FCC ESSENTIALS

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In this fourth edition, Christopher dives into a series of case studies of the Office of Foreign Assets Control (OFAC), the financial intelligence and enforcement agency of the U.S. Treasury Department. In 2023, OFAC's sanctions highlighted the critical role of location, with many fined entities neglecting effective geolocation checks. Despite possessing valuable information, firms failed to leverage geodata for identifying sanctions risks, often due to inadequate capture of country data.

===

Sanctions are a valuable tool of geopolitics, and therefore, it is unsurprising that location plays an especially significant role. If we consider the various fines issued by OFAC in 2023, location is involved in every case, and OFAC explicitly raised the lack of inadequacy of geolocation checks in many cases. Consideration of the various OFAC enforcement actions in 2023 provides numerous examples from which to learn.

Quite often, a sanctions compliance program will consist of screening the names of customers and partners against lists of designated persons. However, not all sanctions programs involve solely specific names. Information about location can also provide an excellent way of identifying risk. In the various OFAC enforcement actions this year, there are many examples of firms failing to use this geolocation data effectively.

Many of the entities subject to fines this year collected information that could have been, but was not, used to identify the sanctions risk. One theme that appears in multiple cases relates to the way country data was captured.

1. In one example, a California-based MSB provided a drop-down menu from which new users could accept their country of residence. It was possible for the users to select a non-sanctioned jurisdiction, and then provide their actual address in a sanctioned jurisdiction in a free text field. No comparison was made between the two fields and the free text field was not used in the sanctions screening process. Additionally, the screening process did not consider if the user provided an identification document from a sanctioned jurisdiction.

31 March 2023: https://ofac.treasury.gov/media/931556/download?inline

2. In another case, a large US technology company did not collect complete and accurate information about the identities of the end customers. The screening system also did not aggregate or consider data that was collected such as names, addresses and tax identification numbers which would have helped identify blocked persons. The reference data didn’t include the entities subject to the 50% rule or the native character alias of the lists entities.

6 April 2023: https://ofac.treasury.gov/media/931591/download?inline

3. IP addresses have come up frequently this year. A US based trading platform monitored these and even would conduct extra due diligence when a connection to sanctioned jurisdictions was identified. But it did not automatically block payments. Also, it had implemented a sanctions compliance program after going live but did not retroactively screen existing customers.

1 May 2023: https://ofac.treasury.gov/media/931701/download?inline

4. A Californian cosmetics company entered into an exclusive distribution agreement with and Iranian distributor to sell the companies goods in the Middle East. After sanctions against Iran increased, a new distribution agreement with the CEO of the Iranian Distributor was signed (using a legal entity in the United Arab Emirates). At one point, the California company received an email describing the process for shipping to Tehran. While this led to an instruction to stop exports to Iran, this was not actually implemented. It was not until the cosmetic company's bank started making inquiries that exports finally were halted.

17 May 2023: https://ofac.treasury.gov/media/931761/download?inline

5. A Nordic bank onboarded a shipping Company in Crimea prior to 2014. This company owned three special purpose companies, and established bank accounts for each. The KYC records indicated the connection to Crimea with addresses, telephone numbers and statements on the customer questionnaire. The bank's e-banking platform was accessed from IP addresses located in Crimea. When a transaction was blocked by a US correspondent bank, the Nordic bank contacted its customer and was falsely assured that none of the transactions involved Crimea. The Nordic bank then rerouted the transaction to another bank.

20 June 2023: https://ofac.treasury.gov/media/931911/download?inline

6. A US manufacturing company was approached to supply license plate sheeting to a German company and believed that the customer would transform the sheeting into blank license plates for export to Iran. The scope of the project was misunderstood, the German company intend to directly reexport the sheeting to Iran. Even after the true scope became apparent, internal documents continued to state the purpose as conversion to blank license plate to avoid further scrutiny. The US company screening process did not identify the risk, because only the name of the German company was screened, not the Iranian end-user. The issue was only identified after the expiration of a general license triggered a full review of all Iran related businesses.

21 September 2023: https://ofac.treasury.gov/media/932161/download?inline

7. An Illinois payments firm manages prepaid rewards card programs. Upon receiving a list of authorized users from the client, the (Illinois payments firm) would send those persons a token for a card. This process involved the collection of the persons' names, addresses and email addresses. It was not possible to select an address in a sanctioned jurisdiction. During a compliance review, it was discovered that users with IP addresses in sanctioned jurisdictions had used its services to redeem cards over twelve thousand times. While the company started blocking based on IP addresses, the company later discovered that additional cases where users were providing email addresses with top-level domains from sanctioned jurisdictions.

6 November 2023: https://ofac.treasury.gov/media/932276/download?inline

8. A virtual currency exchange permitted customers to identify themselves as being in a sanctioned jurisdiction but did nothing with that information. Even when the decision was made to off-board these customers, the users were still able to use the platform months later. While the platform would screen IP addresses, users could change their IP address with a VPN and access services even after failing the KYC screening. To appear compliance, management seemed to push for the use of VPNs to hide connections to the US and would also ask for non-US documents. The company was able to identify the locations of users via KYC questionnaires, phone numbers, documents, and IP addresses, but did not use these.

21 November 2023: https://ofac.treasury.gov/media/932351/download?inline

9. Another virtual currency exchange implemented a KYC and sanctions screening process which included IP address monitoring. Also, if a user presented an identification document from a comprehensively sanctioned jurisdiction, the application would be blocked. However, users were able to provide a 'country of residence' that differed from their actual address. For example, they could enter that they were living in 'Russia', but other fields would show that they were in Crimea. The screening solution focused only on the name of the country and failed to recognize 'Crimea' or city names in Crimea.

13 December 2023: https://ofac.treasury.gov/media/932406/download?inline

Explore our past FCC articles by clicking here.