On March 14, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced its first enforcement case of the year and its first ever involving dealings with a Russian designated for sanctions under Executive Order (E.O.) 14024, the basis for most of OFAC’s recent sanctions targeting Russia. OFAC settled for $3.74 million with Swiss-based global private banking conglomerate EFG International AG (EFG) for liability arising from 873 securities-related transactions involving EFG’s sanctioned customers in apparent violation of the Russian Harmful Foreign Activities Sanctions Regulations (RuHSR, implementing E.O. 14024), the Cuban Assets Control Regulations (CACR), or the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR). OFAC’s public enforcement action against EFG – following shortly after the release of the Tri-Seal Compliance Note stressing the importance for non-U.S. individuals and entities of compliance with U.S. sanctions and export controls (discussed in our client alert) – highlights the critical importance of implementing a risk-based sanctions compliance program that (i) screens for U.S. sanctions risks, (ii) identifies any potential touchpoints to the United States, (iii) adequately implements compliance controls to prevent violations of U.S. sanctions arising from those touchpoints, and (iv) addresses the particular compliance risks stemming from the use of omnibus accounts. 

Below we summarize OFAC’s settlement with EFG and provide key takeaways for non-U.S. companies.

EFG Settlement

EFG is a global private banking group headquartered in Switzerland and operating globally through subsidiaries in tax-advantaged jurisdictions and through a brokerage in the United States. EFG offers wealth management services, including trading in securities, and relies – as do many other similar financial services entities – on consolidated “omnibus” accounts in the names of its subsidiaries to manage securities held for the benefit of its customers. Because activity through omnibus accounts is done in the name of the account holder (here, EFG’s subsidiaries), custodians and other counterparties do not have visibility into the ultimate beneficiaries. As a result of EFG’s subsidiaries using omnibus accounts to manage sanctioned customers’ assets, OFAC alleges that EFG caused U.S. parties to process 873 securities-related transactions with a total value of $30,409,488 on behalf of sanctioned parties that involved U.S. custodians or other U.S. entity counterparties. OFAC and EFG settled EFG’s liability with a civil monetary penalty of $3.74 million, based on OFAC’s determination that the conduct was not “egregious” and was voluntarily self-disclosed. Notably, OFAC suspended $1,000,000 of the $3,740,442 penalty in consideration of EFG completing its promised compliance commitments.

Apparent Violations of the CACR and FNKSR

Over four years ending in July 2018, EFG’s global subsidiaries in tax-advantaged privacy jurisdictions processed 727 transactions and transfers totaling almost $30 million for clients resident in Cuba or beneficially owned by Cuban nationals in apparent violation of the CACR. OFAC determined that EFG had reason to know of its customers’ links to Cuba yet still chose to route transactions through omnibus accounts with U.S. custodians or through its EFG Miami brokerage.  OFAC viewed as an aggravating factor the economic benefit to Cuba that resulted from the flow of unrestricted funds to the Cuba-linked customers’ accounts in connection with these transactions.

EFG Singapore also dealt with a Chinese national customer who was designated by OFAC as a Specially Designated Narcotics Trafficking Kingpin. Upon this designation, EFG Singapore properly imposed controls to prevent the customer’s account from trading or making payments but failed to inform the involved U.S. custodians and counterparties of the restrictions. EFG Singapore’s failure to notify these U.S. parties resulted in U.S. firms processing 141 securities transactions – primarily interest payments and dividend distributions – totaling nearly $500,000 in apparent violation of the FNKSR. 

Apparent Violations of the RuHSR

OFAC determined that EFG caused U.S. securities firms to process five dividend payments, with a combined value of $1,200, on behalf of one Russian individual who was blocked by OFAC in 2023 under E.O. 14024. Following the individual’s designation in 2023, EFG’s Swiss subsidiary properly imposed an internal restriction on the client’s account and notified U.S. counterparty custodians as to the positions it held for the sanctioned individual. OFAC found that “[d]ue to an error,” however, EFG erroneously omitted from its notification three securities positions held by the client but pledged to EFG Switzerland under the Swiss entity’s name. This omission resulted in EFG processing five or more dividend transactions related to this securities position through U.S. securities firms. 

Highlighted Remediation

OFAC favorably noted EFG’s remediation, including:

• Internally restricting the accounts of sanctioned clients to prevent credits or debits;
• Implementing additional compliance approval requirements for activities involving high-risk clients;
• Requiring notification to U.S. custodians and counterparties of securities positions held through omnibus accounts linked to sanctioned customers;
• Implementing a risk assessment framework requiring additional diligence for customers linked to high-risk jurisdictions; and
• Conducting annual sanctions risk assessments and instituting mitigating controls for identified risks.

Key Lessons Learned

As with all public OFAC enforcement actions, there are critical lessons in this settlement for global companies. From the conduct OFAC highlighted as well as its guidance set out in the “compliance considerations” in the public enforcement release, we highlight that non-U.S. individuals and entities that rely in any way on U.S. service providers must:

• Understand their touchpoints to the United States and how those touchpoints could indirectly cause U.S. persons to provide services to sanctioned parties or countries, including in particular any use of omnibus accounts involving sanctioned parties;
• Screen and conduct appropriate due diligence on customers and counterparties to identify U.S. sanctions risks; and
• Implement appropriate mitigating controls for U.S. sanctions risks, including ensuring that such controls mitigate the entirety of the sanctions risks (e.g., controls to restrict account activity by sanctioned parties need to be sufficiently broad to prevent activity involving sanctioned parties, such as interest and dividend payments with a U.S. nexus).

Conclusion

Non-U.S. individuals and entities must be aware of the U.S. sanctions risks from their business activities and any touchpoints to the United States. In both this public enforcement action and the Tri-Seal Compliance Note, OFAC is making clear its intention to hold non-U.S. individuals and entities liable for causing U.S. sanctions violations by providing the benefit of U.S. services to sanctioned customers. This risk is heightened when using a service where the U.S. provider does not have visibility into the indirect beneficiaries of its services. The U.S. sanctions risks from use of omnibus accounts may also arise in many other types of relationships with U.S. service providers, particularly where a non-U.S. individual or entity subscribes to a service – financial, software as a service (SaaS), or otherwise – in its own name and then provides benefits from that service to its customers. 

[View source.]