COMPL-2017-603768
SETTLEMENT AGREEMENT
This settlement agreement (the "Agreement") is made by and between the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and UniCredit Bank Austria AG ("Bank Austria").
I. PARTIES
1. OFAC administers and enforces economic sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and proliferators of weapons of mass destruction, among others. OFAC acts under Presidential national emergency authorities, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction.
2. Bank Austria is the Austrian subsidiary of UniCredit S.p.A., the parent company of the UniCredit Group headquartered in Milan, Italy. Bank Austria is headquartered in Vienna, Austria.
II. APPARENT VIOLATIONS
3. OFAC conducted an investigation of Bank Austria in connection with more than 120 transactions processed to or through the United States or involving U.S. financial institutions in apparent violation of various OFAC sanctions programs.
4. OFAC determined that Bank Austria did not voluntarily self-disclose the Apparent Violations, the Apparent Violations identified below in Paragraph 15 constitute a non-egregious case, and the Apparent Violations identified below in Paragraphs 16-20 constitute an egregious case.
III. FACTUAL STATEMENT
5. For a number of years, up to and including 2012, Bank Austria processed transactions through U.S. financial institutions that involved countries, entities, or individuals subject to the sanctions programs administered by OFAC. Bank Austria appears to have engaged in conduct that removed, omitted, or did not reveal references to, or the interest or involvement of sanctioned parties in U.S. Dollar ("USD") payment messages sent through U.S. financial institutions. The specific payment practices the bank utilized in order to process sanctions related payments to or through the United States included the use of Society for Worldwide Interbank Financial Telecommunications ("SWIFT") Message Type (MT) 202 cover payment messages that did not reference the involvement of sanctioned parties or jurisdictions and executing payments related to trade finance agreements that did not identify the involvement of sanctioned parties or countries subject to the sanctions programs administered by OFAC to or through U.S. financial institutions in apparent violation of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560; the Sudanese Sanctions Regulations, 31 C.F.R. Part 538; the Burmese Sanctions Regulations, 31 C.F.R. Part 537; the Syrian Sanctions Regulations, 31 C.F.R. Part 542; and the Cuban Assets Control Regulations, 31 C.F.R. Part 515.
6. Bank Austria's use of non-transparent payment practices began as early as 1998, when the bank drafted a policy to address instances in which payments were stopped in the United States due to references in the payment instructions to OFAC-sanctioned countries. Bank Austria identified a policy from 2000, which replaced earlier versions published in 1998 and 1999 and provided instructions for processing commercial payments involving U.S. financial institutions including an instruction to replace the ordering party's information with a generic phrase, thereby obfuscating the nexus to a jurisdiction subject to sanctions programs administered by OFAC. While the 2000 policy was believed to be superseded by subsequent instructions, it appears Bank Austria continued to use, for a limited number of payments, nontransparent payment practices until 2012.
7. Prior to mid-2009, UniCredit S.p.A. appears to have addressed sanctions risk management within the banking group by issuing specific sanctions guidance documents to individual financial institutions and business lines. Beginning in 2009, the UniCredit Group began to incorporate restrictions imposed by the sanctions programs administered by OFAC into its compliance policies. On June 23, 2009, UniCredit S.p.A. issued a group-wide sanctions compliance policy, entitled "Anti money laundering and countering of terrorist financing." The group-wide policy included the requirement for entities operating outside of the United States to adopt the same cautions as those within the United States, explicitly referencing "OFAC lists," but also allowed for Holding Companies to issue exceptions, known as non-binding opinions (NBO) which had to be approved by the Reputational Risk Committee. Bank Austria applied for an exception to the implementing compliance requirements regarding non-U.S. dollar payments involving specific Iranian banks, stating conflicts between so doing and compliance with local law requirements, as well as the importance of maintaining Bank Austria's relationships with Iranian banks, including reasons for income generation, continuity of services to clients with business ties to Iran, and combatting disadvantages stemming from certain bank competitors continuing to maintain their own relationships with Iranian banks. The UniCredit Group Risk Committee approved the NBO in support of Bank Austria, which stated that existing business with Iranian entities and Iranian financial institutions could continue, but should be processed in Euro (EUR) or in currencies other than USD. After June 2009, however, Bank Austria processed eight outbound payments involving a sanctioned person or financial institution through the United States.
8. Between 2010 and 2014, the UniCredit Group issued additional group-wide policies that addressed sanctions issues, including the sanctions programs administered by OFAC. During this period, Bank Austria appears to have requested exceptions to the more stringent sanctions policies and noted its deviation from the group-wide policies. On multiple occasions, Bank Austria noted that the bank maintained relationships with entities and individuals subject to the sanctions programs administered by OFAC, as well as entities and individuals headquartered and located in countries subject to the sanctions programs administered by OFAC. In a May 4, 2011 presentation to the Bank Austria Management Board, Bank Austria explained the bank's rationale for not ceasing business with such entities, financial institutions, and individuals after the imposition of OFAC sanctions, and stated that Bank Austria Customer Relationship Managers strongly supported the maintenance of relationships with both banks and individuals subject to OFAC sanctions at the reduced levels at which the Bank was conducting such business at that time. In addition, Bank Austria opined on multiple occasions that the sanctions programs administered by OFAC were not legally binding or relevant to Bank Austria.
9. From 2007 to 2012, Bank Austria processed transactions to or through the United States on behalf of financial institutions and other parties on OFAC's List of Specially Designated Nationals and Blocked Persons (the "SDN List") or located in countries subject to comprehensive OFAC sanctions at the time the payments occurred. Bank Austria appears to have engaged in a pattern or practice of processing USD transactions on behalf of OFAC-sanctioned parties in a manner that did not reveal the involvement of the sanctioned parties from intermediary financial institutions located in the United States.
10. Bank Austria processed a number of transactions to or through the United States pursuant to standard settlement instructions from Iranian banks instructing Bank Austria not to mention identifying information related to OFAC-sanctioned countries by routing SWIFT MT103s (which included underlying party information) directly to foreign correspondents and routing MT202s, which did not reference underlying sanctioned parties or countries, through U.S. financial institutions, thereby not revealing the involvement of the parties or countries subject to the sanctions programs administered by OFAC. Bank Austria also appears to have processed treasury payments through the United States on behalf of Iranian bank customers in a manner different from how it processed other treasury payments. The bank's standard process involved sending a single MT202 through any intermediary parties and ultimately to the beneficiary financial institution; however, Bank Austria's process for Iranian treasury payments was to effect two separate MT202s - one of which it sent through the U.S. intermediary financial institution (without a reference to the Iranian bank) and the second of which it sent to the ultimate beneficiary bank (with a reference to the Iranian bank).
11. In November 2009, SWIFT implemented the use of a new form of cover payment message (called the "MT202COV"), which fully disclosed sender and receiver information to third-party banks, including U.S. banks, designed to allow financial institutions wanting to use cover payments for commercial reasons the ability to provide complete transactional transparency to their upstream correspondents. On multiple occasions, Bank Austria discussed the new MT202COV and how the bank would continue to process payments involving customers or transactions subject to U.S. sanctions. On November 9, 2009, an employee in Bank Austria's Foreign Payments Department requested clarification from another Foreign Payments Department employee on the processing of transactions on behalf of a specific customer of Bank Austria. In a conversation regarding the processing of transactions on behalf of Syrian banks, a Bank Austria employee stated that after a conversation with UniCredit Group employees, it was decided that Bank Austria should not change the payment processing procedures with Syrian banks in response to the implementation of the MT202COV.
12. Between at least 2009 and 2012, Bank Austria resubmitted six payments after a U.S. financial institution rejected the initial payment instructions, in which Bank Austria modified payment messages to remove references to sanctioned parties, routed the resubmitted payment through a U.S. financial institution, and did not include a reference to an OFAC sanctioned country or party in the second set of payment instructions. In one such instance, Bank Austria appears to have replaced the Iranian address of the ordering party with an address in Austria in the resubmitted payment. In another instance, Bank Austria appears to have modified a beneficiary's address from Tehran, in the original payment, to Dubai in the resubmitted payment.
13. In addition to conducting commercial payment business through the United States on behalf of financial institutions and entities subject to OFAC sanctions, Bank Austria also conducted trade finance transactions through the United States involving such entities. Under certain trade finance agreements, Bank Austria processed USD transactions involving OFAC-sanctioned countries using MT202 cover payments through the U.S. financial system in apparent violation of the sanctions programs administered by OFAC. As a matter of practice, as the issuer or confirming bank of the letters of credit, Bank Austria had in its possession documentation associated with the purpose of the trade finance instrument and the transactions it financed, including the involvement of OFAC-sanctioned countries, and therefore had reason to know of the sanctions nexus at the time the bank processed the payments. However, Bank Austria processed the transactions pursuant to letters of credit through financial institutions located in the United States without reference to the underlying trade with OFAC-sanctioned countries.
14. The majority of trade finance transactions subject to this investigation were processed by Bank Austria pursuant to letters of credit it had issued or confirmed on behalf of its customers Liechtenstein Corporate I and its subsidiary, Hong Kong Corporate I (herein referred to collectively as "Liechtenstein Corporate I"), an exporter of cotton from suppliers in Central Asia to "Far East countries," including Bangladesh, Pakistan, China, and Turkey. Correspondence with clients and trade agreements between Bank Austria and Liechtenstein Corporate 1 as early as 2010 documented the transshipment of goods through Iran. As a result, Bank Austria had knowledge or reason to know of the Iranian nexus to these transactions prior to processing them. On March 27, 2012, Bank Austria submitted a request to the Austria Reputational Risk Committee for an exception from then-current sanctions policies to continue its business with Liechtenstein Corporate 1, a customer Bank Austria employees identified as an important top client due to the amount of revenue it generated for the bank. The application for exception explained the cotton at issue in the transactions was stored in Bandar Abbas, Iran, as well as the business reasons for the transshipment through Iran, such as increased costs of alternate routes, and further noted that "Bandar Abbas," the Iranian port, was no longer mentioned in the relevant trade documents.
Pursuant to the practices described above:
15. From on or about December 10, 2008, to on or about March 26, 2012, Bank Austria processed 60 electronic funds transfers in the aggregate amount of $68,934,664.76 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation, reexportation, sale, or supply of any goods, technology, or services from the United States to a person in a third country undertaken with knowledge or reason to know that such goods, technology, or services are intended specifically for supply, transshipment, or reexportation, directly or indirectly, to Iran, 31 C.F.R. § 560.204.
16. From on or about January 8, 2007, to on or about January 12, 2010, Bank Austria processed 26 electronic funds transfers in the aggregate amount of $1,651,712.28 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation, directly or indirectly, of any services from the United States to Sudan, 31 C.F.R. § 538.205.
17. From on or about January 3, 2007, to on or about November 13, 2012, Bank Austria processed 25 electronic funds transfers in the aggregate amount of $1,735,559.74 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation of services from the United States to Iran, 31 C.F.R. § 560.204.
18. From on or about January 22, 2007, to on or about December 11, 2008, Bank Austria processed eight electronic funds transfers in the aggregate amount of $34,215.54 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation, directly or indirectly, of any financial services from the United States to Burma, 31 C.F.R. § 537.202.
19. From on or about August 17, 2011, to on or about September 7, 2011, Bank Austria processed four electronic funds transfers in the aggregate amount of $2,766,718.64 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation, directly or indirectly, of any services from the United States to Syria, 31 C.F.R. § 542.207.
20. From on or about April 27, 2007, to on or about February 20, 2009, Bank Austria processed four electronic funds transfers in the aggregate amount of $142,548.04 to or through financial institutions located in the United States in apparent violation of the prohibitions against the dealing in property in which Cuba or a Cuban national has an interest, 31 C.F.R. § 515.201.
21. UniCredit S.p.A., as the parent company of Bank Austria and the UniCredit Group, has taken remedial action by prioritizing compliance from the top levels of the bank's senior management, incorporating compliance adherence into all employees' goal setting forms, redesigning its compliance framework and supporting policies, increasing the frequency and content of its employee training program, including enhanced in-person training requirements for targeted employees and required online training for all employees, developing a risk assessment methodology based on customer base, product, and geographies, enhancing its screening capabilities, and developing a helpline and communication channels for whistleblowers, as well as Group Compliance communications to employees around the responsibility and opportunity for employees to report unacceptable conduct.
IV. TERMS OF SETTLEMENT
OFAC and Bank Austria (hereafter referred to as "Respondent") agree as follows:
22. Respondent has terminated the conduct outlined in paragraphs 5-14 above and has established, and agrees to maintain, policies and procedures that prohibit, and are designed to minimize the risk of the recurrence of, similar conduct in the future.
23. In consideration of the undertakings of Respondent in paragraph 24 below, Respondent agrees to a settlement in the amount of $20,326,340, and OFAC agrees to release and forever discharge Respondent, without any finding of fault, from any and all civil liability in connection with the Apparent Violations, as described in paragraphs 15-20, arising under the legal authorities that OFAC administers. Respondent's obligation to pay OFAC such settlement amount shall be deemed satisfied up to an equal amount by payments in satisfaction of penalties assessed by U.S. federal officials arising out of the same patterns of conduct during the same time periods.
24. Respondent waives (i) any claim by or on behalf of Respondent, whether asserted or unasserted, against OFAC, the U.S. Department of the Treasury, and/or its officials and employees arising out of the facts giving rise to the enforcement matter that resulted in this Agreement, including but not limited to OFAC's investigation of the Apparent Violations, and (ii) any possible legal objection to this Agreement at any future date.
25. Compliance Commitments: Respondent has terminated the conduct described above and has established, and agrees to maintain, sanctions compliance measures that are designed to minimize the risk of recurrence of similar conduct in the future. Specifically, OFAC and Respondent understand that the following compliance commitments have been made:
a. Management Commitment
i. Respondent commits that senior management has reviewed and approved Respondent's sanctions compliance program.
ii. Respondent commits to ensuring that its senior management, including senior leadership, executives, and/or the board of directors, are committed to supporting Respondent's sanctions compliance program.
iii. Respondent commits to ensuring that its compliance unit(s) are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent's OFAC risk.
iv. Respondent commits to ensuring that its compliance unit(s) receive adequate resources - including in the form of human capital expertise, information technology, and other resources, as appropriate - that are relative to Respondent's breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
v. Respondent commits to ensuring that Senior Management promotes a "culture of compliance" throughout the organization.
vi. Respondent's Senior Management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, and acknowledges its understanding of the apparent violations at issue, and commits to implementing necessary measures to reduce the risk of reoccurrence of similar conduct and apparent violations from occurring in the future.
b. Risk Assessment
i. Respondent conducts an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. The risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business.
ii. Respondent has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessments will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business, for example, through a testing or audit function.
c. Internal Controls
i. The Respondent has designed and implemented written policies and procedures outlining its sanctions compliance program. These policies and procedures are relevant to the organization, capture Respondent's day-to-day operations and procedures, are easy to follow, and prevent employees from engaging in misconduct.
ii. Respondent has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable Respondent to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into Respondent's internal controls, Respondent has selected and calibrated the solutions in a manner that is appropriate to address Respondent's risk profile and compliance needs, and Respondent routinely tests the solutions to ensure effectiveness.
iii. Respondent commits to enforcing the policies and procedures it implements as part of its sanctions compliance internal controls through internal and/or external audits.
iv. Respondent commits to ensuring that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
v. Respondent commits to ensuring that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
vi. Respondent has clearly communicated the sanctions compliance program's policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of Respondent.
vii. Respondent has appointed personnel to integrate the sanctions compliance program's policies and procedures into Respondent's daily operations. This process includes consultations with relevant business units, and ensures that Respondent's employees understand the policies and procedures.
d. Testing and Audit
i. Respondent commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.
ii. Respondent commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of Respondent's OFAC-related risk assessment and internal controls.
iii. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding result pertaining to its sanctions compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
e. Training
i. Respondent commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support Respondent's sanctions compliance efforts.
ii. Respondent commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
iii. Respondent commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile and, at a minimum, at least once a year to all relevant employees.
iv. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, it will take immediate and effective action to provide training to relevant personnel.
v. Respondent's training program includes easily accessible resources and materials that are available to all applicable personnel.
f. Annual Certification
i. On an annual basis, for a period of five years, starting from 180 days after the date the Agreement is executed, a senior-level executive or manager of Respondent will submit to OFAC a certification confirming that Respondent has implemented and continued to maintain the sanctions compliance measures as committed above.
26. Should OFAC determine, in the reasonable exercise of its discretion, that Respondent appears to have materially breached its obligations or made any material misrepresentations under Paragraph 27 above (the "Compliance Commitments"), OFAC shall provide written notice to Respondent of the alleged breach or misrepresentations and provide Respondent with 30 days from the date of Respondent's receipt of such notice, or longer as determined by OFAC, to determine that no material breach or misrepresentations has occurred or that any breach or misrepresentation has been cured.
27. In the event OFAC determines that a material breach of, or misrepresentation in, this Agreement has occurred due to a failure to perform the Compliance Commitments, OFAC will provide notice to Respondent of its determination and whether OFAC is re-opening its investigation. The statute of limitations applying to the Apparent Violations shall be deemed tolled until a date 180 days following Respondent's receipt of notice of OFAC's determination that a breach of, or misrepresentation in, this Agreement has occurred.
28. Should the Respondent engage in any other violations of the sanctions laws and regulations administered by OFAC - including those that are either apparent or alleged - OFAC may consider Respondent's sanctions history, or its failure to employ an adequate sanctions compliance program or appropriate remedial measures, associated with this Agreement as a potential aggravating factor consistent with the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, Appendix A.
29. This Agreement shall not in any way be construed as an admission by Respondent that Respondent engaged in the Apparent Violations.
30. This Agreement has no bearing on any past, present, or future OFAC actions, including the imposition of civil monetary penalties, with respect to any activities by Respondent other than those set forth in the Apparent Violations.
31. OFAC may, in its sole discretion, post on OFAC's website this entire Agreement and/or issue a public statement about the factors of this Agreement, including the identity of any entities involved, the settlement amount, and a brief description of the Apparent Violations.
32. This Agreement consists of 10 pages, and expresses the complete understanding of OFAC and Respondent regarding resolution of OFAC's enforcement matter involving the Apparent Violations. No other agreements, oral or written, exist between OFAC and Respondent regarding resolution of this matter.
33. This Agreement shall inure to the benefit of and be binding on each party, as well as its respective successors or assigns.
[signatures]
1) For consolidated comment on the UniCredit Bank Austria AG case, see Civil Enforcement Information - UniCredit Bank Austria AG (Settlement 2 of 3 in web post) (2019).