Compliance officers hear the story all too often these days: A bank becomes the center of a Justice Department probe for sanctions violations, the press goes on a feeding frenzy, and senior management is left to pick up the pieces—and that’s just the outcome when the investigation ends without charges.

French banking giant BNP Paribas wasn’t so lucky. The bank entered into a guilty plea in July and agreed to a record $8.9 billion settlement—the largest penalty ever obtained by the Justice Department in a criminal economic sanctions case, and the largest in a criminal case involving a bank. It also marks the first time a global bank has agreed to plead guilty to large-scale, systematic violations of U.S. economic sanctions. The plea agreement includes forfeiture of $8.8 billion and a fine of $140 million. 

According to court documents, BNP conspired to violate the International Emergency Economic Powers Act and the Trading With the Enemy Act by concealing more than $190 billion in transactions from 2002 to 2012 on behalf of clients subject to U.S. sanctions in Sudan, Iran, and Cuba.  

At its core, the broader lesson to other multinational banks is simple: “Don’t process transactions for sanctioned countries,” says Jason Waite, a partner with law firm Alston & Bird.

But look at BNP through the lens of effective governance, risk management, and compliance, and a litany of mistakes emerges. Below is a look at those mistakes, and how to avoid them.

Corporate culture. Rarely does a corporate scandal not evolve directly from a company’s culture of compliance, or the lack thereof. BNP is no exception. On multiple occasions, BNP compliance and legal executives voiced concerns about the bank’s continued business with sanctioned entities, and they were rebuffed.

For example, one senior compliance officer at BNP Geneva worried about the bank’s use of satellite banks. In an e-mail sent to legal, business, and compliance personnel at BNP Geneva, the senior compliance officer warned: “As I understand it, we have a number of Arab Banks (nine identified) on our books that only carry out clearing transactions for Sudanese banks in dollars. This practice effectively means that we are circumventing the U.S. embargo on transactions in [U.S. dollars] by Sudan.”

In another example, compliance officers at BNP Geneva met with several senior BNP Paris and Geneva executives “to express, to the highest level of the bank, the reservations of the Swiss compliance office concerning the transactions executed with and for Sudanese customers.” At the meeting, a BNP Paris senior executive dismissed the concerns of the compliance officer and requested that no minutes of the meeting be taken.

Another compliance officer at BNP Paris informed business managers at BNP Geneva that U.S. dollar transactions cleared through unaffiliated U.S. banks could be viewed as a “serious breach.” Despite these warnings, the transactions continued.

“The message to the banks is that they need to take more seriously a culture of compliance that values the advice given by people in the compliance department,” says Jeffrey Alberts, a partner with law firm Pryor Cashman. In any company, the compliance department should be able to escalate the issue up to a compliance committee, whose members should include independent directors, he says.

“It helps to have a pre-established path of escalation within the company,” Waite says. Clear escalation procedures reduce the chance that compliance will encounter skepticism or resistance when reporting potential wrongdoing, he says.

According to BNP’s internal control charter, the bank has escalation procedures in place. At BNP, internal controls consist of both permanent controls and periodic inspections by internal audit. “Permanent control is the mechanism for implementing, on an ongoing basis, actions to keep risks under control and to monitor the implementation of strategic actions,” the charter states. “It applies to all types of risks encountered by BNP Paribas.”

The charter explains that permanent control relies initially on operational staff, who are accountable for the risks generated by the activities for which they are responsible, and then on independent control functions—risk and compliance—“whose primary responsibility is to oversee the way in which risks are taken and managed by operational staff, particularly by taking a second look at certain decisions,” the charter states. “In the event of a disagreement between these two parties, an escalation procedure is triggered.”

The moment senior executives receive notice that what they’re doing is a violation of U.S. sanction laws, “they should immediately seize action,” Alberts says. Any transaction that occurs after senior executives become aware of the misconduct—as made obvious in BNP’s case—is going to be included in the fine ultimately imposed on the bank, he says.


Profits over principle. At the same time that some compliance officers were arguing to cease the illegal transactions, other compliance officers and senior executives within BNP were emphasizing the importance of continuing its business with Sudan.

Senior executives and compliance personnel at both BNP Geneva and BNP Paris repeatedly recognized BNP’s role in circumventing U.S. sanctions against Sudan, but condoned the behavior, “because the business was profitable and because BNP Geneva did not want to risk its longstanding relationships with Sudanese clients,” court documents stated.

Following a credit committee meeting of BNP’s general management, for example, BNP’s senior compliance personnel approved the continuation of the U.S. dollar transactions with sanctioned Sudanese entities. An e-mail summarizing that meeting explained that “[t]he relationship with this body of counterparties is a historical one, and the commercial stakes are significant. For these reasons, compliance does not want to stand in the way of maintaining this activity.”

For their role in the misconduct, however, the New York State Department of Financial Services (DFS) ordered the termination of 13 individuals, including:

Vivien Levy-Garboua, current senior adviser to the BNP executive committee and former group head of compliance;

Stephen Strombelline, head of ethics and compliance for North America;

George Chodron de Courcel, group chief operating officer;

Christopher Marks, group head of debt capital markets; and

Dominique Remy, group head of structured finance for the corporate investment bank.

Enforcement agencies have said repeatedly that putting profits above the law will never be tolerated. “The significant financial penalties imposed on BNP Paribas sends a powerful deterrent message to any company that places its profits ahead of its adherence to the law,” FBI Director James Comey said in a statement.

Cover-ups.  Enforcement agencies also have no tolerance for concealed misconduct. As Attorney General Eric Holder described, “BNP Paribas went to elaborate lengths to conceal prohibited transactions, cover its tracks, and deceive U.S. authorities.”

Specifically, BNP Geneva routed illegal payments through third-party financial institutions to hide not only the involvement of the sanctioned entities, but also BNP’s role in facilitating the transactions. BNP Geneva further instructed other financial institutions not to mention the names of sanctioned entities in payments sent through the United States and removed references to sanctioned entities from payment messages so the funds could pass through the U.S. financial system undetected.

“Sanctions are a key tool in protecting U.S. national security interests, but they only work if they are strictly enforced,” Holder said. “Banks thinking about conducting business in violation of U.S. sanctions should think twice because the Justice Department will not look the other way.”


Below is a look at the civil penalties levied against BNP Paribas under OFAC regulations.
BNP Paribas SA Settles Potential Civil Liability for Apparent Violations of Multiple Sanctions Programs: BNP Paribas SA (“BNPP”) has agreed to settle potential civil liability for 3,897 apparent violations of: the Sudanese Sanctions Regulations (the “SSR”), 31 C.F.R. part 538; the Iranian Transactions and Sanctions Regulations (the “ITSR”), 31 C.F.R. part 560; the Cuban Assets Control Regulations (the “CACR”), 31 C.F.R. part 515; and the Burmese Sanctions Regulations (the “BSR”), 31 C.F.R. part 537. BNPP’s settlement with the Office of Foreign Assets Control (“OFAC”) is part of a global settlement among BNPP, OFAC, the U.S. Department of Justice, the New York County District Attorney’s Office, the Federal Reserve Board of Governors, and the Department of Financial Services of the State of New York. BNPP agreed to settle with OFAC the apparent violations of OFAC regulations for $963,619,900, with the obligation deemed satisfied by payment of an equal or greater amount in satisfaction of penalties by the Department of Justice and the New York County District Attorney’s Office arising out of the same pattern of conduct.
OFAC determined that BNPP did not voluntarily self-disclose these apparent violations, and that the apparent violations constitute an egregious case. Both the statutory maximum and base civil monetary penalties in this case were $19,272,380,006 ...
… The settlement amount reflects OFAC's consideration of the following facts and circumstances, pursuant to the General Factors Affecting Administrative Action under OFAC's Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, app. A. The following were found to be aggravating factors: BNPP had indications that its conduct might have constituted violations of U.S. law, and therefore BNPP acted with reckless disregard for U.S. sanctions regulations; at least one member of BNPP’s senior management was aware of the conduct leading to the apparent violations; BNPP’s business line management and supervisors were aware, and/or had reason to know, of the conduct leading to the apparent violations; the conduct described above resulted from a pattern or practice that spanned many years and multiple BNPP branches and product lines; the conduct described above conferred significant economic benefit to persons subject to U.S. sanctions and undermined the integrity of multiple U.S. sanctions programs; BNPP is a large and commercially sophisticated financial institution; and BNPP did not maintain adequate policies, procedures, or internal controls to ensure compliance with the sanctions programs administered by OFAC. Mitigation was extended because BNPP has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the earliest transaction giving rise to the apparent violations; BNPP cooperated with OFAC’s investigation of the apparent violations by conducting an extensive internal investigation and executing a statute of limitations tolling agreement with multiple extensions; BNPP took remedial action in response to the apparent violations described above; and a consideration of the totality of the circumstances warrants further mitigation to ensure an enforcement response that is proportionate to the nature of the violations.
Source: BNP Paribas.

Disconnect between compliance departments. Another factor that contributed to BNP’s pervasive wrongdoing was the “huge disconnect,” Alberts says, between BNP’s compliance department in the United States and its compliance departments overseas. “Almost all of the wrongdoing involves BNP Paris and BNP Geneva, as opposed to wrongdoing by BNP New York,” he says.

That’s not to say that BNP New York was an innocent party. According to BNP’s consent order with DFS, compliance staff of BNP’s New York branch operated with the knowledge that they “did not have adequate legal and compliance authority to ensure that activities conducted from BNP Paribas offices outside of the United States complied with New York and U.S. laws and regulations. This practice was intentional.”

In BNP’s case, compliance staff in the United States clearly ignored the misconduct, but the broader warning for other U.S. compliance departments with overseas operations is not to simply take the word of compliance departments overseas where potential misconduct may be occurring. “They have to go a step further and conduct an investigation into exactly what’s going on overseas, or else they’re at risk of being subjected to these massive penalties,” Alberts says.

On paper, at least, BNP appeared to have a robust compliance function. In response to a 2012 consultation paper by the European Securities and Markets Authority, for example, BNP stated that, when it comes to procedures and standards, “group compliance rules prevail over local rules whenever these latter rules are less strict or demanding.”

BNP added that its compliance function is organized in such a way that “through its opinions, oversight, and independent second-level reviews, provides a reasonable assurance of the efficiency and consistency of the system for verifying the compliance of the group’s operations.”

The BNP case highlights the importance of communicating the value of compliance within a company. “As a compliance officer, you want to be able to communicate effectively, persuasively, and specifically about why a particular course of action or conduct presents substantial compliance risks to a company,” Waite says.

Particularly in sanction cases, that task is not always easy, especially for senior management “who can sometimes be very headstrong and, in the case of foreign companies, have their own cultural tendencies or skepticism about the reach of U.S. laws or the purpose of U.S. sanctions,” Waite adds.

“My advice to compliance personnel is not to editorialize. Stick to the facts and the law: ‘Here is what U.S. sanctions provide. Here is how they extend to foreign banks. Here are the potential consequences. This is why we shouldn’t engage in this misconduct. This is the extent of the risk to the company’,” he says.