Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

OFAC Sanctions: Lessons from Deutsche Bank

Michelle M. Lucci, CSS, CRCM
June 8, 2021
Read Time: 0 min

Real consequences from OFAC sanctions violations

OFAC compliance has increased in complexity and clarity with guidance released within the past few years and institutions need to take notice to avoid penalties.

Would you like others articles like this in your inbox?

Importance of Compliance

OFAC sanctions can have real world impact

The Office of Foreign Assets Control (OFAC) of the U.S. Treasury Department has long administered and enforced economic and trade sanctions against foreign countries, regimes, terrorists, international narcotics traffickers, and transnational organized crime. However, OFAC compliance has increased in complexity and clarity with guidance released within the past few years. The civil monetary penalties and reputational risk are strong reasons why financial institutions need to employ seasoned sanctions officers and automated scanning solutions.  

One recent case study garnered worldwide attention in the compliance industry, with lessons learned on what NOT to do in a sanctions program. On September 9, 2020 Deutsche Bank Trust Company Americas (DBTCA) agreed to pay two civil monetary penalties – one for $157,500 and the other for $425,600 – to the Department of the Treasury OFAC for violations of the Ukraine-Related Sanctions Regulations. What can AML professionals learn from the DBTCA case?  

First Penalty

Conducting proper due diligence is key

The first penalty resulted from DBTCA processing a large payment through the U.S. that related to a series of purchases of fuel oil that involved a property of interest of a designated oil company in Cyprus.  

At the time it processed the payment, DBTCA had reason to know of the designated oil company’s potential interest but did not conduct sufficient due diligence to determine whether the oil company’s interest in the payment had been extinguished. DBTCA did not do their homework and missed a significant piece of the puzzle. 

Second Penalty

Payments sent to entity on OFAC sanctions list

DBTCA agreed to remit $425,600 for processing 61 payments destined for accounts at Krayinvest Bank, a designated entity on the OFAC sanctions list.  

There are two reasons for the breakdown in controls: 

  • The designated financial institution’s Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC) was not uploaded into DBTCA’s interdiction software at the time of designation (each payment contained the BIC). 
  • The payments contained an almost identical match to the bank’s name and address but DBTCA set their sanctions screening tool to Exact Match. As such, only a payment with an exact Specially Designated Nationals (SDN) List match would trigger manual review.  

Five things to look for in an OFAC screening software.

learn more
Framework Document

A Framework for OFAC Compliance Commitments

On May 2, 2019, OFAC issued their Framework document, which is a must-read for anyone with sanctions responsibilities. OFAC recommends a risk-based approach to sanction compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).  

Although the level of sanctions risk varies by institution, OFAC recommends the SCP contain the following five essential components: 

  • Management commitment 
  • Risk assessment 
  • Internal controls 
  • Testing and auditing 
  • Training  
OFAC Official Guidance

Root causes associated with OFAC violations

“Root Causes of OFAC Sanctions Compliance Program Breakdown or Deficiencies Based on Assessment of Prior OFAC Administrative Actions”  

This section of the Framework document contains a compilation of specific root causes associated with apparent violations of the regulations it administers to assist with designing, updating, and amending their respective SCP.  

In other words, these are errors that financial institutions and other entities have made previously for which they most likely incurred penalties and now this information is a part of OFAC’s official guidance. Essentially, they are fair warning to all U.S. persons or persons subject to U.S. jurisdiction, including entities that conduct business in or with the U.S. or with U.S. origin goods or services.  

The issues with DBTCA’s interdiction software mentioned above in the second penalty, is covered in the “Root Causes” section Number VI Sanctions Screening Software or Filter Faults which states:   

“At times, organizations have failed to update their sanctions screening software to incorporate updates to the SDN or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties.” 

If DBTCA had set the filter to display more results the software would have returned possible matches thereby prompting a manual review. 

The risk-based approach mentioned in the Framework includes decisions that must be made with regards to software. It is always a balance to generate quality results and limit time spent on false positives, however, with the publication of this enforcement action financial institutions should think twice on setting the filter to return only Exact Matches.  

Key Takeaways

How financial institutions can strengthen OFAC compliance

There are a lot of things financial institutions can glean from Deutsch Bank's violations and the OFAC Framework. 

  • Conduct a thorough assessment of OFAC risk and understand sanction requirements 
  • Follow the Framework for OFAC Compliance Commitments document when developing a risk-based SCP  
  • Understand the root causes of other financial institution’s deficiencies 
  • Update OFAC screening software for all scanning requirements (within the Framework document) 
  • Remember that exact match software logic may be too risky for any institution 

If an institution receives a possible match and are uncertain about the sanction requirements or the specific potential match, don’t hesitate to call OFAC for guidance and carefully document the conversation. It is better to be safe than sorry with the stakes this high. Your institution’s safety and soundness depend on it. 

Ensure your institution's OFAC compliance.

learn more
About the Author

Michelle M. Lucci, CSS, CRCM

Regulatory Compliance Director
Michelle Lucci, Abrigo’s Regulatory Compliance Director, has over 30 years of banking experience and is a Certified Sanctions Specialist (CSS), a Certified Regulatory Reporting Manager (CRCM) and a Certified Anti–money Laundering Specialist (CAMS). Prior to joining Abrigo, she served as a Commissioned FDIC Bank Examiner for both Risk Management and Consumer Compliance in the New York and Atlanta FDIC regions, acted as Examiner-In-Charge

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.