On July 21, 2022, the Office of Foreign Assets Control ("OFAC") of the U.S. Department of the Treasury issued a Finding of Violation ("FOV") to MidFirst Bank ("MidFirst") for violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations ("WMDPSR").
The violations stemmed from MidFirst's maintaining of accounts for and processing of 34 payments on behalf of individuals added to the OFAC's List of Specially Designated Nationals and Blocked Persons ("SDN List") 14 days post-designation. These violations apparently were connected to a misunderstanding on MidFirst's behalf regarding the frequency of scans a third-party vendor conducted on the SDN List against its existing customer base.
The violations occurred after OFAC added two individuals to the SDN List pursuant to the WMDPSR on September 21, 2020. Despite their SDN designations, MidFirst processed five transactions totaling $604,000 on behalf of the two individuals on the same day, and another 29 transactions on behalf of the same individuals between September 22, 2020, and October 5, 2020. Once MidFirst's screening vendor notified them of the individuals being added to the SDN List on October 5, 2020, MidFirst blocked the accounts and transactions of those individuals.
The deficiencies in scanning and reporting by the screening vendor to MidFirst grew from a misunderstanding of the terms of an agreement between the two parties. Although the screening vendor conducted daily screenings of new customers and of existing customers who made changes to their accounts, they did not actually scan the entire customer base against the SDN List daily. MidFirst was mistakenly under the assumption that the screening vendor was scanning the entire customer base daily, when in fact the actual screening of the entire existing customer base against the SDN List only occurred once a month. Thus, depending on the timing of additions to the SDN List, MidFirst could have been unaware for up to a month that it was maintaining an account for blocked individuals.
MidFirst has since implemented a "manual process to be notified 'of all OFAC list updates' and to manually rescreen the entire customer base whenever there are any updates to the SDN List. Further, as of December 2020, their screening vendor has updated the frequency of screening the entire account base against the SDN List.
OFAC issued a FOV on this matter to reaffirm that financial institutions should take a risk-based approach to sanctions compliance, part of which is ensuring that screening services, whether outsourced or not, are adequate to ensure compliance. The determination to issue a FOV reflects OFAC's consideration of all the information provided by MidFirst in accordance with the General Factors Affecting Administrative Action set forth in OFAC's Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, app. A.
We summarize the factors OFAC considered when deciding to issue this FOV below.
OFAC determined the following to be aggravating factors:
- According to their agreement and conduct MidFirst had reason to know that the screening vendor was only scanning the entire customer base against the SDN List once a month.
- By allowing blocked individuals to operate for two weeks post-designation to the SDN List there were sanctions harm and a significant risk of asset flight.
OFAC determined the following to be mitigating factors:
- The violations occurred within two weeks post-designation and 98% of the value associated with the violations took place just hours after designation.
- The sanctions harm was less than the facial amount of the violations considering the largest transactions were internal transfers between one individual's accounts.
Financial institutions should generally ensure they are screening their entire customer list against the SDN List regularly, or otherwise ensuring that additions to the SDN List are promptly reflected in the Bank's compliance posture. In addition, companies should be well informed of the frequency and types of screening procedures being implemented by an outsourced screening vendor they rely upon to ensure compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.