Historically, the U.S. government has taken more linear, explicitly restricted approaches to sanctions by naming known individuals, companies, vessels or underlying industries within countries subject to sanctions. Due to the Russian invasion of Ukraine, there are many unknown actors and companies, in addition to the known restricted and named parties. Therefore, the sanction restrictions become more nuanced and call for the human element to research underlying parties to determine if they are indeed restricted. Coupling unknown actors and nuanced sanctions restrictions with a few other vulnerabilities like the U.S.’ nascent regulatory framework, data availability issues and poor matching algorithms make for a confusing and labor-intensive path forward for all U.S. persons and entities that must comply with sanctions restrictions.
For example, some of the unknowns are further compounded as the U.S. was over six years late to the requirement of ultimate beneficial owner (UBO) collection when opening a business banking account. In addition, many “offshore” states allow business creation and incorporation to happen through a registered agent and without disclosing the UBO of a business. Couple those two issues with shelf companies that can be bought via a simple Google search and unregulated gatekeepers (attorneys), and voila—there are many ways in which any sanctioned individual can move their money through normal U.S. institutions without being caught. If UBOs and associated names of individuals and companies are in fact captured within a system, there is still the issue of poor matching algorithms, decentralized sanctions functions such as wires, new accounts, operations, anti-money laundering (AML), etc., as well as inconsistent training.
Not Just Russia
While the attention has been squarely on Russia, readers should be aware of several sanctions related to Ukraine and the so-called Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR). Executive Order (EO) 14065 was issued on February 21, 2022, prior to the Russian attack on Ukraine on February 24, 2022. There were also six general licenses issued on February 21, 2022, regarding EO 14065. What is unique about the order is that President Biden explicitly states that charitable contributions are disallowed from being sent to the DNR or LNR.1 However, personal remittances that are of an ordinary incident—and not connected to charitable contributions—such as support of family businesses or for commercial use are authorized. This means that the “trigger” to review the source, purpose and individuals attached to payments should really start at the macro (country) level.
In addition to Russia and partial Ukrainian sanctions, there are restrictions against Belarus. These are mostly at the Department of Commerce level; however, there are specific restrictions against providing support via technology, military supplies, etc., to the Belarusian military.
Where Do We Go From Here?
Community institutions and fintechs will need to ensure that they are fully aware of their threat landscape. Typically, most institutions will assume that their risk levels are low to none without looking at the threat application. For example, a community institution in Pennsylvania may assume that the ongoing changes to sanctions restrictions will not affect their day-to-day operations and that their Office of Foreign Assets Control screening systems will catch anything that needs to be stopped. However, with nuanced and dynamic sanctions restrictions, most institutions will need to take a broader look at their threat landscape. Below are two steps for all institutions to consider, big or small, traditional or nontraditional.
Step 1: Determine the threat exposure to individuals and businesses related to Russia, Belarus and parts of Ukraine.
Consider certain actions such as:
- How many non-resident aliens (NRAs) have Russian, Ukrainian or Belarusian citizenship?2 Monitor these customers closely for behavioral changes. Identify recently opened account(s)/relationship(s) for NRAs from a high-risk sanction jurisdiction and non-U.S. addresses (or even require approval prior to opening).
- How many transactions (i.e., wires or automated clearing houses) to or from these countries have been processed? Staff should ensure that all avenues for wires are accounted for, such as foreign exchanges, U.S. dollars via a correspondent, SWIFT, etc.). Implement changes within internal systems to prevent staff/customers from being able to select these countries for wire initiation on behalf of customers; require pre-approval before initiating; monitor returned transactions that are then resubmitted for the same dollar amount (this could indicate stripping); and review increased activity through potentially higher-risk geographic areas such as China, the United Arab Emirates, free trade zones and other countries within close proximity to Russia, Belarus and Ukraine.
- Who is physically conducting transactions using points of sale, ATMs, credit cards, etc., in these countries? Consider blocking debit card, ATM and credit card activity in these countries and/or requiring approval of transactions.
- Review historical activity to identify customers who may not have violated sanctions before involving these but would now violate the new sanctions. Ensure that the activity does not happen again.
- How many addresses in your system(s) indicate a mailing or physical address or IP address in one of those countries? Consider putting a hold on activity involving these accounts (subject to approval); and consider blocking IP addresses from these countries’ access bank platforms.
- How many customers are inapplicable industries that are restricted or higher-risk sanctions industries (e.g., agriculture, aviation/aerospace, construction, banking, military/defense, mining, textiles, metals/minerals, oil/petrochemicals/energy, railways, shipping, technology, telecom, research and development, etc.)?
- Determine if any charitable organization customers have a mission and/or involvement with these countries or other high-risk jurisdictions in close proximity to these countries. Determine sanctions risk, monitor these customers closely and take action to mitigate sanctions risk.
- Determine the threat level of foreign politically exposed persons (PEPs) as well as private banking accounts that may have an additional layer of privacy.
Step 2: Identify and Monitor Critical Data
- Provide actionable steps to every individual or area that touches sanctions—from the online banking team (IP addresses), wire operations, AML, fraud and cyber areas. Do not over-explain but rather provide the high-level red flags to look out for and a direct email or phone number for these areas to call if they see red flags.
- Utilize enterprise-wide research tools if there is a positive match at the country level. If your AML/sanctions area does not have access to a third-party system that provides information regarding business ownership, relatives, etc., ask your lending area to provide access to the various systems they use in the underwriting process. In addition, utilize public domain searches as well. For example, there is value in searching for taxpayer-identification numbers (TIN) (INNs) provided in payment instructions for Russian entities.3
- Contact watchlist screening vendors to understand what actions they are taking and ensure that they update their solutions with the most recent sanctions changes in a timely manner. Update internal watchlists to identify cities within DNR and LNR if the vendor cannot identify them. Work with the vendor management team to identify any vendors that have ties to these countries and understand the actions they are taking. Finally, consider updating the third-party language for vendors and new deals to be more specific, including Russia and comprehensive jurisdictions, versus being general.
- When changes are made to the known list of restricted entities, sample those in your various systems for sanctions (primarily wires and AML) to ensure that the restricted entities are not in your systems.
- Provide ongoing communication on the status of sanctions and actions taken to mitigate sanctions risk/exposure to the board and senior management. Also, consider using banners/announcements to communicate with customers about the sanctions, their requirements and any potential impact on their banking activities.
- Update sanctions compliance policies and procedures continuously to incorporate sanctions requirements.
- Collaborate with peer institutions to discuss the best practices, experiences, sanctions interpretation, etc.
- When in doubt, call the U.S. Department of the Treasury (1-800-540-6322) and document the party and transaction involved as well as the name of the person with whom you spoke.
Step 3: Reporting
According to the recently released FinCEN Advisory (FIN-2022-001),4 institutions and U.S. businesses should be monitoring for red flags, most of which are noted above. This is a departure from other output from the U.S. Department of the Treasury, as this advisory goes beyond the outlined restrictions to a more nuanced, red flags approach. This is due to the ability to edit wires and payment mechanisms, as well as the ability to obfuscate the ownership of companies that may be restricted due to their owners. In addition, FinCEN recommends that registered 314(b) institutions use this valuable information-sharing avenue to expand their investigations and provide critical contextual information that may determine if a customer or business is related to a restricted entity or industry.
The advisory from FinCEN reminds institutions that a suspicious activity report (SAR) should be filed if there is additional information that may not have been submitted on the blocking report filed with the Office of Foreign Assets Control (OFAC). In addition, if there are ransomware or cyberattacks, these should also be submitted to OFAC.5 When institutions file SARs, the advisory requests to use the key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2 and the narrative. If there is a need to expedite the information contained in the SAR, an institution can call FinCEN’s Hotline at 866-556-3974.
Step 4: Monitoring Updates
Lastly, sanctions change almost daily. Monitor and sign-up for updates with news sources covering sanctions developments and attend as many webinar trainings as possible. Examples include ACAMS Sanctions Space, Kharon, Atlantic Council, ACAMS Today and ACAMS moneylaundering.com. Do not forget to sign-up with government agencies such as the United Nations Security Council, the U.S. Department of the Treasury, the European Union and HM Treasury Sanctions for updates.
As your institution looks forward, these types of sweeping sanctions changes should be easier to operationalize once your institution has a sanctions compliance framework as recommended by the U.S. Department of the Treasury in October of 2018.6 Issues regarding the third-party matching algorithms, the decentralized approach to sanctions and applicable training would be readily available to address when issuing notices like what is suggested in step 2. For now, keep refreshing the latest updates and extending oversight into those areas that have a role in sanctions compliance.
- “Blocking Property of Certain Persons and Prohibiting Certain Transactions With Respect to Continued Russian Efforts to Undermine the Sovereignty and Territorial Integrity of Ukraine,” Office of Foreign Assets Control, February 21, 2022, https://home.treasury.gov/system/files/126/ukraine_gl21.pdf
- It is important to note that individuals with various citizenship indicators may not be known to the institution as a customer can provide a non-passport ID, like a driver’s license. Therefore, the institution may not know the customer has a visa or passport from another country. So cast a wide net, looking for ITINs with the IRS’ format for an NRA, such as 9XX-7X-XXXX or 9XX-8X-XXXX.
- The following is an example of a catalog to search for INN and other useful information. “Catalogue of Russian organizations,” Org-info.com, https://www.org-info.com/
- “FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts,” FinCEN, March 7, 2022, https://www.fincen.gov/sites/default/files/2022-03/FinCEN%20Alert%20Russian%20Sanctions%20Evasion%20FINAL%20508.pdf
- Reports should be submitted to OFAC at OFAC_feedback@Treasury.gov.
- “A Framework for OFAC Compliance Commitments,” U.S. Department of the Treasury, https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf