Sanctions compliance a struggle for banks

Sanctions compliance is no longer a backwater: a combination of growing use, more active enforcement and harsher fines for non-compliance means that no internationally active bank can ignore its importance


US regulators are on the warpath over sanctions violations. The fine of $8.9 billion imposed on BNP Paribas at the end of June sent out a signal that those who breach the restrictions should expect a heavy punishment.

BNP Paribas was found to have been trading with Iran, Cuba and Sudan between 2004 and 2012, in what the US attorney general Eric Holder called "a complex and pervasive scheme to illegally move billions through the US financial system". The French bank pleaded guilty to two criminal charges and, in addition to the fine, it was forced to pull out of some dollar-clearing markets for a year and fire 13 executives.

Other banks should prepare themselves for similar hits, warns Scott Maberry, a partner focusing on sanctions policy at Washington, DC-based law firm Sheppard Mullin Richter & Hampton. He says the US Department of Justice has "seven or eight banks" in its sights for sanctions breaches.

US authorities are trawling through the records of large banks operating in the country and finding widespread sanctions violations, he says. "It is very hard to look into the last five years of a bank's activities and not find a Sudan connection to a transaction in, say, a dollar clearing account. It only takes one person to overlook a violation and many illegal transactions will follow. If the bank hasn't yet got a subpoena or a summons from the Department of Treasury or the US banking regulator, or a mutual legal assistance request from their own justice ministry, they are likely to get one soon. The authorities are looking into these things and are starting to find violations."

Sanctions breaches are treated by the US authorities as a matter of national security, rather than of commercial compliance, and the scale of the investigations and size of the penalties reflect this. Maberry comments: "The authorities are super-zealous when it comes to policing sanctions and punishing those that breach the law."

Sanctions policy is enforced by statutory ordinance and not regulation. The authorities neither give guidance nor negotiate. The duty to apply sanctions is regarded as one of strict liability, meaning the act of breaking a sanction puts a company at risk of prosecution, irrespective of whether it did so knowingly.

Emma Hodges, a forensic accountant with Forensic Risk Alliance, a UK-based diligence and compliance consultancy, says: "There is limited legal defence against sanctions violations – one either deals with a sanctioned entity or does not. And there is little due process around regulatory investigations and fines. This means the regulators have a lot of power – ask BNP and the growing number of banks who have already paid up billions of dollars in fines, like Barclays, Lloyds, Standard Chartered, RBS and others."

She adds: "The US has been more than willing to criminally prosecute corporations; again, BNP and also Credit Suisse. In this current climate it is therefore unsurprising to see compliance issues move up the agenda. There has also been a shift in focus from bribery and corruption to concerns surrounding sanctions exposure – a compliance risk area that, until recently, had taken a bit of a backseat."

The first decision to breach sanctions law is typically taken low down in an organisation, where it may be regarded as little more than a technical issue. Competitive issues are also a factor. A bank may wish to protect a long-standing relationship with a party on a sanctions blacklist or it may see an opportunity to gain a new client that has been shunned by those banks observing sanctions regulations. This can lead banks to develop schemes to obscure the source or destination of funds proscribed by the blacklists.

Financial institutions are in the regulators' line of fire, says Maberry. "There has been a flood of new restrictions on financial institutions. One of the first things done in the US was a regulation that shut down banks' ability to have correspondent banking accounts with certain named Iranian banks."

Swift justice

US investigators went on to target banks that were found to be deleting references to sanctioned countries and individuals in Swift codes. The manoeuvre was so successful that standard interdiction software failed to detect the alteration of a Swift code to disguise the involvement of an Iranian counterparty. These investigations and subsequent prosecutions became known as 'stripping cases'.

The pressure on overseas banks increased when US authorities passed a law prohibiting a foreign person from doing anything that would cause a US person to violate the law unintentionally. This sought to protect US banks from placing themselves at risk by handling transactions where the evidence had been removed that a sanctioned state was the counterparty.

Maberry says: "This provided the US nexus when the foreign banks were stripping off the codes. If they omit information that would be caught by US banks' interdiction software, they are subject to prosecution. Each one of these is a violation of the law and you could be talking about millions of violations based on one policy."

[Image caption: BNP Paribas has fallen foul of US sanctions legislation]

The bank's senior managers only learn of a breach from the authorities, and this can complicate negotiations as the top directors struggle to understand how it occurred or even why the US authorities are taking it so seriously. Maberry comments: "The executive directors of the banks have not issued the orders that caused the violations, so it's news to them, and they have to orient themselves and realise it will be charged as a foursquare violation of US law."

The board executives of foreign institutions also struggle to understand how the US law can affect them when they are not US banks.

The corporate challenge is to have systems of controls over trading systems and counterparties to ensure firms enforce required sanctions policies. To an extent this mirrors the due diligence required for anti-money laundering (AML) enforcement, but sanctions breaches require additional software and other reference databases.

Internal monitoring and control of sanctions regimes in institutions is also required to pinpoint the risk that operatives lower down in a company fail to comply with sanctions regimes or yield to commercial pressure to bypass sanctions controls.

Check list

The key to the compliance system for sanctions is the efficiency of the interface with sanctions blacklists. A plethora of institutions, such as the United Nations, the Federal Reserve and the UK Treasury, maintain lists of designated individuals, companies and countries. These lists are complex and change constantly, says Scott Geddes, a Deloitte compliance partner. "Sanctions are getting more complex and targeted," Geddes says.

Some thousand laws and ordinances specifying sanctions place intense pressure on corporate monitoring and compliance systems. Such lists of 'designated persons' include industrial as well as financial names. Many ordinances are highly prescriptive, targeting components that form part of a larger designated product or system. "If you're screening a simple term of one word against a list, it can be quite straightforward to determine whether there is a match between the terms," says Geddes. "But when it comes to more complex, concatenated terms, the screening technology is much less effective in being able to match."

It is crucial to have know your customer (KYC) and AML measures in place that are sufficient and robust, says Hodges. "Within sanctions and embargo legislation, the designation of individuals and entities – and the penalties that may be incurred for any actual or alleged breach – is a constantly moving target. Take the examples of Myanmar and Zimbabwe where sanctions have eased, compared to the likes of Russia, North Korea and Syria where they are tightening. Even if there are no direct dealings with sanctioned or embargoed regimes, individuals or entities, it is vital to have evidence to hand for the regulatory authorities that there are no designated persons standing behind the individuals and entities being dealt with."

As well as companies needing to know their counterparties, they are also keen to understand the sanctions regime itself. Regulators, and those compiling official lists, are seeking to make sanctions lists and descriptions more comprehensive and detailed, and this may require the involvement of the corporate legal team to interpret and apply the ordinance. "Companies need to have a means of escalating the issue to the appropriate level, where there is a lack of clarity about what the sanction intended," says Geddes. Getting the internal and external lawyers and technical experts involved will allow a bank's staff to determine whether a transaction is a sanctions violation or merits further investigation.

The risk of finding a false positive is greatest during the process of screening names of counterparties against blacklists of designated individuals or companies. Systems often provide erroneous matches where names can be spelt in various ways, especially when they are translated from a language with a different alphabet and there may be no correct or accepted way of transliterating sounds.

A financial institution that finds itself as the mediator between two parties to a trade needs to extract as much information as possible from them. Geddes explains: "The financial institution has limited scope to get behind the parties. They rely on the information made available to them. In a trade finance transaction, they have the details of their own customer, the details of the beneficiary at the other end of the transaction, and they have the shipping letters of credit and bills of lading. They use techniques such as electronic scanning of documents to extract the relevant information. That would be factored into the screening to see if any of the information they've gathered is included in any of the sanctions ordinances."

The capture of appropriate data is critical to a company's sanctions regime, according to Hodges. "Systems are only as good as the data you capture. This is where companies are not up to speed with where they need to be – making sure they are capturing the data and checking against the lists continually. That is often compounded by the disparate systems that companies have when they are not integrated as they cannot be checking effectively. There may be a number of accounting and financing systems within the business that are not completely integrated. You may enter an entity into one system, but all the data may not be transferred to another system. You have to be doing effective due diligence to capture data safely."

Checks on blacklists and other databases every five minutes will ensure a payment to a non-designated party is stopped as soon as the party is designated a sanctioned individual – or at least flagged for a human reviewer to decide whether to permit the payment.

The dangers of decentralisation

Financial institutions lending to or borrowing from third parties for their own books need to scrutinise the movement of all funds to ensure they are not violating sanctions rules. The task is complicated where an organisation has many areas doing similar activities, but using different sanctions-monitoring software. This is a particular risk if the firm has grown by mergers and restructurings. Organisations in a state of transition are vulnerable, says Hodges: "Systems need time to adapt to internal change. If one arm of the business is not alert to the activity of another part, the entire organism risks being compromised."

Having a decentralised structure built up by acquisition resulted in BNP Paribas falling foul of the authorities on an earlier occasion. In this case, its commodities-financing business in Geneva was trading with Iran and Sudan – two countries on the sanctions list. London-based Toby Duthie, a founding partner of Forensic Risk Alliance, says: "They ran a separate software-monitoring system, so even if they had put a block on 90% of BNP's business entities, that block still wasn't carried through into the Geneva trade financing."

Duthie notes the bank had already been subject to scrutiny for sanctions violations for its role in the United Nations' oil-for-food programme in 2004. "The bank had managed all the money on behalf of the UN and the government of Iraq. It was surprising BNP Paribas didn't enhance the compliance of the commodities unit." According to Duthie, the bank was overwhelmed by the scale of the data, and the number of databases requiring control and monitoring. A decade after this first breach, BNP Paribas continues to struggle with sanctions policy.

Trading with offshore and opaque firms increases the logistical challenge of monitoring sanctions obligations. Companies are required to apply diligence principles when seeking to identify the ultimate beneficial owners of counterparties.

"Once you have captured the relevant data, it needs to be shared across your operations, rather than keeping it in a silo," says Hodges. But she warns sanctions compliance may be complicated by legal constraints on sharing data held in one jurisdiction across borders with other parts of the business. "The information that companies gather should be shared across companies and groups, so their systems are populated with the most relevant data to ensure they protect themselves from such exposure."

Companies involved in armament and munitions have longer experience of applying sanctions than those in the financial sector, given the sensitivity of their product. "There may be an arms embargo, but when you get into the specific details, so you can identify what arms are sanctioned, the phrases and terms can become highly complex," Duthie points out. "If someone tries to import or export arms, you are identifying the details within the documentation. These lists are long. What is not at issue is the seriousness with which companies apply the sanctions regime. Breaches pose a risk to national security, and the consequences to the firm and its directors are likely to be dire."

Close collaboration between security services and defence companies will ensure the whereabouts and destination of sensitive products is monitored, and that they do not fall into unsanctioned hands.
