Article New York Law Journal

10 Takeaways From OFAC’s Settlement Agreements With Non-U.S. Banks

In this article for New York Law Journal, attorneys Mario Mancuso, Anthony Rapa, Sanjay Mullick and Anais Bourbon discuss two recent settlement agreements between the U.S. Department of the Treasury’s Office of Foreign Assets Control and non-U.S. financial institutions, and important lessons for non-U.S. banks and non-U.S. companies conducting global transactions.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued two settlement agreements on consecutive days with non-U.S. financial institutions, which affirm the extensive reach of U.S. economic sanctions and underscore the government’s increased industry compliance expectations. On Aug. 26, OFAC reached a $2,329,991 settlement with Bank of China (UK) Limited, a financial institution located in London. On Aug. 27, OFAC reached an $862,318 settlement with First Bank SA, located in Romania, and its U.S. parent, JC Flowers & Co. The settlement agreements offer several important lessons for non-U.S. banks and non-U.S. companies conducting global transactions.

1. Transactions by non-U.S. persons can still be subject to OFAC sanctions. OFAC stated that from 2014 to 2016, Bank of China (UK) processed Sudan-related payments via U.S. correspondent banks. Its processing payments “through the U.S. financial system” constituted exporting financial services from the United States, in apparent violation of the Sudan sanctions, which in 2017 were repealed. Similarly, OFAC stated that from 2016 to 2018, First Bank processed payments for individuals and entities located in Iran and Syria through U.S. banks. Doing so constituted an indirect exportation of financial services and “caused U.S. financial institutions to export financial services” to Iran and Syria in apparent violation of the Iranian Transactions and Sanctions Regulations (ITSR) and Syrian Sanctions Regulations. OFAC emphasized the importance of non-U.S. financial institutions understanding the scope of U.S. sanctions on transactions processed via the U.S. financial system or within the United States.

2. Transactions in non-U.S. currency can still be subject to OFAC sanctions. OFAC explained that between October 2018 and March 2019, First Bank processed payments involving or for the benefit of Iranian parties that were actually denominated in Euros and occurred “outside the U.S. financial system.” Nonetheless, in June 2018 JC Flowers had acquired a majority ownership interest in First Bank, making the bank a subsidiary of a U.S. person. Under the ITSR, a non-U.S. person that is “owned or controlled by a United States person” is subject to the Iran sanctions (as well as the Cuba sanctions) to the same extent as a U.S. person. OFAC emphasized that it was important to monitor newly acquired subsidiaries for compliance, as U.S. sanctions can apply to entities “without a physical presence in the United States.”

3. Parties must make use of information about their counterparties. OFAC stated that Bank of China (UK) had communications from one customer indicating it maintained a branch in Sudan, as well as know-your-customer documentation from another customer indicating it was an entity registered in Sudan. OFAC added, however, that “despite having account and transactional information indicating the Sudanese connection the accounts,” the bank’s internal customer database did not include reference to Sudan in the name or address field of either customer. OFAC emphasized that the case highlights the importance of ensuring that know-your-customer information “is integrated holistically throughout internal databases that inform compliance decisions.”

4. Parties have a duty to make reasonable inquiries. OFAC stated that Bank of China (UK)’s staff failed to appropriately evaluate and escalate potential transactions that provided indications of ties to Sudan. OFAC similarly stated that First Bank “had actual knowledge or reason to know” it was processing payments on behalf of parties in Iran and Syria. Under OFAC’s Economic Sanctions Enforcement Guidelines (Enforcement Guidelines), OFAC states that it will consider whether a party had—or should have had—reason to know “based on all readily available information and with the exercise of reasonable due diligence.” Here, OFAC highlighted that it is important that potential sanctions concerns “are appropriately flagged and escalated when a sanctions nexus may be present.”

5. Senior management must be involved and engaged in compliance. OFAC stated that following the apparent violations, Bank of China (UK) was establishing an executive level committee responsible for implementation of compliance procedures, which ultimately reports to its Board of Directors. Similarly, with respect to First Bank, OFAC stated that the bank had issued a new global sanctions policy, following approval by its Supervisory Board. OFAC’s Framework for OFAC Compliance Commitments (Compliance Framework) calls for senior management, e.g., senior leadership, executives, and/or Board of Directors, to review and approve an organization’s sanctions compliance program (SCP), describing such a commitment as a “critical factor” in determining the SCP’s success. Conversely, under OFAC’s Enforcement Guidelines, lack of management oversight can be viewed as “disregard for its responsibility to comply” with sanctions, an aggravating factor in determining penalties.

6. Internal controls must continuously be improved. OFAC stated that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment messages processed by Bank of China (UK) for the transactions at issue did not include references to Sudan, despite the bank having such information in communications from one customer and in its know-your-customer documentation for another customer. OFAC indicated that Bank of China (UK) represented to OFAC that it would apply a centralized customer due diligence function firm-wide, “to strengthen internal controls.” Under the Compliance Framework, OFAC has indicated that an essential component of an SCP is internal controls, “to identify, interdict, [and] escalate,” and to “report and keep records on activity that may be prohibited by” OFAC sanctions.

7. Self-reporting means disclosing before the U.S. government becomes aware. OFAC indicated that Bank of China (UK) made a voluntary self-disclosure, having conducted an internal investigation after a particular customer’s payment request. However, while OFAC also indicated that First Bank made a voluntary self-disclosure, OFAC indicated that the bank conducted an internal investigation after the National Bank of Romania (the country’s central bank) flagged one of its transactions. As other regulators and stakeholders such as central and commercial banks may identify compliance issues, there can be an incentive for companies to submit an initial notification of an apparent violation to OFAC quickly and then initiate an investigation, to preserve voluntariness credit.

Under OFAC’s Enforcement Guidelines, generally a voluntary self-disclosure is defined as the self-initiated notification to OFAC of an apparent violation “prior to or at the same time that OFAC or any other federal, state, or local government agency or official, discovers” it. Though in one of these cases a non-U.S. government agency learned about the apparent violation first, in both cases OFAC credited the parties with having made a voluntary self-disclosure.

8. Self-reporting can lead to meaningful mitigation. With respect to Bank of China (UK), which processed 111 payments concerning Sudan totaling over $40 million, OFAC indicated that the applicable statutory maximum civil monetary penalty was over $99 million. However, in applying the Enforcement Guidelines to conclude that the case did not represent a particularly serious violation of the law calling for a strong enforcement response (“non-egregious”) and recognizing that it had been voluntarily self-disclosed, OFAC determined that the applicable base civil monetary penalty amount was just over $4.3 million.

For First Bank, which processed 98 transactions concerning Iran and Syria totaling over $3.5 million, OFAC indicated that the applicable statutory maximum civil monetary penalty was over $31 million, but similarly determined that the applicable base civil monetary penalty amount was just over $1.7 million. Given OFAC’s consideration that mitigating factors such as cooperation outweighed aggravating factors such as knowledge, the figures were further reduced to the ultimate settlement amounts of just over $2.3 million and $862,318, respectively.

9. OFAC will consider compliance programs in determining penalties. In both settlement agreements, OFAC explained that its Compliance Framework provides its perspective on the “essential components” of an SCP, which are (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC added that it may incorporate these components into its “evaluation of apparent violations and resolution of investigations resulting in settlements.” Ultimately, the extent of each sanctions compliance program is risk-based depending on a number of factors; for example, OFAC described Bank of China (UK) as a “commercially sophisticated financial institution” involved in processing international transactions, holding it to a higher standard. Nonetheless, the existence of a compliance program not only can help avoid sanctions violations, but also can help reduce potential penalties in the event violations still occur.

10. OFAC may expect extensive remedial measures. OFAC stated that Bank of China (UK) represented that it was conducting an annual enterprise-wide sanctions risk assessment by business line that “incorporates internal audit testing and integrates input from external consultants.” Similarly, OFAC stated that First Bank represented it “more than doubled its compliance staffing overseeing sanctions.” Steps like these require additional personnel and resources, both internally and externally, to demonstrate to OFAC a commitment to safeguard against a recurrence of prior compliance deficiencies. They also demonstrate that, though a voluntary self-disclosure may result in a significant penalty discount, it can come with its own additional costs.


OFAC’s settlement agreements serve as a reminder that the reach of U.S. sanctions is extensive; parties must be diligent and vigilant about their counterparties and transactions; compliance and controls must be coordinated, elevated and continuously improved; voluntary self-disclosure can afford substantial mitigation; and meaningful remedial measures may be necessary to avoid further penalties.

Reprinted with permission from the September 28, 2021 edition of New York Law Journal. Further duplication without permission is prohibited.