On July 21, 2022, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) issued a Finding of Violation to MidFirst Bank (MidFirst) for violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations. According to OFAC's announcements, MidFirst maintained accounts for, and processed 34 payments on behalf of, two individuals added to the OFAC's List of Specially Designated Nationals and Blocked Persons List (SDN List) for 14 days after their designation.
According to the OFAC, these apparent violations resulted from "MidFirst's misunderstanding of the frequency of its vendor's screening of new names added to the SDN List against its existing customer base." MidFirst apparently believed (incorrectly) that the agreement between itself and its sanctions screening tool vendor provided for daily screenings of its entire customer base. In reality, however, while the third-party sanctions screening tool conducted daily screenings of new customers and of existing customers with certain account changes, the tool utilized only screened MidFirst's entire existing customers once a month. Similarly, MidFirst's additional, internal sanctions screening process also only screened the existing customers on a monthly basis. Consequently, MidFirst failed to realize that the two individuals were added to the SDN List until 14 days after their additions. OFAC found the lack of real-time sanctions screening procedure as an aggravating factor, stating that "MidFirst had reason to know that it maintained the accounts for the blocked persons, and that its vendor was re-screening MidFirst's existing accounts against changes to the SDN List on a monthly basis only."
This enforcement action serves as a reminder to financial institutions in particular and other companies more generally of the importance of implementing real-time sanctions screening systems. It also highlights the importance of understanding the scope and capabilities of any third parties engaged for sanctions compliance services and ensuring that the scope and capabilities of such third parties can adequately address the sanctions compliance risks faced by the company.
In past enforcement actions, OFAC has also emphasized the importance of "fuzzy logic" in sanctions screening. "Fuzzy logic" allows sanctions screening tools to identify non-exact matches and account for spelling mistakes or variations in spellings, among other things. For example, as discussed in our advisory, OFAC issued an enforcement action against Apple, Inc. in 2019, in part due to the company's failure to properly screen counterparties when its screening tool failed to match the upper case name "SIS DOO" in the company system with the lower case name "SIS d.o.o." as written on the SDN List.
OFAC sanctions regulations are enforced on a strict liability basis and thus OFAC need not prove fault or intent to bring an enforcement action and impose a civil penalty. OFAC also encourages organizations to adopt a risk-based approach in building their sanctions compliance programs and considers the adequacy of the compliance program to mitigate the sanctions risks of a given organization in determining whether to bring an enforcement action and the appropriate civil penalties.1 Therefore, as demonstrated by these enforcement actions, it would be prudent for financial institutions and other organizations to ensure that their sanctions screening tools are capable of conducting frequent (if not real time) sanctions screening and utilizing "fuzzy logic."
Footnote
1. See OFAC, A Framework for OFAC Compliance Commitments, https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
