Emigrant Bank's OFAC Penalty Reveals a Screening Vulnerability
Emigrant Bank is the oldest savings bank in New York City. In September 2023, OFAC penalized the Manhattan-headquartered financial institution for Iran sanctions violations. The monetary penalty was relatively small. But what's far larger is the significant lesson compliance professionals can learn from the case regarding the sanctions screening country fields problem.
But before we dive into it, let's review the ins and outs of the Emigrant Bank sanctions violation.
Emigrant Bank's 2023 Sanctions Penalty: Here's What Happened
On September 21, 2023, the US Treasury's Office of Foreign Assets Control (OFAC) announced that Emigrant Bank will pay a penalty of $31,867 for apparent violations of the Iranian transactions and sanctions regulations.
Remember, this article concerns the sanctions compliance insights rather than the monetary fine levied on them - pocket change for a bank with assets of more than five billion dollars.
So what did Emigrant Bank get so wrong to be on the receiving end of an OFAC slap on the wrist and the reputational damage that followed?
This happened: In 1995, Emigrant Bank opened a certificate of deposit (CD) account for two Iranian residents. This action went against Iranian transactions and sanctions regulations and should never have been allowed to occur.
What's baffling is that, up until Emigrant Bank closed the account in 2021 (yes, it took more than a quarter of a century for this to happen), both parties exchanged documents that should have triggered metaphorical red-flashing lights and ear-piercing alarm beeps at the bank's HQ on Chambers Steet in Manhattan.
Here is the paper trail OFAC revealed:
- Papers indicating Iranian residency
- Letters showing Iranian addresses
- Tax forms reflecting Iranian addresses
- Interest check & tax documents (sent by the bank)
- Periodic statements (sent by the bank)
- Emigrant Bank internal discussions and decisions
OFAC also alluded to three events that should have (but didn't) set alarm bells ringing even louder to trigger account closure action and voluntary self-disclosure to US regulators:
Event 1
In June 2016, the two account holders requested to send money from their account to another US bank. Emigrant Bank reviewed the transaction because the screening process red-flagged it for sanctions issues. When the receiving bank asked for more information, Emigrant Bank incorrectly thought the money transfer was allowed as personal help - the payment went ahead.
Event 2
Following Event 1, in a separate occurrence, Emigrant Bank modified the country code for the account within its customer database, changing it from the United States to Iran. Emigrant Bank's compliance program initially did not flag this address change to Iran as a potential sanctions concern.
Event 3
In April 2019, Emigrant Bank implemented improvements to its sanctions screening processes. The system subsequently generated an alert - mainly because the account country code was Iran. Emigrant Bank overrode the alert as they depended on incorrect guidance dating back to 2016.
So when did the penny finally drop for the bank realizing the Iranian sanctions violations?
In June 2021, the bank discovered the Iranian status of the account during a regulatory examination. They initially restricted the account, preventing outgoing transfers - but eventually closed it (also in 2021) and voluntarily self-disclosed the apparent violations to OFAC.
Emigrant Bank also took corrective measures by introducing additional sanctions training and searching for other accounts owned by individuals residing in comprehensively sanctioned countries.
In the following section, we'll reveal the gaping sanctions screening vulnerability that, in all likelihood, contributed to the violations.
The Sanctions Screening Weak Spot Compliance Teams Must Cover
Before diving into the weaknesses in this intriguing case, it's important to remember this: We only have information on hand that OFAC released in its enforcement release.
However, insights can be drawn that all sanctions compliance teams should heed.
The Country Fields Problem in Sanctions Screening
Here is a problem that many of you know: Not all core AML screening banking systems check country fields for matches on comprehensively sanctioned countries, such as Iran. Although some systems do screen country fields, the problem is that most occur by screening names alongside the country fields.
So, what does this mean in tangible terms?
It means that if an individual resides in Iran (it could easily be a country such as North Korea too), the AML system won't trigger a red flag based on the sole fact that Iran is one of the world's most sanctioned countries.
If the individual's name does not appear on a sanctions list, then no alert is generated, and a slippery and risky slope to non-compliance and sanctions violations begins to snowball.
Another problem is data quality. Even if an AML screening banking system specifically checks country fields for matches on comprehensively sanctioned countries, the success of the results is only as good as the data it's fed (more about that later in the article).
And the bottom line is this: If your AML system isn't waving red flags at you exclusively based on country fields - you have a problem. Also, even if it is, poor data quality may increase the risk of serious sanctions violations.
How To Solve the Country Fields Sanctions Screening Problem
Before we answer this, it's important to remember that each AML screening system in the financial sector is different and is often a mishmash of various processes (some automated and others manual) using multiple tools and technologies to identify suspicious transactions.
The specific configuration and components of AML screening systems can also vary widely from one organization to another, depending on resources and regulatory requirements.
And what does all this mean? Because of the complexity, not all financial institutions can guarantee they don't have a country fields sanctions screening problem. A case in point is Emigrant Bank - according to OFAC, they only became aware of the issue during a regulatory examination.
So what can financial organizations do to mitigate the risk of individuals from comprehensively sanctioned countries slipping through the net?
Here are the top tips:
Tip 1: Identify Non-Resident Customers and Verify Country Field
The first tip is straightforward:
- Identify your non-resident customers
- Run a core report
- Validate whether the country field contains data
If empty, incomplete, or contains patchy data, this could indicate a significant issue in your Know Your Customer (KYC) process that needs fixing. In addition, financial services companies should also check to see if the country field and passport information of the non-resident customers align (and that the data is comprehensive).
And remember that inaccurate, missing, patchy, or incorrect country field data will increase the risk of customers from comprehensively sanctioned countries not being identified, even if your AML system is screening based on country fields only.
Tip 2: Find an Affordable External Solution
If your AML system isn't producing alerts solely based on country fields (or you can't be sure that it is due to complexities described earlier), then the next tip involves plugging into your systems an external solution that does the job for you.
For example, with the sanctions.io API, you can screen your customers exclusively against jurisdictions that are comprehensively sanctioned (such as Iran).
And it's simple to set up, too. You can find more information in our knowledge base article - Best Practices for Screening Parameters - and scroll down to Screening against Sanctioned or High-Risk Jurisdictions.
Tip 3: A Manual Process Is Better Than Nothing
The final tip is most suitable for organizations with a low volume of customers accustomed to manually managing customers' KYC information. And it's an easy one: Grab your mouse, click on a program like Microsoft Excel, and do the tracking that way.
Although it may seem like an improvised approach compared to an automated one, it's far better than having nothing at all. It also shows a degree of pro-activity that regulators look favorably towards.
Closing Thoughts
In this article, we looked closely at Emigrant Bank's OFAC sanctions violations penalty and the challenges posed by the sanctions screening country fields issue for compliance teams.
As we wrap up, three general conclusions emerge:
- All core AML screening banking systems must check country fields exclusively for matches against comprehensively sanctioned countries.
- Compliance teams must ensure that this crucial process works effectively.
- Even if this process is in place, the success of mitigating the risk of breaking sanctions is determined by the data quality.
We mostly covered the first two points in this report. To learn more about number three, the following article from our blog will help: The Role of Data Quality and Governance in Successful AML Compliance Programs.
How sanctions.io Can Help
sanctions.io's cost-effective solutions are already helping financial services companies worldwide with their screening needs - including assistance with the country fields problem.
To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organization's compliance program:
We also offer a free 7-day trial (no credit card is required) and will be delighted to walk you through our service. sanctions.io is a highly reliable and cost-effective solution for sanction checking. AI-powered and with an enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their sanctions screening needs.