At the beginning of April 2019, the United States (US) Department of Justice entered into a Non-Prosecution Agreement with UniCredit Bank Austria AG regarding the evasion of various economic sanctions1. A total of USD1.3 billion was paid by UniCredit. Various branches of the American legal and regulatory regime imposed standard restrictions onto UniCredit, however the expansion of the oversight into attempted transactions raised some eyebrows within the global compliance industry.

The UniCredit case had all the standard hallmarks of classic sanctions evasion. Training materials were adapted to instruct staff on how to evade Office of Foreign Assets Control (OFAC) sanctions. Separate MT202 messages were sent to the US-dollar (USD) correspondent bank and the beneficiary’s bank to ensure the payment information flowing through New York did not contain anything incriminating about sanctioned individuals, companies or countries. Management actively encouraged the sanctions evasion, even after staff pointed out that such activity was illegal in the eyes of the American legal system.

In other words, UniCredit saw an opportunity to deal with sanctioned entities when others, in response to US government policies, declined. When financial institutions follow the rules and deny sanctioned entities, other banks may calculate that the rewards outweigh the risks of violating economic sanctions imposed by the United States. Given the USD1.3 billion in

penalties and the subsequent costs imposed by the regulatory action, UniCredit may wish to re-evaluate its original profit calculus.

Traditionally, financial institutions operating within the United States place OFAC filters on their inbound and outbound payments, typically MT103 and MT202 messages as administered by the Society for Worldwide Interbank Financial Telecommunication (SWIFT)2. In the case of UniCredit, these OFAC filters were avoided, modified or ignored.

Other financial institutions have tried a similar tactic and faced the wrath of regulatory forces, often at a cost of billions of dollars. Competent managers supervising a financial institution’s payments centre, trade finance operations, credit approval, private banking or correspondent banking business fully understand that short-term gain from interacting with sanctioned entities often leads to overwhelming long-term pain from regulatory action. This is not a difficult equation to solve.

American banking regulations dictate that should an MT103 or MT202 payment message which contains information about sanctioned entities flow through UniCredit or any other financial institution and be detected by an OFAC filter, it must be reported to the Financial Crimes Enforcement Network (FinCEN) and most likely any other financial intelligence unit (FIU) with jurisdiction over the payment.

The OFAC filter is an established mechanism to prevent unauthorised actors from accessing the United States financial system. Countries sanctioned by the United States over the past couple of decades, such as Iran, Syria, North Korea and others have faced crippling economic pressure from the inability to access USD payment flows. With the majority of international trade conducted in USD, the inability to procure dollars for imports or

ManchesterCFSuite 501125-720 King Street WestToronto, Ontario Canada M5V 3S5+1.416.388.6051manchestercf.cominfo@manchestercf.com

Profit is sweet, even if it comes from deception.

– Sophocles, Greek playwright (496BC-406BC)

ManchesterCF Analytics April 20191 of 3

ManchesterC

FFinancial Intelligence

MANCHESTERCF ANALYTICSPROFIT IS SWEET | APRIL 2019

receive dollars for exports can lead to dramatic changes in per capita incomes and the financial health of domestic banks and capital markets.

Sanctioned individuals face potential financial ruin as banks turn them away. Sanctioned companies find their payables and receivables heavily curtailed, potentially bankrupting the firm. Financial institutions shut out from global liquidity in USD payments can face bank runs and swift destruction, often in a matter of hours after the announcement from the US Secretary of the Treasury.

Some financial institutions will strip the payment message of critical information about sanctioned entities and replace these clues with innocuous text that leads anyone curious about either the applicant or beneficiary to refer to an internal reference number or customer code. In some cases, a bank will substitute the applicant or beneficiary information with their own branch and include a reference number that only a few bank employees will be able to decipher.

For alert correspondent banks, message stripping by respondent banks is a serious offence and can lead to both the termination of the correspondent banking relationship and the submission of searing suspicious activity reports (SARs) to FinCEN. If enough SARs accumulate about a financial institution’s habit of message stripping, financial investigators from various branches of civil service will begin to probe the bank and accumulate the evidence necessary for either regulatory or legal action. This is where the multi-billion-dollar problems emerge.

Included in the Non-Prosecution Agreement with UniCredit was some interesting text inserted by the US Department of Justice3:

e. The Bank agrees to continue to implement compliance procedures and training designed to ensure that the relevant Bank compliance officer in charge of sanctions is made aware in a timely manner of any attempts by any person or entity (including, but not limited to, the Bank’s employees and its customers, financial institutions, companies, organizations, groups,

persons, or agents) to circumvent or evade U.S. sanctions laws, including but not limited to, apparent circumvention attempts involving deceptive business practices, suspected front companies, withholding or altering names or other identifying information, or any other infiltration attempts. The Bank shall report to the Offices the name and contact information, if available to the Bank, of any person or entity that makes such a request. The Bank further agrees to timely report to the Offices any known attempts by any Bank employees to circumvent or evade U.S. sanctions laws.

Not content with the filing of SARs from payment messages flagged by OFAC filters, the US government is now expecting additional

measures from UniCredit, some of which will be challenging to implement. Actual transactions, of course, must be reported. Now attempts to transact must be reported as well, and the definition of “attempted” is painted with a broad brush.

In the future, any person or organisation who approaches UniCredit about any payment or other transaction type to or from a sanctioned entity will need to be reported by

UniCredit to American authorities. Whether UniCredit accepts or rejects the overture from the existing or potential customer is irrelevant, as the bank must report this event as per the Non-Prosecution Agreement.

These approaches could be verbal or documented, one may assume. Whether the attempt is an “off the cuff” remark or a documented proposal, it still may be reportable. UniCredit’s legal team will be working long hours to sort through the parameters that will guide internal policy on the matter.

“Deceptive business practices” will require the bank to investigate whether any attempted or actual fraud event involving the bank is potentially linked to an attempt to evade sanctions, an additional compliance burden upon the corporate security and financial crime compliance team. Included in deceptive

ManchesterCFSuite 501125-720 King Street WestToronto, Ontario Canada M5V 3S5+1.416.388.6051manchestercf.cominfo@manchestercf.com

ManchesterCF Analytics April 20192 of 3

ManchesterC

FFinancial Intelligence

Fraud must now be explored from the perspective of economic sanctions, as any failure to recognise the linkage between an actual or attempted fraud and a sanctioned entity may lead to dire consequences from the US Department of Justice.

“

”

business practices will be incidents involving fraudulent documentation and identification. Fraud must now be explored from the perspective of economic sanctions, as any failure to recognise the linkage between an actual or attempted fraud and a sanctioned entity may lead to dire consequences from the US Department of Justice.

The Non-Prosecution Agreement text on attempted sanctions evasion includes the actions of UniCredit employees. Evidence shows that throughout this case employees and management were coached to actively evade OFAC filters and their results in order to serve sanctioned individuals, organisations and countries. The US Department of Justice is merely putting in place a requirement that such activity be reported.

Yet reporting on employees regardless of jurisdiction creates a situation of extra-territoriality that expands into unchartered waters. Employee actions may create reports into the US Department of Justice regardless of due process. Could technical errors, regardless of intent, also result in the submission of reports to the US Department of Justice? Allegations may be reported, whether investigated or not, and a culture of fear may then pervade the business.

Creating such an atmosphere will not lead to greater sanctions compliance by any financial institution. Delving into the minutiae of how employees should act may be of interest to any regulator or FIU from a theoretical standpoint, however in practice, the operational realities may create more problems than they are worth.

UniCredit placed profit over compliance and paid a substantial sum in penalties. The remediation spend on systems, consultants, management changes and procedures will cost millions in addition to the USD1.3 billion in penalties. Emphasis should be on implementing a risk-based approach at UniCredit, not in prescribing specifics to be implemented at the operational level.

Errant employees attempting a transaction or string of transactions should be reported in an SAR to FinCEN or any other FIU with jurisdiction. Serious attempts by customers or employees to

engage sanctioned individuals, organisations or countries should also be reported in SARs by any competent financial institution. These are accepted reactions to known threats that occur

within the global financial services industry every day. Ultimately, suspicious activity is suspicious activity and must be reported.

Deviation from the risk-based approach into a rules-based approach reduces a competent financial institution’s flexibility in response to the ebb and flow of money laundering,

terrorist financing, proliferation financing, national security threats and other elements of financial crime compliance. Guidance from the Financial Action Task Force (FATF) on the risk-based approach, if implemented correctly by UniCredit, would have prevented the bank from assisting a variety of sanctioned entities from accessing the United States financial system. Of course, the threat of a billion-dollar sword of Damocles doesn’t hurt either.

ManchesterCFSuite 501125-720 King Street WestToronto, Ontario Canada M5V 3S5+1.416.388.6051manchestercf.cominfo@manchestercf.com

ManchesterCF Analytics April 20193 of 3

ManchesterC

FFinancial Intelligence

Evidence shows that throughout this case employees and management were coached to actively evade OFAC filters and their results in order to serve sanctioned individuals, organisations and countries.

“

”

1 https://www.justice.gov/opa/press-release/file/1154516/download

2 www.swift.com3 https://www.justice.gov/opa/press-release/file/1154516/download

© ManchesterCF 2019