COMPL 1100361
SETTLEMENT AGREEMENT
This settlement agreement (the "Agreement”) is made by and between the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and UniCredit Bank AG.
I. PARTIES
1. OFAC administers and enforces economic sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and proliferators of weapons of mass destruction, among others. OFAC acts under Presidential national emergency authorities, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction.
2. UniCredit Bank AG is a German subsidiary of UniCredit S.p.A., the parent company of the UniCredit Group headquartered in Milan, Italy. UniCredit Bank AG is headquartered in Munich, Germany. UniCredit Bank AG was formerly known as Bayerische Hypo-und Vereinsbank AG ("HVB"), prior to its merger with UniCredit S.p.A. in 2005.
II. APPARENT VIOLATIONS
3. OFAC conducted an investigation of UniCredit Bank AG in connection with more than 2,100 transactions processed to or through the United States or involving U.S. financial institutions in apparent violation of various OFAC sanctions programs.
4. OFAC determined that UniCredit Bank AG did not voluntarily self-disclose the Apparent Violations and that the Apparent Violations constitute an egregious case.
III. FACTUAL STATEMENT
5. For a number of years, up to and including 2011, UniCredit Bank AG operated U.S. dollar (USD) accounts on behalf of the Islamic Republic of Iran Shipping Lines (IRISL) and several companies owned by or otherwise affiliated with IRISL UniCredit Bank AG managed the accounts of those companies in a manner that did not identify the interest or involvement of IRISL in transactions sent to or through U.S. intermediaries. UniCredit Bank AG implemented auto-transfer mechanisms and selectively applied controls on those companies' accounts and processed transactions involving an interest of IRISL to or through the United States for almost two years after OFAC added IRISL to the List of Specially Designated Nationals and Blocked Persons (the "SDN List") in September 2008. UniCredit Bank AG's processing of these transactions appears to have violated the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. part 544 (WMDPSR).
6. Over the same period, in addition to processing payments in which IRISL had an interest, UniCredit Bank AG also processed USD payments in a non-transparent manner- for example, by confirming that payment instructions did not include references to U.S.-sanctioned persons and countries-through financial institutions in the United States on behalf of persons subject to the WMDPSR and other U.S. sanctions programs. UniCredit Bank AG processed transactions in this manner in apparent violation of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR); the Sudanese Sanctions Regulations, 31 C.F.R. part 538 (SSR); the Cuban Assets Control Regulations, 31 C.F.R. par 515 (CACR); the Burmese Sanctions Regulations, 31 C.F.R. part 537 (BSR); and the Syrian Sanctions Regulations, 31 C.F.R. Part 542 (SySR); and the WMDPSR.
7. In early 2012, at the direction of its Management Board, UniCredit Bank AG initiated a voluntary review of USD-denominated SWIFT messages processed between January 2007 and December 2011 by UniCredit Bank AG. On October 19,2012, UniCredit Bank AG produced a comprehensive investigation report detailing the process and factual findings of the investigation. UniCredit Bank AG initiated additional reviews, including investigations into specific customer relationships, trade transactions, and syndicated loans, as well as investigations into potential non-transparency issues. Collectively these investigations involved the review of substantial volumes of electronic and other data and interviews of numerous employees. Throughout its reviews, UniCredit Bank AG provided OFAC with multiple document productions and responses to requests for information. UniCredit Bank AG also reported the results of its reviews to OFAC and other investigating agencies in a series of meetings and presentations between 2012 and 2018. In its submissions, UniCredit Bank AG disclosed certain transactions that raise compliance issues, namely transactions that were both subject to U.S. jurisdiction for purposes of the relevant OFAC sanctions regulations and involved an OFACsanctioned party, where UniCredit Bank AG was unable to identify a contemporaneous exemption, general license, or specific license under the relevant OFAC sanctions regulations that would have exempted or authorized the payment.
IRISL-Related Conduct
8. In the mid-2000s, UniCredit Bank AG developed business relationships with IRISL, IRISL Europe GmbH ("IRISL Europe"), and dozens of entities owned, controlled, or otherwise affiliated with IRISL. Specifically, between approximately April 2004 and September 2008, UniCredit Bank AG opened, and the bank's Hamburg brunch maintained, accounts denominated in USD and other currencies for at least 34 corporate entities owned or controlled by, or otherwise affiliated with, IRISL (collectively referred to herein as "the IRISL-affiliated customers" or "the IRISL-affiliated entities")
9. Based on UniCredit Bank AG's internal treatment of the accounts, it appears that the bank knew or should have known that the accounts were directly connected to IRISL and that IRISL had an interest in transactions UniCredit Bank AG processed from, to, or through the accounts. According to standard UniCredit Bank AG policies, the bank's Customer Relationship Managers ("CRMs") were responsible for documenting various business relationships between customers and assigning a single Customer Engagement Group number (referred to as an "EVD") to affiliated customers. As part of this process, the CRM who was assigned to IRISL and its affiliated entities, who was an employee identified in documents UniCredit Bank AG submitted to OFAC as "BE-2," analyzed the IRISL-affiliated entities in order to create the "IRISL Customer Group" and assigned the majority of the IRISL-affiliated entities to IRISL's EVD. By September 2008, 33 of the 34 IRISL-affiliated entities shared the same customer group number. Based on information gathered during the course of this investigation, the bank determined that IRISL owned, directly or indirectly, each of the 33 companies in its EVD group
10. In addition to the common EVD, UniCredit Bank AG also created various internal links between accounts belonging to IRISL and IRISL-affiliated entities, including the use of pledge accounts and a cash management service called the Auto-Dispo Service (ADS). As early as January 2006, UniCredit Bank AG considered accounts belonging to six IRISL-affiliated companies to be "pledged accounts" for IRISL Europe. IRISL Europe's authority to use the six IRISL-affiliated companies' UniCredit Bank AG accounts as pledged assets demonstrates that IRISL Europe had authorization over, and a property interest in, those companies and their accounts
11. UniCredit Bank AG provided the ADS to IRISL and two of its affiliated entities, Ashtead Shipping Company Limited ("Ashtead") and Byfleet Shipping Company Limited ("Byfleet"). The ADS was a cash management service that UniCredit Bank AG offered to its corporate customers generally, and it allowed enrolled customers to transfer funds automatically from "source accounts" to "target accounts" on an ongoing basis. UniCredit Bank AG described the ADS, as it related to IRISL's accounts, as follows:
Under the auto-dispo arrangement, USD payments into the relevant Ashtead [or Byfleet] "source" accounts transferred automatically to an IRISL "target" account on a book entry basis without any further involvement of the US financial system.
12. As early as June 2006, UniCredit Bank AG had applied the ADS to one IRISL USD target account and one IRISL Europe USD target account. UniCredit Bank AG connected each of the target accounts with an Ashtead USD source account and a Byfleet USD source account, allowing IRISL and IRISL Europe to receive USD payments through the Ashtead and Byfleet accounts without their names appearing on the payment instructions. Under the ADS arrangement, the bank processed incoming credits to the Ashtead and Byfleet accounts and then initiated automated book entry transfers to deposit the funds into IRISL and IRISL Europe's target accounts. Under this arrangement, UniCredit Bank AG was the only financial institution with knowledge or documentation showing that the funds were actually destined for IRISL and IRISL Europe rather than Ashtead or Byfleet, as indicated on the payment instructions.
13. On September 10, 2008, pursuant to Executive Order 13382 of June 28, 2005, "Blocking Property of Weapons of Mass Destruction Proliferators and Their Supporters" ("E.O. 13382"), OFAC designated IRISL for providing services to Iran's Ministry of Defense and Armed Forces Logistics, which was previously designated for its role in Iran's ballistic missile program. In addition to IRISL, OFAC also designated 18 companies (including IRISL Europe and an IRISL-owned subsidiary in the United Kingdom, "Irinvestship Ltd.") that were owned or controlled by, or acting or purporting to act for or on behalf of, directly or indirectly, IRISL. These designations blocked all property and interests in property of IRISL and the 18 companies that were in the United States, that thereafter came within the United States, or that were or thereafter came within the possession or control of United States persons, and prohibited transactions by U.S. persons or in the United States that involved the property or interests in property of IRISL and the 18 companies. Two of the 18 companies designated, IRISL Europe and lrinvestship Ltd., were part of UniCredit Bank AG's EVO group for IRISL.
14. Immediately following OFAC's designation of IRISL, employees within UniCredit Bank AG's Compliance department and Legal department initiated an email discussion regarding the bank's handling of USD transactions on behalf of IRISL and IRISL affiliated companies. On September 11, 2008, Bank Employee 9 ("BE-9"), a member of UniCredit's unit within the Compliance department responsible for financial sanctions (referred to herein as the "UWC"), sent an email to a member of UniCredit's Legal department (BE-16), and copied two Compliance officers (BE- 10 and BE-12) and a Senior Compliance officer (BE- 19), summarizing OFAC's designation of IRISL and requesting guidance on how to proceed with respect to UniCredit's customers that were part of the IRISL customer group (EVO). In an email dated the following day, in-house counsel stated that "it is out of the question that we continue to carry out USD transactions with these companies because of the risk that such transactions could be 'impounded' in the United States if, in effectuating such transactions, there happened to be payments in or via the United States." Further, the Legal department recommended proceeding "with the utmost care and vigilance in its dealings, in view of our own interests in the United States, and, in particular, the interests of HVB NY [i.e., UniCredit Bank AG's New York Branch]."
15. On September 12, 2008, an in-house counsel within the bank's Legal department sent an email, which the bank characterized as an "internal advisory note" to selected bank departments, including employees within the UWC, instructing them not to process any USD transactions for "Iranian shipping companies" designated by OFAC. On September 15, 2008, a UniCredit Bank AG Compliance Officer in UWC (BE-9) sent an email to members of the IRISL CRM team (BE- 1, BE-2, and BE-53), copying UniCredit Bank AG's Legal department (BE-16) as well as several members of the UWC, stating that the processing of USD payments to or from all clients within the IRISL customer group was prohibited. UniCredit Bank AG slated that to identify clients owned by IRISL, the UWC used the EVD number for IRISL and added all members of the IRISL EVO group to the bank's filter list to monitor for USD activity" within 48 hours of the designation. Nevertheless, the 2008 guidance was not promulgated as a formal policy of the bank. UniCredit Bank AG did not produce documentation to OFAC showing that the bank drafted or distributed instructions on how to implement the email directive.
16. Despite the issuance of this directive, it does not appear that the bank's employees followed the directive for all IRISL-affiliated customers. The bank processed a significant number of USD payments on behalf of certain IRISL-affiliated customers that were not listed as SDNs through the United States following IRISL’s designation and in contravention of the policy set out by the email directive. Specifically, UniCredit Bank AG processed a significant number of transactions on behalf of the following IRISL-affiliated entities: Ashtead, Fairway Shipping Limited ("Fairway"), and Hanseatic Trade Trust & Shipping GmbH ("HTTS"). Given IRISL's involvement in opening and maintaining the affiliated entities' accounts at UniCredit Bank AG (in addition to other connections between the SDN and its affiliated entities), IRISL appears to have had an interest in transactions processed through the accounts, and the transactions constituted property or interests in property of IRISL that were in the United States.
17. Ashtead was a wholly owned subsidiary of IRISL registered in the Isle of Man and first became a UniCredit Bank AG customer in 2004. As a wholly owned subsidiary of IRISL, Ashtead became property in which IRISL had an interest (and thus subject to U.S. sanctions as set forth in E.O. 13382) at the time OFAC designated IRISL on September 10, 2008. Between 2004 and October 2008, UniCredit Bank AG opened five USD accounts for Ashtead, and two accounts were connected to the USD accounts UniCredit Bank AG maintained for IRISL and IRISL Europe through an ADS arrangement. As Ashtead was part of the IRISL customer group (EVO), the bank's UWC added Ashtead to its sanctions filter list following the September 2008 policy directive and ceased processing outbound USD payments beginning on September 12, 2008. However, although the bank's controls stopped any outgoing USD payments from the Ashtead accounts, the bank's controls did not prohibit UniCredit Bank AG from opening a new USD account for Ashtead (finalized in October 2008 - one month after OFAC's designation of IRISL) or from processing inbound payments, many of which were ultimately destined for the IRISL target accounts through the ADS arrangement. Employees explained in interviews that UniCredit Bank AG had not instituted any controls or restrictions to prevent IRISL's use of this [ADS] arrangement, or, to their recollection, raised this issue with their supervisors. As a result, it appears that IRISL exploited the ADS arrangement in order to circumvent U.S. sanctions by routing funds transfers to Ashtead's accounts rather than its own.
18. Separately, in July 2008, UniCredit Bank AG opened a number of accounts, including a USD account, for Fairway, a newly incorporated UK-based entity that initially was included as a member of IRISL's customer group. It appears that IRISL, through its wholly owned subsidiary, Irinvestship (which OFAC had designated along with IRISL on September 10, 2008), had an interest in accounts UniCredit Bank AG maintained on behalf of Fairway. For example, UniCredit Bank AG's account documentation showed that Fairway utilized a secondary address that matched the street address for Irinvestship that was published on OFAC's SDN List. In addition, it appears that IRISL used at least one Fairway account as a nominee account, in which IRISL placed and managed its assets under Fairway's name. In a July 2009 email exchange available to UniCredit Bank AG, IRISL employees referenced the Fairway account as "our nominate account" and instructed a customer to correct the routing of a payment so that it was sent to a Fairway account instead of an IRJSL account. The email also included the following instruction (emphasis is original): "please don't mention name of IRISL/vessel/line/voyage in your payment." Other connections between IRISL, Irinvestship, and Fairway (including the use of interchangeable email addresses, Irinvestship employees conducting business on behalf of Fairway, and Irinvestship being authorized to act as power of attorney over Fairway accounts) demonstrated IRJSL's interest in the company's accounts at UniCredit Bank AG.
19. Shortly after OFAC's designation of IRISL and the issuance of the 2008 policy directive, UniCredit Bank AG's Relationship Team requested that the bank's UWC remove Fairway from the IRISL customer group because according to a "[t]elephone call with [BE-2, the IRISL CRM]" it was "not an IRISL group company [and] payment may be made in USD." On September 24, 2008, the UWC complied with the request, based on the Jack of ownership by IRISL, and on the next day the IRISL CRM team emailed an IRJSL-affiliated employee (IAC-4) to inform him that the bank would once again start to process payments in all currencies on behalf of Fairway.
20. Approximately three months later in December 2008, UniCredit Bank AG began receiving inquiries from a U.S. bank (the bank's primary USD correspondent) regarding transactions involving Fairway's USD accounts that referenced the phrase "crew wages." Upon further review, at least two members of UniCredit's Compliance Department (BE-9 and BE- 10) determined that the payments related to crews working on IRISL-owned vessels. On January 15, 2009, in response to one of these inquiries, a member of UniCredit's Compliance team (BE-11) emailed the service provider that managed the payment processing function for UniCredit Bank AG with instructions to provide the U.S. bank with details regarding a particular payment but added the following instructions: "the details of the ship (M.v. Diamond) may not be transmitted under any circumstances (OFAC listed)."
21. After receiving multiple such inquiries from the U.S. bank, UniCredit Bank AG re-added Fairway to its internal sanctions tilter in January 2009. During the subsequent month, UniCredit flagged 99 USD payments involving Fairway that also referenced “crew wages" in the payment instructions and rejected all 99 transactions due to the ..higher risk profile" of any USD transaction associated with an IRISL affiliated vessel." Specifically, the bank's Compliance department rejected all of the transfers "after Fairway refused to provide the names of the vessels associated with the crew wages." Nevertheless, in or around December 2009, UniCredit Bank AG's Compliance department removed Fairway from the bank's internal monitoring list once again. The minutes from a meeting on December 10, 2009 indicate that the bank made this decision because "evidence has been provided that Fairway-Shipping does not belong to IRISL." The meeting minutes did not address Fairway's "higher risk" payments, the company's failure to respond to information requests, or the fact that Fairway's ownership information had been provided by an IRISL employee (IAC-9). UniCredit Bank AG continued processing USD transactions on behalf of Fairway until July 2010, at which point Fairway on its own accord stopped processing USD transactions through the bank.
22. Separately, between July 16, 2009 (approximately nine months after OFAC designated IRISL) and December 29, 2009, UniCredit Bank AG opened nine USD accounts for a new IRISL-affiliated German customer, HTTS. Although IRISL did not own HTTS, it appears that IRISL, through IRISL Europe and its managing director, had an interest in these accounts and in payments effected on behalf of HTTS. UniCredit's account documentation showed that the managing director was HTTS' sole beneficial owner, that the managing director was an Iranian citizen whose German residency visa was predicated on his employment by IRISL Europe, and that the other two signors on HTTS’ USD accounts were also Iranian citizens whose German residency visas were valid "only so long as they remained employed by IRISL." In addition, the bank's account documentation showed that HTTS utilized an address in Hamburg that was adjacent to the address OFAC had published on the SDN List for IRISL Europe.
23. UniCredit Bank AG's CRM did not alert the UWC to these potential connections between HTTS and IRISL or propose to include HTTS in the IRISL customer group. Nonetheless, after it opened the above-referenced accounts for HTTS, UniCredit’s CRM team interacted and corresponded with IRISL Europe employees (rather than dedicated HTTS employees) regarding account-related matters. UniCredit Bank AG's investigation identified that the IRISL employees used their IRISL Europe and HTTS email addresses interchangeably, and at least one IRISL employee (IAC-1) utilized both HTTS and IRISL Europe signature blocks interchangeably in his emails. Despite knowing of the various connections between IRISL and HTTS, based on the absence of ownership by IRISL, UniCredit Bank AG never included HTTS in its IRISL customer group and appears not to have applied the bank's IRISL-related compliance policy to HTTS.
24. Beginning in May 2011, UniCredit Bank AG began receiving a number of inquiries from a U.S. bank asking for additional details on payments originated from or destined for HTTS accounts at UniCredit Bank AG. In response to each inquiry, a member of the Relationship Team requested information directly from HTTS and forwarded HTTS's response verbatim to the U.S. bank, without any apparent effort to corroborate statements such as "no vessel as well as no Iran and IRISL is involved." Only after a UniCredit Compliance Officer learned of the U.S. bank's inquiries did the bank's Compliance unit decide "to review the customer [HTTS] more closely from a sanctions perspective." The Compliance Officer reviewed the passports and Germany residency visas of the three authorized signers on the HTTS accounts, and after seeing the references to, and connections with, IRISL, he instructed the CRM to inform HTTS that as of May 28, 2010, UniCredit Bank AG would not process any USD payments on behalf of HTTS.
25. In addition, UniCredit processed a limited number of transactions on behalf of additional IRISL-affiliated entities that were not designated as SDNs: Irinvestship, Byfleet, Adara Shipping, Cobham Shipping, Darking Shipping, Effingham Shipping, Extrim Shipping, and Farnham Shipping. UniCredit account information shows that IRISL, IRISL Europe, or Irinvestship had an interest in the USD accounts UniCredit maintained on behalf of the non-designated entities. Each of the companies utilized addresses that directly referenced IRISL or IRISL Europe (in addition to, or instead of, their own business names), and the sole authorized signor for all but one was an individual OFAC subsequently designated in part due to his role as a Director of several OFAC-designated IRISL-affiliated entities.
"OFAC Neutral Process"
26. Separate from the conduct described above, UniCredit Bank AG's head office ("HVB Munich") and several branches and a subsidiary appear to have employed a practice of processing USD payments through financial institutions in the United States on behalf of persons subject to other U.S. sanctions programs in a manner that did not disclose the interest of the sanctioned parties from U.S. financial institutions. The practice appears to have started in or around 2002, when the bank launched an initiative called Project Embargo to "assist the Bank in complying with applicable German and European sanctions laws and regulations" and to ensure that UniCredit Bank AG complied with its clearing agreement with its main U.S. correspondent bank. A critical part of Project Embargo's mission was to build and implement a transaction filtering system (referred to herein as "the Embargo Tool"). As described in detail below, however, the Project Embargo team designed and implemented policies and practices that purposefully did not disclose the involvement of OFAC-sanctioned persons or countries in transactions sent to the United States.
27. Then-HVB's Management Board was directly involved with the creation of Project Embargo, approving the project's initiation, budget, appointing a Steering Committee to supervise the project, and approving the appointment of the project's team leader, HVB AG employee BE-I 79. The Project Embargo team was comprised of members of the bank's Compliance division and external consultants, and the team consulted with HVB AG's Legal department and operational divisions throughout the project and reported to the project's Steering Committee (comprised of senior representatives from the Management Board, the bank's General Secretariat, the Operating Divisions, the Legal department, and functional units).
28. In August 2004, the Project Embargo team deployed its Embargo Tool. Among other procedures designed to implement compliance with EU and German sanctions laws, the Project Embargo team, distributed a guide for "Transactions Affected by OFAC" (herein referred to as "the Guide"), and began implementing the procedures detailed by the Guide at the bank's Munich branch. As part of the implementation process, the Project Embargo team disseminated the Guide to the UWC, each operational division that participated in the drafting process, and other operational departments (including, for example, the department responsible for Iranian banking relationships). The Guide provided step-by-step instructions for handling transactions that "hit'' on an "OFAC-relevant term in the Embargo Tool. The Guide included "procedures/instructions on how transactions desired for reasons of business policy can be executed in an OFAC neutral manner." The Guide offered two flow charts (collectively referred lo herein as "the OFAC Neutral Process") that detailed the steps a payment operator should take after the Embargo Tool flagged a payment for "OFAC suspicion" (i.e., because the payment contained a reference to an OFAC-sanctioned person or country). Specifically, the OFAC Neutral Process directed payment operators to engage in a "consultation with the specialist unit" (also referred to as the "relevant product unit") prior to deciding what action to take. After the consultation step. the operator could take one of three options:
Option 1: "Change of the route"
Under this option (later referenced by a member of UniCredit Bank AG's Legal department in an unrelated discussion as the "buffer bank structure"), the payment operator would cancel the existing payment order and create a new payment order that inserted a non-U.S. financial institution between the U.S. institution and the sanctioned party consistent with the then-applicable "U-Turn" exception for Iran. The effect of this option was that the payment message sent to the U.S. financial institution would not reference the sanctioned party.
Option 2: "Correction by The HVB specialist unit"
Under this option, the payment operator would either edit the payment instructions to remove or alter an OFAC-relevant reference so that the payment would be "OFAC neutral," or the operator would remove optional SWIFT data fields when they included an OFAC-relevant reference.
Option 3: "Return to originator and new customer order, if necessary"
Under this option, the payment operator would contact UniCredit Bank AG's customer to see whether the customer would like to re-submit the payment order to "evaluate alternative transactions that are not objectionable with regards to OFAC and submit a new transaction in the form of a new customer order. The customer must issue a new order without the OFAC connection. Otherwise the order cannot be issued via HVB Group."
The Guide included the following instruction:
"In case there is no way to execute the payment OFAC neutral then you have to obtain a safe replacement order from the customer. The sender bank's OFAC-relevant payment order must be cancelled and resubmitted in that case."
29. Employees interviewed by UniCredit Bank AG during the course of this investigation confirmed that they implemented at least some aspects of the OFAC Neutral Process set forth in the Guide. Employees stated that they reviewed cover payments that hit on the Embargo Tool because they contained OFAC-relevant terms in the MT103 messages to non-US banks, and their practice was to authorize the release of those payments if they did not include OFAC-relevant information in the MT202 message to US correspondent banks. Employees also confirmed that payment messages that hit on the Embargo Tool due to terms in optional SWIFT message fields were replaced with messages without those terms
30. It appears that UWC employees understood that their U.S. correspondents had legal obligations pursuant to U.S. sanctions laws not lo process certain transactions involving OFAC-sanctioned entities or interests. In addition, UWC employees appear to have expressed concern for liability stemming from processing "OFAC-relevant" payments. For example, Project Embargo's team leader, BE-179, stated as early as February 2004 that OFAC-relevant transactions should be processed "discreetly" and "there should be no publicity." During the same time period, BE-179 also raised concerns about the potential for liability or reputational damage that might result from processing errors. Finally, it appears that UniCredit Bank AG considered conducting a cost-benefit analysis of its customers engaging in transactions relating to OFAC-sanctioned countries' and parties' activity to determine which customers were worth the potential liability issues and reputational harm. Project Embargo meeting minutes reflect that BE-179 suggested utilizing the OFAC neutral process for "profitable" customers, stating that "customer relationships which generate no earnings should not be continued." He stated that transactions relating to profitable business should "be structured in a way that they will not become conspicuous."
31. Despite these concerns about liability and reputational damage, HVB AG does not appear to have sought legal review (either from its internal Legal department or from external counsel) of the Guide and the OFAC Neutral Process prior to implementing them, other than an informal inquiry to a "New York lawyer" at the outset of Project Embargo in April 2004. On March 16, 2005, BE-179 and another bank employee presented to the UniCredit Bank AG Audit Committee on the topic of Project Embargo. Due to concerns about "possible collisions with American law" identified in the presentation, the Audit Committee requested legal review. In April 2005, per the Audit Committee's suggestion, BE-182 sought legal guidance from an external law firm regarding "risks in general" of “whether OFAC could take action against the New York Branch [of HVB AG] for an OFAC infringement by HVB Munich [i.e., the bank's head office]." Notably, the request for guidance did not specifically address the bank's OFAC Neutral Process or its nontransparent payment methods. In August 2005, the UWC provided the bank's Legal department with a description of the bank's OFAC Neutral Process, but during the investigation UniCredit Bank AG informed OFAC that it did not find a response from its Legal department.
32. On December 19, 2005, OFAC, the Board of Governors of the Federal Reserve System, the New York State Banking Department, and the Illinois Department of Financial and Professional Regulations, Division of Banking issued a combined Order of Assessment of a Civil Monetary Penalty and Monetary Payment (the "Order") to ABN AMRO. Collectively, the Order assessed an $80 million penalty against ABN AMRO in response to conduct that the bank's non-U.S. branches had engaged in, including removing or obscuring references to sanctioned parties in payment instructions transiting the United States. After U.S. agencies published the ABN AMRO penalty, on March 6, 2006, HVB AG requested legal counsel from an external U.S. law firm regarding the likelihood that HVB will become subject to sanctions imposed by US authorities for processing transactions that otherwise complied with German, EU, and United Nations sanctions requirements. On May 7, 2006, the firm responded to the request and recommended that HVB AG assess its OFAC risk, put in place an OFAC compliance program, and periodically reassess the bank's risk and adjust the program as necessary. The firm also provided a detailed description of the ABN AMRO action, outlining payment practices the bank had engaged in that led to the penalty. The firm's description of ABN AMRO's activities stated that "[t]he non-U.S. offices established a procedure of systematically removing information from wire transfer requests that identified the request as relating to individuals and entities in Libya and Iran. This was not a case in which the ABN AMRO non-U.S. offices simply transmitted requests that they received without knowing that they were problematic under the OFAC regulations. Rather, the staffing those offices intentionally removed information that otherwise would have gone to the U.S. office" of ABN AMRO.
33. After some additional initial legal opinions and discussions regarding the ABN AMRO penalty and HVB AG's payment practices, the bank discussed and implemented certain Iran-related controls (such as prohibiting USD business for Bank Saderat in September 2006 and for Bank Sepah in January 2007). The Legal department informed the UWC that it was "pursuing a zero-tolerance policy as regards any addresses of persons making or receiving payments being disguised or other ‘creative' solutions being employed" with respect to payments. However, HVB AG continued processing USD payments involving OFAC sanctioned parties pursuant to these practices until at least December 2011.
Oil-Related Transactions
34. Separately, but during the period during which the bank's employees followed the OFAC Neutral Process, HVB AG processed a significant number of transactions on behalf of its customer, a Swiss company, or two of the company's subsidiaries, which related to shipments of oil which appear to have ultimately been destined for Iran and/or a Government of Iran entity identified on OFAC's SDN List. Each of the transactions involved letters of credit issued by HVB AG to enable its Swiss customer to take delivery in Kazakhstan of oil purchased from suppliers in Kazakhstan, Turkmenistan, or Azerbaijan. Despite references to the oil's onward shipment by the Swiss customer to Iran in documents available to HVB AG, the bank submitted payment instructions through the United States or U.S. financial institutions that did not contain any references to Iran. HVB AG was the issuing bank for each of the letters of credit, and in its role as the issuing bank, the bank had a commercial obligation to review the invoices, bills of lading, and other shipping documentation to ensure that it complied with the terms and conditions or the letter of credit. Because of its commercial obligation to review this documentation, HVB AG demonstrated at least a reason to know of the onward delivery of the goods underlying the letters of credit.
Pursuant to the practices described above:
35. From on or about October 26, 2007 to on or about September 30,2011, UniCredit Bank AG processed 1,879 electronic funds transfers in the aggregate amount of $287,807,794 to or through financial institutions located in the United States in apparent violation of the prohibition against transactions involving blocked property of designated proliferators of weapons of mass destruction and their supporters, 31 C.F.R. § 544.201.
36. From on or about January 3, 2007, to on or about September 19, 2011, UniCredit Bank AG processed 177 electronic funds transfers in the aggregate amount of $215,569, 168 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation of services from the United States to Iran, 31 C.F.R. § 560.204.
37. From on or about January 12, 2007, to on or about June 22, 2010, UniCredit Bank AG processed 41 electronic funds transfers in the aggregate amount of $8,658,759 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation of services from the United States to Sudan, 31 C.F.R. § 538.205.
38. From on or about April 3, 2007, to on or about September 13, 2011, UniCredit Bank AG processed 31 electronic funds transfers in the aggregate amount of $8,696,382 to or through financial institutions located in the United States in apparent violation of the prohibitions against the dealing in property in which Cuba or a Cuban national has an interest, 31 C.F.R. § 515.201.
39. From on or about January 9, 2007, to on or about September 28, 2009, UniCredit Bank AG processed 25 electronic funds transfers in the aggregate amount of$208,191 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation of services from the United States to Burma, 31 C.F.R. § 537.202.
40. From on or about April 19, 2011, to on or about August 19,2011, UniCredit Bank AG processed three electronic funds transfers in the aggregate amount of $5,918,060 to or through financial institutions located in the United States in apparent violation of the prohibitions against the prohibition against transactions involving blocked property of the Government of Libya, 31 C.F.R. § 570.201.
41. On or about February 25, 2008, UniCredit Bank AG processed one $558,648 electronic funds transfer to or through financial institutions located in the United States in apparent violation of the prohibition against transactions involving blocked property of specially designated global terrorists, 31 C.F.R. § 594.201.
42. On or about December 27, 2011, UniCredit Bank AG processed one $50,000 electronic funds transfer to or through financial institutions located in the United States in apparent violation of the prohibition on the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a U.S. person, wherever located, of any services to Syria, 31 C.F.R. § 542.207.
43. UniCredit Bank AG on its own initiative has taken extensive remedial actions to strengthen its compliance controls and to enhance the institution's culture of compliance over time. Since 2009 in particular, UCB AG has devoted substantial resources and has made significant investments in rem ediation and compliance enhancement, including updating and enhancing compliance policies and procedures, strengthening compliance-related communications and reporting lines, enhancing information technology and information management systems, significantly upgrading and elevating the compliance function, boosting compliance resources, staff, and expertise, expanding and enhancing staff training, instilling lessons learned, and reinforcing the tone from the top.
44. UniCredit Bank AG provided substantial cooperation to OFAC by expending a significant amount of resources to conduct an extensive internal investigation and transaction review of payments processed between 2002 and 2011 by the bank's offices in London, Athens, Milan, Vienna, New York, Zurich, and Asia, as well as at a subsidiary in Germany. UniCredit Bank AG also responded to multiple inquiries and requests for information, executed a statute of limitations tolling agreement and signed multiple extensions to the agreement.
45. UniCredit Bank AG provided the results of its reviews in multiple reports to OFAC and other agencies, with clear and organized references to transaction records, the results of its electronic and other document reviews, and employee interviews.
IV. TERMS OF SETTLEMENT
OFAC and UniCredit Bank AG (hereafter referred to as ”Respondent") agree as follows:
46. Respondent has terminated the conduct outlined in paragraphs 5-34 above and has established, and agrees to maintain, policies and procedures that prohibit, and are designed to minimize the risk of the recurrence of, similar conduct in the future.
47. In consideration of the undertakings of Respondent in paragraph 48 below, Respondent agrees to a settlement in the amount of $553,380,758.68, and OFAC agrees to release and forever discharge Respondent. without any finding of fault, from any and all civil liability in connection with the Apparent Violations, as described in paragraphs 35-42, arising under the legal authorities that OFAC administers. Respondent's obligation to pay OFAC such settlement amount shall be deemed satisfied up to an equal amount by payments in satisfaction of penalties assessed by U.S. federal officials arising out of the same patterns of conduct during the same time periods.
48. In consideration of the undertakings of OFAC in paragraph 47 above, Respondent agrees and represents:
A. Within fifteen (15) days of the date Respondent receives the unsigned copy of this Agreement, to:
(i) sign, date, and mail an original signed copy of this Agreement to Alexandre Manfull, Sanctions Compliance and Evaluation Division, Office of Foreign Assets Control, U.S. Department of the Treasury, 1500 Pennsylvania Avenue, NW, Washington, DC 20220. Respondent should retain a copy of the signed Agreement and a receipt or other evidence that shows the date that Respondent mailed the signed Agreement to OFAC; and
(ii) pay or arrange for the payment to the U.S. Department of the Treasury the amount of SI0S,876,230. Respondent's payment must be made either by electronic funds transfer in accordance with the enclosed "Electronic Funds Transfer (Erl) Instructions," or by cashier's or certified check or money order payable to the "U.S. Treasury" and referencing COMPL 1100361. Unless otherwise arranged with the U.S. Department of the Treasury's Bureau of the Fiscal Service, Respondent must either:
(1) indicate payment by electronic funds transfer, by checking the box on the signature page of this Agreement; or (2) enclose with this Agreement the payment by cashier's or certified check or money order.
B. To waive (i) any claim by or on behalf of Respondent, whether asserted or unasserted, against OFAC, the U.S. Department of the Treasury, and/or its officials and employees arising out of the facts giving rise to the enforcement matter that resulted in this Agreement, including but not limited to OFAC's investigation of the Apparent Violations, and (ii) any possible legal objection to this Agreement at any future date.
49. Compliance Commitments: Respondent has terminated the conduct described above and has established, and agrees to maintain, sanctions compliance measures that are designed to minimize the risk of recurrence of similar conduct in the future. Specifically, OFAC and Respondent understand that the following compliance commitments have been made:
a. Management Commitment
i. Respondent commits that senior management has reviewed and approved Respondent's sanctions compliance program.
ii. Respondent commits to ensuring that its senior management, including senior leadership, executives, and/or the board of directors, are committed to supporting Respondent's sanctions compliance program.
iii. Respondent commits to ensuring that its compliance unit(s) are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent's OFAC risk.
iv. Respondent commits to ensuring that its compliance unit(s) receive adequate resources-including in the form of human capital, expertise, information technology, and other resources, as appropriate-that are relative to Respondent's breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
v. Respondent commits to ensuring that Senior Management promotes a "culture of compliance" throughout the organization.
vi. Respondent's Senior Management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, and acknowledges its understanding of the apparent violations at issue, and commits to implementing necessary measures to reduce the risk of reoccurrence of similar conduct and apparent violations from occurring in the future.
b. Risk Assessment
i. Respondent conducts an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. The risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business.
ii. Respondent has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessments will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business, for example, through a testing or audit function.
c. Internal Controls
i. The Respondent has designed and implemented written policies and procedures outlining its sanctions compliance program. These policies and procedures are relevant to the organization, capture Respondent's day to-day operations and procedures, are easy to follow, and prevent employees from engaging in misconduct.
ii. Respondent has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable Respondent to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into Respondent's internal controls, Respondent has selected and calibrated the solutions in a manner that is appropriate to address Respondent's risk profile and compliance needs, and Respondent routinely tests the solutions to ensure effectiveness.
iii. Respondent commits to enforcing the policies and procedures it implements as part of its sanctions compliance internal controls through internal and/or external audits.
iv. Respondent commits to ensuring that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
v. Respondent commits to ensuring that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
vi. Respondent has clearly communicated the sanctions compliance program's policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of Respondent.
vii. Respondent has appointed personnel to integrate the sanction compliance program's policies and procedures into Respondent's daily operations. This process includes consultations with relevant business units, and ensures that Respondent's employees understand the policies and procedures.
d. Testing and Audit
i. Respondent commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.
ii. Respondent commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of Respondent's OFAC-related risk assessment and internal controls.
iii. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding result pertaining to its sanctions compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
e. Training
i. Respondent commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support Respondent's sanctions compliance efforts.
ii. Respondent commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
iii. Respondent commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile and, at a minimum, at least once a year to all relevant employees.
iv. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, it will take immediate and effective action to provide training to relevant personnel.
v. Respondent's training program includes easily accessible resources and materials that are available to all applicable personnel.
f. Annual Certification
i. On an annual basis, for a period of five years, starting from 180 days after the date the Agreement is executed, a senior-level executive or manager of Respondent will submit to OFAC a certification confirming that Respondent has implemented and continued to maintain the sanctions compliance measures as committed above.
50. Should OFAC determine, in the reasonable exercise of its discretion, that Respondent appears to have materially breached its obligations or made any material misrepresentations under Paragraph 49 above (the "Compliance Commitments"), OFAC shall provide written notice to Respondent of the alleged breach or misrepresentations and provide Respondent with 30 days from the date of Respondent’s receipt of such notice, or longer as determined by OFAC, to determine that no material breach or misrepresentations has occurred or that any breach or misrepresentation has been cured.
51. In the event OFAC determines that a material breach of, or misrepresentation in, this Agreement has occurred due to a failure to perform the Compliance Commitments, OFAC will provide notice to Respondent of its determination and whether OFAC is re-opening its investigation. The statute of limitations applying to the Apparent Violations shall be deemed tolled until a date 180 days following Respondent's receipt of notice of OFAC's determination that a breach of, or misrepresentation in, this Agreement has occurred.
52. Should the Respondent engage in any other violations of the sanctions laws and regulations administered by OFAC - including those that are either apparent or alleged - OFAC may consider Respondent's sanctions history, or its failure to employ an adequate sanctions compliance program or appropriate remedial measures, associated with this Agreement as a potential aggravating factor consistent with the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, Appendix A.
53. This Agreement shall not in any way be construed as an admission by Respondent that Respondent engaged in the Apparent Violations.
54. This Agreement has no bearing on any past, present, or future OFAC actions, including the imposition of civil monetary penalties, with respect to any activities by Respondent other than those set forth in the Apparent Violations.
55. OFAC may, in its sole discretion, post on OFAC's website this entire Agreement and/or issue a public statement about the factors of this Agreement, including the identity of any entities involved, the settlement amount. and a brief description of the Apparent Violations.
56. This Agreement consists of 18 pages, and expresses the complete understanding of OFAC and Respondent regarding resolution of OFAC's enforcement matter involving the Apparent Violations. No other agreements, oral or written, exist between OFAC and Respondent regarding resolution of this matter.
57. This Agreement shall inure to the benefit of and be binding on each party, as well as its respective successors or assigns.
Respondent accepts the terms of this Settlement Agreement this 14th day of April, 2019
[SIGNATURES]
Notes:
1) For consolidated comment on the UniCredit Bank AG (Germany) case, see Civil Enforcement Information - UniCredit Bank AG (Settlement 1 of 3 in web post) (2019).
2) The system version of this settlement agreement is broken into two parts due to length. As of the date it was issued, it is the only document in the system so divided.