Swedbank Latvia agreed to pay more than $3.4 million to resolve apparent U.S. sanctions violations in the Crimea region of Ukraine, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced.

Swedbank announced the settlement Monday, which OFAC confirmed in a press release Tuesday. The bank self-disclosed the apparent violations in March 2020, though OFAC noted this was not voluntary. The agency concluded the violations were non-egregious, however, and levied a civil penalty in the case below the base applicable amount.

In March, Swedbank said it reserved 40 million Swedish krona (U.S. $3.7 million) for a settlement regarding the matter.

The details: Prior to Russia’s 2014 invasion of Crimea, Swedbank Latvia onboarded a shipping client in Crimea that owned three special purpose companies (SPCs), said OFAC in its enforcement release.

Around March 2016, the owner of the SPCs used Swedbank Latvia’s e-banking platform from an IP address in Crimea to send payments to a U.S. correspondent bank, the agency said.

The correspondent bank rejected the payments, citing potential sanctions violations, and alerted Swedbank Latvia, per OFAC. However, the correspondent bank failed to reply to Swedbank Latvia with additional information upon request, leading Swedbank Latvia to rely on false assurances from the SPC owner and eventually approve the payments after rerouting them to a different U.S. correspondent bank, OFAC said.

Compliance considerations: When Swedbank Latvia onboarded the client, it obtained know your customer (KYC) data, including addresses, telephone numbers, and a customer questionnaire that clearly indicated a physical presence in Crimea, according to OFAC.

Despite having the data, the bank failed to integrate it into its sanctions’ screening process, the regulator said. Because of this oversight, the bank allowed 386 transactions totaling more than $3.3 million that apparently violated sanctions, OFAC said.

Swedbank Latvia did not voluntarily self-disclose the violations because a third party notified the agency first, OFAC noted.

The regulator identified the bank exiting its relationship with the SPCs in December 2016 and the SPC owner in February 2017 as mitigating factors. Other mitigating factors included:

  • Implementing geofencing to prevent customers from sending online banking payments from IP addresses in sanctioned jurisdictions;
  • Adopting automated controls within transaction screening to identify potential resubmissions of payments after rejection;
  • Establishing enhanced due diligence for high-risk customers undertaking any payments in U.S. dollars and for responses to correspondent banks;
  • Expanding compliance staff to implement the new protocols; and
  • Undertaking measures to improve its KYC, anti-money laundering, and financial sanctions controls.

Company response: “Swedbank takes the historical shortcomings seriously and has learned from them in the comprehensive work that has been performed to strengthen internal governance and control,” said Tomas Hedberg, Swedbank deputy president and deputy chief executive officer, in a press release.

Investigations by the Department of Justice, Securities and Exchange Commission, and New York State Department of Financial Services regarding the apparent sanctions violations remain ongoing, according to the bank. Swedbank said it could not yet assess the financial consequences or completion timeline of the probes.