Sanctions have been around for a long time but as we approach the tenth anniversary of 9/11 it is clear they have shot up the scale of risks to be prioritised by financial institutions including trust and corporate service provider businesses the world over.
Why is this? One reason is that the threats the international community wishes to curtail have become more pronounced – international terrorism and nuclear proliferation have garnered more international consensus than apartheid did in the 1980’s for example; but the most important driver has been the increased willingness of the US authorities and the US courts to exercise jurisdiction extra territorially.
Most countries domesticate UN or EU sanctions and no more. The United States is exceptional. In addition to domesticating UN Sanctions it also imposes its own extensive sanctions regimes policed by a department of the US Treasury – the Office of Foreign Asset Control (OFAC).
The US government has long regarded sanctions as key tools in support of their foreign policy objectives. That is important because the US regards anybody who does business with a person sanctioned by it, as effectively ‘trading with the enemy’. A number of UK banks have discovered this to their cost recently.
The following two commonly held misconceptions about OFAC sanctions can lead to flaws in the compliance controls of financial services businesses:
- OFAC sanctions only apply to US persons. They are not relevant to foreign trust company businesses which only need to be aware of the sanctions that are in force in the jurisdictions where they operate;
- OFAC sanctions only apply to US$ transactions.
- Whilst technically OFAC sanctions apply only to US persons, in the sense that only US persons can commit the offence of breaching them, they can and do impact non-US persons in a number of important ways. For example:
- OFAC applies to all transactions that take place in the US including all US$ payments whoever makes them, whether or not they have a presence in the US. This means that all US$ transactions involving an OFAC sanctioned party are liable to be blocked or frozen by US correspondent banks. All such blocked and frozen transactions are reported to the US authorities who, unsurprisingly track the identity of the foreign financial institutions that do business with OFAC sanctioned parties;
- OFAC applies to all US persons including US person employees of non US businesses operating outside of the US. The effect is that if a US person employee processes a transaction in any currency in contravention of OFAC they will commit a criminal offence;
- OFAC applies to all non US persons operating within the US. Where the US presence is through a subsidiary, US jurisdiction is unlikely to permeate to the parent, but where the US presence is in the form of a branch or agency, the entire corporate body may become subject to US jurisdiction in respect of its activities in the US;
- It is an offence for any person (US or not) to conspire to cause a US person to contravene OFAC by for example stripping payee details from payment messages to avoid a US person from identifying and blocking a payment involving an OFAC sanctioned party.
The USA PATRIOT Act enacted in October 2001 imposed an obligation on US banks operating correspondent accounts to force their foreign bank customers to comply with US regulations. Downward pressure was in turn applied to bank customers including trust companies.
But, in a number of instances, foreign banks are said to have implemented ‘special procedures’ on behalf of sanctioned customers to disguise their identity, thus undermining the dual objectives of the PATRIOT Act and OFAC sanctions.
ABN Amro, Credit Suisse, Barclays and RBS have collectively been fined almost US$1 billion by the US authorities in the last three years for such conduct. Nothing that the banks did was illegal in the jurisdictions in which the ‘stripping’ activity took place. It was illegal only as matter of US law which was applied extra territorially.
In the ABN AMRO case, the US authorities were able to exercise jurisdiction by claiming that the Dutch bank was a US person by virtue of its US branch. The fear in Washington was that the same stick could not be wielded against foreign banks operating US correspondent accounts with no branch or subsidiary on American soil.
The response has been to apply direct pressure to foreign banks to force them to comply with US sanctions, at the risk of losing the privilege of doing business in dollars through the New York financial markets.
This has resulted in a comprehensive ‘export’ of US compliance obligations. The thinking goes that, if the US authorities have foreign banks by their correspondent accounts, their hearts and minds will follow.
An international bank without a US correspondent account is effectively shut out of the global financial markets. One consequence has been that banks have begun to apply pressure on their trust company business clients to implement even more robust sanctions compliance controls.
Further ammunition is provided under Section 319 of the PATRIOT Act, which permits US authorities to hold foreign banks responsible for the financial misdeeds of their customers and gives them the power to forfeit funds from a foreign bank’s US correspondent accounts for infractions of US law.
This is a particularly effective disincentive for two reasons: firstly, as the action is brought against a bank’s property not against the bank itself, no wrongdoing needs be proven against the bank for the provision to bite; and secondly, the civil and not the more onerous criminal standard of proof applies.
Of even greater concern are the anti-terrorism laws enacted in 1992 and 1996 which permit victims of terrorist attacks to bring civil actions against financial institutions that are alleged to have provided material support or resources, including financial services, to a foreign terrorist organisation in breach of the US Anti-Terrorism Act.
The US civil plaintiff bar that waged the tobacco class litigation wars of the 1980s and 90s now have foreign banks firmly in their sights on behalf of the victims of terrorist attacks. Contingency fee arrangements in the US permit lawyers to recruit potential plaintiffs who pay no legal fees unless they win and bear no risk of costs if they lose. These lawyers are presumably well aware of the reputational cost to banks of defending claims brought by the victims of terrorism.
NatWest is currently defending a series of claims by US citizens and the heirs of foreign citizens injured or killed in ten terrorist attacks in Israel in 2002 and 2003. It is claimed that, by having maintained accounts and processed transfers in the UK for Interpal (a Palestinian charity registered with the UK Charities Commission), NatWest provided material support to terrorist organisations such as Hamas.
At the time the accounts were maintained by NatWest in the UK, Interpal was designated as a terrorist organisation only by the authorities in Israel. It was only later in 2003 that Interpal was sanctioned by OFAC.
At all material times NatWest acted lawfully in the UK where the accounts were operated. Nevertheless, the bank now finds itself defending, at considerable expense, a claim that, whether it succeeds or not, will have done nothing to enhance its reputation. If the claims succeed, the US Anti-Terrorism Act’s ‘treble damages’ provisions are likely to guarantee that the sums in damages will be very substantial.
It is difficult to conceive of more powerful disincentives for non-US banks and other financial services businesses to act contrary to US foreign policy objectives wherever they conduct their business, whether they maintain presence in the US or not.
Consequently, it has become imperative that non-US financial services businesses understand the expanded reach of US law in designing their own compliance regimes. With no prospect of a change in policy on extra territoriality by President Obama the costs of compliance to the non-US banking sector look set to continue to soar.
What are the lessons? Critically all financial services businesses must recognise that the nature of criminal, regulatory and civil liability risk has ‘gone global’. Too many institutions encourage a jurisdiction specific ‘silo mentality’ to risk management and express surprise when a risk manifests from outside of their limited field of vision.
The devastating effects of the US housing collapse on UK banks is a symptom of this mentality. Clouds are gathering for financial services businesses internationally – many of them are ill equipped to withstand the consequences of a hurricane that has at its epicentre an OFAC sanctions breach or a ‘treble damages’ class action brought by victims of an act of terrorism claimed to have been ‘facilitated’ by the institutions inadequate sanctions compliance controls.
We now live in a ‘but for’ era – all financial services businesses must recognise that they will be held liable for acts that might not have occurred ‘but for’ the weaknesses in their financial crime prevention controls. Robust international sanctions compliance procedures are not a ‘nice to have optional extra’. They are an imperative.