Enforcement Actions

News Release 2019-138 | November 21, 2019

OCC Enforcement Actions and Terminations

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today released new enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with national banks and federal savings associations.

All Cease and Desist Orders, Civil Money Penalty Orders, and Removal/Prohibition Orders are issued with the consent of the parties, unless otherwise indicated as a Decision and Order issued by the Comptroller of the Currency.

Copies of the final actions are available for download by viewing the searchable database of all public enforcement actions taken since August 1989 at http://apps.occ.gov/EnforcementActions.

View the current actions by selecting the enforcement actions below. You may also submit a request electronically to obtain copies through the OCC’s online FOIA site, https://foia-pal.occ.gov or by writing to the Comptroller of the Currency, Communications Division, Suite 3E-218, Washington, DC 20219. When ordering, please specify the appropriate enforcement action number.

Bank Civil Money Penalty Orders

Formal Agreements

Removal/Prohibition Orders

Terminations of Existing Enforcement Actions

Media Contact

Public Affairs
(202) 649-6870


OCC Notice

The Department of State has concluded an administrative settlement with AeroVironment, Inc. (AV) of Simi Valley, California, to resolve alleged violations of the Arms Export Control Act (AECA), 22 U.S.C. § 2751 et seq., and the International Traffic in Arms Regulations (ITAR), 22 C.F.R. Parts 120-130. The Department of State and AV have reached this settlement following an extensive compliance review by the Office of Defense Trade Controls Compliance in the Department’s Bureau of Political-Military Affairs.

The Department of State and AV have reached an agreement pursuant to ITAR § 128.11 to address alleged unauthorized exports of defense articles, including technical data; the failure to properly maintain records involving ITAR-controlled transactions; and violations of the provisos, terms, and conditions of export authorizations. The settlement demonstrates the Department’s role in strengthening U.S. industry by protecting U.S.-origin defense articles, including technical data, from unauthorized exports. The settlement also highlights the importance of obtaining appropriate authorization from the Department for exporting controlled articles as well as maintaining proper records of such exports.

Under the terms of the twenty-four (24) month Consent Agreement, AV will pay a civil penalty of $1,000,000. The Department has agreed to suspend $500,000 of this amount on the condition that the funds have or will be used for Department-approved Consent Agreement remedial compliance measures. AV must also hire an outside Special Compliance Officer (SCO) for a term of one year and conduct an external audit to assess and improve its compliance program during the Consent Agreement term.

AV voluntarily disclosed to the Department the alleged AECA and ITAR violations, which are resolved under this settlement. AV also acknowledged the serious nature of the alleged violations, cooperated with the Department’s review, and instituted a number of compliance program improvements during the course of the Department’s review. For these reasons, the Department has determined that it is not appropriate to administratively debar AV at this time.

The Consent Agreement and related documents will be available for public inspection in the Public Reading Room of the Department of State and on the Penalties and Oversights Agreements section of the Directorate of Defense Trade Controls’ website.

For additional information, please contact the Bureau of Political-Military Affairs’ Office of Congressional and Public Affairs at pm-cpa@state.gov.


State Department Press Release

Apple paid $466,912 for non-egregious, self-reported violations of the Kingpin Act, as opposed to the base penalty amount of $576,434 and the maximum civil monetary penalty of $74,331,860. Turns out they had a developer company in the App Store who was an SDN, and whose account administrator was, too – and Apple’s screening software and procedures were found wanting:

On July 18, 2008, Apple entered into an app development agreement with SIS, a software company located at 19 Spruha, Trzin 1236, Slovenia. On February 24, 2015, OFAC designated SIS and Savo Stjepanovic (“Stjepanovic”), a director and majority owner of SIS, pursuant to the Foreign Narcotics Kingpin Designation Act, 21 U.S.C. §§ 1901-1908, and added them to the SDN List. OFAC’s public announcement of the designation included SIS’s address, registration number, and tax identification number, and further noted that SIS was linked to Stjepanovic. The SDN List provided the following identifying information for SIS:

SIS D.O.O., 19 Spruha, Trzin 1236, Slovenia; Registration ID 5919070 (Slovenia); Tax ID No. SI91729181 (Slovenia) [SDNTK].

OFAC also published a diagram titled “KARNER Steroid Trafficking Network,” which included a photograph of Stjepanovic, SIS, and a SIS logo.

On the same day that OFAC designated SIS and Stjepanovic, Apple, in accordance with its standard compliance procedures, screened the newly designated SDNTKs against its app developer account holder names using its sanctions screening tool. During this screening, Apple failed to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked. Apple later attributed this failure to its sanctions screening tool’s failure to match the upper case name “SIS DOO” in Apple’s system with the lower case name “SIS d.o.o.” as written on the SDN List. The term “d.o.o.” is a standard corporate suffix in Slovenia identifying a limited liability company. In addition, even though the address for SIS collected by Apple matched the address for SIS identified and published by OFAC, Apple failed to identify SIS as an SDNTK for over two years after the designation.

On the day of designation, Apple was in possession of Stjepanovic’s full name in its records since he was listed as an “account administrator” in its App Store developer account, though he was not listed as a “developer.” At the time, Apple’s compliance process screened individuals identified as “developers,” but did not screen all of the individual users identified in an App Store account against the SDN List. Apple therefore failed to identify Stjepanovic as an SDNTK.

On the day of designation, any property in which SIS or Stjepanovic had an interest became blocked, and any transactions or dealings in such property by Apple, a U.S. person, were prohibited. Nonetheless, Apple continued to host software applications and associated content (“apps”) owned by SIS on the App Store, allowed downloads and sales of the blocked SIS apps, received payments from App Store users downloading the blocked SIS apps, permitted SIS to transfer and sell its apps to two other developers, and remitted funds on a monthly basis to SIS for the sales of the blocked SIS apps.

On or about April 17, 2015 — approximately two months after the designations — Apple facilitated the transfer of a portion of SIS’s apps to a second software company (the “Second Company”). The Second Company was incorporated several days after OFAC’s designation of SIS. Separately, on or about September 14, 2015, SIS entered into an agreement with a third software company (the “Third Company”) and transferred the ownership of SIS’s remaining apps to the Third Company. The owner of the Third Company took over the administration of SIS’s App Store account and replaced SIS’s App Store banking information with his own banking information. These actions were all conducted without personnel oversight or additional screening by Apple.

After enhancing its sanctions screening tool and related processes, Apple identified SIS as a potential SDNTK in February 2017. Apple’s finance team immediately suspended further payments associated with the SIS account, which was being administered by the Third Company, and whose owner was receiving payments from Apple. However, Apple continued to make payments to the Second Company for the blocked SIS apps that had been transferred to the Second Company in April 2015, after OFAC’s designation of SIS as a SDNTK.

Apple made 47 payments associated with the blocked apps, including payments directly to SIS, during the period of time that SIS was listed on the SDN List. In total, over 54 months, Apple collected $1,152,868 from customers who downloaded SIS apps.

Here are the aggravating factors, according to OFAC:

(1) Based on the number of Apparent Violations, the length of time over which the Apparent Violations occurred, and the multiple points of failure within the company’s sanctions compliance program, policies, and procedures, the conduct demonstrated reckless disregard for U.S. sanctions requirements;

(2) Apple’s payments to SIS and for the blocked apps conferred significant economic benefit to SIS and its owner, as Apple’s App Store appears to have been the main business for SIS around the time it was designated; and

(3) Apple is a large and sophisticated organization operating globally with experience and expertise in international transactions.

OFAC found the following to be an aggravating factor with respect to three Apparent Violations that occurred after Apple identified SIS as an SDNTK in February 2017:

(4) Apple failed to take corrective actions in a timely manner after identifying SIS as an SDNTK, and continued to make payments for the download of blocked apps for multiple months.

And the mitigating factors:

(1) The volume and total amount of payments underlying the Apparent Violations was not significant compared to the total volume of transactions undertaken by Apple on an annual basis;

(2) Apple has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the transaction giving rise to the Apparent Violations; and

(3) Apple responded to numerous requests for information in a prompt manner.

And Apple’s remediation:

• Increased the role of the Global Export and Sanctions Compliance Senior Manager in the escalation and review process;

• Reconfigured the primary sanctions screening tool to fully capture spelling and capitalization variations and to account for country-specific business suffixes, and implemented an annual review of the tool’s logic and configuration;

• Expanded sanctions screening to include not only app developers, but also their designated payment beneficiaries and associated banks;

• Updated the instructions for employees to review potential SDN List matches flagged by the primary sanctions screening tool; and

• Implemented mandatory training for all employees on export and sanctions regulations.

And the lesson to be learned:

This enforcement action highlights the benefit of comprehensive SDN List screening that utilizes all of the information on the SDN List. Companies should consider OFAC screening and compliance measures that exploit names, addresses, and other identifying information on the SDN List. Compliance measures should also anticipate potential vulnerabilities in a company’s compliance program that could allow sanctions evasion and circumvention, and should include preventative measures that alert and react to sanctions evasion warning signs, such as business and employment connections between individuals and entities.


OFAC Enforcement Information
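The two screening gaps described above (the "SIS DOO" / "SIS d.o.o." mismatch and the unscreened account administrator) can be shown in a few lines. This is an added example, not OFAC's or Apple's code and not part of the original post; the record layout, role names, suffix list, the surname-first rendering of the individual's name and the re-ordered account address are constructed assumptions.

```python
import re
import unicodedata

# Constructed, non-exhaustive list of corporate suffixes ignored when matching.
SUFFIXES = {"doo", "dd", "llc", "ltd", "inc", "gmbh", "sa"}

def tokens(text):
    """Casefold, strip accents, collapse dotted abbreviations, split on punctuation."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = re.sub(r"\b(?:[a-z]\.){2,}", lambda m: m.group().replace(".", ""), text)
    return re.findall(r"[a-z0-9]+", text)

def name_key(name):
    """Order-insensitive name key with corporate suffixes removed."""
    return frozenset(t for t in tokens(name) if t not in SUFFIXES)

def naive_screen(account, sdn_list):
    """Weak form from the post: exact string compare, account holder and developers only."""
    names = {e["name"] for e in sdn_list}
    return [p["name"] for p in account["parties"]
            if p["role"] in ("company", "developer") and p["name"] in names]

def screen(account, sdn_list):
    """Check every party on the account by name, address and ID; return hits for review."""
    hits = []
    for party in account["parties"]:  # all roles, not only "developer"
        for entry in sdn_list:
            reasons = []
            key = name_key(party["name"])
            if key and key == name_key(entry["name"]):  # empty keys never match
                reasons.append("name")
            addr, sdn_addr = party.get("address"), entry.get("address")
            if addr and sdn_addr and set(tokens(addr)) == set(tokens(sdn_addr)):
                reasons.append("address")
            if set(party.get("ids", [])) & set(entry.get("ids", [])):
                reasons.append("id")
            if reasons:
                hits.append((party["name"], party["role"], entry["name"], reasons))
    return hits

# SDN identifiers as quoted in the post; the individual's name order is constructed.
SDN = [
    {"name": "SIS d.o.o.", "address": "19 Spruha, Trzin 1236, Slovenia",
     "ids": ["5919070", "SI91729181"]},
    {"name": "STJEPANOVIC, Savo"},
]
# Constructed developer account record.
ACCOUNT = {"parties": [
    {"name": "SIS DOO", "role": "company", "address": "19 Spruha, 1236 Trzin, Slovenia"},
    {"name": "Savo Stjepanovic", "role": "account_administrator"},
    {"name": "Example Developer", "role": "developer"},
]}

if __name__ == "__main__":
    print("naive:", naive_screen(ACCOUNT, SDN))
    for hit in screen(ACCOUNT, SDN):
        print("hit:", hit)
```

Hits are candidates for human review, not determinations; a single-token key such as "sis" will also match unrelated entities, which is why the address and ID reasons are reported alongside the name.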


Notice to exporters 2019/15: UK exporters fined for unlicensed exports

Published 12 November 2019


Notice to exporters 2019/15

So, Apollo (now called Carlyle Aviation Partners Ltd) had 12 apparent violations of the Sudanese Sanctions Regulations for leasing aircraft engines to a company, which subleased them to another, which installed them on aircraft belonging to the SDN Sudan Airways. The lease agreements contained provisions prohibiting the lessee from transferring the engines to any country subject to US or UN sanctions.

According to OFAC, this is the problem:

Notwithstanding the inclusion of this clause, Apollo did not ensure the aircraft engines were utilized in a manner that complied with OFAC’s regulations. For example, at the time, Apollo did not obtain U.S. law export compliance certificates from lessees and sublessees. Additionally, Apollo did not periodically monitor or otherwise verify its lessee’s and sublessee’s adherence to the lease provision requiring compliance with U.S. sanctions laws during the life of the lease. As a result, Apollo learned where its engines had actually flown only after the engines were returned to Apollo at the end of the lease.

Because Apollo was considered a large sophisticated firm:

During the time in which the apparent violations occurred, Apollo was a multi-strategy aviation investment manager with extensive technical knowledge, in-depth industry expertise, and long-standing presence in the mid-life commercial aviation sector. Apollo’s aircraft investing included acquiring, refurbishing, marketing, and leasing commercial jet aircraft, engines and related assets, and disassembly and resale of aircraft and components. By the end of 2015, Apollo reported to have nearly $2.5 billion of aviation assets under management. At that time, Apollo had offices in the United States, Ireland, and Singapore.

The maximum penalty was $3,000,000, but these were considered non-egregious and had been voluntarily self-disclosed. Therefore, the base penalty was $360,000.

OFAC arrived at the final amount based on the following aggravating factors:

1. The unauthorized use of Apollo’s aircraft engines in Sudan by an entity on the SDN List resulted in harm to U.S. sanctions program objectives;

2. Apollo is a large and sophisticated entity; and

3. Although Company 1 appears to have violated the terms of its engine lease prohibiting any use in sanctioned countries, Apollo failed to monitor or otherwise verify the actual whereabouts of these aircraft engines during the life of its leases.

and mitigating factors:

1. No Apollo personnel had actual knowledge of the conduct leading to the apparent violations;

2. Apollo has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the apparent violations;

3. Apollo implemented a number of remedial measures in response to the apparent violations, including investment in additional compliance personnel and systems; and

4. Apollo provided information to OFAC in a clear, concise, and well-organized manner.

And the company fixed up its compliance program:

• Apollo improved its Know-Your-Customer screening procedures in keeping with global best practices;

• Apollo enhanced employee training on U.S. export law, including by making employees aware of the screening process used by the company; and

• Apollo began obtaining U.S. law export compliance certificates from lessees and sublessees.

And here is the lesson to be learned:

This enforcement action highlights the importance of companies operating in high-risk industries to implement effective, thorough and on-going, risk-based compliance measures, especially when engaging in transactions concerning the aviation industry. For example, on July 23, 2019, OFAC issued an advisory to the civil aviation industry to warn of deceptive practices employed by Iran with respect to aviation matters. While that advisory is focused on Iran, participants in the civil aviation industry should be aware that other jurisdictions subject to OFAC sanctions may engage in similar deceptive practices. This action also highlights the importance of companies operating internationally to implement Know Your Customer screening procedures and implement compliance measures that extend beyond the point-of-sale and function throughout the entire business or lease period.

And there’s even a paragraph pointing folks to the OFAC Framework document (the title they quote for their own document is wrong).

But, still, the level of oversight OFAC seems to expect here seems to be overkill – especially since the sublessee installed the engines, not Apollo’s customer. Yes, it’s similar to the bar being set in the PACCAR and e.l.f. cases, but does seem a step further than either of those cases.


OFAC Enforcement Information

On 8 May 2019, the Central Bank of Ireland (the “Central Bank”) reprimanded and imposed a fine of €280,000 on Campbell O’Connor & Company (the “Firm”) for five breaches of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the “CJA 2010”). The Firm has admitted the breaches.

The Central Bank determined that the appropriate fine was €400,000, which was reduced by 30% to €280,000 in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.

The Central Bank’s investigation into the Firm commenced following a themed supervisory inspection which was part of its ongoing engagement with the investment firm sector. The inspection identified failings in the Firm’s anti-money laundering and countering the financing of terrorism (“AML/CFT”) framework. The breaches occurred between July 2010 and November 2016 and related to the following:

• Failure to conduct appropriate money laundering/terrorist financing (“ML/TF”) risk assessment.

• Failure to adopt adequate policies and procedures for preventing and detecting ML/TF.

• Failure to monitor and scrutinise customer transactions.

• Failure to provide training to staff on identifying suspicious transactions.

• Failure to ensure that all necessary arrangements were in place with third parties whom the Firm relied on to conduct customer due diligence measures on the Firm’s customers.

The Central Bank confirms that the Firm took the necessary steps to rectify the failings that gave rise to the breaches by 9 August 2018 and that the investigation is now closed.


Central Bank of Ireland Enforcement Action

The penalty, for which Telia requested and received a Ministerial review, was for repeated facilitation of international phone calls to a sanctioned Syrian entity (SyriaTel) “over an extended period of time.” When the review was performed, Telia provided additional detail which reduced the value of the violations by more than 50% (from £480,000 to £234,000). OFSI’s original assessment of £300,000 was appropriate, but it was reduced to the final amount based on the additional information. Telia was entitled to appeal the decision to the Upper Tribunal, but chose not to.

OFSI added a “lessons learned” to this case:

This case illustrates that ‘economic resources’ can cover a wide variety of tangible and intangible resources and can be provided directly and/or indirectly. It also illustrates that companies need to be able to recognize when they are in breach of the regulations and take immediate action to stop their activity and report it to OFSI.

Again, there is very little detail here in how these violations came about, about the actual knowledge of or involvement of management, the quality of Telia’s compliance program, or any of the other factors considered by OFSI and documented in their enforcement guidance.

The one saving grace, of course, is that the penalty is much more proportional than that doled out to Raphaels Bank and Travelex earlier this year. By the way, there is no discussion of how the £300,000 penalty was determined, or whether there was any “base penalty” calculated as in the earlier cases.

So, a step forward for OFSI, but they can still do better….


Monetary Penalty Notice