What Mashreqbank did
Mashreqbank psc is a commercial bank headquartered in the United Arab Emirates that maintains a branch in London. Between January 4, 2005 and February 6, 2009, Mashreqbank psc’s (“Mashreq” or “Mashreq Dubai”) London branch (“Mashreq London”) processed 1,760 outgoing payments through financial institutions in the United States in violation of the SSR, 31 C.F.R. Part 538.1 Specifically, Mashreq London processed payments through U.S. financial institutions that related to U.S. dollar (USD) transfers from accounts of Sudanese banks held outside the United States. Under then-applicable Society for Worldwide Interbank Financial Telecommunications (SWIFT) protocols, general banking practice, and its own standard procedures, Mashreq did not populate optional field 52 (originating institution) in the MT202 payment messages, such that the Sudanese institution that originated the offshore payment was not identified. Moreover, mandatory field 58 (beneficiary bank) in the MT202 payment message specified the non-Sudanese beneficiary bank in the transaction. Because the payment messages sent to the U.S. financial institutions did not include the originating Sudanese bank, Mashreq’s U.S. correspondents could not interdict the payments, and the payments were successfully processed through the U.S. financial system. Mashreq’s processing of these payments for or on behalf of Sudanese financial institutions constitutes a prohibited export of services from the United States to Sudan.
OFAC determined the following to be aggravating factors:
(1) Mashreq processed 1,760 transactions over several years in violation of the SSR. Consequently, Mashreq caused harm to the integrity of a U.S. sanctions program and its associated policy objectives by allowing parties in a sanctioned country to conduct business through the United States for many years.
(2) Despite its intentions to comply with U.S. sanctions requirements, Mashreq acted recklessly regarding its U.S. sanctions obligations when it employed payment practices that did not identify the involvement of U.S.-sanctioned parties in specific payments, a fact that would have allowed U.S. intermediary financial institutions involved in processing those payments to, at a minimum, interdict those payments.
(3) Some senior-level Mashreq branch employees had actual knowledge of the conduct giving rise to the violations.
(4) The bank’s internal controls did not ensure that the payments it processed on behalf of U.S.- sanctioned parties complied with applicable U.S. sanctions laws.
OFAC determined the following to be mitigating factors:
(1) Mashreq provided substantial cooperation throughout the course of OFAC’s investigation into the violations. Mashreq voluntarily entered into a retroactive statute of limitations waiver agreement knowing that none of the violations were within OFAC’s five-year statute of limitations, and without which OFAC would have been time-barred from charging any of the violations described herein. Mashreq also agreed to toll the statute of limitations and extend that agreement multiple times, and produced detailed and well-organized information and documentation.
(2) Mashreq has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the violations.
(3) Many years before the beginning of the investigation in 2015, Mashreq itself discontinued the activity that caused the violations and engaged in extensive remediation of its sanctions compliance program. Specifically, Mashreq represented that it:
• Increased its Compliance function staff by over 400% since 2007.
• Closed all USD accounts of Sudanese banks on January 15, 2009.
• Centralized the compliance function at the head office in Dubai to risk-rate customers and established the level of due diligence required for each customer relationship based on this risk rating beginning in 2008.
• Established a requirement organization-wide for originating bank and customer information to be included in payment messages starting in 2008.
• Transitioned from manual screening to automated screening of customer names, beneficial owners, and directors of entities beginning in 2011.
• Processed USD payments only through the United States beginning in September 2013.
• Retained a law firm to conduct an OFAC risk assessment and gap analysis to identify where internal controls are needed to address the sanctions risks in 2014.
• Installed an upgraded vendor sanctions screening software for Mashreq New York and Mashreq Dubai in 2016.
• In addition, Mashreq represented to OFAC that over the past four years it spent more than $122 million on compliance enhancements, including through the implementation on new systems, retention of consultants, and hiring of additional staff covering risk assessment, internal controls, independent reviews, and training. Additionally, Mashreq represented to OFAC that it plans to spend an additional $40 million on further compliance improvements and enhancements.
(4) The total harm caused to the SSR was less than the total value of the transactions because some of the transactions represented the same pool of funds moving through the U.S. financial system multiple times.
The Lesson to Learn
This enforcement action highlights the importance of financial institutions maintaining appropriate internal controls, policies, and procedures to ensure they process transactions in a transparent manner, including by disclosing to U.S. intermediary parties the involvement of underlying OFAC-sanctioned parties.