Swedbank AB”, a global bank headquartered in Stockholm, Sweden. Swedbank Latvia agreed to pay $3.43 million to settle potential civil liability for 386 violations of OFAC sanctions prohibiting transactions with Crimea.

During 2015 and 2016, a Swedbank Latvia customer used the e-banking platform from an internet protocol address in Crimea to send payments to Crimea persons through U.S. correspondent banks.  OFAC noted that the conduct was not voluntarily disclosed. The U.S. correspondent bank involved in the transactions notified OFAC of the violations.

Before Russia’s invasion of the Crimea region, Swedbank Latvia had onboarded a shipping industry company in Crimea that owned three special purpose companies (“SPC”), each with an account at Swedbank, Latvia.  During an 18 month period, the SPC Owner conducted 386 transactions totaling $3.3 million through SPC accounts that were processed by U.S. correspondent banks.

In March 2016, the SPC Owner attempted to send payments from an IP address in Crimea using the e-bank platform to a U.S. correspondent bank, which rejected the payments because of concerns relating to the Crimea sanctions.  Swedbank Latvia asked for additional information from the U.S. correspondent bank, but did not receive any information.  The SPC Owner falsely assured Swedbank Latvia  that none of the transactions involved Crimea. Based on this false representation, a Swedbank Latvia re-routed the payments to a different U.S. correspondent bank, which ultimately processed the transactions.

OFAC concluded that Swedbank Latvia had reason to know that the SPC Owner’s representations were false.  When Swedbank Latvia onboarded the SPCs, Swedbank Latvia obtained KYC data, including addresses, telephone numbers and a customer questionnaire, which confirmed that the SPCs had a physical presence in Crimea.  Despite having this information, Swedbank Latvia did not apply, double-check or consider the KYC data when re-routing the payments. In particular, Swedbank did not integrate internet protocol into its sanctions screening processes. 

In applying the penalty factors, OFAC noted that Swedbank failed to exercise due caution or care in neglecting to access KYC information in its possession when conducting sanctions screening. Swedbank AB and Swedbank Latvia implemented significant remedial actions, including:

• Terminating the client relationship with the SPC Owner in February 2017.
• Implementing geofencing that prevents customers from sending payments through online banking platforms from IP addresses in sanctioned jurisdictions.
• Implementing an automated system control within their transaction screening solution.
• Establishing enhanced due diligence and screening procedures for high-risk customers.
• Implementing enhanced diligence and transparency protocols for responses to correspondent bank inquiries.
• Expanding their compliance staff to implement new protocols.
• Undertaking measures to improve its KYC, AML and financial sanctions controls more broadly.

OFAC explained that this case demonstrates the importance of implementing a risk-based sanctions compliance program operating in high-risk regions.  Such programs have to ensure that KYC information and IP data are integrated into sanctions screening protocols.

In addition, OFAC observed that the case underscores the importance of undertaking reasonable efforts to investigate red flags.  In particular, OFAC noted the importance of diligently responding to red flags and the importance of reviewing existing data, such as KYC information, before responding to a red flag inquiry from a correspondent bank.