Distilling Compliance Lessons of U.S. Sanctions Laws

Regulators have put another scalp on the wall to warn financial institutions about the importance of sanctions compliance. The latest victim: Crédit Agricole.

The Office of Foreign Assets Controls, responsible for enforcing compliance with economic and trade sanctions, reached a $329.6 million settlement with the bank on Oct. 20 over charges that Crédit Agricole masked billions in financial transactions it processed for businesses in rogue countries like Burma and Sudan. The bank also paid another $457.7 million in criminal and civil financial penalties to other law enforcement agencies, for a painful total of nearly $790 million.

That sort of action against a financial firm is likely to be more common in the future, observers say.

“In trends we will see going forward with respect to enforcement: fewer cases, much more sophisticated, high-dollar enforcement actions by OFAC that include coordination across other U.S. government agencies, both at the state and federal level, as well as across other jurisdictions,” Maura Rezendes of the law firm Allen & Overy said in panel discussion the Association of Corporate Counsel’s annual conference in Boston last week.

The scheme Crédit Agricole ran is known as “wire stripping”—removing information about the originating country of a wire payment to evade sanction laws that forbid banks from working with businesses in certain countries. Regulators have been hammering that practice for a while, Rezendes said, and he describes such cases today as “a dying breed.”

A recurring theme emerging from recent enforcement actions suggests that most wire-stripping activity occurs in a poor culture of compliance. In the Crédit Agricole case, for example, many of the bank’s policies and procedures to omit identifying details about sanctioned parties to U.S. dollar transactions were reviewed and approved by its highest level legal and compliance staff at the Geneva branch. Accordingly, it was the policy of the bank, as directed by its Geneva compliance professionals, to remove or omit Sudanese, Iranian, Burmese, or Cuban information from U.S. dollar-denominated payment messages.

“In trends we will see going forward with respect to enforcement: fewer cases, much more sophisticated, high-dollar enforcement actions by OFAC that include coordination across other U.S. government agencies, both at the state and federal level, as well as across other jurisdictions.”
Maura Rezendes, Senior Counsel, Allen & Overy

The Crédit Agricole settlement is just the latest in a long list of other big settlements: BNP Paribas, $8.9 billion; Schlumberger, $232.7 million; ING Bank, $619 million; Credit Suisse, $536 million; HSBC Holdings, $375 million; Lloyd Bank, $217 million; Standard Chartered, $132 million; Barclays, $172 million.  

Tougher Sanctions

Even as penalties get bigger, global sanctions programs are becoming more complex, giving compliance departments a double whammy. Sweeping bans against business in whole nations (think Cuba, Iran, North Korea once upon a time) are giving way to more nuanced sanctions against specific businesses or transactions (think Russia and Iran today). “We’re starting to see an evolution in the type of sanctions programs that the United States is implementing,” Rezendes said.

Unfortunately, that evolution makes implementing compliance programs more difficult. Passage of the Ukraine Freedom Support Act (UFSA) in December is one example of the targeted approach Congress is taking toward sanctions. At its core, the UFSA authorizes Congress to establish “sectoral” sanctions and asset-blocking on certain Russian defense, energy, and financial services companies.

Traditionally, the Specially Designated Nationals (SDN) and Blocked Persons lists issued by OFAC has been black and white: Either you can do business with a particular entity, or you can’t. Sector sanctions don’t establish blanket restrictions on a particular entity; they establish restrictions on certain types of activity involving that entity.

“The Russian sanctions are incredibly difficult,” Allie Cheatham, head of sanctions consulting and advisory group at JPMorgan Chase, said at the ACC event. “They are a complete shift from how sanctions were approached.”

BEST PRACTICES

Below is a list of suggested best practices for corporate counsel regarding sanctions compliance.
Know the rules

Obtain information from multiple sources.

Use reliable outside counsel (U.S. & non-U.S.) that posts news promptly.

Read source documents; don’t rely on interpretations of others.

Make sure you have latest information, as the landscape can change daily.

Establish jurisdictional reach: When does U.S. jurisdiction apply?

Understand applicability to entities owned/controlled by sanctioned persons/entities.
Participate

Listen during government calls.

Attend trade association meetings/conference calls.

Ask questions.

Benchmark with other companies.
Implement

Communicate internally—both up to the top and down; be clear, concise and current. Make sure facilitation restrictions are clearly understood.

Post internally-prepared FAQs and flowcharts.

Establish and document robust procedures.

Conduct training geared to different internal audiences and post materials.

Audit.

Incorporate sanctions restrictions into corporate M&A programs.
Source: Allen & Overy.

“Crimea has also been a big headache,” Cheatham said. An executive order issued in December prohibited the trade of goods, technology, or services to and from the Crimea region of Ukraine, as well as new investments there. But because Crimea is a region rather than a country, “it makes it very difficult to restrict,” she said.

Adding yet another layer of complexity to sanctions compliance: OFAC has warned that some people list cities in Crimea as being in Ukraine, and others in Russia. “You have to identify all the cities and towns in Crimea,” Cheatham added. Such nuances have led to a “massive increase in the amount of effort that financial institutions have to undertake,” she said.

Conflicting Sanctions

Several other speakers at ACC warned that sanctions law across multiple countries is inconsistent. The United States, Britain, Japan, Canada, and Australia all maintain their own sanctions programs, for example. So does Switzerland. On the other hand, while the European Union does have its own EU-wide sanctions program, it does not have a single enforcement agency like OFAC here in the United States—and member nations within the European Union can maintain their own programs as well. 

“If you’re dealing with EU sanctions, it’s very important to always keep in mind the European Union is not a sovereign government, and EU sanctions are implemented at a member state level,” said Neyah van der Aa, an associate with law firm Allen & Overy. “A lot of member states have their own sanctions that are separate and sometimes more far-reaching than the EU sanctions.”

“Blocking statutes” in other countries—where Country B prohibits a business working there from complying with a sanctions program required by Country A—can also add risk. In the European Union and Canada, for example, businesses organized there are not allowed to comply with the United States’ sanctions against Cuba.

The solution to conflicts of law issues, according to OFAC, is licensing. Before OFAC will consider issuing a license, however, “they will require a real and present conflict,” Rezendes said. Such conflicts could involve a real threat of an enforcement action from a domestic regulator or a lawsuit from customers, she said.

Facilitation Risks

Under OFAC’s theory of facilitation, U.S. workers or businesses can violate sanctions law by directing, approving, or otherwise supporting the company’s business in sanctioned countries. As an entity incorporated in the British Virgin Islands, for example, Schlumberger wasn’t directly banned by U.S. law from doing business in Iran and Sudan. U.S. law does, however, bar any non-U.S. company from involving its U.S. branches or employees to support business in those sanctioned countries.

According to the Justice Department, employees in Schlumberger’s drilling and management unit routinely approved expenditure requests, made strategic decisions, and provided technical support for Schlumberger Oilfield entities doing business in Iran and Sudan—despite Schlumberger’s compliance policies to the contrary.

“If you are operating across the globe, and you do have part of your business doing business with sanctions targets, it really has to be 100 percent separated from U.S. operations,” Rezendes said.

Referrals are another facilitation risk. You cannot refer a business opportunity to an offshore entity that you, as a U.S. person, would be barred from handling yourself, Rezendes warned. Nor is it legal to change your policies to accommodate prohibited business activities, such as altering the way data approval processes work if a transaction above a certain dollar threshold requires approval by a U.S. officer or director.

“You can’t change your policy to have approval done outside the United States to accommodate that business,” Rezendes said. “Those are some examples of how facilitations play out in real-world corporate scenarios.”