Skip to Main Content

Additional Nelson Mullins Alerts

Image of various forms of currency

March 1, 2022

Banks and FinTechs Beware: Here Come the Sanctions

What We Can Learn from Previous OFAC Actions Involving FinTech Companies

By Dowse Bradwell "Brad" Rustin, IV, Craig Nazzaro, Richard B. Levin

With Russia’s invasion of Ukraine last week, we saw a swift response by the U.S. beginning with President Biden’s Executive Order 14024 (“The EO”) and followed quickly by the Office of Foreign Assets Control’s (“OFAC”) severe restrictions on economic activity related to the Russian Federation. In total, the U.S. Treasury expects these sanctions to impact nearly eighty percent of the Russian Federation’s economy. On February 25, 2020, these programs were broadened to include political leaders of the Russian Federation, including Vladimir Putin (“President”) and Sergei Lavrov (“Minister of Foreign Affairs”), amongst others.

Summary of Impact on Banks and FinTech Companies

These changes pose a significant regulatory risk to U.S. financial institutions and FinTech companies. While an entity’s strong Bank Secrecy Act (“BSA”), anti-money laundering (“AML”) compliance program, and Office of Foreign Asset Control (“OFAC”) sanctions program should digest be able to address these new sanctions, the controls around your third-party due diligence and FinTech partnership program oversight most likely did not anticipate such a large-scale change to the regulatory landscape with a developed country that is extremely active in the payments, digital assets, and FinTech spaces. 

It is extremely important that financial institutions and FinTech companies immediately review their BSA and AML compliance and OFAC screening policies and procedures to ensure implementation of these sanction regimes. In addition, this is an opportunity for financial institutions to assess their (and their FinTech partners’) compliance management programs and ability to integrate these sanctions programs and quickly deploy controls. As explained more fully below, you should immediately review your company’s:

  • Know-your-customer (“KYC”) and customer identification programs;
  • Any anonymizing payment products such as digital asset payment portals; 
  • Programs to identify your customer’s counterparties;
  • Geolocation screening information;
  • IP address monitoring technology;
  • Screening for IP address misattribution (such as customers using VPNs to bypass geolocation);
  • Email address domain monitoring;
  • Physical address monitoring;
  • SDN list screening programs including “fuzzy” logic tools;
  • Implementation of OFAC-identified “red flag” warnings; and
  • Screening for flagged business identifier codes (“BICs”).

In addition, OFAC encourages regulated entities to avoid any procedures that would allow for temporary release of transactions during “pending” investigations. If not already in place, your company should also begin developing a robust risk assessment program that includes monitoring, testing, and sampling of transactions, as well as retroactive analysis of previous transactions under prior compliance programs. As always, if issues are identified, companies should immediately contact OFAC and coordinate with the agency through the self-disclosure program. 

What We Can Learn from History

Lessons from Venezuela Cryptocurrency

Historically, when nations have been subjected to significant sanctions regimes, government actors and businesses will turn to alternative, FinTech platforms for the movement of funds. Following extensive sanctions programs, the Venezuelan government launched its own digital currency and began transacting in digital assets. As reported by CoinTelegraph and Bitcoin.com, Venezuelan President Maduro has officially announced efforts to use digital asset exchanges to bypass sanctions programs. The firm is aware of many attempts by Venezuelan nationals and Venezuelan-related companies to use international and U.S.-based digital asset payment companies and exchanges to access cryptocurrency markets. It would not be a stretch for the Russian Federation to employ similar strategies to bypass U.S., U.K., E.U., and other nations’ sanctions programs. New sources, such as Politico and The Washington Post, have already identified digital assets as one of the ways that the Russian Federation and blocked persons will attempt to evade these sanctions programs.   

OFAC Enforcement Against BitPay

The FinTech company BitPay operated a digital asset payment system for merchants. On February 18, 2021, OFAC announced a monetary settlement with BitPay for OFAC screening failures. The BitPay Settlement serves as a guide for FinTech companies and FinTech-partnering financial institutions implementing sanctions programs. BitPay screened its merchant customers against OFAC’s Specially Designated Nationals and Blocked Persons lists (SDN Lists) and conducted due diligence to confirm that these merchants were not located in sanctioned jurisdictions. However, BitPay did not screen its customers’ customers at the time of the transaction. As a result, BitPay enabled persons—its customers’ customers—located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria to engage in digital currency-related transactions. In the Settlement, OFAC concluded that BitPay should have screened transaction data, including:

  1. Reviewing Internet Protocol (IP) addresses that appear to originate in Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payments using BitPay;
  2. Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
  3. Implementing a customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice equal to or above $3,000. As part of this process, BitPay will require that the merchant’s customer provide an email address, proof of identification/photo ID, and a selfie photo. 

OFAC did not determine that BitPay’s customer screening processing was lacking. Rather, the focus was on appropriate transaction monitoring to ensure that payment counterparties were not subject to sanctions programs.

Payoneer

Payoneer operates a money transmission and prepaid access service. On July 23, 2021, OFAC announced a monetary settlement with Payoneer for violations of multiple sanctions programs. The Payoneer Agreement determined that the company processed 2,201 payments for parties located in sanctioned nations and 19 payments on behalf of individuals on the SDN List. In the Settlement, the OFAC criticized Payoneer for:

  1. Weak algorithms that allowed close matches to SDN List entries not to be flagged by its filter;
  2. Failure to screen for Business Identifier Codes (BICs) even when SDN List entries contained them;
  3. During backlog periods, allowing flagged and pended payments to be automatically released without review; and
  4. Lack of focus on sanctioned locations, especially Crimea, because it was not monitoring IP addresses or flagging addresses in sanctioned locations. 

These enforcement actions reflect OFAC’s priorities, particularly as they relate to FinTech customer relationships. In late 2021, OFAC issued Sanctions Compliance Guidance for the Virtual Currency Industry that built upon OFAC’s Framework for OFAC Compliance Commitments. These documents drive home the need for FinTech companies to focus on:

  1. Customer counterparty screening;
  2. Robust Know-Your-Customer (KYC) procedures even if the entity does have a primary BSA obligation (i.e., even FinTech companies that are not federal money services businesses must have sufficient KYC programs to screen for OFAC prohibited transactions);
  3. Use of geolocation and IP address data for location determination;
  4. Screening for IP misattribution (i.e., use of VPN services);
  5. Active transaction monitoring, including monitoring for geolocation;
  6. Use of third-party transaction monitoring services, including certain blockchain analytics databases; 
  7. “Red flag” monitoring that specifically includes those OFAC-identified red flags on Page 17 of the Sanctions Compliance guidance; and
  8. Active risk management include self-disclosure to OFAC, root cause analysis, risk assessment, formal corrective action planning, and historical audits, monitoring, and testing.  

Initial Blocking Orders

The U.S. Department of the Treasury has engaged in broad-based sanctions programs against the Russian Federation, its financial sector, key industries, and governmental figures. 

  1. OFAC Directive 2 broadly restricts correspondent accounts, payable through accounts (PTAs), and transaction processing relating to Sberbank of Russia and its affiliated companies. Sberbank presently controls approximately one-third of all bank assets in Russia.  
  2. Simultaneously, OFAC issued full blocking sanctions on VTB Bank, Russia’s second-largest financial institution, which holds nearly twenty percent of all bank assets in Russia. 
  3. Shortly thereafter, OFAC added three additional financial institutions to its full blocking sanctions: Otkritie, Sovcombank, and Novikombank. 
  4. OFAC Directive 3 additionally blocks any equity transactions or debt transactions (with a maturity longer than 14 days) related to an additional group of Russian financial institutions and major industrial companies: 
    1. Credit Bank of Moscow;
    2. Gazprombank;
    3. Alfa-Bank;
    4. Russian Agricultural Bank;
    5. Sovcomflot;
    6. Russian Railways;
    7. Alrosa; 
    8. Gazprom;
    9. Gazprom Neft; 
    10. Rostelecom; 
    11. RusHydro; 
    12. Sberbank; and 
    13. Transneft.      

Additional Blocking Orders

Additions to OFAC's SDN List were extensive and include two financial institutions, VEB and PSB which are state-owned institutions that are crucial to financing the Russian defense industry, as well as 42 of their subsidiaries. These financial institutions play significant roles in the Russian economy, holding combined assets worth tens of billions of dollars. These subsidiaries which are now blocked include:

  • BELVEB OJSC, a bank located in Belarus;
  • VEB Leasing OJSC, a leasing company located in Russia;
  • Prominvestbank, a bank located in Ukraine;
  • VEB Capital, a financial company located in Russia;
  • VEB Engineering LLC, an investment project implementation services company located in Russia;
  • JSC Infraveb, an investment project support company located in Russia;
  • JSC VEB.DV, an investment project support company located in Russia;
  • VEB Asia Limited, a financial company located in Hong Kong;
  • LLC Infrastructure Molzhaninovo, an electric energy company located in Russia;
  • LLC Resort Zolotoe Koltso, a real estate and construction company located in Russia;
  • JSC Russian Export Center, an export-related company located in Russia;
  • LLC VEB Ventures, a financial company located in Russia;
  • LLC VEB Service, a business and management advisory company located in Russia;
  • LLC Special Organization for Project Finance Factory of Project Finance, a financial company located in Russia;
  • LLC SIBUGLEMET Group, a coal mining company located in Russia;
  • JSC ANGSTREM-T, a technology company located in Russia;
  • LLC NM-TEKH, a technology company located in Russia;
  • JSC SLAVA, a real estate company located in Russia;
  • JSC PFC CSKA, a sporting activities company located in Russia;
  • LLC Torgovy Kvartal-Novosibirsk, a property leasing company located in Russia;
  • LLC Baikal Center, a construction company located in Russia;
  • LLC Progorod, an infrastructure company located in Russia;
  • LLC VEB.RF Asset Management, a financial company located in Russia;
  • Eximbank of Russia JSC, an export support institution located in Russia as well as a commercial bank regulated by the Central Bank of the Russian Federation;
  • Russian Agency for Export Credit and Investment Insurance OJSC, an insurance agency located in Russia;
  • Alkes Treid, a financial company located in Russia;
  • Antares, a financial company located in Russia;
  • Elitnye Doma, a real estate company located in Russia;
  • PSB Innovations and Investments Limited Liability Company, a technology company located in Russia;
  • Era Fund Limited Liability Company, a technology company located in Russia;
  • PSB-Foreks, a financial company located in Russia;
  • Kholtsvud, a financial company located in Russia;
  • Kourf, a financial company located in Russia;
  • Management Company Promsvyaz LLC, an investment company located in Russia;
  • Paskal, a company that provides management consulting services in Russia;
  • PSB Biznes, a hospitality company located in Russia;
  • Saint-Petersburg International Banking Conference LLC, a financial company located in Russia;
  • Sergievo-Posad Lend, a financial company located in Russia;
  • PSB Avializing, a financial company located in Russia;
  • Tekhnosoft, a technology company located in Russia;
  • Trinitex, a real estate company located in Russia; and
  • PSB Lizing, a financial company located in Russia.

Treasury also stated that elites close to Russian President Vladimir Putin continue to leverage their proximity to the President to harm the stability of Ukraine. Treasury, therefore, blocked all property and interests in property of those listed below that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC.  In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, fifty percent or more by one or more by these individuals are blocked. The individuals are: 

  • Denis Aleksandrovich Bortnikov;
  • Aleksandr Vasilievich Bortnikov;
  • Petr Mikhailovich Fradkov;
  • Vladimir Sergeevich Kiriyenko; and
  • Sergei Vladilenovich Kiriyenko.

On February 25, 2022, OFAC imposed sweeping sanctions against Putin and other political figures in the Russian government. Though it is rare for OFAC to impose sanctions against foreign heads of state, there is precedent involving other “despots” such as Kim Jung Un, Alyaksandr Lukashenka, and Bashar al-Assad. In addition, the sanctions also target:

  • Sergei Lavrov, Minister of Foreign Affairs;
  • Sergei Shoigu, Minister of Defense; and
  • Valery Gerasimov, Chief of the General Staff of the Russian Armed Forces.

This latest round of sanctions builds off previous sanctions programs targeting members of the Russian Security Council:

  • Valentina Matviyenko, Chairwoman of the Council of Federation;
  • Sergei Naryshkin, Director of the Foreign Intelligence Service;
  • Vyacheslav Volodin, State Duma Speaker;
  • Sergei Ivanov, Special Presidential Representative for Environmental Protection, Ecology, and Transport;
  • Nikolai Patrushev, Secretary of the Russian Federation Security Council;
  • Vladimir Kolokoltsev, Interior Minister;
  • Alexander Bortnikov, Director of the Federal Security Service;
  • Igor Krasnov, Prosecutor General;
  • Igor Shchegolev, Presidential Plenipotentiary Envoy to the Central Federal District;
  • Vladimir Ustinov, Presidential Plenipotentiary Envoy to the Southern Federal District; and
  • Viktor Zolotov, Director of the Federal Service of National Guard Troops and Commander of the National Guard Troops.

Now is the Time

Now is the time to assess your compliance program and associated controls as well as your strategic partnerships and product offerings to confirm your institution is not only accounting for these significant changes but also to determine if your controls are sufficient and reasonable. You should consider these changes considering your current customers, the industries you service, and your various partnerships. Certain areas of bank operations are at a higher risk than others and your program and controls should reflect that. Those areas include:

  1. International wire transfers;
  2. Trade finance;
  3. Foreign exchange;
  4. Crypto and digital assets; and 
  5. International prepaid products. 

We anticipate that BSA/AML, OFAC, and Third-Party oversight programs will be an area with increased focus within upcoming exams given these far-reaching sanctions.