The Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced Thursday that Bank of China’s U.K. arm (BOC UK) agreed to pay $2.3 million to settle its potential civil liability for processing transactions in apparent violation of now-repealed Sudan sanctions regulations.

Between September 2014 and February 2016, BOC UK processed 111 commercial transactions totaling $40.6 million through the U.S. financial system on behalf of parties in Sudan, OFAC stated. The sanctions regulations allegedly violated were repealed in October 2017; investigations related to violations before that date can still lead to enforcement.

According to OFAC’s web notice, BOC UK conducted a review to identify potential Sudan-related transactions following an internal investigation triggered by a Sudanese customer’s request to process a payment. That review identified two customers who had engaged in Sudan-related transactions processed through the U.S. financial system.

Both customers were incorporated outside Sudan but maintained subsidiaries within the country that carried out dealings with BOC UK. The bank had information in both cases that made it apparent it was working with entities in the sanctioned region, according to OFAC.

Compliance failures: In relation to both customers, the internal customer database of BOC UK “did not include reference to Sudan in the name or address fields,” OFAC stated. Messages processed for those customers by the bank through U.S. banks did not include any references to Sudan.

The staff of BOC UK failed to “appropriately evaluate and escalate potential transactions with underlying account and transactional documentation indicating ties to Sudan,” OFAC alleged.

Mitigating factors: BOC UK self-identified and voluntarily self-disclosed the apparent violations, which constituted a non-egregious case. OFAC further credited the bank with undertaking the following measures intended to minimize the risk of recurrence of similar conduct:

  • Establishing an executive level committee responsible for implementation of compliance policies and procedures that reports to the board of directors;
  • Conducting an annual enterprise-wide sanctions risk assessment by business line that incorporates monitoring of risks and internal audit testing and integrates input from external consultants;
  • Applying a centralized customer due diligence function firm-wide;
  • Customizing firm-wide staff training on sanctions compliance based on employee tenure and business line; and
  • Enhancing policies and procedures to better address U.S. sanctions regulations applicable in processing payments through the United States.

These enhancements helped BOC UK avoid a fine of $4.3 million.

OFAC stated the case “highlights the importance of ensuring that know-your-customer information is integrated holistically throughout internal databases that inform compliance decisions and that potential sanctions concerns are appropriately flagged and escalated when a sanctions nexus may be present.”