The U.S. Department of the Treasury’s Office of Foreign Assets Control Issues Finding of Violation to MidFirst Bank
The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) today announced the issuance of a Finding of Violation to MidFirst Bank, a financial institution headquartered in Oklahoma City, Oklahoma, for violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations. The violations related to MidFirst’s maintaining accounts for and processing of 34 payments on behalf of two individuals added to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) for 14 days post-designation. The violations stemmed from MidFirst’s misunderstanding of the frequency of its vendor’s screening of new names added to the SDN List against its existing customer base.
From the Enforcement Information:
OFAC determined that the appropriate administrative action in this matter was an FOV in lieu of a civil monetary penalty. This FOV reaffirms that financial institutions should take a risk-based approach to sanctions compliance, including when implementing sanctions screening tools, and demonstrates the importance of ensuring the scope and capabilities of outsourced sanctions compliance services are consistent with the financial institution’s assessment of its exposure to sanctions risks.
On September 21, 2020, at 12:36 p.m. EDT, OFAC designated and added two individuals to the SDN List (“the blocked persons”) pursuant to the WMDPSR. On the same day, between 2:00 p.m. EDT and 5:48 p.m. EDT, MidFirst processed five transactions totaling $604,000 on behalf of accounts held by the blocked persons. Two of those transactions, totaling $400,000, were internal book transfers between one of the blocked person’s accounts at MidFirst. Between September 22, 2020 and October 5, 2020, MidFirst processed 29 additional transactions totaling $9,879.02 on behalf of the blocked persons. Ninety-eight percent of the value of the post-designation transactions occurred within six hours of designation.
MidFirst reported to OFAC that its sanctions screening vendor notified MidFirst that the blocked persons had been added to the SDN list on October 5, 2020, 14 days after their addition. MidFirst then promptly blocked accounts belonging to the blocked persons.
The agreement between MidFirst and its vendor provided for periodic screening of MidFirst’s customers against the SDN List. Although the vendor conducted daily screenings of new customers and of existing customers with certain account changes (e.g., changes to a customer’s name or address), the vendor only screened MidFirst’s entire existing customer base once a month. MidFirst misunderstood the scope of the contract with its vendor, mistakenly believing that the daily screenings would screen its entire customer base against additions and changes to the SDN List.
As a result, depending on the timing of additions to the SDN List in relation to the monthly screening, MidFirst could be unaware for up to 30 days that it was maintaining an account for a blocked person. In this case, the customers matching two of the September 21, 2020 designations were not discovered until the vendor generated its monthly report on October 5, 2020.
Although MidFirst maintained its own process to screen existing customers, this process also screened on a monthly basis only. The first such monthly screening following the subject designations was conducted on October 5, 2021, the same day the vendor flagged the matches for MidFirst.
As a result of the foregoing, MidFirst’s maintaining of accounts for and processing 34 transactions on behalf of the blocked persons was in violation of § 544.201 of the WMDPSR.
Note: Just wow – for all but the smallest firms, once a month just doesn’t cut it for customer screening. And certainly not for a bank… best practice is to screen new and updated accounts against all sanctions lists daily (if not sooner – see next paragraph), and all accounts against all changes to sanctions lists daily. If you do that on a daily basis, you also spread out your workload by having fewer records to screen, fewer to screen against, and therefore, fewer to review.
However, the real issue is that there was no transaction screening in place. Honestly, you can get away with a monthly customer scrub if you are checking transactions. Maybe MidFirst was doing that, but not checking book transfers? Even so… money transferred with a book transfer can then go elsewhere, like another book transfer to a “clean” account, followed by a funds transfer.
General Factors in this case
OFAC determined the following to be aggravating factors:
(1) MidFirst had reason to know that it maintained the accounts for the blocked persons, and that its vendor was re-screening MidFirst’s existing accounts against changes to the SDN List on a monthly basis only.
(2) By allowing the accounts to operate for two weeks post-designation, there was harm to the objectives of the sanctions program, and potential for significant harm as it could have aided asset flight.
OFAC determined the following to be mitigating factors:
(1) The violations occurred within two weeks of the designations, and the overwhelming majority (98 percent) of the value associated with the violations relates to transactions that took place within hours of designation.
(2) The sanctions harm was substantially less than the face amount of the violations as two of the largest transactions were internal book transfers between a blocked person’s accounts at MidFirst.
(3) After discovering the violations, the vendor began re-screening existing accounts more frequently, and MidFirst implemented a manual process to be notified “of all OFAC list updates” and to manually rescreen the customer base whenever there are updates to the SDN List.
(4) MidFirst cooperated with OFAC.
(5) MidFirst has not received a Penalty Notice or FOV from OFAC in the five years preceding the first violation noted herein.
And the lesson to take away…
As explained in OFAC’s A Framework for OFAC Compliance Commitments, financial institutions should take a risk-based approach when developing their sanctions compliance program, including with respect to screening accounts and transactions for potential violations of OFAC regulations. There is no “one-size-fits all” approach to sanctions screening. Different financial institutions may have different risk tolerances and divergent approaches to sanctions compliance based on an institution’s unique risk profile. Accordingly, the frequency with which financial institutions screen and review existing customers and accounts should be based on the financial institution’s assessment of its unique sanctions risk. Consistent with that risk-based approach to sanctions compliance, this FOV demonstrates that understanding the scope and capabilities of outsourced sanctions compliance services is critical to ensuring that those services are aligned with the financial institution’s expectations for managing its self-assessed sanctions risk.