A closer look at sanctions monitorships and recent enforcement actions

This is an Insight article, written by a selected partner as part of GIR's co-published content.

The issuance and structure of sanctions monitorships are often similar to those of other types of monitorships. Regulators and law enforcement agencies are increasingly reliant on independent monitorships as part of enforcement actions following the identification of misconduct or potential corporate crime. The specific nature of sanctions laws and regulations, the binary context of sanctions compliance, the technology systems required to maintain compliance, inconsistencies across geographies and the evolving financial landscape are unique factors that require specific attention.

This chapter sets forth the legal and historical contexts of sanctions monitorships, recent enforcement actions, the regulatory bodies and other influential organisations involved in the issuance and enforcement of sanctions laws, and specific challenges for institutions placed under a sanctions monitorship.

Legal context of sanctions monitorships

Sanctions laws and regulations are implemented by numerous countries and governing bodies. Sanctions can be considered an extension or application of a country’s foreign policy, which can be unique to a single country (unilateral sanctions) or jointly applied by multiple countries (multilateral sanctions). Generally, the majority of sanctions are implemented by the United States, the United Nations and the European Union.

US sanctions law, dictated by presidential executive orders and through acts of Congress, requires compliance by the following groups and entities:

  • US citizens and permanent residents, regardless of current location;
  • companies and other entities established under US law;
  • people and organisations located within the United States, regardless of origin; and
  • branches of US companies and other entities outside the United States.

Sanctions compliance within the United States is applied through the concept of strict liability.[2] All individuals and entities subject to US sanctions law are required to comply regardless of explicit awareness of non-compliance or provable intent to evade the law. In the event of a violation or non-compliance with sanctions law, the competent regulatory body or law enforcement agency may choose to pursue civil and criminal action. The extent of penalties often depends on the severity of the infraction and other extenuating circumstances, such as whether the conduct is considered wilful or reckless. In the case of criminal prosecution, penalties against an individual may include a prison sentence, although fines are the most common penalty.[3] In addition to monetary penalties, companies and organisations may be required to commit to remediation efforts or enforcement actions by a regulator or law enforcement, which can include the appointment of an independent monitor.

The US Department of Justice (US DOJ) or other US regulatory bodies may issue various enforcement actions as a result of non-compliance with US sanctions law. These enforcement actions may result from external investigations or proactive disclosures. The Office of Foreign Assets Control (OFAC) and the US DOJ encourage companies to voluntarily self-disclose all potentially wilful violations of the statutes implementing the US government’s primary export control and sanctions regimes.[4] If a company (1) voluntarily self-discloses export control or sanctions violations, (2) fully cooperates and (3) remediates the violations appropriately and in a timely manner, there is a presumption that the company will receive a non-prosecution agreement (NPA) and pay a limited or, potentially, no fine. The US DOJ may enforce criminal resolutions, such as a deferred prosecution agreement (DPA) or guilty plea if the violations exhibit aggravating factors, such as the export of particularly sensitive items, repeated violations, the involvement of senior management and significant profit. In these instances, the US DOJ will issue, or recommend to a sentencing court, a monetary fine but will not require the appointment of a monitor if the company provides evidence of an established and effective compliance programme being in place at the time of resolution.

The US DOJ continues to evolve its policy and enforcement priorities focusing on white-collar and corporate crime and wrongdoing. From 2021 to 2023, the US Attorney General’s Office announced several priorities and actions that the US DOJ is implementing to strengthen efforts to combat corporate crime.[5] The first priority pertains to addressing the rapidly increasing intersection between corporate crime and both US and global security. The second priority focuses on assessing historical misconduct when determining the appropriate resolution, and the record of misconduct speaks to a company’s commitment to compliance programmes and instituting the appropriate culture to disincentivise criminal activity. Last, the US Attorney General’s Office stated that the department will modify prior guidance and its stance on the use of corporate monitors. Specifically, she states: ‘Instead, I am making clear that the department is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under the DPA or NPA.’[6] The US Attorney General’s Office’s reinforcement of efforts to combat corporate crime is a strong indicator to financial institutions and corporations of the likelihood of a required monitorship following the identification of criminal activity or significant compliance violations.

On 17 February 2023, the US DOJ and the US Bureau of Industry and Security of the US Department of Commerce (BIS) launched the Disruptive Technology Strike Force (Strike Force), led by the US DOJ’s National Security Division and BIS. The Strike Force brings together government experts, including from the Federal Bureau of Investigation, Immigration and Customs Enforcement, Homeland Security Investigations and 14 US Attorneys’ Offices to target illicit actors, strengthen supply chains and protect critical technology from being acquired or used by adversaries.[7] On 16 May 2023, the Strike Force announced its first five enforcement actions, two of which involved disruption of networks assisting Russian military and intelligence to obtain advanced technology and testing equipment with military applications.[8] While these task forces are in their infancy, settlements or resolutions to the cases they bring may also require the imposition of an independent monitor.

Historical context and trends

Recent sanctions enforcement actions and monitorships

From 2018 to 2023, OFAC issued 102 enforcement actions.[9] Historically, regulators and law enforcement agencies have focused most enforcement actions and monitorships resulting from sanctions violations on financial institutions. In recent years, however, corporations and financial technology (fintech) companies have been the subject of increased scrutiny and penalties following the discovery of sanctions violations.

Financial technology

Fintech companies, which apply technology and other innovative solutions to assist with the delivery of various financial services, continue to be evaluated for their proper adherence to sanctions compliance and regulatory expectations, and remedial action is enforced following the identification of deficiencies or violations.

Binance Holdings, Ltd

In November 2023, Binance Holdings, Ltd (Binance), a global virtual currency (VC) exchange, agreed the largest settlements in history.[10] Binance agreed to a US$968,618,825 penalty for apparent sanctions violations and a US$3.4 billion penalty with the Financial Crimes Enforcement Network for Bank Secrecy Act (BSA) violations, and to retain an independent compliance monitor for five years. Between 2017 and 2022, Binance facilitated VC transactions between US users and users in sanctioned jurisdictions or blocked persons, resulting in violations of OFAC sanctions programmes. According to OFAC, Binance management knew of and permitted users in sanctioned jurisdictions despite understanding the potential for OFAC violations. Binance management also encouraged users to circumvent the company’s controls.[11]

Bittrex, Inc

In October 2022, Bittrex, Inc (Bittrex), a Washington-based crypto asset trading platform, agreed to a US$24,280,829.20 settlement for sanctions programmes violations. Bittrex failed to prevent users in sanctioned jurisdictions[12] from conducting VC-related transactions totalling approximately US$263,451,600.13. Based on internet protocol (IP) address and physical address information collected about each customer at onboarding, Bittrex had reason to know that users were in sanctioned jurisdictions but was not properly screening this information.[13]

CoinList Markets LLC

In December 2023, CoinList Markets LLC (CLM), a California-based VC exchange, agreed to a US$1,207,830 settlement for a processing violation of OFAC’s Russia and Ukraine sanctions. CLM processed 989 transactions for users in Crimea between April 2020 and May 2022.[14]

Payward, Inc d/b/a Kraken

In November 2022, Payward, Inc d/b/a Kraken (Kraken), a Delaware-based VC exchange with international operations, agreed to a US$362,158.70 settlement for violations of sanctions against Iran. According to OFAC, Kraken failed to implement geolocation tools in a timely manner, resulting in provision of services to users in Iran.[15]

OFAC assessed monetary and other penalties to nine fintech companies in 2022 and 2023, resulting in nearly US$1 billion in settlements.[16] While regulators did not require monitorships in all instances, the record high settlement and monitorship of Binance and other settlements are a strong indication that fintech companies will continue to be subject to regulatory scrutiny. The operating model of fintech companies provides data points such as IP addresses. Regulators have taken the position that transacting institutions must screen all available data points for sanctions compliance, as evidenced by the Kraken and Bittrex settlements. This is a warning to other fintech companies that failure to meet these expectations could lead to severe penalties.

Financial institutions

Emigrant Bank

In September 2023, Emigrant Bank (Emigrant), a New York bank, agreed to a US$31,867.90 civil settlement for violations of Iran OFAC sanctions. Emigrant maintained a certificate of deposit account for approximately 26 years for individuals residing and located in Iran. Emigrant processed transactions between 2017 and 2021 totalling US$91,051.13. Emigrant had actual knowledge of the Iranian addresses and locations of the account holders.[17]

Swedbank Latvia AS

In June 2023, Swedbank Latvia AS (Swedbank Latvia)[18] in Latvia agreed to a US$3,430,900 settlement for 386 apparent violations of OFAC sanctions on Crimea. A customer of Swedbank Latvia used Swedbank Latvia’s e-banking platform from an IP address in Crimea to send payments to persons in Crimea through US correspondent banks throughout 2015 and 2016.[19]

Wells Fargo Bank, NA

In March 2023, Wells Fargo Bank, NA (Wells Fargo) agreed to a US$30 million settlement for 124 sanctions violations. From 2008 through 2015, Wells Fargo[20] provided a foreign bank in Europe with software that that bank used to process trade finance transactions with US-sanctioned jurisdictions and persons. Wachovia customised a trade insourcing software platform for general use by the European bank. According to OFAC, Wachovia knew or should have known that this would result in trade finance transactions with sanctioned jurisdictions and persons.[21]

Large corporations

Microsoft Corporation

In April 2023, Microsoft Corporation (Microsoft), a Redmond, Washington multinational technology company, agreed to a US$2,980,265.86 settlement. According to OFAC, Microsoft failed to identify and prevent the use of its products by prohibited parties. Microsoft exported services or software from the United States to comprehensively sanctioned jurisdictions and to specially designated nationals (SDNs) or blocked persons.[22] [23] Although Microsoft is not currently the subject of a monitorship, the actions taken against the organisation highlight regulators’ increased efforts to seek enforcement actions against corporations, not solely financial institutions. Corporations could also face settlements that include provisions for an independent monitor.

ZTE Corporation

ZTE Corporation (ZTEC), a telecommunications company based in China, entered into a plea agreement with the US DOJ in 2017, including the provision of an independent monitor. ZTEC conspired to evade US sanctions law through the illegal shipping of US goods and technology to Iran.[24]

The enforcers

Legislative bodies, governments and intergovernmental organisations implement various forms of sanctions law, resolutions or restrictive measures. In most cases, related government branches, regulatory bodies and law enforcers are responsible for enforcing and monitoring sanctions compliance. The primary enforcers of sanctions measures include the United States, the United Nations, the European Union, and other countries and influential organisations.

United States

OFAC and BIS, as well as financial regulators such as the Office of the Comptroller of the Currency and the Federal Reserve Bank and state-level regulators such as the New York State Department of Financial Services (NYDFS), have a role in monitoring sanctions compliance. OFAC maintains the SDN and blocked persons lists, which identify restricted individuals, companies and other entities requiring activity to be blocked or frozen. Within the Department of Commerce, BIS maintains the Denied Persons List, a catalogue of individuals denied export privileges, and the Export Administration Regulations, which apply export controls to specific commodities, technology, software and other items.

The NYDFS implemented its 504 Rule for Transaction Monitoring and Filtering Program Requirements and Certifications following prior investigations into its regulated institutions having identified various deficiencies. The 504 Rule clarifies transaction monitoring and filtering programme requirements. It specifically requires management to certify that a filtering programme is reasonably designed to interdict transactions prohibited by OFAC, similar to Sarbanes–Oxley Act of 2002 requirements.[25]

United Nations

The United Nations enacts sanctions regulations through resolutions, and the UN Security Council sets the specific criteria for targeting individuals and entities. The UN Security Council is composed of 15 member countries, with each member participating or voting to enact sanctions resolutions. Member states of the United Nations are each obliged to adopt and comply with the UN sanctions resolutions but may also create their own laws and regulations and enforcement bodies.

European Union

The European Union imposes sanctions law through restrictive measures developed by the European External Action Service and agreed to by the Council of the European Union. The European Union implements all UN-issued sanctions resolutions, and EU Member States are required to enact individualised legislation for sanctions monitoring and enforcement, including penalties for violations.

Other nations

Various other countries enact sanctions law and compliance requirements and establish local authorities to oversee enforcement. The following are some examples:

  • United Kingdom: The Office of Financial Sanctions Implementation (part of HM Treasury) establishes and administers sanctions.
  • Australia: The Department of Foreign Affairs and Trade enacts general sanctions policy.
  • Singapore: The Monetary Authority of Singapore administers financial sanctions.

Influential organisations

Several notable organisations have taken steps to further develop principles and guidance to aid in anti-money laundering (AML), terrorist financing and sanctions compliance.

Financial Action Task Force

In 1989, seven countries came together to create the Financial Action Task Force (FATF) with the primary goal of developing recommendations on international standards to combat money laundering and terrorist financing. The FATF has grown to 39 members, each required to adhere to the FATF recommendations. Additionally, the FATF publishes mutual evaluation reports, which evaluate a country’s adherence to the FATF recommendations.

The Wolfsberg Group

The Wolfsberg Group, an international organisation composed of 13 global banks, develops and publishes guidance for global banks on the framework and best practices for managing and combating financial crime risk.

The legal requirements

The United States, the United Nations and the European Union have implemented more numerous and comprehensive sanctions regimes than other countries or intergovernmental bodies. Upon implementation of a law or restriction, various regulatory bodies, such as OFAC, are tasked with enforcement.

In the United States, the President may enact sanctions regulations through acts of Congress or executive orders. The UN Security Council implements sanctions or resolutions, and all member states are expected to adopt the passed resolutions. The European External Action Service prepares restrictive measures to which member states are expected to adhere.

Unique challenges of sanctions monitorships and compliance

Financial institutions under a sanctions monitorship

Financial institutions under a sanctions monitorship encounter several challenges to comply with the terms of a monitorship and regulatory requirements. Unique aspects of a sanctions monitorship include (1) the global scope versus the regional scope of the remediation, (2) the level of remediation efforts and regulator involvement, (3) the effect on ‘business as usual’ of monitorship requirements and (4) system enhancements and technology changes. Specific challenges also include data issues and inconsistent or conflicting regulation of sanctions law against certain countries, and the requirements of a DPA or consent order may be more restrictive than the law.

Global versus regional scope

The scope of the monitorship presents a challenge to a financial institution based on its size, the geographies where it operates, its number of customers, the products and services it offers, and its delivery channels. For example, sanctions violations may originate from one region or branch of a financial institution, leading to localised remediation efforts of the regional sanctions compliance programme. A financial institution with a more expansive footprint and global presence may require enhancements to the global sanctions compliance programme and compliance elements unique to each region. It is imperative that regional sanctions personnel are properly trained on the requirements of the global sanctions compliance programme and on the sanctions laws of the jurisdictions where the financial institution conducts business or processes transactions. Further, changes and enhancements made to a global sanctions compliance programme may require implementation in the applicable regional sanctions compliance programmes.

Remediation efforts and regulator involvement

Monitorships exhibit varying levels of involvement by multiple enforcement bodies and consulting firms. A financial institution may be simultaneously complying with multiple DPAs or consent orders involving more than one enforcement body.[26] Depending on the scope of the engagement or applicable conflicts of interest, the enforcement bodies may engage different consulting firms to carry out the work. As such, the financial institution may handle requests for information and meetings from multiple firms, resulting in potential duplication of efforts and increased burden on personnel. Additionally, the enforcement body’s level of direct involvement may vary. For example, an enforcement body may be satisfied with receiving updates from the monitor on the status of the engagement, while another may prefer to have regular meetings or submit special requests in addition to those made by the monitor.

Regulatory and jurisdictional conflicts

Financial institutions may encounter potential conflicts between the requirements of a DPA and the application of sanctions laws across various countries. Specifically, the requirements of the applicable DPA or consent order may be more restrictive than the governing laws of the jurisdiction where the financial institution resides or conducts business. As such, the financial institution may be required to implement additional programme enhancements beyond those necessary to comply with regional sanctions laws, which may necessitate an increase in compliance budget or personnel. Further, the application of sanctions laws against a particular country may vary across jurisdictions. Specifically, sanctions implemented against a country such as Cuba by the United States may not be honoured by other countries, resulting in conflict for financial institutions with customers transacting with both Cuba and the United States.

Balancing ‘business as usual’ with monitorship requirements

Financial institutions working with a monitor to oversee compliance with a DPA or consent order face the unique challenge of balancing ‘business as usual’ responsibilities with the additional work required to comply with monitor, regulator or law enforcement requests. In addition to day-to-day responsibilities and requests from the monitor, the sanctions or compliance teams are often responding to requests from internal audit or compliance assurance. The monitor may submit a substantial number of document requests and schedule meetings to gain a better understanding both of the knowledge and expertise of the staff and of the financial institution’s sanctions compliance process. These simultaneous requests can place significant strain on resources.

The monitor may also identify findings and recommendations to improve the sanctions compliance programme, including enhancements to policies and procedures, improvements to processes or programme documents, and the addition or reassignment of sanctions personnel. The increased workload to comply with the terms of the monitorship, remediate findings and implement enhancements may require the financial institution to hire additional full-time staff or outsource to external firms.

It is imperative that the business or corporate functions of the financial institution remain aware of challenges being faced and the effort and financial commitment needed to comply with the terms of the monitorship. The sanctions compliance team should regularly update the governance oversight committee, senior leadership and directors on the progress of the monitorship and any significant changes required to remediate the monitor’s findings. Without full commitment from the financial institution to approve additional funding or increase staff, the sanctions compliance team may struggle to balance business as usual with monitorship requirements, posing additional compliance risk to the institution.

Data, sanctions technology and personnel

Data challenges

Data presents a challenge to financial institutions in complying with sanctions laws, as the volume and format of available data vary across institutions and jurisdictions. Frequently, data sources can be truncated, incomplete and disjointed across systems or platforms within the institution, making it difficult to maintain real-time watch list screening practices. In addition, the data must be screened against state, federal and international watch lists, depending on regulatory requirements. Further, institutions with a global presence face the challenge of differing data privacy laws and translation or transliteration processes. Finally, the volume of data can further complicate sanctions screening. The difficulty in monitoring the flow of payments increases as an institution expands its customer base and products and services. Specific challenges include customer onboarding and identity verification, transaction screening and watch list updates.[27]

System technology

Additional challenges for financial institutions facing sanctions monitorships include implementing the enhancements recommended by the monitor. This often involves enhancements to sanctions screening technology, changes to, or the implementation of, case management systems and improvements to list management processes. Implementing system changes or new technologies presents additional risk as system downtime can lead to backlogs of required regulatory filings, such as potential circumvention attempts and voluntary self-disclosures. Further, changes to sanctions screening technology and system settings may increase the number of sanctions alerts and cases.

During the covid-19 pandemic, several jurisdictions noted an increased use of new and emerging IT tools to assist with the prevention and supervision of terrorism financing, specifically in respect of sanctions screening. Additionally, new systems have been developed on blockchain technology.[28] The use of new technology may pose increased risk of potential sanctions programme violations if the systems are not fully tested or sufficiently calibrated. Users of new technology should educate their regulators on their system’s process and output so that the agencies are more comfortable with its use.

Sanctions personnel and training

System enhancements and new technology implementation require financial institutions to conduct supplementary training for sanctions personnel and a formal compliance training programme. Training ensures that staff are deploying the sanctions screening technology properly and serves as an important control in the mitigation of sanctions compliance risk exposures. In addition, a monitor may make recommendations to augment or reduce the number of sanctions compliance personnel based on the appropriateness of roles and responsibilities, sanctions experience and industry knowledge. The proposed changes in roles or responsibilities might result in staff attrition or a heavier workload for the sanctions team.

Maintaining sanctions compliance

Financial institutions face continuous challenges in maintaining compliance with local and international sanctions laws. Specifically, the following can affect a financial institution’s sanctions compliance programme.

Evolving sanctions regulation and regimes

Sanctions regulation and regimes are continually evolving, creating a moving target for financial institutions striving to achieve compliance with regulatory standards. Effectively monitoring these changes and staying informed about the global political climate mitigates the risk inherent to financial institutions posed by these changes. Methods of staying current include requiring vendors to provide updated lists, monitoring government websites through subscriptions and creating tailored news alerts. In addition, consulting external sanctions experts or counsel can ensure that an institution stays aware of sanctions developments. Sanctions counsel can actively track pending sanctions legislation and provide real-time advice on developments. Financial institutions must also remain diligent in updating sanctions-related policies, procedures and process documents to reflect these changes; train personnel on any developments affecting their day-to-day responsibilities; and rescreen customers who may be affected by regulatory changes.

Jurisdiction or extraterritoriality issues

It is critical that financial institutions maintain continuous awareness of both domestic and international sanctions requirements. Sanctions measures and requirements for compliance can be complex, and the level of cooperation between jurisdictions varies. In certain circumstances, economic sanctions imposed by one jurisdiction may result in measures being imposed against entities located in another country. Examples include the scope and application of the Trading with the Enemy Act and the International Emergency Economic Powers Act.[29] In addition, some economic sanctions may conflict with the sanctions laws enacted in another country, creating a challenge for financial institutions conducting business in both countries as to which sanctions laws they must follow. Further, some jurisdictions have enacted blocking statutes to shield entities in a particular jurisdiction by disallowing the recognition of certain extraterritorial sanctions imposed by other countries.[30] The European Union established one such blocking statute, which nullifies US sanctions against commercial trade with Iran.[31]

Further, many sanctions measures are not absolute in their application and include exemptions. Entities in the United States, for example, may apply for specific licences for (1) the release of blocked funds, (2) travel under specified conditions to jurisdictions that the sanctions measures would otherwise prohibit or (3) exporting certain commodities that support medical and agricultural needs in sanctioned jurisdictions.[32] The myriad complexities in the application and enforcement of sanctions efforts across jurisdictions can present challenges in maintaining an effective sanctions compliance programme.

Global trade processes and data privacy laws

In addition to evolving regulations and jurisdictional conflicts, international trade finance continues to operate using outdated technology and processes that create risk of sanctions evasion. Specific examples include (1) trade agreements written before the emergence of digital commerce, (2) transactions accompanied by large amounts of paperwork and (3) trade financing that depends on traditional banking methods.[33] A large portion of the trade industry is still based on paper documents and antiquated processes that slow international commerce and have a significant effect on the economy. Specifically, drawbacks of the global trade process include (1) trucks and containers standing idle at ports, (2) cash flow tied up in goods awaiting the production of trade documents and (3) a lack of visibility and inventory status.[34] Further, missing documentation, inadequate global location tracking, and diluted or forfeited data pose challenges to sanctions compliance efforts.

In addition, data privacy laws differ across jurisdictions. In certain countries, such as Zimbabwe and South Korea, data privacy laws limit or restrict the provision of confidential data across jurisdictions. Further, colleagues working within the same institution with a global presence may not be permitted to share information unless both are physically present in the jurisdiction where the data is stored. Lack of access to certain information poses a challenge to financial institutions in complying with international sanctions laws and poses risks of sanctions violations.

Digital assets

Digital assets, such as cryptocurrencies, present challenges to financial institutions in complying with regulatory sanctions due to the wide array of products and services and the thousands of cryptocurrencies in circulation. The complexity of cryptocurrency makes it difficult to identify and control inherent risks, making cryptocurrencies attractive to entities in sanctioned countries. Although many cryptocurrency products are traceable and regulated in certain jurisdictions,[35] sanctioned entities can access cryptocurrencies through non-traditional means, such as the dark web, or cryptocurrency mining, which creates anonymity, and may further rely on mixers or tumblers to obscure the source of funds.[36] This anonymity increases the difficulty of identifying sanctions circumvention attempts.

Furthermore, cryptocurrency and other digital asset transactions introduce additional identifying information, including digital wallet and IP addresses, and other forms of geolocation information unique to digital or online activity. The availability of this type of information introduces additional screening and due diligence requirements. From November 2018 to November 2023, OFAC added to its SDN list approximately 600 cryptocurrency addresses found to be associated with entities and individuals responsible for various offences, such as use of mixers to facilitate theft and laundering, facilitating payments to Hamas[37] and exchanging proceeds of a ransomware attack.[38] In October 2021, OFAC published guidance regarding virtual currencies that details regulatory expectations for sanctions compliance.[39]

The future

Artificial intelligence (AI) is the future for sanctions and BSA and AML compliance, but it is also a new area of focus for regulators and law enforcement. Financial institutions investing in AI implementation to improve efficiencies should be fully versed in the solution so that they can explain it easily to regulators and law enforcement. The AI should also be customisable to account for the dynamic nature of economic sanctions. Further, the use of AI will require the introduction of a quality assurance (QA) component. In addition to the time spent reviewing the output of AI, the QA review introduces further risk of potential human error to the process.

Sanctions technology can automate repetitive and menial tasks to improve financial institutions’ sanctions compliance efficiency. If not properly tuned or maintained, however, it could magnify inaccuracies by repeating the same fault on multiple occasions. Financial institutions should conduct periodic model and data validation testing to ensure that the system performs exactly as intended.

Conclusion

Law enforcement and regulatory bodies are becoming more comfortable with the inclusion of an independent body as part of a settlement to ensure that their remediation requirements are met. Specifically, regulators and law enforcement agencies appear to be increasing the penalties and frequency of enforcement actions, including the use of monitorships, for economic sanctions violations. Financial institutions and corporations should prepare for the possibility of receiving a monitor as part of a settlement. If this is the case, the institution needs to plan and prepare to manage the process as smoothly as possible. The institution and its staff will be challenged to maintain business as usual while also responding to requests from the monitor, regulators, and internal or external auditors. Financial institutions, fintech companies and corporations can all benefit from evaluating whether their current programme complies with sanctions law and regulation, keeping in mind the continuing and evolving complexities of sanctions compliance. Further, sanctions technology and AI may be a focus for regulators and law enforcement agencies in future sanctions monitorships as the use of AI becomes more prevalent in financial institutions and sanctions compliance programmes.


Endnotes

[1] Patrick J McArdle is a partner and Steven McCarthy is a director at Guidehouse. Natalia Prokofyev and Jason Thibault, associate directors at Guidehouse, also assisted with the drafting of this chapter.

[2] Electronic Code of Federal Regulations, ‘Appendix A to Part 501 – Economic Sanctions Enforcement Guidelines’, at https://www.ecfr.gov/cgi-bin/text-idx?SID=ccac94aaa0387efe2a9c3fca2dc5a4ab&mc=true&node=ap31.3.501_1901.a&rgn=div9 (last accessed 1 Feb. 2024).

[3] 18 US Code § 981; 18 US Code § 982; 18 US Code § 3571(d); 18 US Code § 3572(a).

[4] See, e.g., US Department of Commerce, Department of the Treasury and Department of Justice, ‘Tri-Seal Compliance Note: Voluntary Self-Disclosure of Potential Violations’ (26 Jul. 2023), at https://ofac.treasury.gov/media/932036/download?inline (last accessed 1 Feb. 2024); US Department of Justice (US DOJ), ‘NSD Enforcement Policy for Business Organizations’ (1 Mar. 2023), at https://www.justice.gov/file/1570996/download (last accessed 1 Feb. 2024); and ‘Export Control and Sanctions Enforcement Policy for Business Organizations’ (13 Dec. 2019), at https://www.justice.gov/nsd/ces_vsd_policy_2019/dl (last accessed 1 Feb. 2024).

[5] US DOJ, ‘Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the New York City Bar Association’s International White Collar Crime Symposium’ (28 Nov. 2023), at https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-new-york (last accessed 1 Feb. 2024); ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 Oct. 2022), at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute (last accessed 1 Feb. 2024).

[6] ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 Oct. 2022), at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute (last accessed 1 Feb. 2024).

[7] US Department of Commerce, ‘Justice and Commerce Departments Announce Creation of Disruptive Technology Strike Force’ (17 Feb. 2023), at https://www.commerce.gov/news/press-releases/2023/02/justice-and-commerce-departments-announce-creation-disruptive (last accessed 5 Feb. 2024).

[8] US Department of Justice, Office of Public Affairs, ‘Assistant Attorney General for National Security Matthew G. Olsen Delivers Remarks Announcing Disruptive Technology Strike Force Cases’ (16 May 2024), at https://www.justice.gov/opa/speech/assistant-attorney-general-national-security-matthew-g-olsen-delivers-remarks-announcin-1 (last accessed 12 Feb. 2024).

[9] US Department of the Treasury, ‘Civil Penalties and Enforcement Information’, at https://ofac.treasury.gov/civil-penalties-and-enforcement-information (last accessed 24 Jan. 2024).

[10] US Department of the Treasury, ‘U.S. Treasury Announces Largest Settlements in History with World’s Largest Virtual Currency Exchange Binance for Violations of U.S. Anti-Money Laundering and Sanctions Laws’ (21 Nov. 2023), at https://home.treasury.gov/news/press-releases/jy1925 (last accessed 24 Jan. 2024).

[11] US Department of the Treasury, ‘OFAC Settles with Binance Holdings, Ltd. for $968,618,825 Related to Apparent Violations of Multiple Sanctions Programs’ (21 Nov. 2023), at https://home.treasury.gov/news/press-releases/jy1925 (last accessed 24 Jan. 2024).

[12] Specifically, Crimea region of Ukraine, Cuba, Iran, Sudan and Syria.

[13] US Department of the Treasury, ‘OFAC Settles with Bittrex, Inc. for $24,280,829.20 Related to Apparent Violations of Multiple Sanctions Programs’ (11 Oct. 2022), at https://ofac.treasury.gov/media/928746/download?inline (last accessed 25 Jan. 2024).

[14] US Department of the Treasury, ‘OFAC Settles with CoinList Markets LLC for $1,207,830 Related to Apparent Violations of the Ukraine-/Russia-Related Sanctions Regulations’ (13 Dec. 2023), at https://ofac.treasury.gov/media/932406/download?inline (last accessed 24 Jan. 2024).

[15] US Department of the Treasury, ‘OFAC Settles with Virtual Currency Exchange Kraken for $362,158.70 Related to Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (28 Nov. 2022), at https://ofac.treasury.gov/media/929541/download?inline (last accessed 25 Jan. 2024).

[16] US Department of the Treasury, ‘Civil Penalties and Enforcement Information’, at https://ofac.treasury.gov/civil-penalties-and-enforcement-information (last accessed 25 Jan. 2024).

[17] US Department of the Treasury, ‘OFAC Settles with Emigrant Bank for $31,867.90 Related to Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (21 Sept. 2023), at https://ofac.treasury.gov/media/932156/download?inline (last accessed 2 Feb. 2024).

[18] A subsidiary of Swedbank AB (publ) (Swedbank AB), an international financial institution headquartered in Stockholm, Sweden.

[19] US Department of the Treasury, ‘OFAC Settles with Swedbank Latvia for $3,430,900 Related to Apparent Violations of Sanctions on Crimea’ (20 Jun. 2024), at https://ofac.treasury.gov/media/931911/download?inline (last accessed 5 Feb. 2024).

[20] As well as its predecessor, Wachovia Bank.

[21] US Department of the Treasury, ‘OFAC Settles with Wells Fargo Bank, N.A. for $30,000,000 Related to Apparent Violations of Three Sanctions Programs’ (30 Mar. 2023), at https://ofac.treasury.gov/media/931541/download?inline (last accessed 2 Feb. 2024).

[22] In violation of OFAC’s Cuba, Iran, Syria and Ukraine/Russia-related sanctions programmes.

[23] US Department of the Treasury, ‘OFAC Settles with Microsoft Corporation for $2,980,265.86 Related to Apparent Violations of Multiple OFAC Sanctions Programs’ (6 Apr. 2023), at https://ofac.treasury.gov/media/931591/download?inline (last accessed 25 Jan. 2024).

[24] United States of America v. ZTE Corporation, Plea Agreement (2 Mar. 2017), at https://www.justice.gov/opa/press-release/file/946276/download (last accessed 1 Feb. 2024).

[25] New York State Department of Financial Services, Superintendent’s Regulations, ‘Part 504 Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications’ (1 Jan. 2017), at https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=Ie3242420479311e6b718fc8ac47ba487&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default) (last accessed 1 Feb. 2024).

[26] Such as the NYDFS, the US DOJ or, in the United Kingdom, the Prudential Regulatory Authority.

[27] Computer Services, Inc, ‘The 4 Major Challenges of Real-Time Sanctions Screening’ (14 Sept. 2023), at https://www.csiweb.com/what-to-know/content-hub/blog/the-4-major-challenges-of-real-time-sanctions-screening/ (last accessed 1 Feb. 2024).

[28] Council of Europe Typologies Report, ‘AML/CTF Supervision in Times of Crisis and Challenging External Factors’ (25 Jan. 2022), pp. 10–11, at https://rm.coe.int/typologies-report/1680a54995 (last accessed 1 Feb. 2024).

[29] International Bar Association, ‘United States extraterritoriality: European Union sovereignty at stake’, at https://www.ibanet.org/article/CF85E59E-6564-4AA3-9408-3F47C6449C9D (last accessed 1 Feb. 2024).

[30] See, e.g., ‘Anti-Foreign Sanctions Law of the People’s Republic of China’ (10 Jun. 2021), at http://www.npc.gov.cn/npc/c30834/202106/d4a714d5813c4ad2ac54a5f0f78a5270.shtml (last accessed 1 Feb. 2024).

[31] European Commission, ‘Updated Blocking Statute in support of Iran nuclear deal enters into force’ (6 Aug. 2018), at https://ec.europa.eu/commission/presscorner/detail/en/IP_18_4805 (last accessed 1 Feb. 2024).

[32] US Department of the Treasury, ‘OFAC License Application Page’, at https://home.treasury.gov/policy-issues/financial-sanctions/ofac-license-application-page (last accessed 1 Feb. 2024).

[33] See, e.g., World Economic Forum, ‘Top 10 Emerging Technologies of 2023’ (26 Jun. 2023), at https://www3.weforum.org/docs/WEF_Top_10_Emerging_Technologies_of_2023.pdf (last accessed 1 Feb. 2024); and ‘These 5 technologies have the potential to change global trade forever’ (6 Jun. 2018), at https://www.weforum.org/agenda/2018/06/from-blockchain-to-mobile-payments-these-technologies-will-disrupt-global-trade/ (last accessed 1 Feb. 2024).

[34] IOTA Foundation, Supply Chains blog posts, at https://blog.iota.org/tag/supply-chains/page/3/ (last accessed 1 Feb. 2024).

[35] Such as Switzerland and the United States.

[36] Cryptocurrency tumblers or mixing services are utilised to mix potentially identifiable, illicit or tainted cryptocurrency funds with others in order to obfuscate the fund’s original source or ownership. See Ciphertrace, ‘Mixers, Tumblers, Foggers’, at https://ciphertrace.com/glossary/mixer-tumbler-fogger/ (last accessed 1 Feb. 2024).

[37] Chainalysis, ‘OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses’ (10 Aug. 2023), at https://www.chainalysis.com/blog/ofac-sanctions/ (last accessed 25 Jan. 2024).

[38] US Department of the Treasury, press release ‘Treasury Designates Virtual Currency Money Launderer for Russian Elites and Cybercriminals’ (3 Nov. 2023), at https://home.treasury.gov/news/press-releases/jy1874 (last accessed 1 Feb. 2024); and press release ‘Treasury Sanctions Russian Ransomware Actor Complicit in Attacks on Police and U.S. Critical Infrastructure’ (16 May 2023), at https://home.treasury.gov/news/press-releases/jy1486 (last accessed 1 Feb. 2024).

[39] US Department of the Treasury, Office of Foreign Assets Control, ‘Sanctions Compliance Guidance for the Virtual Currency Industry’ (Oct. 2021), at https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf (last accessed 1 Feb. 2024).
