OFAC Issues Finding of Violation — but No Penalty — for Sanctions Violations Caused by Compliance System Defects and Human Error

On April 30, 2020, the US Department of Treasury (“Treasury”)’s Office of Foreign Assets Control (“OFAC”) issued a Finding of Violation to American Express Travel Related Services Company (“AMEX”). AMEX issued a prepaid travel card to Gerhard Wisser, a specially designated national or “SDN,” and subsequently processed approximately $35,000 in transactions Wisser conducted using the card. AMEX had automated sanctions screening processes in place to prevent SDNs such as Wisser from obtaining cards—and those processes did, in fact, flag Wisser as an SDN. However, defects in the system, paired with human error, allowed the automated flags to be overridden so that Wisser could obtain a card. OFAC did not issue a monetary penalty for AMEX’s violations.

OFAC’s findings, and its decision not to penalize AMEX, highlight three important sanctions compliance considerations for US and non-US companies alike.

• First, OFAC can, and does, enforce with regard to relatively small sanctions violations—here, AMEX processed approximately $35,000 in transactions for Wisser.
• Second, as we’ve previously reported, companies can mitigate their monetary exposure to sanctions violations by maintaining a risk-based sanctions compliance program consistent with OFAC’s Framework for OFAC Compliance Commitments. The program should include, among other things, automated and manual screening processes tailored to companies’ businesses, and should enable companies to timely report and mitigate potential violations.
• Finally, although companies should use automated screening processes (if appropriate to their businesses), they cannot rely on them exclusively and should ensure that the automated processes cannot be overridden without proper review of potential sanctions issues.

Overview of AMEX's Violations

Generally, US persons—which include US-incorporated companies—are prohibited from dealing, directly or indirectly, with SDNs. Violations of these “primary” sanctions restrictions can carry civil and criminal penalties, including imprisonment for individuals. Likewise, non-US persons may be held liable under primary sanctions for “causing” US persons to violate primary sanctions (e.g., by using US dollar in support of prohibited transactions), and may be secondarily sanctioned (e.g., designated as an SDN) for engaging in material transactions with SDNs.

Wisser is an SDN designated under the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. Part 544. On March 26, 2015, Wisser applied for an AMEX “GlobalTravel Card” at a non-US bank, which entered Wisser’s information into AMEX’s screening system used for OFAC compliance. This program identified Wisser as a potential SDN, and automatically generated decline messages to the non-US bank.

However, the non-US bank “made several additional approval attempts,” which had the effect of causing the compliance program to “time out” and, in turn, automatically approve Wisser’s application. Although the application was sent to an AMEX compliance analyst for manual review, the analyst incorrectly concluded that Wisser was not an SDN. As a result, AMEX issued Wisser a card.

Between March and May 2015, Wisser made two initial deposits and 39 withdrawal transactions totaling approximately $35,000, using his card at various ATMs in Germany and the United Arab Emirates.

OFAC's Findings

In assessing AMEX’s violations, OFAC applied the Economic Sanctions Enforcement Guidelines, 31 C.F.R. Part 501, which govern OFAC’s analysis of the severity of potential violations and the appropriate penalty by reference to “aggravating” and “mitigating” factors.

On the one hand, OFAC found that AMEX’s violations were aggravated by the fact that: (i) AMEX conferred economic benefit on an SDN; (ii) AMEX is a “large, commercially sophisticated financial institution”; and (iii) “AMEX’s automatic approval of applications in . . . timeout [situations] was a critical shortcoming of its compliance program.” On the other hand, OFAC determined that the violations were mitigated by the fact that: (i) AMEX was not willful or reckless; (ii) there was “no information to indicate that [AMEX] knew it maintained a card for an SDN, or that its system could be overridden”; (iii) AMEX remediated its violations, reducing the likelihood of future violations; (iv) AMEX cooperated with OFAC’s investigation and voluntarily disclosed its violations; and (v) “AMEX has not received a penalty notice of Finding of Violation . . . in the five years preceding the earliest date of the transactions giving rise to the violations.”

Takeaways

As noted above, OFAC’s findings and decision not to penalize AMEX highlight three important sanctions compliance considerations.

First, OFAC can, and does, enforce relatively small sanctions violations—here, AMEX processed approximately $35,000 in transactions for Wisser. In its Finding of Violation, OFAC noted that the “sanctions harm” was not the value of the transactions conducted by Wisser, but the “economic benefit” conferred on Wisser.

Second, as we’ve previously reported, companies can mitigate their monetary exposure to sanctions violations by maintaining a risk-based sanctions compliance program (as AMEX did) consistent with OFAC’s Framework for OFAC Compliance Commitments. The program should include, among other things, automated and manual screening processes tailored to companies’ businesses, and should enable companies to timely report and mitigate potential violations. Although AMEX’s program contained fatal defects that led to its violations, AMEX’s position would likely have been worse if it had a less robust, or no, compliance program.

Finally, although companies should use automated screening processes (if appropriate to their businesses), they cannot rely on them exclusively, and should ensure that the automated processes cannot be overridden without proper review of the potential sanctions issues. Notably, AMEX apparently did not know that its system could be overridden in a way that would enable Wisser, or other SDNs, to get a card. Moreover, the time out of AMEX’s compliance system was initially caused by failures at a non-US bank, and apparently not by AMEX—although this defect was compounded by the human error of AMEX’s compliance analyst. As such, companies should consider the ways in which its automated compliance screening programs can be affected by human error or the actions of third parties who have a role in providing information to their compliance programs.

*  *  *

We have a global platform specializing in compliance and investigations work, and are ready to help companies design and implement sanctions and other compliance programs to meet regulators’ expectations. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.