Reforming the U.S. Sanctions Regulatory Regime: How a Smarter, Risk-Based Approach Can Make Sanctions More Effective

Introduction

For the past two decades the United States has relied on economic and financial sanctions to promote U.S. national security and foreign policy interests. The number and complexity of U.S. sanctions have increased dramatically as economic warfare has largely replaced kinetic warfare as an alternative to diplomacy. The ramifications of these expanded sanctions programs raise serious questions about the role of the U.S. dollar in global commerce and are creating new geopolitical challenges for the United States as other countries and global markets respond. As the United States evaluates the benefits and burdens of its sanctions programs it should ensure that those sanctions are efficiently and effectively implemented.

The Implementation and Enforcement of U.S. Sanctions
Over 30 U.S. sanctions programs cover a wide range of threatening activity ranging from corruption and human rights abuses to terrorism and nuclear proliferation and targeting geopolitical challenges from Latin America to East Asia.[1] The nuance and complexity of these programs have grown, including through the introduction and repeated use of sectoral sanctions that impose a highly technical set of restrictions on specific categories of transactions.[2] Moreover, given the increasing complexity of various sanctions programs, each newly designated person may present multiple challenges for implementation.

The Treasury Department’s Office of Foreign Assets Control is primarily responsible for implementing U.S. sanctions pursuant to statutory authorities and executive orders. In addition to promulgating and administering regulations for each U.S. sanctions program, OFAC pursues civil enforcement actions against individuals and companies that violate those regulations.[3]

In the past decade, Congress has taken a more active role in U.S. sanctions. Congress has passed increasingly prescriptive legislation, including legislation compelling the imposition of sanctions in defined circumstances. It has also exercised its oversight authority[4] and continues to consider bills with sanctions implications.[5]


Financial institutions have played and continue to play a central role in implementing the U.S. sanctions regime, thereby contributing to the advancement of the policy interests reflected in sanctions. As the number of U.S. sanctions has grown over the past two decades, financial institutions have responded by developing, implementing, testing, and improving sanctions compliance programs and tailoring those programs to address increasingly complex regulatory expectations. Meanwhile, however, the sanctions regulatory regime itself and its application by bank regulators has seen only incremental change. It is antedated and insufficiently focused. As a result, U.S. sanctions programs are unnecessarily vulnerable to evasion or abuse as financial institutions are compelled to focus on less productive compliance tasks rather than on innovation and more advanced analytical activities.

A modernized sanctions regime would more effectively target activities in the financial system that truly threaten U.S. national security and foreign policy interests. It would allow financial institutions to allocate their resources in furtherance of proactive initiatives, including coordination with law enforcement to detect and disrupt evasion and abuse; more complex analytics of transactions and relationships; and investment in and testing of new technologies to aid not only in compliance but in advancing U.S. policy interests.

The Strict Liability Standard
Unlike the statutes establishing the U.S. AML regime, the International Emergency Economic Powers Act[7] and the OFAC regulations promulgated pursuant to it (and other key statutory authorities) effectively establish a strict liability standard for sanctions violations. Accordingly, as a matter of law, even unintentional, inadvertent and unwitting missteps are subject to civil monetary penalties. For example, any transaction by a U.S. person involving the property or property interest of a sanctioned person—even if the U.S. person had no knowledge or reason to know of the sanctioned person’s interest and maintained a compliance program reasonably designed to detect and prevent such transactions—violates OFAC’s regulations and, by extension, IEEPA itself. OFAC generally uses its discretionary enforcement authority to prevent draconian application of this strict liability regime, including by favorably accounting for a company’s compliance program and its ability to self-detect and self-report apparent violations when determining whether and to what extent to pursue civil enforcement action. Especially in recent years, OFAC has published administrative guidance that provides the regulated community with signals about the agency’s compliance expectations, including, notably, an endorsement of a “risk-based” approach to sanctions compliance.[8] Nonetheless, the strict liability regulatory requirement—especially when coupled with an examination regime that does not embrace a risk-based approach—remains in place and, as discussed further in this paper, has a counterproductive effect on U.S. policy objectives.


Consistent with its early approach to AML/CFT reform, the Bank Policy Institute[6] has convened and consulted a wide variety of senior experts in all areas of the sanctions regime: law enforcement, national security, diplomacy, banking, law and computer science. This paper generally reflects their views on how the demands of the current U.S. sanctions compliance regime have resulted in the misallocation of compliance resources and, accordingly, the regime does not best advance sanctions’ own objectives. The paper also includes concrete recommendations to legislators, policymakers and regulators that could rather quickly modernize the regime into a much more effective one. It was prepared with the assistance of the Bank Policy Institute’s special counsel, Wilmer Cutler Pickering Hale and Dorr LLP.

There are six overarching problems with the regime by which sanctions are currently implemented, each of which is discussed in the report below.

The Treasury Department and the federal banking agencies are not aligned on how financial institutions should implement sanctions compliance programs. The Treasury Department, through itsOffice of Foreign Assets Control,continues to emphasize a risk-based compliance and enforcement approach that encourages financial institutions to devote compliance resources to their most productive uses. However, OFAC’s emphasis on risk-based compliance is predominantly through non-regulatory communications; its regulations are silent on this point. Absent an explicit regulatory endorsement of risk-based compliance, the bank examination process administered by the federal banking agencies effectively adopts a strict liability approach, and generally does not, in practice, tolerate banks’ adoption of risk-based compliance. This is in contrast with the federal banking agencies’ recognition of banks’ compliance with Bank Secrecy Act (“BSA”) regulations that are also administered by the Treasury Department and, unlike the sanctions regulations, do codify risk-based compliance. The lack of alignment between OFAC’s expectations and the federal banking agencies’ supervisory standards has resulted in what is effectively a strict liability regime that does not fully account for OFAC’s expectations. As a result, banks are compelled to spend greater amounts of resources creating policies and processes to detect ever more improbable variations of the names of sanctioned parties. This outcome is all the more remarkable given that Congress has granted the banking agencies no regulatory or examination authority with respect to sanctions compliance (in contrast with their statutory role in assessing AML compliance under the BSA).[9]The alignment of OFAC and the federal banking agencies on risk-based compliance would result in a more effective U.S. sanctions regime.

Effective sanctions controls require advanced detection activities beyond screening.As originally designed, sanctions compliance focused on screening all transactions against a list of sanctioned individuals or entities identified by OFAC. But an effective modern regime that truly adopts a risk-based approach would focus screening on critical elements and risks, dedicating resources to other, higher-value activities, such as collaborative law enforcement efforts and more innovative techniques to detect sanctions evasion and sophisticated efforts by sanctioned parties to access the U.S. financial system. Screening for “hits” of sanctioned persons has diminished utility as such persons are less and less likely—as U.S. sanctions proliferate and become more widely understood globally—to transact in their own names. Thus, not surprisingly, recent BPI studies have found that true matches from screening against OFAC lists are rarely found, particularly for domestic transactions. Meanwhile, there were innumerable false positives, as many individuals and entities around the world share the same name, particularly when variants are included. Nonetheless, the great majority of resources that banks deploy toward implementing sanctions are devoted to the task of screening, and verifying that the thousands of ‘John Smiths’ (and ‘Jon Smiths’ and ‘John Smythes’) in their records are not the ‘John Smith’ subject to sanctions.Thus, a rational, modern, truly risk-based compliance program would spend fewer resources on screening (e.g., using machine learning and artificial intelligence to quickly determine whether a name has any likelihood of being a true match) and would place greater emphasis on more effective sanctions detection and network identification efforts. To date, the regulatory prioritization of screening as the primary sanctions risk mitigation tool diminishes banks’ ability to focus their resources on such advanced efforts.

Sanctioned parties frequently use anonymously owned shell companies to disguise ownership and evade sanctions.The United States is currently among the worst countries in the world when it comes to allowing formation of a company without identifying the beneficial owners of that company. Anonymous shell companies allow individuals and entities to evade sanctions by masking their identities. As of the publication of this paper, legislation to cure this problem is pending in the form of the National Defense Authorization Act and is expected to become law by the end of 2020. Passage of this legislation would make U.S. sanctions more effective as it would remove this loophole in the U.S. corporate formation system and assist financial institutions with their customer due diligence efforts.

Banks devote extraordinary resources to screening domestic-only transactions, which present low sanctions risks.Although sanctions almost uniformly target foreign persons or entities, many banks apply their screening tools to domestic-only transactions. Additionally, almost all U.S. financial institutions perform screening of their own clients, which means that the risk of a sanctions violation taking place within a domestic transaction is low because all parties to the transaction (i.e., originators and beneficiaries) have been screened. Nonetheless, the federal banking agencies now generally require U.S. banks to screen all domestic transactions, regardless of risk or amount. (OFAC provided guidance in 1997 that ACH transactions—direct deposit, recurring bill payment—need not be screened, but has declined to extend that guidance to other domestic transactions.) Yet this practice does not target the real risks of sanctions evasion or violations. The result is a diversion of resources to a low-value activity—resources that could and should be better spent on other activities.

Banks apply the federal banking agencies’ 2011 Guidance on Model Risk Management to sanctions screening tools.The 2011 Guidance on Model Risk Managementrequires banks to manage risks associated with models, including by properly calibrating and testing them.[10] The Guidance, however, is generally understood to be focused on financial models, and does not specifically mention models used for sanction screening. Furthermore, the Government Accountability Office has subsequently found that the Guidance was an improper rule, and thus invalid.[11] Nonetheless, bank compliance officers treat the Guidance as applicable to sanctions screening models under pressure from federal banking agency examiners. Three problems arise. First, banks report that they devote significant resources to documenting compliance with the Guidance in the sanctions context, diverting resources from more productive uses. Second, banks find it difficult to prove to examiners that their approaches are consistent with the Guidance given the differences between sanctions screening models and true financial models; sanctions filters are designed to identify sanctions concerns within a given transaction, as that transaction occurs, and generate an alert for subsequent investigation, whereas financial models are designed to yield more concrete predictive outputs. Third, the extensive documentation requirements imposed by the Guidance impedes the banks’ ability to innovate or otherwise update their sanctions screening models, which is problematic as any effective model framework should be flexible enough to make quick adjustments to address the adoption of innovative technologies and to respond to emerging typologies that threaten the U.S. financial system. 

Information about sanctioned individuals and sanctions evasion techniques is siloed both between the public and the private sectors and within each individual financial institution.As indicated above, the actual names of U.S. sanctions targets are unlikely to appear among the parties of a financial transaction. Sometimes the sanctions nexus that financial institutions must identify is the involvement of a subsidiary or person that is sanctioned pursuant to OFAC’s so-called 50 Percent Rule.[12] Other times U.S. sectoral sanctions complicate compliance efforts because banks must determine whether a particular type of security of a particular issuer is involved in a transaction (even when that issuer is not one of the transactions parties). Meanwhile, targets of sanctions have sought to hide their identities through shell companies or nominees. U.S. sanctions effectively require that financial institutions act as sleuths, for example, by identifying all the subsidiaries of an Iranian company or the intricate and opaque holdings of a Russian oligarch. The U.S. intelligence community, working in tandem with the Treasury Department and other stakeholders, would be well-positioned to perform these functions. Instead, the job has largely been outsourced to each financial institution, working in isolation. As a result, each financial institution now effectively has its own internal sanctions list based on its own proprietary information gathering. Yet financial institutions could more effectively support U.S. policy objectives if there could be greater cooperation and information sharing between and among public and private sector stakeholders. 

Secondary and Sectoral Sanctions Add Further Complexity to the U.S. Sanctions Regime
Over the past several decades, U.S. sanctions have targeted an increasingly broader range of conduct operating in more sectors of the global economy, including conduct that has neither a direct nexus to the United States nor involves a U.S. person. 

While U.S. sanctions do not impose civil or criminal liability on non-U.S. persons for their conduct wholly outside the United States, non-U.S. companies are increasingly concerned with the impact of U.S. sanctions. These companies must consider so-called “secondary sanctions” in order to avoid the risk of being shut out of the United States due to the otherwise lawful (under their local legal regime) business they conduct with targets of U.S. sanctions. While these secondary sanctions do not apply directly to non-U.S. companies, they authorize the president to forbid U.S. companies from transacting with non-U.S. companies that themselves transact with a sanctions target.[13] Secondary sanctions are used relatively rarely but the threat of their use has—by intent—a chilling effect on international trade and finance involving targets of U.S. sanctions. International banks and other non-U.S. companies have therefore committed greater resources to understanding and managing the potential impact of secondary sanctions. Such efforts are especially challenging because secondary sanctions are not self-executing; they can be imposed under the discretionary authority of the president or the implementing agencies to which he has delegated authority. Secondary sanctions may also create conflicts of law, which complicate efforts by banks to implement regulations across the globe. Accordingly, without the benefit of objective standards or criteria under the law, financial institutions can face enormous difficulty assessing the secondary sanctions risk associated with a particular transaction.  

Likewise, so-called “sectoral sanctions,” which have proliferated since 2014, are highly specialized sanctions that focus on specific categories of transactions—such as those involving certain types of securities—involving restricted parties in a targeted sector (e.g., banking, energy, defense) of a country’s economy. Financial institutions have had to develop new capabilities to identify and isolate particular sanctioned securities, rather than just particular sanctioned parties (i.e., it is not enough to have identified a sanctioned firm as particular securities issued by those firms must now be identified by CUSIP). Financial institutions have also been required to further investigate transactions after applying new and more complex screening terms, to request additional documentation and information from transaction counterparties, and to spend time confirming such information. More recent sectoral sanctions, such as under the Venezuela program, have required new manual processes in order to process transactions involving sanctioned targets.[14]


Over the past several decades, U.S. sanctions have targeted an increasingly broader range of conduct operating in more sectors of the global economy, including conduct that has neither a direct nexus to the United States nor involves a U.S. person. While U.S. sanctions do not impose civil or criminal liability on non-U.S. persons for their conduct wholly outside the United States, non-U.S. companies are increasingly concerned with the impact of U.S. sanctions. These companies must consider so-called “secondary sanctions” in order to avoid the risk of being shut out of the United States due to the otherwise lawful (under their local legal regime) business they conduct with targets of U.S. sanctions. While these secondary sanctions do not apply directly to non-U.S. companies, they authorize the president to forbid U.S. companies from transacting with non-U.S. companies that themselves transact with a sanctions target.[13] Secondary sanctions are used relatively rarely but the threat of their use has—by intent—a chilling effect on international trade and finance involving targets of U.S. sanctions. International banks and other non-U.S. companies have therefore committed greater resources to understanding and managing the potential impact of secondary sanctions. Such efforts are especially challenging because secondary sanctions are not self-executing; they can be imposed under the discretionary authority of the president or the implementing agencies to which he has delegated authority. Secondary sanctions may also create conflicts of law, which complicate efforts by banks to implement regulations across the globe. Accordingly, without the benefit of objective standards or criteria under the law, financial institutions can face enormous difficulty assessing the secondary sanctions risk associated with a particular transaction.  Likewise, so-called “sectoral sanctions,” which have proliferated since 2014, are highly specialized sanctions that focus on specific categories of transactions—such as those involving certain types of securities—involving restricted parties in a targeted sector (e.g., banking, energy, defense) of a country’s economy. Financial institutions have had to develop new capabilities to identify and isolate particular sanctioned securities, rather than just particular sanctioned parties (i.e., it is not enough to have identified a sanctioned firm as particular securities issued by those firms must now be identified by CUSIP). Financial institutions have also been required to further investigate transactions after applying new and more complex screening terms, to request additional documentation and information from transaction counterparties, and to spend time confirming such information. More recent sectoral sanctions, such as under the Venezuela program, have required new manual processes in order to process transactions involving sanctioned targets.[14]

Recommendations

Relatively simple steps could modernize the current U.S. sanctions regime in the short term. These reforms include:

  • OFAC should adopt a rule codifying its endorsement of a risk-based approach to sanctions compliance, encouraging innovative, risk-based compliance programs and clarifying that such programs do not necessarily include screening of domestic-only transactions, which the federal banking agencies should explicitly acknowledge.
  • The federal banking agencies should clarify that the 2011 Guidance on Model Risk Managementdoes not apply to sanctions screening models.
  • Congress should pass, and the president should sign, legislation prohibiting anonymous shell companies.
  • OFAC should maximize its resources to further prioritize list maintenance and address acute licensing and compliance demands.
  • Policymakers should establish a public-private sector information sharing framework to reduce the information silos that impede effective sanctions compliance.

By truly modernizing U.S. sanctions compliance expectations, legislators, policymakers and regulators will empower financial institutions to redeploy compliance resources from low-impact activities like screening domestic transactions to high-impact activities like data-driven analyses of sanctions risks and the contribution of such efforts to the shared public/private effort to maintain an effective U.S. sanctions regime. 

Financial institutions have been, and remain, at the front line of U.S. sanctions implementation. They will continue to dedicate considerable resources to sanctions compliance. The Treasury Department and Congress should seize the opportunity to support the industry’s efforts and optimize their use of resources to promote the most critically important U.S. national security, foreign policy and financial integrity objectives.

I. Aligning Expectations for Risk-Based Compliance

A. The Treasury Department and the Federal Banking Agencies Are Not Aligned on How Financial Institutions Should Implement Sanctions Compliance Programs

OFAC’s regulations offer little guidance to banks about how to comply with U.S. sanctions requirements. OFAC’s Economic Sanctions Enforcement Guidelines note that in determining whether and to what extent OFAC will pursue civil penalties against a person for violations of the sanctions regulations, it will consider “the existence, nature and adequacy of a Subject Person’s risk-based OFAC compliance program at the time of the apparent violation, where relevant.”[15]But OFAC’s program-specific regulations (e.g., regulations implementing U.S. sanctions targeting global terrorist organizations, Iran and others) are silent as to OFAC’s compliance expectations and do not endorse a “risk-based” compliance approach. 

But over the past two decades OFAC has increasingly affirmed that it endorses a risk-based approach to compliance, without specifically mandating particular internal controls, through administrative guidance.[16] Most recently, that guidance appeared in OFAC’s May 2019 Framework for OFAC Compliance Commitments. The Framework states that OFAC “strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).”[17]While instructive, the Frameworkand the Enforcement Guidelines do not alter the fact that a bank still may violate U.S. sanctions regulations, and face a civil enforcement action, notwithstanding its best, risk-based efforts to comply.

Financial institutions thus face a difficult sanctions compliance environment because federal (and state) banking agencies, not OFAC, exercise examination authority over them.[18] The policy and statutory objectives of OFAC and the federal banking agencies are not always aligned and the banking agencies apply evaluative standards that differ from OFAC’s expectations for financial institutions’ sanctions compliance.[19] Most notably, the federal banking agencies’ examination approach includes detailed inspection of banks’ internal controls—especially their sanctions screening tools—to ensure compliance with OFAC regulations (which do not mandate a particular compliance program or any set of particular internal controls).[20] Although the FFIEC Examination Manual was recently updated to include more detailed information than prior versions, OFAC and the federal banking agencies should further clarify how bank examiners should review financial institutions’ sanctions screening tools.[21]

In the absence of clear guidelines and the resultant pressures from banking agencies, financial institutions have tended to design and implement comprehensive programs that seek to eliminate any sanctions “miss” through sanctions screening algorithms.[22] Such an approach, however, diverts critical compliance resources away from developing effective risk-based programs and toward peripheral efforts that produce diminishing returns. For example, a bank may focus its resources on model calibration of screening tools around extreme use cases rather than on proactively identifying and deterring efforts to obscure a sanctioned person’s participation in a transaction. Screening is and should remain an important part of any financial institution’s efforts to manage compliance with OFAC programs. However, the misalignment between OFAC and the banking agencies on risk-based compliance results in the misallocation of compliance resources and a suboptimal U.S. sanctions regime—a gap that could be remedied by creating greater alignment between OFAC and the banking agencies regarding how banks implement a risk-based approach to sanctions compliance. 

B. OFAC Should Embrace a Risk-Based Approach to Sanctions Implementation through a Rule

The United States would significantly advance its policy interests if OFAC continued its evolution of encouraging banks (and others) to take a risk-based approach to compliance by promulgating a new regulatory standard, subject to notice and comment rulemaking, that codifies the principles of risk-based compliance. OFAC has made tremendous strides over the past decades in communicating its compliance expectations to financial institutions that are at the “front lines” of sanctions compliance, from its 2005 Risk Matrices for financial institutions (in which OFAC affirmed “that financial institutions should take a risk-based approach when considering the likelihood that they may encounter OFAC issues”)[23] to last year’s Framework(“OFAC strongly encourages organizations … to employ a risk-based approach to sanctions compliance”).[24] Nevertheless, the absence of a codification of OFAC’s compliance expectations has resulted in the misalignment described above. A codification of risk-based compliance will help to achieve a sanctions regime that aligns OFAC’s compliance expectations with the evaluative standards of banking agencies to whom financial institutions are answerable. 

Without disrupting existing policies and procedures that banks have already developed in furtherance of risk-based compliance where practicable, this rule would effectively codify OFAC’s endorsement of risk-based compliance set out in the Framework and affirm that sanctions screening tailored to a bank’s particular risk profile is acceptable—and should be acceptable to bank examiners. This would empower financial institutions to develop more effective compliance solutions without risking examination deficiency. Ultimately, the banking agencies should reflect OFAC’s endorsement of risk-based compliance in the FFIEC Examination Manual.

Sanctions Screening by the Numbers
In 2020, BPI undertook an empirical study to update some of the findings in its 2018 AML and sanctions data study[25] and better understand the resources banks devote to sanctions screening and their effectiveness. Twenty-four banks contributed 2019 data to this effort, with asset sizes ranging from over $25 billion to over $1 trillion. In almost all cases, the data reflects information for U.S. entities only. Finally, the number of “hits” reported are for OFAC lists only and do not reflect banks’ own internal lists and other potential sources. 

In 2019, 21 institutions reported screening over 224.5 million wires, generating alerts in approximately 11.74% of cases on average, with a median of 20.2%. They reported true sanctions matches for this screening with an overall median of .0003%. Furthermore, 19 institutions screened over 32.2 million international ACH transactions, generating alerts in a median of approximately 7.2% of cases and resulting in the rejection of transactions due to OFAC matches in approximately .0005% of cases on average, with over half of the reporting institutions reporting no true matches at all. Twenty institutions, as part of their screening of customers and related parties, reported true matches in a median of .0003% of cases, with half of the reporting institutions reporting no true matches at all. Finally, for the seven institutions that reported screening RTP and/or Zelle payments in 2019, not one institution reported a sanctions match.

The proposed rule would clarify for financial institutions and their examiners that transaction screening should be reasonably designed to detect and prevent sanctioned parties from transacting by or through regulated financial institutions, and could provide guidance regarding fuzzy matching capabilities and how sanctions screening tools should be evaluated.[26] As in the Framework, the rule would acknowledge that different financial institutions may have different risk tolerances and divergent commercial approaches to compliance based on the factors unique to them including (but not limited to) their customer base, product offerings and the markets in which they operate. A small regional bank’s program may differ from that of a large multinational financial institution but such divergence may well be consistent with OFAC’s expectations.[27] The banking agencies’ corresponding acknowledgment of these factors, and their acceptance of risk-based controls that may include, for example, non-comprehensive screening, would finally allow financial institutions to direct their energies toward the highest-risk activities that threaten the U.S. financial system and the U.S. national security and foreign policy interests advanced by U.S. sanctions. 

OFAC could help to promote convergence among financial institutions’ sanctions compliance programs by encouraging private sector initiatives to develop best practices, such as through the creation of a Wolfsberg Group for sanctions, among other initiatives. Because different countries’ sanctions regimes may give rise to conflicts of law, the barrier to entry for global private sector initiatives in the sanctions realm is higher than it is in the AML context. Accordingly, support from the U.S. government for such an initiative could alleviate the current barriers to meaningful progress.

These steps would allow financial institutions and the federal banking agencies to converge on a shared understanding of the compliance measures actually demanded by the U.S. sanctions regime. With the benefit of this shared understanding requiring risk-based compliance, including with respect to sanctions screening, each financial institutions’ program could focus on areas such as:

1.     Applying appropriate controls for sanctions compliance and reporting;
2.     Conducting ongoing, risk-based analysis of sanctions screening and detection processes to assess the continued efficacy of the approaches, parameters, and assumptions being used;
3.     Documenting the institution’s current methodology and coverage for screening and detection, along with the underlying assumptions and parameters; and 
4.     Providing governance and management oversight, including policies and procedures governing changes to the sanctions screening program, to confirm that changes are defined, managed, controlled, reported and audited.

Ultimately, extracting diminishing marginal returns through fine-tuning of screening tools rarely, if ever, results in significant interdictions and carries massive opportunity and resource costs. Strong KYC and sanctions screening and analytics are important components of sanctions compliance programs. But OFAC, in cooperation with the federal banking agencies, would further U.S. sanctions policy objectives if it took the action necessary to enable financial institutions to shift compliance resources to areas of greater risk without fear of a negative examination. As OFAC has long contemplated, true risk-based compliance would do much to advance U.S. sanctions policy objectives. 

C. OFAC Should Clarify Expectations for Screening Domestic-Only Transactions

As part of any rulemaking, OFAC and the federal banking agencies must mutually recognize that financial institutions should spend relatively fewer resources on screening domestic transactions or, alternatively, a subset of low-risk domestic transactions, because such transactions present a substantially lower risk given targets of sanctions are almost entirely based outside of the United States.[28] Financial institutions must make judgments about what resources to dedicate to screening and enhanced diligence for particular types of transactions. But while U.S. sanctions almost uniformly target foreign persons or entities, banks are effectively compelled by the federal banking agencies to screen domestic transactions, regardless of whether there is a specific, identified risk, and regardless of the amount of the transaction. This is especially wasteful because almost all U.S. financial institutions perform screening of their own clients so the risk that a domestic transaction will result in a sanctions violation is low because the originators and beneficiaries of such transactions have already been screened. Similarly, OFAC could identify specific screening standards for monitoring domestic payments, including payments made through new technologies such as Real Time Payments and Zelle transactions since domestic customers are already routinely screened against sanctions lists, and bank Know Your Customer practices typically take into account the sanctions risks presented by customers.

There is precedent for treating certain low-risk domestic transactions differently from higher-risk international transactions. In 1997, OFAC advised the National Automated Clearing House Association that “the ACH system may rely on [Receiving Depository Financial Institutions] for compliance with OFAC sanctions programs[.]”[29] According to OFAC, this reliance was predicated, in part, on NACHA requiring originators of ACH payments to acknowledge “that the ACH system may not be used for transactions in violation of U.S. law.”[30] OFAC further advised that international or cross-border ACH payments do not provide “the compliance safeguards present in wholly domestic ACH transactions,” and are thus excluded from its guidance regarding ACH payments.[31]

A truly modern sanctions regime that reflects risk-based compliance may also enable banks to rely on each other’s customer screening for certain payments. While a particular individual or entity may conduct business through multiple banks, it is often the case that the originating bank is closer to the individual or entity than the other banks; thus, that bank has had the most direct opportunity to onboard and otherwise conduct KYC on that customer. The approach of allowing banks to rely on other financial institutions’ screening can be especially productive in the context of RTP and Zelle when payments occur within a “closed loop” of participants whom participating U.S. financial institutions have already screened at the time of onboarding and for which transactions occur in real time.[32]

Indeed, OFAC’s existing Frequently Asked Questions already contemplate that, in at least some cases, banks playing intermediary roles without direct relationships with transaction parties have reduced compliance obligations vis-à-vis those banks that have direct relationships with those parties. For example, OFAC’s FAQ #116 provides that in a wire transfer where a transacting party may not be identified on the Specially Designated Nationals and Blocked Persons (“SDN”) List but nevertheless falls within OFAC’s 50 Percent Rule, a U.S. bank operating solely as an intermediary, with no direct relationship with the entity and absent knowledge or reason to know that the party’s interest in the transaction is blocked, “OFAC would not expect the bank to research the non-account parties listed in the wire transfer that do not appear on the SDN List.”[33] This sensible approach can and should be extended to other areas to reduce duplicative and otherwise unnecessary screening and to leverage the good compliance work already being done by those financial institutions that are the closest to the transaction and transacting parties. At a minimum, OFAC should revise FAQ #116 so that it explicitly applies to transactions other than wire transfers in which banks play intermediary roles.

More effective risk-based compliance may also mean recognizing that banks may rely on the compliance of non-financial institutions to reduce duplicative screening and other duplicative controls. At least one existing OFAC FAQ (FAQ #753) permits financial institutions to rely on the facts presented by U.S. travelers to ensure compliance with sanctions targeting certain travel to Cuba.[34] Furthermore, with regard to sectoral sanctions requirements that target certain forms of “new debt” including commercial payment terms, the due diligence and other controls of the commercial parties at the initiation of a “new debt” transaction are the most effective means of ensuring that the requirements of such sectoral sanctions are met. OFAC should work with the industry to identify other areas where financial institutions may not be best situated to obtain and review documents or facts about underlying transactions that are, themselves, subject to OFAC sanctions requirements. In turn, OFAC’s FAQs and Enforcement Guidelines should be updated to account for this delineation of compliance responsibilities and the banking agencies should take notice. This would include acknowledging in General Factor B of the Enforcement Guidelines that a financial institution may not have knowledge or reason to know that the parties to covered transactions are engaging in unlawful activity. It would also include acknowledging in General Factor D that despite the banks’ size and sophistication, it may sometimes be the case that their customers were the parties best positioned to identify a sanctions risk and prevent the occurrence of a regulatory violation.

Improving FAQ #419
OFAC’s FAQ #419, for example, requires financial institutions to “ensure that payment terms conform with the applicable debt prohibitions.”[35] To do so, financial institutions must review invoices for commercial transactions—specifically, invoice dates—to determine whether the customer’s payment is within a specific, authorized tenor. Invoice dates have not traditionally been a data source of interest from a sanctions compliance perspective, so adding this level of review requires new investments of time and resources. And, more importantly, the banks’ response when they identify prohibited transactions may undermine U.S. foreign policy and national security objectives, because they are required to return the payment to the sanctions target (rather than simply allowing a payment due from the sanctions target within 14 days of invoicing to be received on day 15 or 16). In fact, one bank reported that in 2019, all of the transactions it rejected pursuant to the Russia/Ukraine sectoral sanctions were based on FAQ #419; and the funds in each of those cases were sent back to the targets of sectoral sanctions.

There are better ways to allocate responsibility for sanctions compliance between financial institutions and non-financial companies. For example, OFAC FAQ #753 states that financial institutions are not required to independently verify that an individual customer’s travel to Cuba is authorized. Rather, FAQ #753 provides that “[a] financial institution may rely on U.S. travelers to provide their certifications of authorized travel directly to the person providing travel or carrier services when processing Cuba travel-related transactions, unless the financial institution knows or has reason to know that the travel is not authorized by a general or specific license.”[36] Unlike FAQ #419, this FAQ shifts responsibility for sanctions screening or monitoring away from the financial institution that does not have the best visibility into the underlying commercial (or leisure) activity and onto the service provider most directly tied to the transaction that requires screening (i.e., travel).[37] If an approach similar to FAQ #753 could be applied to FAQ #419, a portion of the compliance burden could be shifted away from the financial institutions and to the transacting parties that establish the payment terms in the first place.[38]

II. Promoting Innovation

A. Effective Sanctions Programs Require Signals from the Agencies Regarding Innovation and Advanced Detection Activities

Compliance programs that feature comprehensive screening typically involve screening a combination of accounts and transactions against the SDN List and other restricted party lists, geographic terms related to various country-based sanctions programs and proprietary lists developed by institutions based on their own past diligence.[39] Such screening helps to ensure that financial institutions block or reject transactions in accordance with regulatory requirements, refrain from providing services to the targets of U.S. sanctions or, in the case of sectoral sanctions, avoid dealings in restricted securities.[40] Though not mandated by law or specifically required by OFAC, the federal banking agencies (and, accordingly, financial institutions) view comprehensive screening as a de factoregulatory requirement. But comprehensive screening produces almost all false positives that must then be investigated at a high cost of time and resources. While screening can prevent abuse of the U.S. financial system and yield valuable information to the U.S. government, comprehensive screening may not be the ideal methodology to promote the policy objectives of U.S. sanctions programs. 

B. OFAC Should Issue a Statement Encouraging Innovative Approaches to Sanctions Compliance 

OFAC should issue an innovation statement, similar to the Financial Crimes Enforcement Network and the federal banking agencies’ Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing,[41]formally encouraging financial institutions to develop and implement new sanctions compliance tools and methodologies.

The Joint Statementencourages banks and credit unions to pursue innovative approaches to addressing illicit financial threats. In addition to recognizing the vital contribution of private sector innovation and investment in new technological solutions to combatting money laundering and other threats, the Joint Statementemphasizes that FinCEN and the federal banking agencies are committed to cooperative engagement with financial institutions. Perhaps most importantly, the Joint Statementprovides a safe harbor: it expressly affirms that FinCEN and the federal banking agencies “will not automatically assume that the banks’ existing processes are deficient” when innovative transaction screening systems identify suspicious activity. The Joint Statement further notes that “FinCEN will consider requests for exceptive relief [under its regulations] to facilitate the testing and potential use of new technologies and other innovations, provided that banks maintain the overall effectiveness of their BSA/AML compliance programs.”[42]

OFAC and financial institutions alike would benefit from a comparable statement addressing OFAC’s sanctions regulations. That statement would endorse the creation of individual and collective efforts by banks to study innovative approaches to sanctions compliance. For example, OFAC should support the development of shared resources to facilitate and expedite the clearing of screening “hits” between and across financial institutions. OFAC should also encourage larger financial institutions to develop and test new technologies for compliance programs (e.g., machine learning, artificial intelligence). Once such products are scaled, they can more easily be utilized by smaller institutions thus benefiting all financial institutions and, ultimately, the U.S. government policy interests reflected in the regulatory compliance requirements. 

An innovation statement would give financial institutions greater license to develop and implement new tools that might be better able to detect sanctions evasion, abuse of the U.S. financial system through new techniques or technologies, new networks, webs of related parties and novel typologies, and other emerging risks. These innovations could be especially effective if there is greater information sharing between the government and the private sector or opportunities for information sharing among financial institutions. Most importantly, a joint statement between OFAC and the banking agencies would give financial institutions a safe harbor to develop and implement these tools without fear of being punished for their existing risk-based compliance tools, approaches, and models.

Financial Institutions’ Investments in Sanctions Compliance
Financial institutions have played a central role in the implementation of U.S. sanctions by depriving sanctions targets of access to the financial system.[43] U.S. banks in particular have been leaders in advancing U.S. policy interests over the past two decades by committing greater and greater attention and resources to preventing sanctions targets from exploiting the U.S. financial system.

While the financial services industry has had experience in developing, implementing, testing, and improving sanctions compliance programs and tailoring those programs to respond to increasingly complex sanctions regulations, other industries with far less developed compliance programs are now beginning this process as they are increasingly the subjects of OFAC enforcement actions. But much of the sanctions compliance pressure on these non-financial industries is effectively transmitted to the financial institutions that serve them. For example, if a designated individual attempts to remit payment to a U.S.-based manufacturer for goods provided or services rendered, then a financial institution that provides the manufacturer commercial banking services or clears the transaction is required to block that payment. Similarly, even though OFAC sometimes places the compliance burden on a non-financial industry entity,[44] financial institutions often must nevertheless carry the burden of gathering information for their own compliance efforts (e.g., assessing the invoicing between a U.S. service provider and its Russian customer). Financial institutions therefore face more compliance pressure—from increasingly complex risk vectors—than ever before.

Due to the critical role they play in effectively implementing OFAC sanctions programs, banks have devoted enormous resources to their sanctions compliance operations. In its 2019 Cost of Compliance Report, Thomson Reuters found that compliance budgets continue to rise for financial institutions: 63 percent of surveyed respondents reported that they expected their compliance budgets to slightly or significantly increase over the coming year and 97 percent of surveyed respondents reported that their compliance teams would maintain or grow in the coming year.[45] One bank reported that between 2017 and 2019, its sanctions compliance staff increased 1.5x and its overall spend on sanctions resources increased by 2.5x. These findings are not surprising and reflect a decades-long trend.[46]

III. Prohibiting Anonymous Shell Companies

A. Sanctioned Parties Frequently Use Anonymously Owned Shell Companies to Disguise Ownership and Evade Sanctions

The United States has lagged behind several of its global peers in addressing the anonymity that shell companies enjoy with respect to their beneficial ownership. The Financial Action Task Force has criticized the country for being a shelter for criminals and kleptocrats seeking to launder money by adopting the corporate form and cloaking their ownership. While there may be valid reasons for corporate owners to keep their ownership secret from the public in some cases, these do not exist for the state incorporating them, law enforcement or the financial institutions on which they rely for banking and other financial services. While federal regulations require financial institutions to know their customers and conduct ongoing monitoring of account information, there is currently no requirement that states record the beneficial ownership of the legal entities they incorporate nor is there a national register for financial institutions to consult. This system results in not only increased money laundering risk within the U.S. financial system but also increased sanctions risk. In many cases, targets of sanctions are better able to mask their property interests in the United States—and thus evade detection by financial institutions, OFAC and law enforcement—than in other global jurisdictions.

B. Congress Should Pass Legislation Prohibiting Anonymous Shell Companies

Congress should promptly enact, and the president should sign, legislation ending the use of anonymous shell companies. Sanctions evaders often use anonymous shell companies to hide their illicit activity and related financial resources. Indeed, in the Treasury Department’s 2020 National Strategy for Combating Terrorist and Other Illicit Financing, the Department found that the “[m]isuse of legal entities to hide a criminal beneficial owner or illegal source of funds continues to be a common, if not the dominant, feature of illicit finance schemes.”[47]BPI has signed multiple letters and publicly testified before the Senate in support of legislation to end anonymous shell companies, including S. 2563, the ILLICIT CASH Act, and H.R. 2513, the Corporate Transparency Act.

Congress should enact legislation requiring covered companies to identify their beneficial owners, which would assist law enforcement officers with identifying money launderers, terrorism financers, human traffickers and sanctions evaders, among other bad actors. A federal beneficial ownership directory that financial institutions can access for due diligence collection and verification purposes is the most effective mechanism for addressing this gap. Such a bill would assist not only law enforcement but also financial institutions with detecting sanctions evaders and effectively implementing sanctions compliance programs.

IV. Maximizing OFAC Resources to Improve the Quality of Restricted Party Lists and Expedite Licensing 

A. The Increasing Length and Staleness of Restricted Party Lists Increases False Positives and Consumes Bank Resources

OFAC is responsible for adding and removing names from the SDN List and other restricted party lists. These lists tend to grow longer over time as the number of annual designations increases and the number of delistings decreases.[48]But longer lists do not necessarily mean more effective U.S. sanctions and, in some cases, stale or incomplete identifying information can frustrate banks’ screening efforts and the broader objectives of U.S. sanctions. OFAC has been increasingly attentive to delistings and list maintenance (e.g., by adding aliases and other identifying information about sanctions targets) with the resources available to it but, nevertheless, as its restricted party lists grow the demands of the sanctions regime consume compliance resources. 

Designating major companies or individuals with significant international commercial and financial footprints is an effective use of sanctions authority because of their reliance on the U.S. and international financial systems. Naming less prominent individuals or entities with little to no exposure to that system may have a chilling effect by diminishing the targets’ appetite to “test” the U.S. financial system and by discouraging non-U.S. persons from engaging in transactions with U.S.-sanctioned parties. But the greater number of such targets that remain on OFAC’s lists, the more likely they are to create “noise” in financial institutions’ screening systems because of near matches, false hits and the generation of other, non-actionable alerts. Such “noise” consumes compliance resources that could otherwise be used to develop some of the more innovative approaches to compliance discussed above. So while adding a particular name to the SDN or other restricted party lists advances some U.S. interests it may also undermine others. 

A Note on Post-Designation Screening
The experience of financial institutions suggests that screening accounts immediately after the imposition of sanctions accounts for the overwhelming majority of assets blocked under a given sanctions program. Ongoing cross-border transaction screening can also result in incremental benefits largely through the episodic capture of payments that sanctioned counterparties do not realize transit the U.S. financial system. Other screening activities yield more limited benefits that are incommensurate with the investment and, critically, the risk management opportunity cost.

B. The Expansion and Increased Complexity of U.S. Sanctions Have Compounded Conflict of Law Compliance Challenges and Other Demands for OFAC’s Resources

The United States has deployed new sanctions programs that demand more and more resources at OFAC. One of the additional complexities caused by U.S. sanctions that—in effect—are increasingly extraterritorial is that they must confront the laws and regulations of other jurisdictions. Meanwhile, U.S. sanctions against Russia and Venezuela, in particular, have targeted individuals, entities and governments with commercial and financial footprints far greater than many past targets of U.S. sanctions. These developments have tended to result in unforeseen or unexpected developments that have necessitated immediate U.S. government licensing or compliance guidance. OFAC has done an extraordinary job of being responsive to the demands for its attention, whether in the form of requests for administrative guidance or license applications. However, the more that the United States uses sanctions as a policy tool to confront global challenges, the more financial institutions and others will demand OFAC resources. While such demands necessarily reflect financial institutions’ own interests, they frequently also reflect the interests of the U.S. government such as in avoiding confrontation with allied governments and other collateral consequences of new sanctions programs. 

C. OFAC Should Dedicate Resources to Further Prioritize List Maintenance and Address Acute Licensing and Compliance Demands

OFAC should marshal its resources to further improve the quality of its restricted party lists and to alleviate the acute licensing and compliance demands created by expanded U.S. sanctions programs. To the extent that Congress and the Treasury Department can make more resources available to OFAC for these purposes, they should do so. 

OFAC should ensure its restricted party list entries contain sufficient information (e.g., aliases, addresses, and dates of birth) to enable banks to make informed judgments about whether “true hits” occur. Many entries on the SDN List, especially older ones, do not provide adequate notice to financial institutions. This can cause needless delays to lawful transactions by producing false positives in screening. Inadequate information about sanctions targets also means that compliance departments must commit greater resources to resolving even true matches. As described above, recent BPI studies have found that in 2017 true matches from screening against OFAC lists generate very few true matches. Any further improvements that reduce the “noise” in screening systems (such as delisting persons whom OFAC has determined no longer present a threat to U.S. national security or foreign policy interests) would help to improve the quality and efficiency of existing screening controls. 

By updating its lists to either remove designated persons or provide additional identifying information, OFAC would help financial institutions avoid these negative consequences and facilitate a more effective system for identifying sanctioned targets and activity.

In addition, OFAC should prioritize the licensing and compliance demands created by novel and ambitious new sanctions programs. The conflict of law challenges that multinational banks and others confront because of such programs can only be resolved through creative, collaborative efforts between OFAC and the affected banks. OFAC should marshal all available resources to anticipate and quickly engage on urgent issues that arise as it implements new sanctions programs. 

V. Rationalizing the Practice of Model Validation

A. Banks Apply the Federal Banking Agencies’ 2011 Guidance on Model Risk Management to Sanctions Screening Tools

The federal banking agencies’ 2011 Guidance on Model Risk Managementwas generally understood to be focused on financial models, and does not mention models used for sanction screening. As noted in the Introduction, the Government Accountability Office has also found that the Guidance was invalid. Nonetheless, agency examiners continue to expect full compliance with the Guidance as if it were a binding regulation, and bank compliance officers treat it the same way. In so doing, banks devote extraordinary resources to documenting compliance with the Guidance, and find it difficult to prove to examiners that those approaches are consistent with the Guidance.

Federal Bank Exams
Given the lack of any direct or express statutory authority, the federal banking agencies examine financial institutions’ sanctions compliance programs under their general safety and soundness authority, and utilize memorandums of understanding to govern the sharing of bank-specific compliance deficiencies detected during examinations.

While the FFIEC’s BSA/AML Examination Manual directs examiners to review banks’ compliance with U.S. sanctions programs, it recognizes that “[t]he federal banking agencies’ primary role relative to OFAC is to evaluate the sufficiency of the bank’s implementation of policies, procedures, and processes for complying with OFAC-administered laws and regulations, not to identify apparent OFAC violations.”[49] Prior versions of the Manual did not mention specific sanctions screening procedures and provided only vague guidance regarding the elements of a properly designed OFAC compliance program. The recently updated version of the Manual offers greater insight into the parameters of a sanctions screening program. Nevertheless, while the revised Manual’s language is helpful, banking agencies have not historically taken into account OFAC’s risk-based approach guidance when performing their reviews.

OFAC and the federal banking agencies do not appear to have a shared understanding about model validation in the sanctions context. According to the federal banking agencies’ Guidance, a “model” is “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”[50] Because “[t]he use of models invariably presents model risk,” meaning “the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports,” the agencies issued guidance on how banks can effectively manage those risks.

Many banks routinely treat sanctions screening filters as “models.” By doing so, the bank becomes subject to additional governance expectations. For example, banks report that a significant portion of their sanctions-related exam questions from the federal banking agencies can pertain to model validation for sanctions filters. However, sanctions filters differ in material ways from other financial models, such as models used in capital stress tests. Most significantly, sanctions filters are not designed for predictive quantitative analysis or financial decision making, nor do they predict or “estimate” potential sanctions activity. Instead, sanctions filters are designed to identify sanctions concerns within a given transaction, as that transaction occurs, and generate an alert for subsequent investigation. Unlike in the context of quantitative methods, there is no data with which to validate and calibrate sanctions models. A financial institutions’ model framework must be flexible enough to make quick adjustments to address innovative attempts by sanctions targets to access the U.S. financial system and other emerging typologies, rather than the system-wide adjustments that would apply to a capital or liquidity model. As such, extensive and repeated model validation is of limited utility for improving sanctions filters.[51]

Because many banks treat sanctions filters as models, the banking examiners often require financial institutions to devote significant compliance resources and time to model validation of their sanctions compliance tools. For example, Table 1 provides an illustration of what an examiner could ask a bank as part of its sanctions review. Banks indicate that the level of detail reflected in the table below is typical for an exam.

These test name variations demonstrate the tenuous connection between testing and real-world sanctions scenarios. While the esoteric name variants listed above may relate to a true sanctions match, the most significant historical catches that financial institutions have made in the past have been based on obvious matches (e.g., “Libya” or “Iraq”). Few, if any, hits are based on exotic detection scenarios (e.g., “Ir@n”). Thus, by seeking to fine-tune screening tools as if they were models, the banking agencies actually do a disservice to the foreign policy and national security objectives of the U.S. sanctions regime: they divert financial institutions’ human and capital resources away from higher-value activities that more effectively prevent sanctions evasion.

B. OFAC and the Banking Agencies Should Clarify the Application of Model Risk Management Guidance to Sanctions Screening Models

To address this lack of shared understanding, OFAC should work with the federal banking agencies to affirm that sanctions screening tools are not considered “models” and that the Guidance does not apply to them. They should clarify that bank examiners need not review model validation in this context. Furthermore, OFAC should provide training to the banking agencies to clarify its expectations for the contours of appropriate and effective risk-based sanctions screening tools. 

Formal clarification from the agencies that the Guidance does not apply to sanctions screening models would allow banks to devote their resources to higher-impact sanctions compliance activities, as opposed to model calibration and validation activities, which do not yield significant results. It will be important to provide financial institutions with flexibility on how to implement a risk-based approach as they consider innovative approaches to screening and sanctions compliance generally, as discussed supra Part II.[52]

VI. Establishing a Public-Private Information Sharing Framework

A. Information About Sanctioned Individuals and Sanctions Evasion Techniques Is Siloed

Many of the problems outlined above are further exacerbated by limits on communication between and among banks and government about sanctions threats, patterns of behavior, and compliance efforts. Generally, banks learn of sanctions threats when the Treasury Department or other U.S. government agencies communicate those threats to the public (e.g., by announcing designations or new sanctions programs). While financial institutions have developed their own tools for gathering and analyzing financial intelligence, such information is typically siloed within each institution. Thus, each financial institution has different intelligence and therefore the U.S. sanctions regime presents an inconsistent front to global threats that may be vulnerable to evasion or other exploitation.

In the absence of open lines of communication between and among the U.S. government and banks, the latter are unable to focus their resources and attention on those sanctions targets or typologies that the intelligence community, law enforcement or policymakers view as most threatening. While the Treasury Department and other agencies share such intelligence on an ad hocbasis as classification levels and competing legal and policy demands allow,[53] financial institutions are often informed at the same time as the public. There are meaningful policy reasons for this approach, but it ultimately deprives the U.S. government of the opportunity to learn more about a potential sanctions target’s pattern of behavior and network (through the financial institutions), which could be even more valuable to the designation process.

B. Congress Should Create a Public-Private Information Sharing Framework

Congress should create a public-private sector entity, much as it has done with the Bank Secrecy Act Advisory Group, to facilitate greater information sharing among and between agencies, sectors and institutions that are primarily impacted by U.S. sanctions programs. This entity could facilitate a greater exchange of threat information to further build out enforcement and compliance networks. It could better determine when formal notice and comment rulemaking should be utilized and leveraged so that sanctions programs are more readily implementable by covered entities. The group could also release specific guiding principles for different industries (for example, the financial, manufacturing, shipping, and travel sectors). The Treasury Department and/or the intelligence community should consider developing this kind of framework to the extent authorized under existing statutory authorities. The framework would need to account (in the Enforcement Guidelines, for example) for the fact that, in some cases, financial institutions would obtain knowledge or reason to know of accounts or activities subject to OFAC sanctions requirements that they would not otherwise have had. 

The establishment of a regular, public-private information sharing framework would further U.S. policy interests in several ways.

First, U.S. financial institutions would benefit tremendously from receiving a limited, selective, declassified briefing on certain acute threats to the U.S. financial system. The Treasury Department’s Office of Intelligence and Analysis and Office of Terrorism and Financial Intelligence, as well as the intelligence community more broadly, could work in an open and collaborative way with financial institutions to help them target their compliance efforts to those threats to the financial system that could most effectively be combatted with financial crimes compliance tools. Highly sensitive intelligence need not be declassified and shared, nor imminent designations prematurely disclosed.

Second, more open lines of communication could help the intelligence community and policymakers better understand how sanctions targets are responding to particular sanctions measures. For example, increases in certain categories of banking activity in China or in certain cryptocurrencies—which may be visible to banks but not the government—could signal sanctions evasion techniques by the North Korean government. Information sharing could also contribute to the refinement of OFAC’s restricted party lists insofar as the private sector can share proprietary intelligence about complex networks of sanctioned persons that is otherwise siloed. 

Third, and relatedly, guidance from the U.S. government regarding the general types of threats to the U.S. financial institution could help banks target their resources more effectively. In addition, the U.S. government could collaborate with financial institutions to identify potential overlap between sanctions and anti-money laundering concerns (e.g., how cryptocurrencies could be used for both sanctions evasion and money laundering). The receipt of declassified briefings would enable financial institutions to more closely monitor priority sanctions targets, which, in turn, may produce valuable intelligence for the U.S. government.

Fourth, bank compliance resources could be used more efficiently if they weren’t disproportionately dedicated to research and enhanced diligence, particularly in regard to ownership. The intelligence community and the Treasury Department should consider whether there are appropriate frameworks within which they could further declassify or otherwise disclose information about the relationships of sanctions targets to particular entities. While some of this information is disclosed to the public already (i.e., subsequent OFAC designations), additional information sharing would allow U.S. financial institutions to redirect the resources they currently spend individually on determining 50 percent ownership to other compliance efforts. And, as with the information-sharing described above, regular discussions about this issue could provide an opportunity—to the extent permitted by law—for the banks to share their own information about the relationships of sanctions targets with the intelligence community. 

Finally, a successful framework for public-private information sharing would need to consider the impact that such information sharing would have on financial institutions’ exposure to civil and criminal liability.[54] For example, the Enforcement Guidelines state that OFAC will consider the level of knowledge that a financial institution has about the underlying violation when assessing whether and to what extent to pursue civil enforcement action. Such knowledge may also contribute to a criminal referral by OFAC to the Department of Justice, who may prosecute a willful violation of IEEPA. A successful public-private framework would be accompanied by a safe harbor—if not a statutory one than through unambiguous agency guidance—to ensure that any knowledge obtained by a financial institution through its participation in the framework would not be used against it in any subsequent civil or criminal enforcement action. 

Conclusion

A combination of factors has resulted in a current sanctions environment that demands the use of compliance resources on relatively low-risk activities despite the Treasury Department’s repeatedly affirmed preference for a risk-based approach to compliance. Yet, as outlined above, there are several concrete steps that various stakeholders—the Executive Branch, Congress and the private sector—could take to improve the system. They should seize the opportunity to ensure that the financial sector’s efforts and resources are efficiently and effectively leveraged to achieve critically important U.S. national security, foreign policy and financial integrity objectives.


[1]U.S. Dep’t of the Treasury, OFAC – Sanctions Programs and Country Informationhttps://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx.

[2]The Trump administration has expanded the use of sanctions, adding approximately 785 individuals and entities to the Treasury Department’s sanctions list in 2019 alone, and using existing and new sanctions authorities to address an increasingly broad range of issues. See, e.g., Alan Rappeport & Katie Rogers, Trump’s Embrace of Sanctions Irks Allies and Prompts Efforts to Evade Measures, N.Y. Times(Nov. 15, 2019), https://www.nytimes.com/2019/11/15/us/politics/trump-iran-sanctions.html.

[3]The U.S. Department of Justice criminally prosecutes “willful” violations, often after a referral from OFAC. After a relatively quiet year in 2018, OFAC took more aggressive enforcement actions in 2019, reaching settlements or issuing penalties in 26 instances with a total monetary value of nearly $1.3 billion. SeeU.S. Dep’t of the Treasury, 2019 Enforcement Information, Civil Penalties and Enforcement Information(Feb. 5, 2020), https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information/2019-enforcement-information.

[4]For example, the 2017 Countering America’s Adversaries Through Sanctions Act (“CAATSA”) codified sanctions against Russia and made it more difficult for the Executive Branch to provide sanctions relief to Russia without congressional approval. SeeH.R. 3364, 115th Cong. (2017), https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information/countering-americas-adversaries-through-sanctions-act. OFAC’s subsequent delisting of two companies owned by Russian oligarch Oleg Deripaska, EN+ and Rusal, led to a confrontation with Congress because of the exercise of congressional oversight mandated under CAATSA. See Press Release, U.S. Dep’t of the Treasury, OFAC Notifies Congress of Intent to Delist En+, Rusal, and EuroSibEnergo (Dec. 19, 2018), https://home.treasury.gov/news/press-releases/sm576;see alsoLetter from Sen. Ron Wyden, Ranking Member of Senate Committee on Finance, et al. to Hon. Steven Mnuchin, Secretary of the Treasury, re: En+ Group PLC (May 16, 2019), https://www.finance.senate.gov/imo/media/doc/051619%20Letter%20to%20Mnuchin%20on%20Rusal%20Braidy%20Investment.pdf.

[5]See, e.g.,Defending American Security from Kremlin Aggression Act, S. 3336, 115th Cong. (2017-2018), S. 482, 116th Cong. (2019-2020). 

[6]The Bank Policy Institute is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost two million Americans, make nearly half of the nation’s small business loans and are an engine for financial innovation and economic growth.

[7]50 U.S.C. ch. 35 § 1701 et seq.

[8]See U.S. Dep’t of the Treasury, A Framework for OFAC Compliance Commitmentshttps://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.

[9]The agencies have based their role in sanctions on their general safety and soundness authority, but have not articulated how sanctions screening meets that standard. As explained by the D.C. Circuit Court of Appeals, an unsafe or unsound practice for purposes of section 1818 “refers only to practices that threaten the financial integrity of the association.” Johnson v. OTS, 81 F.3d 195, 204 (D.C. Cir. 1996); see also Gulf Federal Savings & Loan Association v. Federal Home Loan Bank Board, 651 F.2d 259, 264 (5th Cir. 1981) (“The breadth of the ‘unsafe or unsound practice’ formula is restricted by its limitation to practices with a reasonably direct effect on an association’s financial soundness.”). On Oct. 20, 2020, the federal banking agencies proposed a rule that would provide that examination criticisms “should not include ‘generic’ or ‘conclusory’ references to safety and soundness,” and it remains to be seen whether finalization of that rule will cause agency examiners to allow banks greater latitude to implement risk-based approaches to sanctions compliance. Role of Supervisory Guidance, 85 Fed. Reg. 70512, 70515 (proposed Nov. 5, 2020), https://www.fdic.gov/news/board/2020/2020-10-20-notice-sum-d-fr.pdf.

[10]Board of Governors of the Federal Reserve System, SR 11-7: Guidance on Model Risk Management(April 4, 2011), https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm; Office of the Comptroller of the Currency, OCC 2011-12: Guidance on Model Risk Management(April 4, 2011), https://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf; FDIC, FIL-22-2017: Adoption of Supervisory Guidance on Model Risk Management(June 7, 2017), https://www.fdic.gov/news/financial-institution-letters/2017/fil17022.pdf.

[11]Letter from Thomas H. Armstrong, General Counsel, U.S. Gov’t Accountability Off., to Sen. Thom Tillis, United States Senate, re: Board of Governors of the Federal Reserve System—Applicability of the Congressional Review Act to Supervision and Regulation Letter 11-7 (Oct. 22, 2019), https://www.gao.gov/assets/710/702190.pdf.

[12]OFAC’s 50 Percent Rule requires that entities not specifically designated by OFAC and appearing on its restricted party list, but that are owned, 50 percent or more, by individuals or entities that are specifically designated, be treated as though they too are the subject of U.S. sanctions. See U.S. Department of the Treasury, Revised Guidance on Entities Owned by Persons Whose Property and Interests in Property Are Blocked(Aug. 13, 2014), https://home.treasury.gov/system/files/126/licensing_guidance.pdf.

[13]Indeed, secondary sanctions now apply to an expanding set of such primary targets: not only Iran, the principal target of secondary sanctions for many years, but also now Russia, North Korea and others. See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Sanctions Kunlun Bank in China and Elaf Bank in Iraq for Business with Designated Iranian Banks (July 31, 2012), https://www.treasury.gov/press-center/press-releases/pages/tg1661.aspx.

[14]For example, when clients wish to sell shares in Petróleos de Venezuela, S.A., the Venezuelan state-owned oil company, banks must conduct multiple inquiries and follow several manual steps to process the transaction, if authorized. This has resulted in a significant increase in resource deployment. SeeExec. Order No. 13850, 3 C.F.R. 55243 (2018),https://home.treasury.gov/system/files/126/venezuela_eo_13850.pdf. A recent survey of financial services firms by Deloitte, for example, found that “expanded sanctions programs/complexity of sanctions requirements” was the number one driver of increased sanctions compliance costs. Fred Curry, Analysis, Managing Sanctions Compliance is Complex, Deloitte(2015), https://www2.deloitte.com/us/en/pages/advisory/articles/
manage-sanctions-compliance-challenges-opportunities-survey.html
.

[15]31 C.F.R. § 501, Appendix A.

[16]Compliance professionals at financial institutions also review OFAC enforcement actions to ascertain the reasons why OFAC enforces violations in given circumstances.

[17]U.S. Dep’t of the Treasury, A Framework for OFAC Compliance Commitments,https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.

[18]See, e.g.Are All Commercial Banks Regulated and Supervised by the Federal Reserve System, or Just Major Commercial Banks?, Federal Reserve Bank of San Francisco (November 2006), https://www.frbsf.org/education/publications/doctor-econ/2006/november/commercial-banks-regulation/.

[19]See The Clearing House, A New Paradigm: Redesigning the U.S. AML/CFT Framework to Protect National Security and Aid Law Enforcement(February 2017), https://www.theclearinghouse.org/-/media/tch/documents/tch%
20weekly/2017/20170216_tch_report_aml_cft_framework_redesign.pdf
.

[20]See FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual (hereinafter “FFIEC, BSA/AML Manual”) (updated April 2020), https://www.ffiec.gov/press/PDF/FFIEC%20BSA-AML%20Exam%20Manual.pdf.

[21]See id.at “Scoping and Planning Introduction.”

[22]Sanctions screening algorithms differ by financial institution, which regularly test their algorithms and fuzzy matching systems to understand whether the results are within their risk tolerance.

[23]U.S. Dep’t of the Treasury, OFAC Risk Matrices (for financial institutions as of June 2005)https://home.treasury.gov/system/files/126/matrix.pdf.

[24]U.S. Dep’t of the Treasury, A Framework for OFAC Compliance Commitments, https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.

[25]BPI, Getting to Effectiveness – Report on U.S. Financial Institution Resources Devoted to BSA/AML & Sanctions Compliance, (Oct. 29, 2018), available at https://bpi.com/wpcontent/uploads/2018/10/BPI_AML_Sanctions_Study_vF.pdf.

[26]As discussed throughout this paper, existing sanctions laws and regulations do not provide sufficient guidance to financial institutions or their bank examiners. It would therefore be helpful for any new guidance not only to affirm a risk-based approach to sanctions compliance, but also clarify that a bank’s sanctions screening tools should be calibrated based on its risk profile.

[27]In contrast to existing OFAC regulations, the Financial Crimes Enforcement Network’s regulations provide considerable detail on the Treasury Department’s expectations for bank compliance. For example, 31 C.F.R. § 1020.210 sets forth the requirements of an anti-money laundering program for certain financial institutions; § 1020.220 sets forth Customer Identification Program requirements for banks, savings associations, credit unions and certain non-Federally regulated banks; and, notably, § 1020.315 limits otherwise applicable reporting requirements with respect to transactions in currency between banks and “exempt person[s],” including banks “to the extent of such bank’s domestic operations.” 

[28]For example, OFAC could permit U.S. banks to rely on robust KYC programs to create a program or exemption process like TSA pre-check, which would allow institutions not to screen covered customers’ domestic transactions. This process could be done on a risk-adjusted basis and could be subject to internal controls at the financial institution, thus reducing the risk of true matches slipping through the controls.

[29]Letter from R. Richard Newcomb, Director of OFAC, to Elliott C. McEntee, president and CEO of The National Automated Clearing House Association, re: Domestic ACH (March 20, 1997), https://www.nacha.org/system/files/2019-07/OFAC-Domestic-ACH-Policy.pdf.

[30]Id.

[31]Id.

[32]Notably, the compulsion of the banks to screen domestic transactions has hindered the development of a modern, real-time payment system in the United States.

[33]See U.S. Dep’t of the Treasury, OFAC FAQ #116, https://home.treasury.gov/policy-issues/financial-sanctions/faqs/116(pursuant to the 50 Percent Rule, an entity that is owned by a person on the SDN List is to be treated as an SDN itself).

[34]U.S. Dep’t of the Treasury, OFAC FAQ #753, https://home.treasury.gov/policy-issues/financial-sanctions/faqs/753.

[35]U.S. Dep’t of the Treasury, OFAC FAQ 419,https://home.treasury.gov/policy-issues/financial-sanctions/faqs/419.

[36]U.S. Dep’t of the Treasury, Cuba Sanctions, OFAC FAQ 61, https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information/cuba-sanctions; OFAC FAQ #753, https://home.treasury.gov/policy-issues/financial-sanctions/faqs/753

[37]See supra notes 45 and 46. Of course, FAQ #61 does not absolve financial institutions of responsibility: while banks must still screen the relevant transactions, they may do so without collecting additional documentation like travel itineraries. Additionally, as the FAQ says, financial institutions’ reliance extends only to the point where they “know[] or [have] reason to know” that travel is not authorized by the sanctions regime.

[38]Furthermore, FAQ #61 demonstrates that such reliance need not provide full immunity to financial institutions, but ought to mitigate any potential enforcement action based on the relevant reliance.

[39]The term “comprehensive screening” is used to refer to the extensive screening protocols in place at most financial institutions. This term is not meant to connote that all banks screen every transaction by every customer, but rather recognizes that banks differ in the level or amount of screening they do.

[40]Financial institutions invest significant resources in screening for compliance with sectoral sanctions, with a particular focus on reviewing invoices. In 2017, institutions reported that sectoral sanctions alone almost universally increased sanctions program costs—with the smallest institutions experiencing a median increase of 20 percent.

[41]Board of Governors of the Federal Reserve System, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing(Dec. 3, 2018), https://www.federalreserve.gov/newsevents/pressreleases/
files/bcreg20181203a1.pdf
(“These innovations and technologies can strengthen BSA/AML compliance approaches, as well as enhance transaction monitoring systems. The Agencies welcome these types of innovative approaches to further efforts to protect the financial system against illicit financial activity. In addition, these types of innovative approaches can maximize utilization of banks’ BSA/AML compliance resources.”).

[42]Id.

[43]SeeNeil Bhatiya & Edoardo Saravalle, America Is Addicted to Sanctions-Time for an Intervention, Center for a New American Security(Aug. 6, 2018), https://www.cnas.org/publications/commentary/america-is-addicted-to-sanctions-time-for-an-intervention(“Sanctions work because they cut targets off from dealing with U.S. citizens and American financial institutions—a complete severance from the world’s largest economy and its most important financial center.”).

[44]See, e.g., 31 C.F.R. § 501.603(a)(1) (requiring that any U.S. person, including but not limited to a financial institution, who holds blocked property, submit a report on such blocked property to OFAC). 

[45]Stacey English & Susannah Hammond, Cost of Compliance 2019: 10 Years of Regulatory Change, Thomson Reuters Regulatory intelligence,http://images.financial-risk-solutions.thomsonreuters.info/Web/ThomsonReutersFinancialRisk/%7B06436eff-ec12-40cd-a2d1-3f8ceab757a9%7D_Regulatory_Intelligence_Cost_of_Compliance_2019_FINAL.pdf.

[46]Brian Monroe, Special Contributor Report: the Costs of Compliance – Expectations for Bending the Cost Curve, Association of Certified Financial Crime Specialists (Dec. 27, 2019), https://www.acfcs.org/special-contributor-report-the-costs-of-compliance-expectations-for-bending-the-cost-curve/.

[47]U.S. Dep’t of the Treasury, National Strategy for Combating Terrorist and Other Illicit Financing(February 2020), https://home.treasury.gov/system/files/136/National-Strategy-to-Counter-Illicit-Financev2.pdf.

[48]Johnpatrick Imperiale, Sanctions by the Numbers: U.S. Sanctions Designations and Delistings, 2009-2019 Center for a new American security(Feb. 27, 2020), https://www.cnas.org/publications/reports/sanctions-by-the-numbers(“Despite high-profile cases of removing individuals and companies from sanctions, notably the Russian aluminum company RUSAL, overall the Trump administration has delisted fewer entities over the last several years.”)

[49]FFIEC, BSA/AML Manual, https://www.ffiec.gov/press/PDF/FFIEC%20BSA-AML%20Exam%20Manual.pdf.

[50]Board of Governors of the Federal Reserve System, SR 11-7: Guidance on Model Risk Management(April 4, 2011), https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm.

[51]The Guidancedefines model validation as the “processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses.Id. at 9.

[52]85 Fed. Reg. 40,827 (July 7, 2020); see alsoLetter from Naeha Prakash, Assoc. Gen. Counsel and Sr. Vice President for Consumer and Reg. Affairs, Bank Policy Institute to the Honorable Brian Brooks, Acting Comptroller of the Currency, re National Bank and Federal Savings Association Digital Activities (Docket ID OCC-2019-0028, RIN 1557-AE74) (Aug. 3, 2020), https://bpi.com/wp-content/uploads/2020/08/BPI-Digital-Activities-ANPR-Comment-Letter-2020.08.03.pdf.

[53]Different agencies involved with sanctions implementation and enforcement, including the White House, the State Department, the Treasury Department and Congress, should also collaborate with one another to ensure consistent messaging to banks and the public about U.S. sanctions programs.

[54]The Cybersecurity Information Sharing Act of 2015 (“CISA”) provides a model for protection against liability that might otherwise apply to participants in the CISA framework, provided that information sharing with the Department of Homeland Security about detected cyber-attacks is made in accordance with CISA.