Red Flags for Software and Sanctions – OFAC Enforcement Wells Fargo Case Study
By Harold Jackson, Associate Attorney, Braumiller Law Group
On March 30, 2023, Wells Fargo agreed to remit $30,000,000 to settle its penalty liability across multiple sanctions programs with the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Across several years, Wells Fargo and its predecessor in Europe, Wachovia Bank, provided software that was used to process transactions with U.S.-sanctioned jurisdictions and persons.
What was the Software?
Wells Fargo acquired Wachovia and inherited Wachovia’s trade insourcing relationships, including a relationship with an undisclosed European bank (deemed “Bank A”) that was engaged in transactions that implicate U.S. sanctions. Wachovia used two different insourcing software solutions to moderate and maintain these relationships: the Comprehensive software solution, one where Wells Fargo processed trade transactions on behalf of the customer, and the Hosted software solution, one where it provided the software to the customer and the customer managed the transaction itself. The software platform was called “Eximbills.”
How did Wells Fargo violate U.S. sanctions?
Both the Comprehensive and Hosted solutions were provided to Bank A. After consulting with outside counsel, Wachovia and Bank A agreed in writing that Bank A had the responsibility to screen for OFAC sanctions for transactions processed on its Hosted solution, and Bank A agreed that it would refrain from processing transactions with OFAC-sanctioned jurisdictions or entities. Then, with knowledge of Bank A’s transactions, Wachovia took action to ensure that its personnel were not involved in “non-OFAC-compliant transactions.” Specifically, Wachovia created a mechanism in the software program that, in the event Bank A inadvertently sent a transaction involving a sanctioned jurisdiction or person to Wachovia’s Comprehensive version of Eximbills, would redirect the transaction to Bank A. Wells Fargo acquired Wachovia and continued this practice for more than seven years. Throughout this time, Wells Fargo conducted reviews, audits, and risk assessments of its operations, but chose not to review the transactions involving Bank A’s use of the Hosted solution.
What are the Red Flags from this Wells Fargo enforcement action?
The enforcement publication outlined several aggravating factors that contributed to Wells Fargo’s culpability and civil liability, which can be identified in distinct red flags:
- The Specially Designed Software was in Violation – Don’t Evade Sanctions: OFAC determined that the decision to design a software platform that would bounce violative transactions, knowing that they were likely violative and occurring, was “reckless disregard for U.S. sanctions requirements.” The key takeaway here is that Wells Fargo/Wachovia intentionally designed a program to skirt sanctions exposure for their immediate employees, even though the software was being used to violate U.S. sanctions, and the companies knew, or had reason to know, that this was occurring.
- Lack of Due Diligence in Mergers and Acquisitions: OFAC determined that allowing this practice to go on for seven years after Wells Fargo acquired Wachovia gave the violative transactions a place to occur without oversight from the bank. OFAC stated that “Wells Fargo failed to exercise a minimal degree of caution or care in failing to identify and prevent such transactions for seven years after it acquired Wachovia, despite potential sanctions concerns (including specifically with respect to possible facilitation issues) raised internally at senior-management levels on multiple occasions.”
- Risk Mitigation Starts with Senior Management: OFAC pointed out that the initial violation of specially designing the violative software was a mid-level management decision, not a senior-level decision. However, the software was allowed to remain in place for years. OFAC stated that “Wells Fargo’s senior management should reasonably have known . . . in light of the potential sanctions concerns raised internally to senior managers in Wells Fargo on multiple occasions, including after major sanctions enforcement cases . . .” This means that senior-level management is responsible for ensuring compliance across the company.
- Policy Goals are an Enforcement Priority: OFAC tends to increase penalties where the policy goals of the sanctions are undermined. OFAC provided that “By providing Bank A with a software platform specially designed to make it easier for Bank A to engage in . . . transactions with persons located in Iran . . . Wells Fargo undermined the policy objectives of . . . U.S. sanctions programs.”
- The More Sophisticated, The More Scrutiny: The more sophisticated your company is, the more scrutiny OFAC will place on your compliance and other operations, which is used to gauge your company’s knowledge or reason to know of a violation, and how comprehensive your compliance procedures must be. OFAC provides that “Wachovia, and its successor, Wells Fargo, are large and commercially sophisticated international financial institutions with sophisticated understandings of applicable sanctions requirements.”
As part of its Compliance Considerations, OFAC provided that:
“This action highlights the risks that companies may face when employees pursue new business opportunities or the preservation of existing business relationships without proper oversight . . . Moreover, when sanctions compliance risks are raised internally — including concerns arising from smaller, non-core business lines — companies should promptly seek to thoroughly investigate and address those risks.”
There are several major takeaways from this recent enforcement action. OFAC is targeting certain activities that are designed to evade or skirt sanctions. Mergers and acquisitions are low-hanging fruit when OFAC is seeking a company to investigate. Also, OFAC will look to senior management, the policy goals of the sanctions, and the sophistication of the company to assess civil liability when sanctions are violated. Companies should review their transactions and practices, including software, which is becoming an enforcement priority as programs can be used to evade sanctions.
1 OFAC Settles with Wells Fargo Bank, N.A. for $30,000,000 Related to Apparent Violations of Three Sanctions Programs, U.S. Department of the Treasury, Enforcement Release, March 30, 2023 (https://ofac.treasury.gov/media/931541/download?inline).