Sanctions Compliance

Unravelling Swedbank's $3.4 million OFAC Sanctions Penalty

This week US regulators fined one of Sweden's leading banks $3.4 million for sanctions violations. This article will share the key insights from Swedbank's penalty. What mistakes were made? And what lessons can compliance and sanctions officers learn from the case?

Paul Dixon, June 23, 2023

Swedbank's 2023 Sanctions Penalty: Here's What Happened

Although we can only access the information that US regulators have released publicly, let's examine how Swedbank found itself in a financially and reputationally damaging quagmire. 

On June 20, 2023, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) announced a $3,430,900 settlement with Swedbank Latvia (a subsidiary of Swedbank) for apparent violations of OFAC's Crimea sanctions. The Riga-based bank isn't a small fish: with over one million customers, it's one of the country's largest financial institutions by assets.

In this PDF, you can view OFAC's full press release. And as reported by the Wall Street Journal (WSJ), this is one of the first resolutions Stockholm-based Swedbank has reached with OFAC (more are likely to follow).

So what did Swedbank's Latvian subsidiary get so wrong? 

Firstly, some background. As many of you reading are aware, Russia annexed Crimea in 2014, resulting in global sanctions against Moscow, such as those imposed by the US and the EU.

OFAC said that throughout 2015 and 2016, a shipping industry client of Swedbank Latvia, the owner of three special purpose companies, used its e-banking platform from an IP address in Crimea while sending payments to individuals in Crimea, breaking imposed sanctions.

But the following is important: The above is a highly simplified version. 

The reality is that this complex case involves many moving parts, such as inadequate continuous monitoring protocols and failings in the correspondent banking system.

The next section will expand on the Swedbank Latvia case and reveal key learning points.

Insight 1: Continuous Monitoring Failings

The first revealing information OFAC released about the case (at the top of the charge sheet) sheds light on the customer onboarding procedures.

So what happened? In a nutshell, Swedbank's Latvian subsidiary onboarded the client at the center of the case before Russia's 2014 invasion of the Crimea region of Ukraine, meaning prior to the imposition of sanctions. We don't know the robustness of the KYC protocols - including sanctions screening - that took place in this initial process. 

But we do know that something went wrong in the customer continuous monitoring (or ongoing monitoring) process, because the client was able to engage in prohibited financial transactions, violating sanctions regulations imposed after the primary onboarding. This reminds compliance teams of the importance of continuously knowing your customers' information as part of a robust anti-money laundering (AML) and sanctions compliance program.

And the bottom line is this: Conditions change. A customer who wasn't on a sanctions list before could be on one in the near future (as happened in the Swedbank case).

Insight 2: Compliance Culture Failings

The above section discussed how continuous monitoring failures may have led to the sanctions breaches. But these failures are deeper than they first appear.

The Swedbank case is about to take another twist.

OFAC also revealed that Swedbank's Latvia subsidiary knew it had customers in Crimea. The bank was also aware that it was processing payments on behalf of a client in Crimea. OFAC states that the Swedbank subsidiary even possessed KYC and IP data indicating a physical presence in Crimea.

And an aggravating factor in this case (resulting in a more hefty financial penalty), according to OFAC, is that Swedbank 'failed to exercise due caution or care in neglecting to account for information in its possession.'

So they knew - but didn't do anything significant about it. A key takeaway for the compliance profession is that even the most robust AML and sanctions compliance programs are vulnerable. And compliance cultures can slip to the side of high risk.

The harsh fact is that internal forces, such as the commercial pressure to hit financial goals, can override a compliance team's best efforts to take the ethical course of action. 

It's important to note that we don't know the compliance team's complicity in the unlawful activity. After all, non-compliance employees can pressure, influence, and even threaten compliance teams to engage in illegal behavior that boosts a company's financial performance. 

Recommended reading: The following sanctions.io article discusses how compliance officers can mitigate personal liability when doing their job - especially in companies with a higher tolerance to regulatory risk.

Insight 3: Correspondent Banking Comes with Sanctions Violations Risks

The next revealing information that OFAC publicly released is about the role correspondent banking played in the case.

This sanctions.io blog post explains how correspondent banking functions, which may help some readers better understand the following section.

This type of banking is essential for the global payment system to work. How? Because it facilitates cross-border transactions, including in developing economies and emerging markets.

In the Swedbank case, the Latvian subsidiary (the respondent bank) outsourced banking services that it wasn't capable of performing to US-based banks (the correspondent banks).

And how does this work? Global banks make sizeable profits by executing international banking services for smaller regional banks. But it comes with risk. Because a correspondent bank, providing financial services to a respondent bank it has an alliance with, relies on the respondent bank to perform robust KYC processes on its clients.

But how is this information relevant in the Swedbank violations case?

To begin, here is some relevant background information. OFAC has not released the names of the US banks (acting as correspondent banks) involved in the Swedbank case. Nor has it said if any charges are coming the way of the US banks involved.

And here is a simple version of what happened:

  • Between 2015 and 2016, the Swedbank Latvia client (evidently in Crimea) initiated 386 transactions totaling $3,312,120. US correspondent banks processed them.
  • In 2016 a US correspondent bank rejected the payments (on its e-banking platform), citing a potential connection to Crimea, and alerted Swedbank Latvia.
  • Swedbank Latvia then used a different US correspondent bank - the transactions were executed successfully.
  • OFAC claims the Riga-based bank knew the client was physically present in Crimea (as discussed previously) but turned a blind eye.

We now have a general grasp of what happened. But what is the crucial learning point? The major one is this: Acting as a correspondent bank is risky. But the risk can be mitigated by performing robust due diligence on partner respondent banks, including:

  • Verifying the identity and legal existence of the respondent bank
  • Reviewing the respondent bank's AML/CTF procedures
  • Assessing the respondent bank's risk management practices

Now back to the case. You may have noticed in the overview that OFAC confirmed that US banks performed transactions on behalf of Swedbank Latvia's client in Crimea.

And this case is far from over. What will happen next?

One has to wonder if, sooner or later, OFAC will announce that a major US bank (or more than one) is receiving a substantial penalty for failings in its sanctions compliance program regarding its dealings with Swedbank's Latvian subsidiary. 

Final Thoughts

To be fair to Swedbank and its subsidiary in Latvia, they are not the only businesses that have screwed up. Other organizations, such as Microsoft, have in 2023 already received OFAC fines for Crimea sanctions breaches. 

You can read about the Microsoft case in this sanctions.io blog post - Microsoft's 2023 Sanctions Penalties: 5 Key Learning Points

OFAC has also stated that Swedbank and Swedbank Latvia took significant remedial action in response to the apparent sanctions violations.

The case still has more twists and turns to come. But it's already proving to be a stark reminder of the importance of robust Know Your Customer (KYC) protocols, effective continuous customer monitoring, and resilient compliance cultures. It also highlights the sanctions compliance risks associated with correspondent banking relationships. 

How sanctions.io Can Help

To learn more about how our sanctions screening service works and to receive answers to all your queries regarding the sanctions.io API, integrations, and more, book a free Discovery Call now.

7-Day Free Trial (No Credit Card Required)

We offer a free 7-day trial (no credit card is required) and will be delighted to walk you through our service. sanctions.io is a highly reliable and cost-effective solution for sanction checking. Its AI-powered screening and enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their sanctions screening needs.

Paul Dixon
Paul is a RegTech content writer & strategist with extensive experience in digital marketing and journalism. His work has appeared in the Guardian newspaper. He also holds a degree in International Relations, where he studied global sanctions compliance and cross-border finance.‍