The Office of Foreign Assets Control (“OFAC”) announced on June 20 that Swedbank Latvia AS (“Swedbank Latvia”), a subsidiary of Swedbank AB (“Swedbank AB”) headquartered in Riga, Latvia, agreed to pay $3,430,900 to settle its potential civil liability for 386 “apparent” violations of OFAC sanctions involving Crimea. Specifically, Swedbank Latvia allegedly allowed a client to initiate payments from Crimea through an e-banking platform that ultimately were processed by a U.S. correspondent bank. The settlement amount reflects OFAC’s determination that Swedbank Latvia’s conduct was “non-egregious” – but not voluntarily self-disclosed.
Although unrelated to this OFAC action, Swedbank Latvia was the topic of a 2019 internal investigation report commissioned by Swedbank AB revealing that from before 2007 through 2016, Swedbank Latvia (and Swedbank Estonia) actively pursued certain high-risk customers as a business strategy. This conduct, related to the Danske Bank scandal and its now-notorious Estonian Branch, resulted in Swedish and Estonian authorities ordering Swedbank AB in 2020 to pay a record 4 billion Swedish Krona (then, approximately $38 million) in anti-money laundering related penalties.
This OFAC enforcement action involves alleged conduct which occurred even before Russia’s 2022 unprovoked invasion of Ukraine, the ensuing host of expanded U.S. sanctions, and the recent drive by U.S. regulators and prosecutors to combat the attempted evasion of Russia sanctions and export controls. The enforcement action reflects how OFAC can learn of potential sanctions violations through other financial institutions. It also emphasizes, once again, some of the risks inherent in providing correspondent bank services to foreign banks, and the need for good communication between U.S. and foreign banks. It further reflects the need for a financial institution (or any company) to integrate customer data into a sanctions compliance program, keep up to date on evolving sanctions, and pursue potential red flags of non-compliance – including in the face of customer representations of compliance.
The Apparent Violations
Prior to Russia’s 2014 invasion of the Crimea region of Ukraine, Swedbank Latvia onboarded a shipping industry client in Crimea (the “Client”) that owned three special purpose companies (“SPCs”), each with an account at Swedbank Latvia. When Swedbank Latvia onboarded the Client and the SPCs, Swedbank Latvia obtained Know Your Customer (“KYC”) data, including addresses, telephone numbers, and a customer questionnaire, indicating that the Client and the SPCs had a physical presence in Crimea. Although Swedbank Latvia collected and stored customer internet protocol (“IP”) data, it did not integrate this IP data into its sanctions screening processes. According to OFAC, if this IP data had been screened later at the time of the Apparent Violations, it would have indicated that the Client was present in Crimea.
After Russia’s invasion, and throughout 2015 and 2016, the Client used Swedbank Latvia’s e-banking platform from an IP address in Crimea to send payments to persons in Crimea through U.S. correspondent banks (the “Apparent Violations”). The Client initiated 386 transactions totaling $3,312,120 through accounts belonging to the SPCs that were processed through U.S. correspondent banks.
Importantly, around March 2016, the Client tried to send payments from an IP address in Crimea using the e-banking platform to a U.S. correspondent bank, which rejected the payments due to a potential connection to Crimea and alerted Swedbank Latvia. Although Swedbank Latvia attempted to obtain additional information from this U.S. correspondent bank and requested additional information from the Client, it did not receive a response from the U.S. correspondent bank and the Client falsely assured Swedbank Latvia that the transactions did not involve Crimea. Based on this representation, a relationship manager at Swedbank Latvia re-routed the rejected payments to a different U.S. correspondent bank, which processed the transactions.
The Penalty Calculation
According to OFAC, the statutory maximum civil monetary penalty was the astronomical amount of $112,322,552. Interestingly, OFAC found that Swedbank Latvia did not voluntarily self-disclose the Apparent Violations, because a third party was required to and did notify OFAC first of the Apparent Violations. Presumably, this third party was the U.S. correspondent bank which rejected the attempted March 2016 transaction.
Nonetheless, OFAC found that the Apparent Violations constituted a “non-egregious” case. Applying its Economic Sanctions Enforcement Guidelines, OFAC found that the base civil monetary penalty was $6,238,000, and that further consideration of the General Factors under the Enforcement Guidelines yielded a settlement amount of $3,430,900. The following were “aggravating factors” tending to increase the penalty: (1) “Swedbank Latvia failed to exercise due caution or care in neglecting to account for information in its possession regarding its Client’s presence in Crimea and by solely relying on the Client’s assurances when it possessed contrary information, including KYC and IP data”; (2) “Swedbank Latvia knew it had customers in Crimea and had reason to know it was processing payments on behalf of the three SPCs located in Crimea”; and (3) “Swedbank Latvia is a sophisticated financial institution with over one million customers and is one of the largest banks in Latvia by assets.”
However, the following were “mitigating factors” tending to reduce the penalty: (1) “Swedbank Latvia did not receive a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the Apparent Violations”; (2) “Swedbank AB and Swedbank Latvia substantially cooperated by conducting an extensive lookback, providing well organized responses to OFAC’s requests for information, and by tolling the statute of limitations”; and (3) “Swedbank AB and Swedbank Latvia took significant remedial action in response to the Apparent Violations,” including “[i]mplementing geofencing that prevents customers from sending payments through online banking platforms from IP addresses in comprehensively sanctioned jurisdictions[,]” and “[i]mplementing enhanced diligence and transparency protocols for responses to correspondent banks.”
Integrating Information and Responding to Red Flags
OFAC concluded its announcement by offering these two observations regarding the importance of effective, risk-based sanctions compliance controls, and investigating any red flags that arise:
[Sanctions compliance] controls should account for changes to applicable sanctions and incorporate all relevant available information to conduct responsive and regular screening. As this matter shows, such efforts should include ensuring that KYC information (such as passports, phone numbers, nationalities, and addresses) and IP data are appropriately integrated into sanctions screening protocols.
In addition, this case illustrates the importance of undertaking reasonable efforts to investigate red flags. Ignoring or failing to heed such warnings can cause apparent violations to multiply quickly. Rather than dismissing such concerns and relying on unsubstantiated assurances, financial institutions and other persons made aware of such issues should diligently work to identify risks that may exist.