InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN Advisory Addresses Risks Presented By Citizenship-by-Investment Program
On May 20, FinCEN issued Advisory FIN-2014-A004, warning financial institutions about the risk of illicit financial activity conducted by individuals with passports from St. Kitts and Nevis (SKN), which allows individuals to obtain passports through a citizenship-through-investment program. The program offers citizenship to any non-citizen who either invests in designated real estate with a value of at least $400,000, or contributes $250,000 to the SKN Sugar Industry Diversification Foundation. FinCEN believes that illicit actors are using the program to obtain SKN citizenship in order to mask their identity and geographic background for the purpose of evading U.S. or international sanctions or engaging in other financial crime. FinCEN advises financial institutions to conduct risk-based customer due diligence to mitigate the risk that a customer is disguising his or her identity for such an illicit purchase. FinCEN further reminds institutions of SAR filing obligations related to known or suspected illegal activity and potential OFAC obligations.
Insurance Company Resolves Apparent Cuba Sanctions Violations
On May 8, OFAC released enforcement information regarding “apparent violations” of the Cuban Assets Control Regulations by Canadian subsidiaries of a U.S. insurance company. The U.S. company self-reported 3,560 apparent violations that occurred between January 2006, and March 2009, and agreed to remit $279,038 to settle potential civil liability. OFAC stated that over a more than three-year period two Canadian subsidiaries issued or renewed property and casualty insurance policies that insured Cuban risks of a Canadian company, and that one of the subsidiaries maintained a D&O liability insurance policy that insured certain directors and officers of three Cuban joint venture partners of a Canadian corporation. Separately, another subsidiary sold, renewed, or maintained in force individual or annual multi-trip travel insurance policies in which the insured identified Cuba as the travel destination. The civil penalty reflects OFAC’s balancing of aggravating and mitigating factors, including the actual knowledge of the company and certain members of management of the violative conduct; and the company’s self-disclosure, cooperation, and advance remediation.
OFAC Publishes Initial Ukraine-Related Sanctions Regulations
On May 8, OFAC issued regulations to implement recent Executive Orders establishing sanctions against Russian individuals and entities related to the situation in Ukraine. The Ukraine-Related Sanctions Regulations, 31 C.F.R. Part 589, implement Executive Order 13660 of March 6, 2014, Executive Order 13661 of March 17, 2014, and Executive Order 13662 of March 20, 2014. Consistent with its prior practice, OFAC published the regulations in abbreviated form and plans to provide a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy.
OFAC Announces $6 Million Settlement To Resolve Alleged Cuba Sanctions Violations
On April 18, OFAC announced that a privately held travel services provider based in the Netherlands but majority-owned by U.S. persons agreed to pay nearly $6 million to resolve allegations that over a roughly six-year period the company’s business units mostly outside the U.S. provided services related to travel to or from Cuba, which assisted 44,430 persons. OFAC states that such business activities constitute alleged violations of the Cuban Assets Control Regulations. The company voluntarily self-disclosed the alleged violations to OFAC, the vast majority of which occurred prior to such disclosure. OFAC claims that the company (i) failed to exercise a minimal degree of caution or care regarding its obligations to comply with OFAC sanctions against Cuba by processing unauthorized travel related transactions for more than four years before recognizing that it was subject to U.S. jurisdiction; (ii) processed a high volume of transactions and assisted a large number of travelers, which caused significant harm to the objectives of the Cuban Assets Control Regulations; and (iii) failed to implement an adequate compliance program. OFAC’s Cuba Penalty Schedule sets a base penalty for the alleged violations at $11,093,500, which was reduced given that (i) the conduct at issue was the company’s “first violation”; (ii) the company provided substantial cooperation during OFAC’s investigation of the alleged violations, including by agreeing to toll the statute of limitations and by providing OFAC with detailed and well-organized documents and information; and (iii) the company already has taken significant remedial action in response to the alleged violations.
Obama Administration Sanctions Numerous Russian, Ukrainian Officials
This week, President Obama issued two new Executive Orders, one on March 17 and another on March 20, authorizing the Treasury Department to impose sanctions on (i) current and former Russian and Ukrainian officials; (ii) a Russian bank; (iii) any individual or entity that operates in the Russian arms industry; and (iv) any individual or entity determined to be owned or controlled by, to act on behalf of, or provide material or other support to, any senior Russian government official or blocked person. Concurrent with each executive order, OFAC added (on March 17 and March 20) numerous current and former Ukrainian and Russian officials to its list of Specially Designated Nationals and Blocked Persons. These latest actions expand on the President’s initial March 6 Executive Order authorizing sanctions in response to Russia’s recent actions related to Ukraine, which the Obama Administration has characterized as threatening Ukraine’s democratic processes and institutions, sovereignty, territorial integrity, and assets. Generally, the orders exclude the designated persons and entities from the U.S. financial system and block the designated persons’ and entities’ access to property and interests in property that are within the U.S. As a result, U.S. banking institutions are required to block the financial assets of the designated individuals and entities and report such blocked property to OFAC within 10 business days. The orders and sanctions are the beginning stages of a potential extended sanctions framework involving Russian officials and businesses.
OFAC Announces Sanctions Settlement With Securities Intermediary
On January 23, the Treasury Department’s OFAC announced that a Luxembourg bank agreed to pay $152 million to resolve potential civil claims that the bank concealed the interest of the Central Bank of Iran (CBI) in certain securities held in one of the Luxembourg bank’s custody accounts. OFAC claims that from December 2007 through June 2008, the bank held an account at a U.S. financial institution through which the CBI maintained a beneficial ownership in 26 securities valued at nearly $3 billion. After assuring OFAC of its intention to terminate all business with its Iranian clients, the bank allegedly transferred the securities to another European bank’s custody account at the Luxembourg bank. Though the transfer changed the record ownership of the securities, the custody account allowed CBI to retain beneficial ownership. OFAC alleged that in acting as the channel through which the CBI held interests in the securities, the Luxembourg bank exported custody and related securities services in violation of the Iranian Transactions and Sanctions Regulations. OFAC highlighted the bank’s “strong remedial response” after learning of the alleged lapse mitigated the penalty amount. Although OFAC did not identify the specific enhanced controls implemented by the bank, it encouraged other firms operating as securities intermediaries to implement certain specific measures: (i) make customers aware of the firm’s U.S. sanctions compliance obligations and have customers agree in writing not to use their account(s) with the firm in a manner that could cause a violation of OFAC sanctions; (ii) conduct due diligence, including through the use of questionnaires and certifications, to identify customers who do business in or with countries or persons subject to U.S. sanctions; (iii) impose restrictions and heightened due diligence requirements on the use of certain products or services by customers who are judged to present a higher risk; (iv) attempt to understand the nature and purpose of non-proprietary accounts, including requiring information regarding third parties whose assets may be held in the accounts; and (v) monitor accounts to detect unusual or suspicious activity.
Federal, State Authorities Announce Coordinated Economic Sanctions Enforcement Actions Against Foreign Bank
On December 11, the Federal Reserve Board, the Treasury Department’s Office of Foreign Assets and Controls (OFAC), and the New York Department of Financial Services (DFS) announced that a foreign bank agreed to pay $100 million to resolve federal and state investigations into the bank’s practices concerning the transmission of funds to and from the U.S. through unaffiliated U.S. financial institutions, including by and through entities and individuals subject to the OFAC Regulations. The investigations followed a voluntary review by the bank of its U.S. dollar transactions, the results of which it submitted to federal, state, and foreign authorities. The federal and state authorities alleged that the bank engaged in payment practices that interfered with the implementation of U.S. economic sanctions, including by removing material references to U.S.-sanctioned locations or persons from payment messages sent to U.S. financial institutions. They assert the alleged failures resulted from inadequate risk management and legal review policies and procedures to ensure that activities conducted at offices outside the U.S. comply with applicable OFAC Regulations. As part of the resolution, the bank consented to a Federal Reserve cease and desist order and civil money penalty order, pursuant to which the bank must pay $50 million, continue to enhance its compliance controls, and retain an independent consultant to conduct an OFAC compliance review. A separate settlement with OFAC requires the bank to pay $33 million, which will be satisfied as part of the payment to the Federal Reserve. The DFS order assesses an additional $50 million penalty. The DFS highlighted that, as part of its cooperation with authorities, the bank took disciplinary action against individual wrongdoers, including through dismissals.
Multinational Oil Services Company Resolves FCPA, Sanctions, And Export Control Matter
On November 26, the DOJ announced that Weatherford International—a multinational oil services company—and certain of its subsidiaries agreed to pay approximately $250 million in fines and penalties to resolve FCPA, sanctions, and export control violations. The DOJ alleged in a criminal information that the company knowingly failed to establish an effective system of internal accounting controls designed to detect and prevent corruption, including FCPA violations. The alleged compliance failures allowed employees of certain of the company’s subsidiaries in Africa and the Middle East to engage in prohibited conduct over the course of many years, including both bribery of foreign officials and fraudulent misuse of the United Nations’ Oil for Food Program. The company entered into a deferred prosecution agreement, pursuant to which it must pay an approximately $87 million penalty, retain an independent corporate compliance monitor for at least 18 months, and continue to implement an enhanced FCPA compliance program and internal controls. The subsidiaries pleaded guilty to related specific acts of corruption, including those alleged in a separate criminal information. The DOJ alleged, among other things, that employees of certain subsidiaries engaged in at least three schemes to pay bribes to foreign officials in exchange for government contracts. In addition the parent company agreed to pay over $65 million and submit to compliance and monitoring requirements to resolve parallel SEC civil allegations that the company violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA.
Separately, the parent company entered into an agreement with the Treasury Department’s Office of Foreign Assets Control (OFAC) and a deferred prosecution agreement with the DOJ, as well as an agreement with the Department of Commerce, to resolve alleged sanctions and export controls violations. Collectively, those agreements require the company to, among other things, pay $100 million in penalties and fines—inclusive of a $91 million settlement with OFAC—and undergo external audits of its efforts to comply with the relevant U.S. sanctions law for calendar years 2012, 2013, and 2014. Those payments resolve allegations, described in part in another DOJ criminal information, that the company and certain subsidiaries exported or re-exported oil and gas drilling equipment to, and conducted business operations in, sanctioned countries—including Cuba, Iran, Sudan, and Syria—without the required U.S. Government authorization.
Special Alert: OCC Updates Third-Party Risk Management Guidance
On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.
The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:
Planning: A third party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.
Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:
- Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”
- Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;
- Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;
- Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and
- Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.
Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:
- Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;
- Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;
- Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;
- Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and
- Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.
Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:
- Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;
- Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;
- Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and
- Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.
Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.
The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.
These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.
Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
- Christopher M. Witeck, (202) 349-8051
- Jon David Langlois, (202) 349-8045
Treasury Fines Foreign Investment Firm Over Iran Sanctions Violations
On October 21, the Treasury Department’s Office of Foreign Assets Control (OFAC) imposed a $1.5 million civil penalty in an enforcement action against a UAE-based investment and advising company for violating the Iranian Transactions and Sanctions Regulations. OFAC determined that the firm recklessly or willfully concealed or omitted information pertaining to $103,283 in funds transfers processed through U.S.-based financial institutions for the benefit of persons in Iran. OFAC determined that the firm’s actions were egregious because (i) it did not voluntarily self-disclose the violations to OFAC, has no OFAC compliance program, and did not cooperate in the investigation, (ii) the firm’s management had actual knowledge or reason to know of the conduct, and (iii) the conduct resulted in potentially significant harm to the U.S. sanctions program against Iran.