OFAC Enters Settlement Agreement With Swedbank Latvia for $3,430,900 Related to Apparent Violations of Crimea Sanctions

On June 20, 2023, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) entered a settlement agreement with Swedbank AS (Latvia) (“Swedbank Latvia”), a subsidiary of Swedbank AB, headquartered in Stockholm, Sweden. According to a press release, Swedbank Latvia agreed to pay $3,430,900 to settle its potential civil liability for 386 apparent violations of Section 6(a) of Executive Order 13685, “Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine” (“E.O. 13685”). The apparent violations occurred between February 5, 2015 and October 14, 2016 when a Swedbank Latvia client (the “Client”) used Swedbank Latvia’s e-banking platform from an internet protocol (“IP”) address in Crimea to send a total of $3,312,120 to persons in Crimea through accounts that were processed through U.S. correspondent banks (the “Apparent Violations”).

This settlement agreement serves as a reminder that it is essential for companies to implement effective, risk-based sanctions compliance controls, investigate red flags, and remain vigilant against efforts by persons in Crimea, as well as in other jurisdictions subject to an embargo, to evade sanctions and elude compliance controls. These steps are particularly important for sophisticated financial institutions operating in proximity to high-risk jurisdictions.

The Apparent Violations

According to OFAC, Swedbank Latvia had onboarded a shipping industry client in Crimea prior to Russia’s 2014 invasion of the Crimea region of Ukraine. The Client owned three special purpose companies (“SPCs”), each with an account at Swedbank Latvia. In February 2015, the Client began to send payments to persons in Crimea from an IP address in Crimea using Swedbank Latvia’s e-banking platform. These payments were all processed through U.S. correspondent banks.

Around March 2016, the Client again attempted to use Swedbank Latvia’s e-banking platform from an IP address in Crimea to send payments through a U.S. correspondent bank. This time, the U.S. correspondent bank rejected the payments, citing a potential connection to Crimea, and alerted Swedbank Latvia. Swedbank Latvia requested further information from both the U.S. correspondent bank and the Client. The U.S. correspondent bank did not respond to the request, and the Client assured Swedbank Latvia that none of the transactions involved Crimea. At this point in time, Swedbank Latvia already had reason to know that the Client’s assurances that the transactions did not involve Crimea were false. When Swedbank Latvia onboarded the Client, it obtained Know Your Customer (“KYC”) data, including addresses, telephone numbers, and a customer questionnaire, that clearly indicated that the Client and the SPCs had a physical presence in Crimea. Swedbank Latvia also had the Client’s IP data, which, if screened, would have indicated that the Client was physically located in Crimea. However, Swedbank Latvia had not integrated this IP data into its sanctions screening processes at the time.

Choosing to rely on the Client’s assurances and ignore the red flags in its KYC and IP data, Swedbank Latvia re-routed the rejected payments to a different U.S. correspondent bank, which ultimately processed the transactions. Swedbank Latvia continued to route the Client’s payments to persons in Crimea to U.S. correspondent banks through October 2016.

Swedbank Latvia’s conduct resulted in 386 Apparent Violations of E.O. 13685, which prohibits any transaction that evades or avoids, has the purpose of evading or avoiding, causes a violation of, or attempts to violate the prohibitions set forth in E.O. 13685. Specifically, Swedbank Latvia’ conduct resulted in the export of financial services to Crimea in violation of E.O. 13685(1)(a)(iii).

The Penalty Analysis

The statutory maximum civil monetary penalty was $112,322,552. According to OFAC, Swedbank Latvia did not voluntarily self-disclose the Apparent Violations.  Rather, OFAC first learned about the Apparent Violations from a third-party, which was required to self-disclose. OFAC also determined that the Apparent Violations constitute a non-egregious case. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines (“Enforcement Guidelines”), the applicable base civil monetary penalty amount was $6,238,000. Ultimately, the settlement amount of $3,430,900 reflected OFAC’s consideration of the General Factors under the Enforcement Guidelines.

OFAC determined the following to be aggravating factors:

• Swedbank Latvia failed to exercise due caution or care in neglecting to account for information in its possession regarding its Client’s presence in Crimea and by solely relying on the Client’s assurances when it possessed contrary information, including KYC and IP data.
• Swedbank Latvia knew it had customers in Crimea and had reason to know it was processing payments on behalf of the three SPCs located in Crimea.
• Swedbank Latvia is a sophisticated financial institution with over one million customers and is one of the largest banks in Latvia by assets.

OFAC determined the following to be mitigating factors:

• Swedbank Latvia did not receive a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the Apparent Violations.
• Swedbank AB and Swedbank Latvia took significant remedial action in response to the Apparent Violations, including:
  • Exiting the client relationships with the SPCs in December 2016 and the SPC Owner in February 2017.
  • Implementing geofencing that prevents customers from sending payments through online banking platforms from IP addresses in comprehensively sanctioned jurisdictions.
  • Implementing an automated system control within their transaction screening solution to identify potential resubmissions of payments after rejection.
  • Establishing enhanced due diligence and screening procedures for high-risk customers undertaking any payments in U.S. dollars.
  • Implementing enhanced diligence and transparency protocols for responses to correspondent banks.
  • Expanding their compliance staff to implement the new protocols.
  • Undertaking measures to improve its KYC, AML and financial sanctions controls more broadly.
• Swedbank AB and Swedbank Latvia substantially cooperated by conducting an extensive lookback, providing well organized responses to OFAC’s requests for information, and by tolling the statute of limitations.

We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.

***