So, simply put, one of American Express’ home-grown applications had a bug in it (BTW, not in the actual matching software):
On January 12, 2009, OFAC added Wisser to the List of Specially Designated Nationals and Blocked Persons (“SDN List”). On March 26, 2015, Wisser applied for an American Express GlobalTravel Card at a non-U.S. bank, which at the time was an authorized GlobalTravel Card issuer. When the non-U.S. bank entered Wisser’s information into the screening system, the Amex system utilized for OFAC compliance purposes, which uses a “risk engine” designed by Acertify Inc., a wholly-owned subsidiary of Amex, identified Wisser as a potential SDN match and automatically generated multiple “declined” messages to the non-U.S. bank indicating that the application could not be processed. The non-U.S. bank, however, made several additional approval attempts which eventually led the risk engine to time out. The timing out of the risk engine then triggered the application to be automatically approved.
and a mistake by one of the staff:
After generating an approval message following a system time-out, the risk engine separately routed the application into a manual review queue for investigation of potential sanctions-related issues. The Amex compliance analyst incorrectly determined that the individual applying for the GlobalTravel Card was not the SDN. On March 26, 2015, after clearing Wisser as a potential match to the SDN List, the compliance analyst placed him on the company’s “Accept List.” In addition to making two initial deposit transactions or “card loads” totaling approximately $17,655.17 on March 26, 2015, Wisser was able to engage in approximately 39 withdrawal transactions totaling approximately $17,591.65 (nearly the entire balance on the card) between March 26, 2015, and May 19, 2015, by using his GlobalTravel Card at various ATMs in Germany and the United Arab Emirates. This activity was in violation of the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. Part 544 (WMDPSR).
Here are the aggravating factors:
(1) There was sanctions harm because Amex conferred economic benefit to an SDN, allowing 41 transactions totaling $35,246.82;
(2) Amex is a large, commercially sophisticated financial institution; and
(3) Amex’s automatic approval of applications in instances where the risk engine led to a system timeout was a critical shortcoming of its compliance program.
and the mitigating ones:
(1) There was no willful or reckless behavior;
(2) OFAC has no information to indicate that Amex knew it maintained a card for an SDN, or that its system could be overridden;
(3) Amex remediated, making it less likely similar violations will recur;
(4) Amex cooperated with OFAC’s investigation, including by voluntarily disclosing the violations to OFAC; and
(5) Amex has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the violations.
and the lesson learned?
This case highlights the importance of taking the steps necessary to ensure that automated sanctions compliance controls measures cannot be overridden without appropriate review.
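The timeout path quoted above, written out beside a fail-closed version, as an added example that is not Amex's code or anything from the OFAC document: the risk engine, its watchlist entry and the call budget that makes it time out are constructed stand-ins.

```python
from enum import Enum


class Decision(Enum):
    APPROVED = "approved"
    DECLINED = "declined"
    PENDING_REVIEW = "pending_review"  # held for a human, never auto-approved


class EngineTimeout(Exception):
    """The risk engine gave no answer inside its deadline."""


class RiskEngine:
    """Constructed stand-in for the screening engine: flags a constructed watchlist
    name, and times out once `budget` calls are used up, which is what the
    issuer's repeated resubmissions did to the real engine."""

    def __init__(self, budget, watchlist=("WISSER",)):
        self.budget, self.watchlist, self.calls = budget, set(watchlist), 0

    def score(self, name):
        self.calls += 1
        if self.calls > self.budget:
            raise EngineTimeout
        return name.upper() in self.watchlist


class Screener:
    def __init__(self, engine, fail_open):
        self.engine, self.fail_open = engine, fail_open
        self.prior_hits = set()  # names the engine has already flagged

    def screen(self, name):
        try:
            hit = self.engine.score(name)
        except EngineTimeout:
            if self.fail_open:            # the defect in the enforcement action:
                return Decision.APPROVED  # engine silence becomes an approval
            # fail closed: an earlier hit stands, anything else waits for review
            return Decision.DECLINED if name in self.prior_hits else Decision.PENDING_REVIEW
        if hit:
            self.prior_hits.add(name)
            return Decision.DECLINED
        return Decision.APPROVED


def resubmit(screener, name, attempts):
    """Replay the issuer's repeated submissions, stopping at the first approval."""
    decisions = []
    for _ in range(attempts):
        decisions.append(screener.screen(name))
        if decisions[-1] is Decision.APPROVED:
            break
    return decisions
```

With a two-call budget, the fail-open screener declines twice and then approves on the timeout; the fail-closed one keeps declining because the earlier hit is remembered, and an unflagged applicant whose screening times out is held for review rather than approved.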
Now, my commentary. First, one nice thing they did in this enforcement information document was put in headings for each section (e.g. “General Factors Analysis”, “Compliance Considerations”). This clearly makes the documents easier to read and navigate.
However, this is a really ticky-tacky violation. The “lesson” is pretty weak and half of the issue was an employee error. The screening software itself properly flagged the SDN, after all. I have to wonder why this did not result in a Cautionary Letter. Two possibilities: the total amount of the violations made a Finding of Violation a better choice, and the fact that, despite the “nothing in the last 5 years” mitigating factor, this is not Amex’s first tangle with OFAC.