Hotelbeds USA, Inc. Settles Potential Civil Liability for Apparent Violations of the Cuban Assets Control Regulations, 31 C.F.R. part 515: Hotelbeds USA, Inc. (“Hotelbeds USA”), incorporated in Florida, is a U.S. subsidiary of Hotelbeds Group (“Hotelbeds”), headquartered in Mallorca, Spain.
Hotelbeds USA has agreed to pay $222,705 to settle potential civil liability for assisting 703 persons with Cuba-related travel services prior to agency notice in apparent violation of the Cuban Assets Control Regulations, 31 C.F.R. part 515 (CACR). Specifically, between on or about December 2011 and on or about June 2014, Hotelbeds USA provided unauthorized Cuba-related travel services to 703 non-U.S. persons to or through the United States in violation of § 515.201 of the CACR.
Hotelbeds USA knowingly sold hotel accommodations and gave its clients specific instructions to direct their payments for the Cuba-related transactions to an account in Spain, from which Hotelbeds USA was subsequently reimbursed.
Various Hotelbeds USA employees and supervisors appear to have had actual knowledge of, and participated in, the conduct that led to the apparent violations. The Cuba-related travel services occurred in part because of a reported misunderstanding and misinterpretation of the CACR that developed throughout Hotelbeds USA in which its personnel believed Hotelbeds USA could engage in Cuba-related transactions if the bookings involved only non-U.S. clients and payments were made to non-U.S. bank accounts. These same personnel were responsible for issuing invoices or sending emails that included disclaimers that payments for any Cuba-related services should not be sent to Hotelbeds USA or the United States. These personnel were also responsible for the process in which customers sent Cuba-related payments to Spain, and subsequently had revenues from such payments credited to Hotelbeds USA.
During the time the apparent violations were occurring, Hotelbeds USA personnel, including a senior manager, were aware that a U.S. financial institution had blocked a payment related to a Cuba-travel transaction and that OFAC had denied a specific license application filed by Hotelbeds USA seeking the unblocking of funds related to an unauthorized Cuba-travel transaction. The specific license denial generally outlined the CACR prohibitions and specifically articulated the CACR prohibitions regarding Hotelbeds USA’s specific license request.
Hotelbeds did not voluntarily self-disclose the violations, which occurred prior to agency notice. The base penalty is $353,500.
Here is how OFAC arrived at the final settlement amount:
OFAC considered the following to be aggravating factors:
1. Various Hotelbeds USA employees, including supervisory or managerial staff, were aware or had reason to know of, or participated in, the conduct that led to the apparent violations;
2. By processing the transactions constituting the apparent violations, Hotelbeds USA caused harm to the sanctions program objectives of the CACR;
3. Hotelbeds USA is a large and commercially sophisticated company; and
4. Despite being a large international travel service provider, Hotelbeds USA only had an informal compliance program that does not appear to have been commensurate with the risks associated with providing international travel services.
OFAC considered the following to be mitigating factors:
1. The Cuba-related transactions constituting the apparent violations appear to represent less than one percent of Hotelbeds USA’s overall business over the same period of time;
2. Hotelbeds USA has not been the subject of an OFAC penalty notice or finding of violation in the five years preceding the earliest date of the transactions giving rise to the apparent violations;
3. Hotelbeds USA took significant remedial action in response to the apparent violations, including by:
a. implementing an enhanced third-party IT solution with a sanctions screening tool;
b. dedicating additional resources to better ensure compliance with applicable sanctions laws; and
c. hiring and training additional compliance personnel; and
4. Hotelbeds USA provided substantial cooperation to OFAC by conducting an extensive internal investigation to determine the extent of the apparent violations at issue, producing records and information to OFAC in a clear and organized fashion, responding in a timely and efficient manner to all follow-up requests for information, and tolling the statute of limitations for 1,043 days.
And the lesson to be learned:
This enforcement action highlights the importance for both U.S. companies and foreign parents of U.S. subsidiaries to evaluate, verify, and audit existing compliance measures. U.S. companies and foreign parents of U.S. subsidiaries are encouraged to implement evolving and dynamic sanctions compliance programs that are commensurate with their sanctions risk, particularly those operating in the Cuba travel industry. U.S. companies and foreign parents of U.S. subsidiaries engaging in Cuba travel-related transactions should take note of and respond accordingly to sanctions-related warning signs, such as payments that are blocked or rejected by financial institutions for compliance or economic and trade sanctions purposes.
Expedia Group, Inc. (“Expedia”) Settles Potential Civil Liability for Apparent Violations of the Cuban Assets Control Regulations: Expedia Group Inc., headquartered in Bellevue, Washington, on behalf of itself and its subsidiaries worldwide, has agreed to pay $325,406 to settle potential civil liability for assisting 2,221 persons with Cuba-related travel services prior to agency notice in apparent violation of the Cuban Assets Control Regulations, 31 C.F.R. part 515 (CACR). Specifically, between on or about April 22, 2011 and on or about October 16, 2014, Expedia dealt in property or interests in property of Cuba or Cuban nationals by assisting 2,221 persons — some of whom were Cuban nationals — with travel or travel-related services for travel within Cuba or between Cuba and locations outside the United States.
The apparent violations occurred because certain Expedia foreign subsidiaries lacked an understanding of and familiarity with U.S. economic sanctions laws and Expedia employees overlooked particular aspects of Expedia’s business that presented risks of noncompliance with sanctions. Specifically, electronically booked travel resulted from failures or gaps in Expedia’s technical implementations and other measures to avoid such apparent violations. With respect to at least one foreign subsidiary, Expedia failed to inform the subsidiary until approximately 15 months after Expedia acquired the subsidiary that it was subject to U.S. jurisdiction and law. Expedia was slow to integrate the subsidiary into the Expedia corporate family, including with respect to compliance with U.S. sanctions, and the subsidiary continued operating independently during the integration period.
The base penalty for the self-disclosed violations was $556,250. The Enforcement Information does not say if the violations were egregious, but notes that they occurred prior to agency notice. As explained in Monday’s post, the rules for Cuba-related penalties are different.
The aggravating factors playing into the final penalty:
1. Expedia failed to exercise a minimal degree of caution or care in avoiding the conduct that led to the apparent violations. Moreover, based on the number of apparent violations, the length of time over which the apparent violations occurred, and the number of Expedia entities involved in the apparent violations, the apparent violations appear to have resulted from a pattern or practice of conduct.
2. The apparent violations harmed the sanctions program objectives of the CACR, based on the number of apparent violations and the length of time over which the apparent violations occurred.
3. Expedia is a sophisticated international travel service provider, providing global travel services to customers located worldwide.
And the mitigating factors:
1. Expedia has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest transaction giving rise to the apparent violations.
2. After discovering the apparent violations, Expedia implemented significant remedial measures to strengthen its U.S. economic sanctions compliance program throughout the Expedia corporate family, including domestic and foreign direct and indirect subsidiaries.
3. Expedia cooperated with OFAC’s investigation by submitting data analytics associated with the apparent violations, responding to OFAC’s requests for additional information, and entering into multiple tolling agreements.
And these were Expedia’s remediation steps:
Consistent with the settlement agreement with OFAC, Expedia has committed to enhancing its compliance procedures by ensuring that Expedia: (1) has a management team in place that is committed to compliance; (2) conducts regular risk assessments to ensure that Expedia’s internal controls appropriately mitigate its sanctions-related risks; (3) conducts regular testing and audits; and (4) provides ongoing sanctions compliance training throughout the Expedia corporate family. Additionally, Expedia has steadily increased its resources dedicated to compliance with U.S. sanctions, resulting in substantially more robust staffing and resources corporate-wide, and taken measures to increase compliance with U.S. sanctions, including enhanced screening methods and implementation of automated software restrictions.
And the lesson to be learned:
This case illustrates the benefits persons subject to the jurisdiction of the United States – including, with respect to OFAC’s Cuba sanctions, entities owned or controlled by U.S. persons – can realize by implementing corporate-wide compliance measures commensurate with their sanctions risks. U.S. companies can mitigate risk by conducting sanctions-related due diligence both prior and subsequent to mergers and acquisitions, and taking appropriate steps to audit, monitor, train, and verify newly acquired subsidiaries for OFAC compliance. U.S. foreign subsidiaries are subject to the CACR, and U.S. person parent companies may face potential exposure to civil monetary penalties vis-à-vis the actions of their foreign subsidiaries. Foreign acquisitions can pose unique sanctions risks, to which a U.S. person parent company should be alert at all stages of its relationship with the subsidiary.
From the Cubasphere settlement:
The Cuba Penalty Schedule, 68 Fed. Reg. 4429 (Jan. 29, 2003), sets a $2,000 penalty for the provision of travel services occurring “prior to agency notice,” plus $500 per person assisted, and a $15,000 penalty for the provision of travel services occurring “subsequent to agency notice,” plus $500 per person assisted.
Maldives: Council revokes sanctions framework
Today, the Council decided to revoke the framework for restrictive measures against the Maldives that it adopted on 16 July 2018.
This framework provided for the possibility of imposing a travel ban and an asset freeze on persons and entities responsible for undermining the rule of law or obstructing an inclusive political solution in the Maldives as well as persons and entities responsible for serious human rights violations. It was adopted following a deterioration of the political situation in the Maldives in the first half of 2018, particularly as institutions such as Parliament and the judiciary were being prevented from functioning properly. No persons or entities were listed under this sanctions regime.
Settlement Agreements between the U.S. Department of the Treasury’s Office of Foreign Assets Control and Expedia Group, Inc.; Hotelbeds USA, Inc.; and Cubasphere, Inc. and an Individual
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) today announced a $325,406 settlement with Expedia Group, Inc. (“Expedia”). Expedia, headquartered in Bellevue, Washington, on behalf of itself and its subsidiaries and affiliates worldwide, has agreed to pay $325,406 to settle its potential civil liability for providing Cuba-related travel services in apparent violation of the Cuban Assets Control Regulations, 31 C.F.R. part 515 (CACR). Specifically, between on or about April 22, 2011 and on or about October 16, 2014, Expedia dealt in property or interests in property of Cuba or Cuban nationals by assisting 2,221 persons — some of whom were Cuban nationals — with travel or travel-related services for travel within Cuba or between Cuba and locations outside the United States. These transactions appear to have violated § 515.201(b) of the CACR. OFAC determined that the apparent violations were voluntarily self-disclosed to OFAC and occurred prior to agency notice.
OFAC today separately announced a $222,705 settlement with Hotelbeds USA, Inc. (“Hotelbeds USA”). Hotelbeds USA, incorporated in Florida, is a U.S. subsidiary of Hotelbeds Group, headquartered in Mallorca, Spain. Hotelbeds USA has agreed to pay $222,705 to settle its potential civil liability for assisting persons with unauthorized Cuba-related travel services in apparent violation of the CACR. Specifically, between the approximate dates of December 2011 and June 2014, Hotelbeds USA provided Cuba-related travel services to 703 non-U.S. persons in apparent violation of § 515.201(b) of the CACR. OFAC determined that the apparent violations were not voluntarily self-disclosed to OFAC and occurred prior to agency notice.
OFAC today also separately announced a $40,320 settlement with an individual (the “Individual”) and Cubasphere, Inc. (“Cubasphere”). The Individual, as well as Cubasphere, on whose behalf the Individual also acted, have agreed to pay $40,320 to settle their potential civil liability for apparent violations of the CACR. Specifically, the Individual and Cubasphere dealt in property in which Cuba or Cuban nationals had an interest, in apparent violation of § 515.201(b) of the CACR, by engaging in unauthorized Cuba travel-related transactions by assisting 104 persons on four separate trips to and within Cuba, from on or about December 30, 2013 to on or about February 22, 2014. OFAC determined that the apparent violations were not voluntarily self-disclosed to OFAC and occurred subsequent to agency notice.
OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to review OFAC’s May 2, 2019 “A Framework for OFAC Compliance Commitments” for more information regarding best practices for developing, implementing, and updating risk-based sanctions compliance programs.
Each of these enforcement actions will be discussed in more detail in separate posts. But that last paragraph – despite the violations occurring years ago – tells the story, as you’ll be able to tie these cases to the 10 “root causes” of inadequate sanctions compliance in the last 4 pages of the Framework document.
Western Union Financial Services, Inc. Settles Potential Civil Liability for Apparent Violations of the Global Terrorism Sanctions Regulations. Western Union Financial Services, Inc. (“Western Union”), a money services business (MSB) headquartered in Denver, Colorado, has agreed to pay $401,697 to settle its potential civil liability for 4,977 apparent violations of the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594 (GTSR).
OFAC determined that Western Union voluntarily self-disclosed the apparent violations to OFAC, and the apparent violations constitute a non-egregious case. The statutory maximum civil monetary penalty amount for the apparent violations was $1,244,250,000, and the base civil monetary penalty amount for the apparent violations was $637,614.
The facts of the case:
Between December 9, 2010, and March 13, 2015, a bank (“the bank”) in The Gambia was one of Western Union’s principal Master Agents in The Gambia. In or around 2006, the bank established a Sub-Agent relationship with Kairaba Shopping Center (KSC), an entity that was subsequently designated by OFAC pursuant to the Global Terrorism Sanctions Regulations (GTSR) on December 9, 2010.
At the time the relationship with KSC was established, the bank provided Western Union with information relating to KSC. Western Union stored this information in its systems as an agent location of the bank, and not as a discrete legal entity acting as a sub-agent. During the entirety of the review period, in addition to its real-time transaction screening of remitters and beneficiaries, Western Union had a process to screen Master Agents and related sub-agents under the Master Agent structure. However, for the majority of the review period, Western Union did not screen location data for sanctions-related issues as part of its review process.
Western Union became aware that KSC was a potential sub-agent in early February 2015, but mistakenly believed at that time that KSC had operated from a single location, which was no longer active as of that date. On March 25, 2015, Western Union identified a second, active KSC location, and immediately suspended its relationship with KSC and deactivated its access to the Western Union network.
Between December 9, 2010, and March 13, 2015, Western Union processed 4,977 transactions totaling approximately $1.275 million, which were paid out to third-party, non-designated beneficiaries who chose to collect their remittances at KSC.
OFAC determined that Western Union processed transactions involving a Specially Designated National (SDN) for more than four years following the entity’s designation by OFAC, and that after Western Union discovered that this Sub-Agent was an SDN, failed to deactivate KSC’s access to the Western Union network immediately due to its mistaken belief that the Sub-Agent was already inactive. However, starting in 2013, two years prior to discovering the apparent violations, Western Union began a project to remediate the root cause of the apparent violations.
How we got the final settlement amount:
The settlement amount reflects OFAC’s consideration of the following facts and circumstances, pursuant to the General Factors under OFAC’s Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, app. A.
OFAC considered the following to be aggravating factors:
(1) Western Union acted with reckless disregard for U.S. sanctions requirements by failing to immediately identify both KSC locations in searches conducted after it discovered that this Sub-Agent was an SDN, which resulted in a failure to deactivate KSC’s access to the Western Union network immediately;
(2) Western Union engaged in a pattern of conduct that involved processing transactions involving an SDN for more than four years following the entity’s designation by OFAC;
(3) Based on a review of all readily available information and with the exercise of reasonable due diligence, Western Union had reason to know that its Sub-Agent, KSC, was on the SDN List;
(4) By processing these transactions and allowing KSC to continue operating as a Western Union Sub-Agent and provide remittance services to its customers through a U.S. MSB, Western Union caused substantial harm to the sanctions program objectives, including by conferring economic or other benefit to an SDN and undermining the policy objectives of the GTSR; and
(5) Western Union is a large and commercially sophisticated international financial institution.
OFAC found the following to be mitigating factors:
(1) Western Union has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the apparent violations;
(2) Western Union had a global sanctions policy in place at the time of the apparent violations that required its Master Agents to comply with the sanctions programs administered by OFAC and vet its Sub-Agents — a policy that seemed to be effective except in this instance;
(3) Prior to the apparent violations, Western Union had implemented a corrective action plan to close an identified gap in its internal controls related to sub-agent due diligence and screening;
(4) Following the discovery of the apparent violations, Western Union took additional remedial actions, including performing an immediate one-time screening of its Sub-Agent and location data, which did not identify any other Sub-Agents or locations that were on the SDN List; and
(5) Western Union cooperated with OFAC’s investigation by voluntarily self-disclosing the apparent violations and by executing and agreeing to extend multiple times a statute of limitations tolling agreement.
And the final paragraph dovetails nicely with the recently-published Framework document (convenient, no?):
In addition to the above, and as part of its settlement with OFAC, Western Union has agreed to sustain its commitment to implementing robust compliance procedures by ensuring that it continues to have a management team in place that: (1) is committed to a culture of compliance; (2) conducts regular risk assessments; (3) ensures that its internal controls appropriately mitigate its sanctions-related risks; (4) conducts regular audits; and (5) provides ongoing sanctions compliance training throughout the organization.
Mr. Watchlist wonders what the line is between “reckless” and either “careless” or “negligent”… because it seems that Western Union was, at worst, negligent or incompetent. And there’s a big gap between that and “reckless”… just saying.