Compliance & Ethics Professional
a publication of the Society of Corporate Compliance and Ethics, www.corporatecompliance.org
May 2015
This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance and Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.
OFAC’s global sanctions: A greater headache than the FCPA?
by Robert J. Ward, Jr., Esq., CCEP

»» The largest OFAC penalties levied on banks have matched and even exceeded the largest FCPA penalties against industry.
»» The collateral impact of this is that financial institutions can be expected to blow the whistle to OFAC on customers who make USD wire transfers that involve sanctioned targets.
»» Particularly at-risk global companies include those under non-western ownership that are not accustomed to compliance with US and EU sanctions laws, but that operate and/or have assets within the U.S./European Union.
»» To avoid violations, preventive measures to deal with known vulnerabilities will be critical and targeted training will be essential.
»» Sanctions laws are constantly changing in response to world developments, so keeping policies, procedures, operations playbooks, and training materials up-to-date will be necessary to mitigate penalties if a violation occurs.

Much attention has been focused, and rightfully so, on Foreign Corrupt Practices Act (FCPA) compliance. With well-publicized US penalties in the hundreds of millions of dollars (e.g., Siemens at $800 million in 2008[1] and, more recently, Alstom at $772 million in December 2014),[2] there has been plenty of incentive to get it right. Could there be a global compliance headache on par with the FCPA?

OFAC introduction and impact
Another compliance area exists where the penalties have been equally, if not more, punitive with the potential fallout set to cause just as much of a headache as the FCPA. Said area comprises global sanctions principally administered by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). These are the economic embargoes imposed for foreign policy and national security reasons against different countries, such as Iran, North Korea, Sudan, and Syria. Cuba is expected to be removed from this list of harshly sanctioned countries, given President Obama’s December 2014 remarks.[3] The US government targets other countries in a limited fashion, such as Russia, the Balkans, Belarus, Burma, Iraq, Ivory Coast, The Democratic Republic of the Congo, the former Liberian regime of Charles Taylor, The Palestinian Authority, Libya, Lebanon, Somalia, Yemen, Zimbabwe, etc.[4]

In June 2014, BNP Paribas SA agreed to pay OFAC $964 million (out of a total of almost $9 billion in penalties to US regulators for various offenses).[5,6] Additionally, in June 2012, ING Bank N.V. settled OFAC violations for $619 million.[7] In December 2012, HSBC Global Holdings plc settled OFAC violations for $375 million (out of a total $1.9 billion HSBC paid in penalties to US regulators for various offenses).[8]
As is the case for the FCPA in often
targeting foreign owned industry, the fact
that the highest OFAC penalties have been
levied against foreign banks is not all that
surprising. The US government, through
OFAC, assiduously monitors US dollar
(USD) wire transactions that are all routed
through clearing banks within the U.S.
(e.g., New York City) with a view that the
US currency itself is US property, and thus,
cannot be legally used to facilitate or support
transactions involving a harshly sanctioned
country. Indeed, with the banks taking the
initial brunt from penalties, one can expect
future actions will stem from the banks
blowing the whistle, either on each other or on
customers who do not properly monitor and
screen their transactions. A few years back,
I discovered (through visits with a couple
of bank compliance officers in New York
City) that their greatest fear was potentially
being turned in to OFAC by their counterpart
compliance officers at another bank for
missing an ill-fated transaction involving a
harshly sanctioned country!
When one steps back to think that, if not for
effective implementation of US sanctions laws,
the U.S. would have to have military boots on
the ground in armed conflict, or expensive
airstrikes at a minimum, the reasons for strict
enforcement quickly become understandable.
With the total costs of the Afghan and Iraqi
war estimated to approach between $4 and $6
trillion,[9] it can be expected that vigorous and
strict enforcement will only continue to get
tougher and tougher.
This article will review critical preventive
measures for avoiding OFAC violations,
examine possible bad case scenarios that
can potentially happen at any globally
operating company, and will conclude with
recommendations for keeping up with this
highly dynamic and moving target.
Critical preventive measures for avoiding
OFAC penalties
Without question, like FCPA compliance,
OFAC compliance is an area where it behooves
globally operating companies to do what
they can to anticipate risk areas and prevent
violations. Perhaps the biggest incentive for
compliance, aside from penalty exposure,
is the possibility that egregious violations
will lead to being blacklisted as a Specially
Designated National (SDN), where others
will not do business with the SDN. Moreover,
for publicly-traded companies, there is the
SEC requirement effective fiscal year 2012 to
disclose whether, “during the period covered
by” the issuer’s report, “the issuer or any
affiliate of the issuer” worldwide knowingly
engaged in certain types of “transaction[s] or
dealing[s],” involving Iran, the government of
Iran, or certain individuals and entities on the
list of SDNs published by the US government.[10]
Risk-based assessments
The first step in prevention is to perform a
risk-based assessment of one’s vulnerabilities.
Questions to delve into at key regional
offices include:
·· Are we in an industry where the
harshly sanctioned countries could be
implicated, even if inadvertently? (e.g.,
banking and financial sectors; oil, gas,
and extractive industries; high tech and
telecommunications industries; foreign-
based agency businesses such as sales,
maritime, aircraft, customs broker, and
freight forwarding; and even tax and visa
processing agents).
·· Does our US parent company have a
controlling interest in subsidiaries located
in known trans-shipment countries, such
as the United Arab Emirates, Hong Kong,
and Singapore?
·· Even if our parent company is foreign-
owned, do we use the US dollar as our
functional currency with transaction
payments approved by US persons and/or
wire transfers cleared through US-based
clearing banks?
·· Is there the potential of facilitating
transactions with sanctioned countries or
SDNs by US persons, including foreign
expatriates working in the U.S. as well as
green card holders?
·· Is there the potential of evasion of
sanctions through US persons making
referrals to third parties or even merely
suggesting payments be made in
currencies other than the US dollar?
Such inquiries into potential
vulnerabilities will readily provide a road map
for the needed focus of policy, procedures, and
training efforts.
Crafting relevant policies and procedures
Once it is determined what the proper focus
should be, it is imperative to have relevant
policies and procedures that cover known
vulnerabilities. It is typical to include global
sanctions policies and procedures, along
with export control and anti-
boycott subject matter. The key
headings for such policies and
procedures usually cover the
following:
·· Purpose
·· Scope and applicability
·· Policy statement
·· Contact information
If the company has had
prior violations or is anticipated
to have issues given particular
difficulties in establishing effective internal
controls, it will be worthwhile to create an
operations playbook to supplement any
policies and procedures. The playbook
should cover likely scenarios and how best to
handle them. Training sessions should cover
the playbook scenarios as well as afford an
opportunity to add more relevant scenarios as
those in the field may bring up.
Screening software is a must
Because OFAC concerns itself not only with
country embargoes, but also with SDNs,
it is imperative to have effective screening
software. OFAC’s SDN List contains many
thousands of individuals, entities, vessels, and
banks all over the globe including:
·· Specially Designated Terrorists (SDTs),
Global Terrorists (SDGTs), and Foreign
Terrorist Organizations (FTOs)
·· Specially Designated Narcotics Traffickers
(SDNTs) and Kingpins (SDNTKs)
·· Weapons of Mass Destruction (WMD)
Proliferators (NPWMDs)
As long as one is going to the trouble to
implement screening software, one should, at
a minimum, screen against the lists in Table 1.
This list comes from OFAC Analyzer[11]—a
screening software program.

Gov’t Agency   List Description                             Last Update   # of Records in List
OFAC           (SDN) Specially Designated Nationals List    03/25/15      25,385
               (OFCL) Consolidated List                     12/23/14      416
BIS            BIS Denied Persons/Unverified List           02/18/15      874
FBI            Most Wanted Terrorist List                   09/12/14      42
Canada         (OSFI)                                       11/25/14      3,527
Europe         HM Treasury Sanction List                    03/23/15      7,838
               European Union Sanction List                 02/21/15      13,607
UN             United Nations 1267 List                     09/12/14      2,336

Table 1: Lists that screening software should cover at a minimum

As can be readily seen, OFAC maintains
the most extensive list. Depending on where
one’s company does business, it might behoove
one to include other lists from other countries
(and it goes without saying that banks and
financial institutions have to undertake Anti-
Money Laundering List checks).
A best practice is to screen customers,
joint venture partners, agents, suppliers, and
even employees and contract workers. In
short, it is critical to screen every person and
legal entity with whom one’s company does
business, and, just in case someone has turned
into a bad apple in the interim, it is important
to conduct regular batch screens (e.g., on a
monthly basis) of all such business partners.
There are software screening programs that
can be integrated into a company’s Enterprise
Resource Planning (ERP) system for real-time
continuous screening. Banks and financial
institutions that have to process hundreds of
thousands of transactions in a single day will
go to the trouble for such integrated real-time
and continuous screening capabilities.
Tailor training for worst-case scenarios
The number of ways things have gone wrong
and can go wrong can surprise even the most
experienced compliance professional. Based
on personal experience, the author can readily
describe a couple of bad headache cases. One
instance involved a US Accounts Payable
person who did not realize agency expenses
paid via US dollar wire-transfer for services
rendered at the port of Bandar Mahshahr
would violate US sanctions against Iran.[12]
(Bandar Mahshahr is a port city in Khuzestan
province in southwestern Iran.)
Unfortunately, on the wire transfer
supporting documents, there was no mention
of the country of Iran. This case suggests,
aside from rigorous screening, it will be
important to train personnel on the geography
of these areas to prevent these types of
mistakes and to reduce company vulnerability.
Aside from outside counsel fees, this mistake
cost the involved maritime agency an
$84,000 USD penalty and months of strict
due-diligence follow-up by US dollar clearing
banks in New York City that took notice of the
publicized penalty.
Another instance involved a US-based
company that rented equipment as part of
a managed service. This case has already
been self-disclosed to the government and
reported in SEC filings per Section 219 of the
National Defense Authorization Act (NDAA).
The company provided a Chinese customer
the rented equipment in Singapore. However,
the Chinese customer later advised they
were planning to take the equipment to Iran
for work to be performed there. Attempts
to retrieve the equipment were to no avail.
Meanwhile, a high-performing engineer,
based in Singapore, took it upon himself to
continue to provide the managed service
as a subcontractor to a Singapore-owned
vendor. Remarkably, the Australian general
manager of the Singapore office approved this
arrangement without consulting headquarters
in the U.S.
Besides representing an OFAC violation,
this activity also constituted potential
violations of US export control laws (given the
US-origin components in the equipment), not
to mention a violation of the US company’s
code of conduct forbidding activities that
amount to a conflict of interest. Put another
way, the Singapore office evidently attempted
to keep their revenue numbers up and did so
by joining with a vendor to serve a customer
operating in a forbidden, harshly sanctioned
jurisdiction (i.e., earning revenues from
a vendor).
The investigation yielded the dismissal
of both the general manager and the high-
performing engineer for violating US laws
applicable to their US-controlled subsidiary,
as well as for the unreported conflict of
interest. This case militated toward creating
an operations playbook to alert personnel to
be on the look-out for customers that might
be at risk for operating in harshly sanctioned
countries. In addition, personnel are now
requiring customer certifications that any
contemplated work in a harshly sanctioned
country will require sufficient notice for
return of the rented equipment.
On more than one occasion, I have seen
failures by companies to have anything other
than one-page agency powers of attorney
and failing to limit such powers, including
standard FCPA as well as global sanctions and
export control protective clauses. Other ways
things can conceivably go wrong include the
following (all of which should be included in
due diligence processes, protective contractual
clauses, customer certifications, training, and
potentially in operations playbooks to avoid
trouble down the road):[13]
a. Because OFAC generally prohibits
“evasion and facilitation” by US persons
of transactions by non-US persons
with sanctions targets, training should
advise against the following in such
circumstances:
–– Advising, assisting, approving,
authorizing, supporting, referring,
brokering, financing, or making
decisions for a transaction by a foreign
person that in any way involves a
sanctions target other than activities of
a purely clerical or reporting nature;
–– Altering operating policies or
procedures, or those of a foreign
subsidiary or affiliate, to permit
the foreign subsidiary to engage
in transactions with sanctions
targets that previously required
US person approval;
–– Referring to a foreign person purchase
orders, requests for bids, or similar
business opportunities involving a
sanctions target;
b. Parent company facilitation can arise
in many ways (e.g., providing various
types of financial or legal assistance or
mandatory approval for certain contracts);
c. Risks arise with foreign subsidiaries that
are not sufficiently independent or if there
is a divergence of operational structure
from legal structure;
d. Facilitation risks exist with other
relationships, such as joint development,
joint ventures, clients, and customers as
noted in the above examples from the
author’s personal experience; and
e. Referring business to a third-party vendor
related to transactions in a sanctions target.
Specific, conceivable bad-case scenarios
might also include:
·· A US citizen employee of the Cairo
office engages in business planning in
support of Sudanese investments by a
Norwegian client;
·· A French employee of the Dubai office
prepares and emails comments on a Swiss
client’s Iranian investments while attending
a conference in Hawaii;
·· A British national employed by an entity
in the U.S. receives an inquiry from a
customer in Europe about trade advisory
services needed in Syria and forwards that
inquiry to the firm’s Geneva office with a
recommendation and tips on how best to
pursue this new business opportunity;
·· A Swiss employee of an entity in Geneva
calls the firm’s commodities expert in the
U.S. for commercial advice in connection
with structuring a Swiss-Iranian transaction;
·· A Swiss trader for an entity in Geneva
asks an executive in the U.S. to authorize
the export of non–US-origin rice to Iran
without the benefit of a license covering that
consultation or shipment (humanitarian
aid is permitted but requires an OFAC
license); and
·· OFAC also prohibits “evasion” of sanctions
by concealing information or other means
to enable the completion of a transaction
through the United States that could not
occur on a transparent basis (banks have
run afoul here by suppressing or outright
misrepresenting details in US dollar
wire-transfer requests).
Conclusion: How best to keep up with this
dynamic area of the law
The key point is that the high OFAC penalties
imposed on banks will trigger the financial
industry to blow the whistle on their customers
who attempt, even if inadvertently, to facilitate
or support any transactions involving a
sanctions target. OFAC has penalized the
banking industry severely, so financial
industry finger-pointing will surely occur to
those undertaking global operations without
adequate compliance due-diligence processes
in place. Traps for the unwary can involve
OFAC penalties, damage to reputation, a high
level of clearing-bank scrutiny on all payment
and receipt requests, and even potential
SDN designation!
Just in the past year, we have witnessed
the rolling back of Cuban sanctions, while
Russia experienced a significant imposition of
multilateral sanctions stemming from Russia’s
annexation of Crimea and Russia’s continued
support (including militarily) to separatists in
Eastern Ukraine. Along with those country-
level sanctions have been numerous additions
to the SDN and other blacklists. Keeping
one’s policies, procedures, training materials,
and monitoring processes up-to-date can be
daunting. Certainly, implementing a solid
screening software program, where list updates
are uploaded as close to real-time as possible, is
a critical first step. The author subscribes to two
major newspapers, one US-based and the other
European-based, as well as covering a number of
different blogs in order to keep up with the
ever-changing global political, social, and
economic landscape.
In the end, the key
is to focus on the risks of one’s company having
involvement with sanctions targets. Updates
will have to be made as soon as possible after
executive orders are released regarding new
sanctions for any parts of the world where the
company may be operating in close proximity,
or where there is a risk of a customer or agent
doing business involving a sanctions target.

1. Department of Justice, Office of Public Affairs, press release: “Siemens AG and Three Subsidiaries Plead Guilty to Foreign Corrupt Practices Act Violations and Agree to Pay $450 Million in Combined Criminal Fines.” December 15, 2008. Available at http://bit.ly/siemens-ag
2. Department of Justice, Office of Public Affairs, press release: “Alstom Pleads Guilty and Agrees to Pay $772 Million Criminal Penalty to Resolve Foreign Bribery Charges.” December 22, 2014. Available at http://bit.ly/alstom-guilty
3. CNN Money website: “The promise for American businesses if Cuba sanctions are lifted.” January 20, 2015. Available at http://bit.ly/cuba-trade
4. OFAC Guide Compliance Regulations for 2015. Available at http://bit.ly/ofac-guide
5. Department of the Treasury: Settlement Agreement with BNP Paribas, June 30, 2014. Available at http://bit.ly/treasury-sactions
6. Noamie Bisserbe: “BNP Paribas Assures It Has Ample Cash to Cover U.S. Penalties.” July 1, 2014. Available at http://bit.ly/bnp-paribas
7. Department of the Treasury: Settlement Agreement with ING Bank N.V. June 12, 2012. MUL-565595. Available at http://bit.ly/treasury-civpen
8. Department of the Treasury: Settlement Agreement with HSBC Global Holdings plc. December 11, 2012. MUL-615225. Available at http://bit.ly/treasury-civpen2
9. Ernesto Londono: “Study: Iraq, Afghan war costs to top $4 trillion.” Washington Post, National Security section. March 28, 2013. Available at http://bit.ly/afghan-4-trillion
10. Section 219 of the National Defense Authorization Act for Fiscal Year 2012. Public Law 112–81, December 31, 2011. Available at http://bit.ly/treasury-programs
11. OFAC Analyzer screening software. Available at http://bit.ly/ofac-analyser
12. http://bit.ly/treasury-afac
13. Norton Rose Fulbright: Phoenix – Our slides and WebEx recordings. Slide deck from a March 2013 presentation. Available at http://bit.ly/norton-roseful

Robert J. Ward, Jr. (robertjwardjr@gmail.com) is Vice President Global
Compliance at Houston International Business Corp in Houston and is a
Certified U.S. Export Compliance Officer.