When Screening for Bad Guys, Matching Names No Longer Enough
The most aggressive enforcer of federal sanctions law may now be New York State. At home and overseas, this could cause a lot of people a lot of problems.June 20
New York regulators announced a $250 million settlement Thursday with Bank of Tokyo Mitsubishi-UFJ (BTMU) for violating United States sanctions against countries including Iran, Sudan and Myanmar.June 20
In a little-noticed civil penalty release in June 2013, the Office of Foreign Assets Control, the U.S. Treasury office responsible for administering and enforcing economic sanctions, raised the bar on acceptable checking practices and potentially exposed many banks and other financial institutions to penalties.
This agreement between OFAC and Wells Fargo settled potential civil liability for "804 apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations" for only $23,937. The 804 apparent violations involved accounts Wells maintained for two individuals designated under the Kingpin Sanctions and placed on the Specially Designated Nationals List.
The importance of the case is not in the relatively small amount of the fine. Rather, it is in the rationale for the fine and the critical impact this case will have on bank compliance practices from now on.
Wells opened accounts for and transacted business with two individuals:
Claudia Aguirre Sanchez. On Dec. 12, 2007, OFAC designated Aguirre Sanchez under the Kingpin Sanctions. Prior to this Wells had opened an account for her, but in the name of Claudia Aguirre (no "Sanchez"). She provided a U.S. address, Social Security Number and date of birth, in accordance with Wells' Customer Identification Program.
Carlos Antonio Ruelas Topete. This individual was placed on the SDN List on Jan. 12, 2005. From Nov. 2008, to May 2010, Wells maintained an account for Carlos A. Ruelas (without "Antonio" or "Topete"). At account opening, he provided Wells with a U.S. address, Social Security number, and birthdate, again in compliance with Wells' customer identification program.
In both instances, the dates of birth provided at account opening matched those on the SDN List. While OFAC referenced a number of mitigating factors in reaching the settlement amount, it stated only two aggravating factors:
1. Wells did not include screening based on date of birth in its OFAC compliance procedures at the time of the apparent violations, and,
2. Wells "is a very large and highly-sophisticated financial institution."
Lesson Learned. If your financial institution's OFAC compliance program only matches names, this is no longer enough (if it ever was). In this settlement, OFAC is saying that a "large and highly-sophisticated" financial institution must check both major points of intersection, between the SDN List and a financial institution's CIP, name and date of birth.
But where is the "Wells Rule" line drawn? Clearly, if a company is larger than Wells, it is subject to the rule. There are few firms matching that description, since Wells is the fourth-largest bank in the U.S. As of June 30, Wells had $1.4 trillion in assets.
Where is the line drawn beneath this size? While this is unknown at the present time, OFAC will move the line farther and farther down the asset and perceived sophistication scale in the coming months. This conclusion is based on OFAC's history of requiring increasingly capable OFAC screening as more individuals are placed on the SDN List and computers become more powerful.
The cost of including this additional factor (date of birth) in the OFAC screening process may be substantial and cause major retooling of compliance software (internal or vendor-supplied) and procedures. Companies should check with their OFAC software vendors to see if they are "Wells Rule" compliant now and, if not, should move toward compliance as quickly as possible.
Experience with Financial Crimes Enforcement Network, OFAC's sister organization at the Treasury, illustrates that information system changes take time and money. An example of this is the effective date of Fincen's "travel rule." Adopted as a final rule on Jan., 3, 1995, it required that certain originator- and beneficiary-related information be included in electronic funds transfers. But implementation, due mainly to software issues, was postponed until July 1, 2004.
While the "travel rule" experience illustrates the difficulty in making global changes to financial information systems, it also demonstrates that financial institutions will increasingly be required to capture information useful to law enforcement and to use these facts effectively in their compliance programs. The Wells decision is another step in mandating that financial institutions to be active partners in enforcing U.S. law and foreign policy goals.
D.E. Wilson, Jr. is a former White House and Treasury official now a partner with Venable LLP in Washington.