August 16, 2018
By: Anna Sayre, Legal Content Writer, SanctionsAlert.com
After conducting a supervisory examination of its compliance program, the Office of the Comptroller of the Currency (OCC) has issued a $12.5 million fine and a Consent Order requiring Bank of China’s New York Branch to fulfill certain requirements within 90 days, some very far-reaching.
The Order, imposed by the OCC in April 2018, not only details shortcomings found in the Bank Secrecy Act/anti-money laundering (BSA/AML) compliance program of one of the world’s biggest lenders, but also enterprise-wide deficiencies in its Office of Foreign Assets Control (OFAC) compliance requirements.
The Order serves to articulate the expectations that bank regulators have been expressing for quite some time: OFAC non-compliance will not be tolerated.
In fact, there have been a number of consent orders issued by OCC and other regulators in the last few years that mention OFAC-related improvements, for example:
|Year||Regulator||Company||OFAC-Related Improvements Required|
|2018||Federal Reserve Board||U.S. Bancorp||Within 60 days – US Bank shall submit a written plan to strengthen board oversight of its firm wide compliance risk management program with regard to compliance with the BSA/AML Requirements and the OFAC Regulations
|2018||Federal Reserve Board||Mega International Commercial Bank Co.||Within 60 days – Bank shall submit an individual written plan to enhance the Bank’s and the respective Branch’s management’s oversight of the respective Branch’s compliance with the BSA/AML Requirements and the OFAC Regulations
|2017||OCC||Merchants Bank of California||Within 30 days – submit a revised BSA/OFAC program to provide for compliance with the Bank Secrecy Act, as amended (31 U.S.C. §§ 5311 et seq.), the regulations promulgated there under at 31 C.F.R. Part 103, as amended, and 12 C.F.R. Part 21, Sub parts B and C, and the rules and regulations of the Office of Foreign Assets Control (“OFAC”)
|2015||OCC||U.S. National Bank Association||Within 60 days – Bank shall provide an action plan for the completion of an evaluation of the Bank’s BSA/AML and Office of Foreign Asset Control (“OFAC”) compliance programs to the Examiner-in-Charge for a written determination of no supervisory objection.|
The most recent OCC April Order against Bank of China again confirms that U.S. regulators are considering AML violations and OFAC violations on an equal footing andthat companies should ensure both compliance programs within their institution are well maintained.
‘Enterprise-Wide’ OFAC Enhancements
The OCC lists a number of ways that Bank of China must enhance its OFAC compliance program.
The Order states that the bank must prepare an “acceptable action plan for the development and implementation of a written enterprise-wide program to establish and maintain an effective, sustainable, and documented system of internal controls to address any open OFAC-related “Matters Requiring Attention” and to ensure ongoing compliance with OFAC rules and regulations.”
Further, the bank shall ensure that the staff responsible for OFAC compliance has sufficient training, authority, and skill to perform their assigned responsibilities.
Six of the seven OFAC-related deficiencies found at the bank related to “screening”. This is a crucial cog in a bank’s compliance department that analyzes the identity of current and prospective clients, to ensure they are not designated by OFAC.
Within 90 days, the bank is required to take the following actions:
(1) Implement an appropriate and effective OFAC screening system(s) commensurate with the enterprise-wide risk profile;
(2) Maintain procedures to ensure periodic independent validation of the Branch’s automated OFAC screening system. Policies and procedures shall outline the expectations for validations and periodic tuning of all OFAC systems used by the Branch, and include frequency, scope, depth of testing and issue reporting/governance;
(3) Require that all transactions, in particular wire transfers, are screened against all applicable OFAC lists;
(4) Screen new potential customers against current OFAC lists, and screening existing customers against updated OFAC lists (i.e., with additions or changes);
(5) Timely update the lists of blocked countries, entities, and individuals and disseminating such information enterprise-wide;
(6) Handle items that are validly blocked or rejected items under the various sanctions programs and the management of blocked accounts;
The enterprise-wide OFAC program must include “effective and sustainable” policies and procedures for risk-based review and compliance management of transactions involving Group Affiliates and all other customers, including trade finance activities and U.S. dollar clearing activities, to ensure compliance with OFAC rules and regulations.
Though these types of deficiencies are not uncommon, such wide-ranging deficiencies may be surprising for such a big, established bank. Debra Geister, an independent financial crimes strategist, proffers that the deficiencies identified “seem to indicate significant failings and suggest that the bank did not have a screening system or platform. IF that were the case, it would be surprising for a bank with the complexity and risk profile of a global bank such as Bank of China. There is emphasis on the wire system, which is the highest risk area of the bank.”
OFAC Risk Management
In addition to the screening fixes, the regulator requires the bank to make a “documented OFAC risk management processes commensurate with the level of enterprise-wide OFAC risk, consistent with the Branch’s annual OFAC risk assessment.”
This must include:
(i) Expanded job roles tailored to broad OFAC risk management;
(ii) Elevating the seniority and stature of OFAC Officer(s) to provide sufficient authority, stature, and command enterprise-wide and to establish communication and coordination with the Home Office to effectively manage OFAC compliance; and
(iii) Development and expansion of documented policies, procedures, and governance framework focused on the development and proactive execution of an effective OFAC risk management program.
Accordingto Joseph Bognanno, Chief Innovation Officer at Safe Banking Systems (SBS), “the requirements themselves are not surprising but rather the level of detail in that it indicates that the OCC found deficiencies and weakness throughout the program. In a more mature program we often see specific areas identified for improvement, but here we see an enterprise-wide, bottom up expectation of overhaul”, he adds.
Ms. Geisteralso notes that, “the OFAC section seems to suggest fairly grave systemic failures of the bank program for sanctions. There are no details about the root cause; however, the OCC is requiring a fairly complete overhaul of the program.”
The regulator gives the Bank’s New York Branch 90 days to implement.
Raising the Bar
Joseph Bognanno of SBS suggests, this recent action “certainly raises the bar of expectations for Bank of China and gives some insight into the overall compliance “arms race”, if you will. All financial institutions will continue to have to regularly review and improve how well they are meeting regulatory expectations within the context of how their peers are performing.”
Lastly, complying with the Order will take time, effort, and funds to secure proper resources and staffing to deal with the requirements imposed. As Ms. Geister states: “this is a very comprehensive consent order in regard to the Sanctions program and will require a significant investment of time and resources.”