$1.1 Billion and Counting – The New Era of OFAC Enforcement

by BakerHostetler

On February 13, 2014, BNP Paribas ("BNP"), France's largest bank, announced in its fourth quarter results that it will soon be joining the growing community of banking institutions that, within the past five years, have been sanctioned for violations of the United States Department of Treasury's Office of Foreign Assets Control ("OFAC") regulations. OFAC is tasked with administering and enforcing economic and trade sanctions that are designed to protect U.S. foreign policy and national security. The Office prohibits trading with entities that are targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. All persons and entities within the U.S., including banks, bank holding companies, and their foreign branches, must comply with OFAC's regulations or face potentially sizable civil and criminal penalties.

BNP stated that its internal review had uncovered a "significant volume of transactions that could be considered impermissible under U.S. laws and regulations including, in particular, those of the Office of Foreign Assets Control."[1] As a result, the bank reported it has set aside a monumental $1.1 billion in anticipation of a settlement with U.S. regulatory authorities. BNP has presented its findings to the relevant U.S. authorities and the parties have entered into discussions. The transactions subject to the investigation occurred from 2002 through 2009 and, while a spokeswoman for BNP declined to identify the offending countries, media outlets have reported that they are Iran, Cuba, and Sudan. BNP is now facing investigations by six government agencies: the Justice Department, the United States Attorney's Office in Manhattan, the Federal Reserve, the Treasury Department, New York State's Department of Financial Services, and the Manhattan District Attorney.

Although BNP has reserved $1.1 billion for settlement, the amount assessed against the bank could be significantly larger. BNP explained that since there have not been any discussions with authorities regarding penalties, "considerable uncertainty" remains "as to the actual amount of fines or penalties that the U.S. authorities could impose."[2] The final penalties will be determined by the regulatory agencies once they complete their analysis of all offending transactions and decide the appropriate amount of restitution. Because banks often set aside less money than they will eventually need for settlement, it is quite possible that BNP's future settlement with OFAC could be record-shattering.


OFAC fines have skyrocketed since 2009, when Congress effected an increase in the statutory maximum per violation from a cap of $11,000 to $250,000 per violation or twice the value of the underlying transaction. When assessing fines, OFAC looks to a myriad of factors, including the awareness of senior management, the size and sophistication of the entity, and reporting procedures. The more sophisticated the entity being investigated, and the higher the level of knowledge of the infractions within the entity, the heftier the fines. However, if an entity self-reports a violation, fines can be slashed in half.

Congress's amendments to OFAC regulations have allowed regulators to rake in an unprecedented amount of fines. In 2008, before enhanced penalties became effective, total penalties amassed were approximately $3.5 million for 108 settled matters. Just one year later OFAC amassed an amount of over $772 million for just 27 matters -- increasing penalties per matter by nearly one-thousand-fold. Recent years have proven that this jump was no anomaly, but rather the beginning of a new era of heighted OFAC enforcement and penalty assessment. 2012 was the biggest year thus far, with OFAC windfalls of over $1.1 billion for only 16 matters. While 2013 penalties were significantly less, totaling $137 million for 26 matters, with BNP already foreshadowing a large settlement, 2014 could quite possibly exceed all prior years.


BNP is not the first banking entity to be snared by the long arm of OFAC. Included in these rising totals are a number of banks, all of whom have paid exorbitant fees to settle alleged OFAC violations. Most recently, in December of 2013, the Royal Bank of Scotland ("RBS") paid $33 million to settle OFAC violations arising out of transactions made in Iran, Sudan, Myanmar, and Cuba. Because RBS self-reported these violations, it was able to avoid paying the statutory maximum of over $132 million. 2013 also saw the settlement of an investigation of Italian bank Intensa Sanpaulo. In June 2013, Intensa Sanpaulo settled claims of processing wire transfers involving Cuba, Sudan, and Iran for almost $3 million. Société Générale SA, France's second largest bank, announced in its 2013 annual report that it had begun discussions with OFAC and commenced an internal audit as well.

As mentioned, 2012 was the highest grossing year for OFAC violations, in large part due to several massive settlements by European banks. In December 2012, HSBC famously paid a global $1.9 billion fine, $375 million of which went to OFAC to settle charges of conducting financial transactions for customers in Cuba, Iran, Libya, Myanmar, and Sudan. 2012 also had the highest ever settlement for OFAC violations, with ING Bank paying a record $619 million to settle claims arising out of transactions involving Cuba, Myanmar, Sudan, Libya, and Iran. Rounding out the class of international banks paying millions to OFAC in 2012 were Standard Chartered Bank and Bank of Tokyo-Mitsubishi UFJ, Ltd, which paid settlements of $132 million and $8.5 million, respectively.

Other major banks have also been subjected to substantial fines by OFAC. In 2011, JP Morgan Chase Bank settled with OFAC for over $88 million for engaging in banned transactions with Liberia, Iran, Sudan, and Cuba. Credit Suisse settled with OFAC and New York State for $536 million, which was split equally between the agencies, in late 2009. The British banks of Lloyds TSB Bank ("Lloyds") and Barclays Bank PLC ("Barclays") have also been hit with fines. Lloyds paid $217 million to OFAC in 2009, and Barclays settled with OFAC in 2010 for $176 million.


While the details of BNP's violations remain to be disclosed and a fine has yet to be assessed, BNP's actions are indicative of a global movement toward international and national banking institutions uncovering and disclosing past OFAC regulatory violations to U.S. regulators. Companies should assess their own risks relating to compliance with OFAC and implement monitoring procedures commensurate with their risk profiles. Accurately assessing, identifying, and documenting a company's overall risk of investigation by OFAC will communicate to regulators both that the company has a clear understanding of OFAC regulations and that it can properly appropriate compliance funds to prevent future violations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.