Compliance officers might want to take a close look at the wrist-slap that State Street Corp. received from the Office of Foreign Assets Control on Tuesday, for violations of sanctions against Iran. It’s a small but telling example of how a robust compliance program brings benefits, OFAC or otherwise.
OFAC did cite State Street for violating Iran sanctions, because the bank acted as custodian for a customer’s retirement plan and processed $11,365 worth of pension payments to the customer, a U.S. citizen, while he was residing in Iran in the mid-2010s.
On the other hand, OFAC did not impose any monetary penalty against State Street because the bank used screening software that found the suspicious payments, self-reported the transactions once compliance staff knew about them, and improved its escalation procedures for suspicious payments in the future.
In other words, State Street did those things OFAC just told us an effective sanction compliance programs should do, in that “Framework for OFAC Compliance Commitments” guidance that OFAC published on May 2. And now we have an example of how following those principles can lead to a better outcome.
Let’s start with the facts of the case. According to OFAC’s enforcement order, State Street was the custodian of a customer’s pension plan. This customer was a U.S. citizen, with a U.S. bank account. From January 2012 until September 2015, State Street processed 45 pension payments to that customer, into the U.S. bank account, while that person was living in Iran.
State Street knew it was processing financial transactions for a person living in Iran, both because the customer had given a mailing address in Tehran and because the bank’s screening software flagged all 45 transactions.
Here’s where it gets tricky. The State Street division that managed pension payments, Retiree Services Staff, used its own sanctions screening filter instead of State Street’s centralized sanctions screening filters. Moreover, when RSS staff did find fishy transactions, standard escalation procedure was to send those alerts to State Street’s line-of-business compliance teams responsible for the RSS unit — not to State Street’s specialized sanctions compliance team, which the bank does have. Those line-of-business compliance officers reviewed the 45 transactions manually and approved them all.
State Street’s compliance team discovered the error in 2015 (we don’t know how) and self-reported to OFAC. Then the bank remediated its procedures so that all RSS transactions run through the same centralized screening software, and any questionable payments are escalated directly to State Street’s sanctions compliance team for further review.
Weighing the Factors
First, State Street did process these payments to a person living in Iran, and employees knew that the transactions were destined for that person in Iran. (After all, the transactions were flagged by RSS’ screening software and sent to compliance staff for review.) So there’s no question that State Street violated sanctions law.
Worse, the Federal Reserve Bank of Boston had previously warned State Street about inadequate escalation procedures, yet the payments continued — 45 times, over the course of 33 months, at a large and sophisticated financial firm that should have known better.
On the other hand, OFAC notes, the errors in judgment seemed to be confined to the Retiree Services Staff; no managers or supervisors in State Street’s main management function knew these payments were happening. Plus, once State Street’s main compliance team did grasp what was happening, they self-reported and remediated the weaknesses in the bank’s escalation procedures.
It’s also not clear that the $11,365 transferred to the customer ever did end up in Iran, and at the time of the offenses, while the Obama Administration was tiptoeing around better relations with Iran, those transfers might have become licensed anyway.
All those factors, OFAC said, led to the conclusion that no monetary penalty was appropriate here.
Fundamentally the problems here were about decentralized compliance. The RSS unit had its own sanctions filtering software, and referred potential issues to the unit’s own compliance staff. We can trace that approach back to several root causes of sanctions compliance failure that OFAC discussed in its May 2 guidance.
For example, OFAC has a whole section dedicated to the risks of a decentralized program, which seems almost tailor-made for the facts here:
Several organizations… have committed apparent violations due to a decentralized program, often with personnel and decision-makers scattered in various offices or business units. In particular, violations have resulted from this arrangement due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk or potential OFAC customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.
Using line-of-business compliance staffers rather than sanctions compliance specialists also fits with OFAC’s warning about “misinterpreting, or failing to understand the applicability of, OFAC regulations.” The guidance states:
For example, several organizations have failed to appreciate or consider (or, in some instances, actively disregarded) the fact that OFAC sanctions applied to their organization based on their status as a U.S. person, a U.S.-owned or controlled subsidiary (in the Cuba and Iran programs), or dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods and technology.
We don’t know for sure that State Street’s line-of-business compliance staff misunderstood OFAC regulations for this customer, but he was a U.S. citizen, placing money into a U.S. bank account — which was irrelevant, because he was living in Iran, and that’s what mattered. Sanctions specialists would know that, and they weren’t involved here.
All that said, once State Street did understand that it had problems, the bank corrected them. Above all, it streamlined its escalation procedures so that when a sanctions risk now does emerge, it goes to a compliance professional with enough expertise and authority to resolve the question properly.
Or, as the OFAC guidance says, a sufficient sanctions compliance program will have staff who “understand complex financial and commercial activities, [and] apply their knowledge of OFAC to these items, and identify OFAC-related issues, risks, and prohibited activities.”
That’s what State Street undertook to achieve with its sanctions compliance program, and today’s violation-but-no-penalty enforcement action is the result.
First OFAC Lesson, Not the Last
The other important lesson in this enforcement action is simply that OFAC took this action at all. It’s a sign that OFAC is indeed looking at transactions like this, which exist almost entirely in the U.S. legal and regulatory system except for the recipient living in Iran.
So we might see more such enforcement actions in the future. If your sanctions compliance program isn’t working hard to assess its risks and to build effective policies and procedures, you might not get away penalty-free like State Street.