Posted by Brian Monroe - bmonroe@acfcs.org 11/09/2021
OFAC, Fed, NYDFS penalize Mashreq bank $100 million for sanctions failures, just three years after $40 million fine for similar issues
The skinny:
- The U.S. Treasury’s Office of Foreign Assets Control (OFAC), Federal Reserve and the New York State Department of Financial Services (NYDFS) Tuesday issued coordinated enforcement actions totaling $100 million against Dubai-based Mashreqbank for purposely omitting details on payment transactions with ties to Sudan.
- The case is eerily similar to other international bank “stripping” cases that have cropped up since 2009 – there have been nearly a dozen over a little more than a decade with forfeitures and penalties of more than $12 billion, including one case alone of more than $9 billion.
- Part of the message the NYDFS wants to relay to the broader international banking sector is that operations with branches in the United States had better police their correspondent networks – particularly those in riskier regions with a propinquity to destabilized, extremist and terror hotspots.
The largest and oldest bank in the United Arab Emirates will pay a host of federal and state regulatory and sanctions agencies $100 million for dealings with a blacklisted regime designated as a state sponsor of terror – just three years after paying $40 million for similar acrimonious actions and compliance inactions.
The U.S. Treasury’s Office of Foreign Assets Control (OFAC), Federal Reserve and the New York State Department of Financial Services (NYDFS) Tuesday issued coordinated and interlinked enforcement actions, orders and penalties against Dubai-based Mashreqbank for purposely omitting details on payment transactions with ties to Sudan.
The investigation by NYDFS uncovered that Mashreqbank “instructed its employees to avoid populating certain fields in the payment messages sent between banks so as to conceal the prohibited Sudanese element of these transactions.”
Such a move would effectively bypass the sanctions filters at other banks, evading the triggering of an alert or potential for intermediary institutions to freeze any of the transactions.
The country has been on U.S. blacklists since the 1990s for terror ties and human rights abuses.
The U.S., after reviewing the country’s progress in recent years and after Sudan satisfied several prerequisites to better stamp out extremist groups, removed the designation in December.
The case is eerily similar to other international bank “stripping” cases that have cropped up since 2009 – there have been nearly a dozen over a little more than a decade with forfeitures and penalties of more than $12 billion, including one case alone of more than $9 billion.
In those enforcement actions, senior executives, and in one instance even the compliance team itself, institutionalized the practice of scrubbing interbank payment messages in wires for links to countries on U.S. watchlists, including Iran, North Korea, Sudan, Cuba and others.
In the latest action, and a prior $40 million penalty against the bank by the Fed and NYDFS in 2018, regulators also highlighting a lack of culture, the importance of senior executive support and even a willingness to make examples out of staffers in and out of compliance – the dreaded specter of individual liability and a potential career killer.
The emphasis on compliance culture and individual liability, as well as the importance of empowered and informed AML and sanctions teams feeling they have the support and courage to speak up, should be a message banks large and small take to heart.
“While the details surfacing in this case may seem outlandish and alarming to compliance and investigative teams in most organization, with some likely even commenting ‘that could never happen in our organization,’ the reality is, it can and does,” said Jon Elvin, a former banking executive and Chief BSA/AML Officer, now the Executive Director of Strategy and Corporate Impact at ACFCS.
“The truth is, organizations, events, personalities and financial incentives can unduly shape behavior, broadly and in certain smaller sub-culture divisions,” he said, a nod to high-profile federal enforcement actions in recent years where pockets of non-compliant teams evaded program rules and brought the wrath of regulators.
This is why “corporate culture” is critical.
“Employees, especially those in risk management, compliance and investigative channels MUST know they have a responsibility and the support to do the right thing always,” Elvin said.
After main Swiss correspondent conduit gets pinched, house of cards falls
In the case of Mashreqbank, this resulted in other banks processing prohibited payments totaling more than $4 billion between 2005 and 2009.
The practice only ended in 2009 after a Swiss bank used by Mashreqbank to process these transactions rejected a Sudan-related U.S. dollar-denominated transaction.
Ironically, the next day, news broke that the Swiss bank was “being investigated by the New York County District Attorney’s Office for violating economic sanctions rules,” according to the NYDFS.
That prodded Mashreqbank leaders to realize the jig was up, concluding that U.S. authorities would likely follow the tainted transaction trail back to them.
Not knowing when regulators or investigators would come knocking, the bank quickly closed all U.S. dollar accounts held by Sudanese banks, but still tarried on disclosing the plethora of prohibited transactions to the NYDFS for another six years, until 2015 – in that time squeezing in a few more transactions with the off-limits locale.
Between 2010 and 2014, Mashreqbank’s New York Branch processed additional Sudan-related, prohibited payments, totaling approximately $2.5 million, according to the NYDFS consent order.
These transactions, though in violation of sanctions rules, were “less obviously tied to Sudan,” according to the consent order. “For example, a number of these customers were not residents or domiciled in Sudan, and their payment instructions did not reference Sudan.”
So how did Mashreq game the system and prevent intermediary banks from seeing that a Sudanese financial institution was the actual originator?
They “covered” their tracks.
From January 2005 through the early part of 2009, Mashreq used a series of “cover payments” to “conceal the Sudanese connections to transactions,” primarily on behalf of the privately-owned Sudanese bank Blue Nile, that would otherwise have been prohibited by OFAC, according to penalty documents.
This process involved the use of a specific SWIFT payment message used for inter-bank transfers, called the MT202.
The messaging format allowed certain fields that typically had to be filled out in other payment message types to remain blank, and still move the funds.
Because of the “bank-to-bank nature of these payment instructions, MT-202s merely instructed intermediary banks to move funds across correspondent banking networks without identifying the original ordering bank or ultimate bank,” according to the NYDFS.
The result: the funds would flow through intermediary banks, some in the United States and other partner jurisdictions, without those financial institutions knowing their source was a blacklisted region and entity.
But what about the final bank in the chain?
Wouldn’t they block or reject the transaction and alert OFAC?
Not exactly, especially if the bank was located in a country outside the U.S.
“The originator and beneficiary information would be contained only in a separate bank-to-bank payment message which was sent by Mashreq directly to the ultimate beneficiary bank,” according to the NYDFS.
The last piece of the puzzle: the “final payment pursuant to this series of messages was a foreign bank, so that it could complete the OFAC-prohibited payment without necessarily violating U.S. law.”
SWIFT finally caught on in 2009, eventually changing its payment message format in an “effort to make the cover payment methodology more transparent,” according to the consent order.
How did Mashreq garner attention of authorities? Risky correspondent portals
Overall, the bank has nearly 40 branches globally and assets totaling more than $44 billion, roughly $1.5 billion of that figure in the New York branch, which has been operating in Gotham, along with a predecessor, since 1989.
In all, Mashreq has 14 domestic branches in the United Arab Emirates and 26 branches and representative offices abroad, including in Bahrain, Egypt, Hong Kong, India, Kuwait, Qatar, the United Kingdom, and the United States.
Part of the message the NYDFS wants to relay to the broader international banking sector is that operations with branches in the United States had better police their correspondent networks – particularly those in riskier regions with a propinquity to destabilized, extremist and terror hotspots.
The penalty could have been higher, but the NYDFS stated the bank gave “substantial cooperation with the investigation and its ongoing remedial efforts,” including retooling is compliance program by adding hundreds of compliance staff and upgrading systems and technology.
Even so, the bank, as part of the negotiated settlement, must report at regular intervals on the “status and sustainability” of its sanctions compliance program.
The current $100 million sanctions penalty was borne out of the October 2018 enforcement action and $40 million fine, which though mainly focused on AML compliance failings, ordered Mashreq to engage a third-party for a transactional lookback to uncover any missed sanctions violations.
To read ACFCS coverage of the prior Mashreqbank penalty, click here.
In the previous action, the NYDFS and Fed chastised the bank for a bevy of financial crime compliance deficiencies, including lax oversight of dollar clearing portals for high-risk countries, monitoring and reporting on suspicious activity and policies for dealing with rogue regimes.
The regulators also required the bank to hire an outside consultant and engage in a transactional lookback to find any missed instances of aberrant activity during a six-month period in mid-2016.
“Mashreqbank failed to fully comply with critical New York and federal banking laws aimed at combating international money laundering, terrorist financing and other related threats by failing to provide adequate oversight of transactions by customers in high-risk regions,” said former Superintendent Maria Vullo in a statement at the time.
To read the full action, click here.
ACFCS noted at that time the penalty continued a trend of federal and New York regulators focusing on foreign banks with operations in the United States that also have sprawling correspondent banking networks.
A rising fear, particularly when those connections touched banks in regions to be at a higher risk for money laundering, corruption or terror finance.
For instance, Mashreq’s New York branch offers correspondent banking and trade finance services and provides U.S. dollar clearing services to clients located in Southeast Asia, the Middle East and Northern Africa – regions that “present a high risk in connection with financial transactions,” according to the NYDFS.
The weak AML oversight of these portals was magnified due to the financial throughput through these arenas.
The branch engaged in a substantial amount of U.S. dollar clearing activity for foreign customers in high risk jurisdictions – with some components of the program still processing alerts manually.
For example, in 2016, the branch cleared more than 1.2 million U.S. Dollar transactions with an aggregate value of over $367 billion.
In 2017, the branch cleared more than one million U.S. Dollar transactions with an aggregate value exceeding $350 billion.
In the settlement documents, NYDFS examiners noticed a sharp decline in AML and OFAC program performance between 2014 and 2016, going from “satisfactory” to overall abysmal scores in just two years.
But some lines in the order had compliance analysts chafing, including this one: “A bank’s programs should improve sufficiently over time as the institution receives the benefit of the guidance provided by the examiners and works to implement-solutions to issues uncovered during examinations.”
Compliance program ‘lacked detail, nuance or complexity’
At the time of the 2016 Examination, the branch’s BSA/AML and OFAC policies “lacked detail, nuance or complexity,” according to the 2018 order.
“Shortcomings included failing to make appropriate use of relevant information in Know Your Customer (KYC) files, including documentation detailing the customer’s line of business and anticipated activity,” which are typically key metrics woven into AML risk assessments, with final figures then sensitizing the transaction monitoring system.
Examiners also noted that even with more staffing, AML analysts were absolutely overwhelmed by alert volumes, leading to increasingly longer lag times to even review or disposition alerts.
“At the time of the 2016 Examination, the New York Branch had accumulated a three-month backlog in its generation of any transaction monitoring alerts,” according to DFS.
Deluge of alerts overwhelmed AML staff
With some 1,500 to 1,600 alerts typically generated per month during that period, the gap between analyst and analyzed only widened.
The rising tide of alerts surged to roughly 2,000 a month as 2017 waned – with only one reviewer doing both the first and second-line reviewers of the same alert, defeating the purpose of a second pair of eyes as a backstop as it was the same reviewer.
Examiners continued to find faults across both AML and sanctions related to the number of analysts reviewing transaction alerts and sanctions hits.
“The branch maintained inadequate documentation concerning its dispositions of OFAC alerts and cases, with branch compliance staff failing to properly substantiate its rationales for waiving specific alerts and cases,” according to the action,
Examiners noted as well that the issues at Mashreq in New York were further compounded by a disconnect between the branch and the head office, leading to a third-party auditor in 2017 also failing to highlight areas needed for improvement.
Organizations that have sound internal controls effectively challenge and see accountability demonstrated by leaders, a dynamic as well harped on by regulators in expensive and expansive penalties under the seemingly innocuous term “the tone at the top.”
But when it comes to top executives – in and out of compliance – creating the “right expected behavior is essential. If they do not believe this, problems will surface,” Elvin said.
That can be difficult when, at many institutions, the fincrime compliance function and the business line have been natural enemies since time immemorial.
“Often there can be natural tension between risk and front-line business generation areas,” Elvin said.
“Stronger cultures shape open and transparent discussion and I recall stories from colleagues across the industry where those sometimes get strained in certain one-off situations, but in the end, the right actions and outcomes are usually reached in healthy corporate cultures.”
In reviewing some of the details in this specific situation, just as in other similar bad outcome events, “I would suspect, that several ‘in the trenches’ staff observed and knew certain things were not right.”
But that begs the question: why didn’t they speak up? What led to some feeling they could or should not escalate?
That answer gets to the very heart of what are the practical, tangible aspects of a “culture of compliance,” or, in this case, a lack thereof.
“If you must think twice, you already have the answer,” Elvin said. “This is a good reminder to those leaders, board of directors, supervisors, and practitioners, to reinforce the expected behaviors and channels of escalation for warranted situations.”
But the penalty figure and potential remediation costs – typically estimated to be more than 10 times the actual fine – could have been far worse without the bank’s quick and complete commitment to clean up shop.
The regulator acknowledged that Mashreqbank exhibited “laudable conduct” in not quibbling about the penalty and engaged in “strong cooperation in this matter, including demonstrating a commitment to remediating the shortcomings identified, and to building an effective and sustainable BSA/AML and OFAC compliance infrastructure.”