Iran war brings urgency to fintechs' sanctions compliance

• Key insight: Fintechs and small banks may receive additional scrutiny from regulators on know-your-customer compliance.
• Expert quote: "Shadow banking is a real threat ... there can't be any ambiguity in decision-making or oversight." —Rob Farling, West Monroe
• Forward look: Expect additional changes to Iran sanctions from the OFAC in the coming weeks.

As the finance industry faces various risks in the outbreak of war in Iran, smaller banks and fintechs are also navigating a changing environment for know-your-customer compliance.

"From a fintech perspective, there's always been a high risk of sanctions evasion," Cassie Schock, chief operations officer for the compliance consulting firm de Risk Partners, told American Banker. "This war just highlights the fact that there is going to be higher scrutiny from regulators."

In the days leading up to the U.S.'s initial strikes on Iran, the U.S. Department of the Treasury's Office of Foreign Assets Control, or OFAC, placed an additional 32 Iranian individuals, entities and vessels on its Specially Designated Nationals list, which prohibits U.S. entities from transacting with them.

Erin DeWitt, a de Risk partner and former community bank executive, told American Banker that sanction-dodging bad actors also target smaller banks.

"People always assume this is just impacting the large money center banks," she said. "The predators are really smart and they know which prey to feast upon. They very much target the smaller community banks, because their system of internal controls may not be as sufficient as the JPMorganChase powerhouse. I live in Louisiana and [worked for] a small community bank that banked an oil field, so we did a lot of transactions with the Middle East and Russia, but we weren't a large player or a large fish. 

"This is something that really does impact the whole U.S. banking system," she continued.

Fintechs, even though they are not officially banks, have also been held responsible for OFAC sanction violations committed on or through their products.

In December, OFAC issued a $3.1 million fine to the U.S. crypto wallet fintech Exodus for 254 violations of OFAC's sanctions on Iran. Twelve of the violations were labeled by the agency as "egregious" instances where customer support staff "recommended that these users obscure their location in Iran using Virtual Private Networks, or VPNs, to avoid the sanctions compliance controls implemented by such exchanges" and access digital asset exchanges through Exodus' wallet software.

"This enforcement action highlights the importance of ensuring that all companies, including new ventures in the financial technology sector, adopt measures to ensure compliance with OFAC sanctions," the enforcement release said.

Schock noted that some fintechs believe their bank partners, at least in part, take care of know-your-customer compliance requirements for them.

"In all the products that you're offering to a client, you can't say, 'Well, we're sponsored by a bank, and that bank has to follow sanctions rules or anti-money-laundering rules, so we don't have to,'" she said. "The fintech has to take accountability, they can't just rely on that bank to do the work for them."

Like traditional banks, fintechs are responsible for ensuring capital is not moving in violation of applicable sanctions, according to West Monroe's national risk and regulatory banking lead Rob Farling.

"That starts with making sure sanctions lists are up to date and screening systems are working as intended," he told American Banker. "Even if a fintech operates on a non-custodial basis or acts purely as an intermediary, it still has an obligation to block and report transactions that attempt to move funds out of sanctioned jurisdictions."

Schock believes, however, that name screening alone is not fully sufficient for sanction compliance.

"It's not just the names involved in the transactions," she said, "but the underlying data and the type of transaction that really should determine what level of enhanced due diligence you're doing on that particular client or transaction. Anyone involved in shipping, imports/exports or the oil industry really needs to have a deeper dive at this point, for China and Iran in particular."

China and Iran currently have a strong trade relationship, and according to Schock certain types of transactions involving China should also be inspected by banks and fintechs in their compliance protocols to ensure that sanction dodges aren't being unwittingly assisted.

Cryptocurrency and stablecoins have also been a compliance concern for banks and regulators. When Russia first invaded Ukraine in 2022, U.S. lawmakers expressed concern in a letter to the Treasury that Russian banks and oligarchs could use cryptocurrency to dodge retaliatory sanctions.

The blockchain analytics firm Elliptic reported in late January that it determined "with a high level of confidence" that the Central Bank of Iran purchased "at least $507 million" in USDT, Tether's U.S. dollar-backed stablecoin, last year.

"'Shadow banking' is a real threat, and when you layer in the complexity of digital currencies, there can't be any ambiguity in decision-making or oversight," Farling said.

However, sanction compliance in regard to Iran could also shift the other way in the coming weeks. Trump said on Sunday that he was open to lifting sanctions on Iran if the new leadership showed itself to be a pragmatic partner, according to the New York Times.