Some red meat for all you sanctions compliance nerds: a Deutsche Bank subsidiary has agreed to pay $583,000 for two separate sanctions violations. One involved compliance employees improperly configuring a sanctions screening tool; the other, senior business and compliance managers rushing a transaction without appropriate due diligence.
The Office of Foreign Assets Control announced the settlement on Wednesday. The subsidiary in question is Deutsche Bank Trust Company Americas, which is headquartered in New York and provides all the usual banking services one expects from a global bank. The sanctions blunders happened in 2015, and as usual, they provide some interesting lessons for the rest of the compliance community.
The more notable infraction happened in December 2015, when Deutsche Bank processed 61 transactions that sent a total of $276,000 to a Russian investment firm called Krayinvestbank. That bank has been on OFAC’s list of sanctioned entities since 2015, in retaliation for Russia’s invasion of Crimea the year before.
What happened, exactly? As described in the OFAC settlement order, when Deutsche Bank employees were adding Krayinvestbank to their sanctions screening tool, they failed to include Krayinvestbank’s SWIFT business identifier code. That was contrary to internal compliance procedures.
Another issue: at the time of those 61 transactions, Deutsche Bank’s screening tool was configured so that only a payment with an exact SDN List match would trigger manual review. So even though all 61 transactions included Krayinvestbank’s SWIFT code, and a nearly identical match for the bank’s name and address, the majority of payments sailed past without manual intervention.
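The two configuration gaps described above, as an added example (not taken from the OFAC order or from Deutsche Bank's tool): an exact-match-only filter with the BIC missing from the list entry, beside a filter that compares BICs and scores near-identical names. Every BIC, payment record and the 0.85 threshold are constructed assumptions; only the entity name comes from the article.

```python
from difflib import SequenceMatcher

# Constructed data: the entity name is from the article; every BIC is a placeholder.
ENTRY_AS_LOADED = {"name": "KRAYINVESTBANK", "bic": None}       # BIC left out of the entry
ENTRY_COMPLETE = {"name": "KRAYINVESTBANK", "bic": "ZZZZRU00"}  # BIC included

PAYMENTS = [  # constructed payment instructions
    {"id": 1, "beneficiary": "Krayinvest Bank", "bic": "ZZZZRU00XXX"},
    {"id": 2, "beneficiary": "KRAYINVESTBANK", "bic": "ZZZZRU00"},
    {"id": 3, "beneficiary": "Kray Invest Bank OJSC", "bic": "ZZZZRU00"},
    {"id": 4, "beneficiary": "Northwind Trading LLC", "bic": "AAAAUS00"},
    {"id": 5, "beneficiary": "KIB", "bic": "ZZZZRU00"},
]

def norm(name):
    """Uppercase and drop spaces/punctuation so spacing variants compare equal."""
    return "".join(ch for ch in name.upper() if ch.isalnum())

def exact_only(payment, entry):
    """Weak setting: alert only on a character-for-character name or BIC match."""
    if payment["beneficiary"].upper() == entry["name"]:
        return True
    return entry["bic"] is not None and payment["bic"].upper() == entry["bic"]

def bic_and_fuzzy(payment, entry, threshold=0.85):
    """Corrected setting: BIC compared on its 8-character institution prefix,
    plus a similarity score on the normalized name (threshold is an assumption)."""
    if entry["bic"] and payment["bic"].upper()[:8] == entry["bic"][:8]:
        return True
    score = SequenceMatcher(None, norm(payment["beneficiary"]), entry["name"]).ratio()
    return score >= threshold

def alerts(payments, entry, matcher):
    """Return the ids of payments that would be routed to manual review."""
    return [p["id"] for p in payments if matcher(p, entry)]

if __name__ == "__main__":
    print("exact only, BIC missing :", alerts(PAYMENTS, ENTRY_AS_LOADED, exact_only))
    print("fuzzy name, BIC missing :", alerts(PAYMENTS, ENTRY_AS_LOADED, bic_and_fuzzy))
    print("fuzzy name + BIC loaded :", alerts(PAYMENTS, ENTRY_COMPLETE, bic_and_fuzzy))
```

Payment 5 is the case that only the BIC catches: its name is too far from the list entry for any reasonable similarity threshold, which is why the missing identifier matters independently of fuzzy matching.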
From Sanctions Problem to Resolution
The theoretical maximum penalty for a violation like this is $18 million, yet Deutsche Bank Trust ended up paying only $425,000 for this specific incident. How did that happen? Let’s take a look at aggravating factors OFAC didn’t like, and mitigating factors that it did.
First, the aggravating factors:
- Deutsche Bank had a prior OFAC settlement in 2013 for a nearly identical violation: failing to include a sanctioned bank’s SWIFT business identifier code in the bank’s screening tool. (That makes me wonder about the effectiveness of Deutsche Bank’s screening compliance program since then. Hmmm.)
- Deutsche Bank employees failed to comply with internal policies and procedures when they flubbed the SWIFT codes for Krayinvestbank.
- Deutsche Bank should have known about the transactions at issue because each set of payment instructions contained the SWIFT codes for Krayinvestbank.
- Deutsche Bank “is a large and sophisticated financial institution,” which means it should have known better.
And the mitigating factors:
- Deutsche Bank doesn’t appear to have acted with willful intent to violate U.S. sanctions law or with a reckless disregard for its U.S. sanctions obligations.
- No supervisory or managerial staff appear to have been aware of the conduct here.
- The apparent violations represent a small percentage of the large volume of transactions Deutsche Bank processes annually.
- In response, Deutsche Bank implemented changes promptly to its procedures for adding BICs to its interdiction filter.
- Deutsche Bank cooperated with OFAC’s investigation of the apparent violations by providing well-organized and user-friendly information in a prompt manner.
Net all that out, and OFAC decided that Deutsche Bank Trust Company Americas deserved a $425,000 slap for the alleged violation.
What’s interesting to me is that yet again, we see OFAC hitting a company for configuration of its screening tool. To the best of my knowledge, OFAC only started doing that in 2018, when it fined a Virginia electronics manufacturer $87,500 for a subsidiary’s misconfigured screening tool.
So these fines aren’t large, and they’re not frequent — but they do happen. I suspect an offending company’s general counsel would be none too pleased with the sanctions compliance team under that circumstance, since configuring the screening tool correctly is your job. Be warned.
And the Second Sanctions Incident
The second apparent violation happened in August 2015, when Deutsche Bank processed a $28.8 million transfer related to a bundle of fuel oil purchases. One of the parties “involved” in the purchases was IPP Oil Products Ltd., a Cyprus-based business also on OFAC’s sanctions list for Russia’s invasion of Crimea.
When that transaction arrived at Deutsche Bank’s desk, one of the lawyers involved in the deal told Deutsche Bank that IPP had previously owned the property in question, but no longer did when OFAC added IPP to its sanctions list.
Spoiler alert: that statement was not true. As the OFAC settlement says, “Despite verbal assurances made to [Deutsche Bank]… that IPP’s title to the fuel oil had transferred prior to IPP’s designation, OFAC has determined that IPP nonetheless had an interest in the transaction.”
OK, clients lying to banks about what’s really going on is nothing new. But then, that’s the whole point of due diligence, isn’t it? The OFAC order continues:
During the course of a phone call and subsequent email communications with the Entity, [Deutsche Bank] became aware that the payment was related to a purchase of fuel oil in which IPP, at some point, had been involved…
[Deutsche Bank] personnel involved in the exchanges appear to have accepted the verbal assurance from the Entity’s U.S. counsel and processed the transaction, the instructions for which did not contain an explicit reference to an entity on the SDN List, approximately one hour after the Entity first contacted [Deutsche Bank], without taking steps to independently corroborate the representations made by the Entity in order to ensure compliance with OFAC’s regulations.
This incident makes me think of that due diligence guidance FinCEN has published recently about how to comply with the Customer Due Diligence rule. That guidance didn’t provide much clarity about what compliance teams are supposed to do. Rather, it encouraged you to “take a risk-based approach,” and you need to decide for yourself what that means.
Well, this incident with IPP is an example of what that means. Deutsche Bank had a big transaction where compliance staff knew the deal had connections to a sanctioned bank. Rather than apply a higher standard of due diligence, where the bank might have discovered IPP’s continued involvement, Deutsche Bank took the word of a lawyer involved in the deal — word that subsequently turned out to be baloney.
The result was $157,700 in penalties. One aggravating factor: “Several senior managers within the bank’s anti-financial crime division, as well as a representative from its counsel’s office, failed to exercise a minimal degree of caution or care in connection with the conduct that led to the apparent violation.”
Ouch. Yet again, we have a rush to complete a lucrative transaction, rather than prudence to take the necessary time to perform due diligence.