12 Sep 2017
A little over 25 years ago, I first heard of the Office of Foreign Assets Control (OFAC)—when the New York branch of the large international bank I worked for was fined 25 thousand dollars for two violations. After the branch manager had a bit of a meltdown, we got working on adding a software solution to our funds transfer system. Six weeks later, we had a basic ability to hand-enter names from the Specially Designated Nationals (SDN) List and screen incoming and outgoing payments against it. When we had a potential match, a printout of the SDN List from OFAC was used to compare the details we couldn’t enter into the limited space we had on one row of our screen.
We knew nothing of the regulations, licenses or guidance at the time. To us, compliance was checking the list. And that is how we complied with OFAC regulations for the better part of the next decade.
Eventually we installed a system which also gave us a fuller database of government officials, geographic place names and cargo vessels from blocked countries. That was necessary because the country sanctions programs we could name—Cuba, North Korea, Vietnam, Iran, and the Federal Republic of Yugoslavia (FRY)—were all comprehensive sanctions programs which included some international trade restrictions. With the SDN List and that handful of easily-obtained additional sources, we were pretty sure we were in compliance.
Of course, we were likely wrong. Even back then, perhaps a careful reading of the regulations would have taught us that the corporate entities in which the government had a significant ownership stake might have drawn scrutiny as “property or interests in property” (the standard language that seems to appear in every sanctions Executive Order and associated regulation)—and therefore, for a firm of our size, geographic reach and prominence, we might need to identify those holdings. However, with no knowledge, much less scrutiny, of OFAC enforcement actions, and with no notice of any guidance, ignorance of our obligations did not cause further entanglements.
The long march
The 619 million dollar civil monetary penalty agreed to by ING Bank in 2012 changed everything—even the initial 50 Percent Rule guidance issuance four years earlier. The revamping of the Enforcement Guidelines in 2009 landed on deaf ears outside the most prominent US firms (and I can’t even vouch for them). Ever since then, OFAC has used guidance and enforcement actions to demonstrate how the bar for sanctions compliance is being (not so) slowly but surely raised. Still, if one didn’t subscribe to OFAC’s email alerts or regularly review the Recent Actions page, one was still in the dark.
One could be forgiven for not noticing the 50 Percent Rule guidance prior to 2014, as it was just a link on every sanctions program’s page on the OFAC website. It went beyond the “property or interests in property” verbiage by mandating that ownership stakes in other commercial enterprises of 50 percent or more by a current sanctions target made those firms sanctioned similarly. In 2014, around the time of the Ukraine-related sanctions Executive Orders and regulations, the rule was changed so that aggregate ownership reaching the 50 percent threshold would trigger this treatment, too. Most importantly, these additional firms were not published by U.S. regulators, implying that all but the smallest firms (who might be excused as part of a risk-based sanctions program) would need to acquire this significant amount of additional data in order to stay compliant. Unlike the need to gather geographic place names, government functionaries, and/or associated cargo vessels and their management companies, which is implied by the nature of a comprehensive sanctions program, there were no readymade sources of such information.
To underscore the importance of following this guidance, OFAC made an example of Barclays PLC in 2016 with a small fine (~$2.5 million) for not catching firms owned by Zimbabwean SDNs. In a similar fashion, small settlements with Wells Fargo (for not comparing available customer date of birth data) and Deutsche Bank (for not identifying sanctioned firms by their SWIFT Bank Identifier Code, or BIC, which is not part of the specific SDN List listings) provided more teachable moments while raising the bar for sanctions compliance.
The Ukraine-related sanctions program added an additional wrinkle for any firm dealing in securities transactions: the need to know which securities issued by the firms added to the new Sectoral Sanctions Identification (SSI) List (as well as those required by the 50 Percent Rule) were now off-limits to U.S. persons. This requirement also meant that those firms had to conduct additional ongoing research to identify those issues and their standardized codes (e.g. CUSIP, SEDOL, and ISIN).
Still, at least a solid starting point was provided: new listings on the SDN and SSI Lists. Such a simpler time…
Look, ma, no hands!
That all changed with the issuance of Executive Order (E.O.) 13808 on Friday, August 25th. On an initial read the order seemed unremarkable—it imposed SSI-like restrictions on elements of the Government of Venezuela. However, when the weekend passed and no new designations (or list—we expected one because the restrictions were different than the existing SSI List ones) appeared, we suspected something was up. A call to OFAC’s Hotline revealed that no designations would be forthcoming, and that it was up to U.S. persons to identify all elements of the government (plus 50 Percent Rule holdings) and their securities issues. There is no longer any de minimis way for even the smallest firms or those with minimal overseas exposure to maintain any level of compliance through reliance on OFAC’s published lists.
The shape of things to come?
Such a lack of detail provided by OFAC has both pluses and minuses. On the one hand, for comprehensive restrictions such as E.O. 13808, it is certainly more efficient for a small organization such as OFAC to be less prescriptive in terms of designations, while still penalizing missteps. Additionally, it implements sanctions programs more rapidly by not requiring the extra steps of designation and/or list creation.
On the other hand, such lack of structure has its limits. Targeted (i.e. non-comprehensive) programs require specific designations in order to be properly focused on the persons and entities that the United States wishes to affect. Perhaps more importantly, lack of specific designation implies a greater lack of knowledge about the actual level of compliance by U.S. persons, and its impact. Therefore, it is harder to gauge how effectively the U.S. foreign policy goals behind the sanctions are being achieved. As the old saw goes, “you can’t improve what you can’t measure”; sanctions without a baseline of formal designations (and without even a statement directing how firms should comply) are like a ruler with neither end visible.
It’s therefore likely that E.O. 13808 is an anomaly and that future similar actions will provide greater formal detail, so that the U.S. government has greater certitude of the scope and likely effect of its sanctions requirements. And every firm with a significant sanctions program certainly hopes so.
Eric A. Sohn, CAMS (email@example.com) is Director of Business Product at Dow Jones Risk & Compliance in New York. Eric has over a decade of experience in the financial crime compliance field and has served on the ACAMS Editorial Task Force since 2010.