COMPL-2017-604694

SETTLEMENT AGREEMENT

This settlement agreement (the "Agreement") is made by and between the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and UniCredit S.p.A.

I. PARTIES

1. OFAC administers and enforces economic sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and proliferators of weapons of mass destruction, among others. OFAC acts under Presidential national emergency authorities, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction.

2. UniCredit S.p.A. is the parent company of the UniCredit Group, headquartered in Milan, Italy.

II. APPARENT VIOLATIONS

3. OFAC conducted an investigation of UniCredit S.p.A. in connection with more than 600 transactions processed to or through the United States or involving U.S. financial institutions in apparent violation of various OFAC sanctions programs.

4. OFAC determined that UniCredit S.p.A. did not voluntarily self-disclose the Apparent Violations and that the Apparent Violations constitute an egregious case.

III. FACTUAL STATEMENT

5. For a number of years, up to and including 2012, UniCredit S.p.A. processed hundreds of transactions through U.S. financial institutions that involved countries, entities, and/or individuals subject to the sanctions programs administered by OFAC. UniCredit S.p.A. appears to have engaged in conduct that removed, omitted, or did not reveal references to, or the interest or involvement of, sanctioned parties in U.S. Dollar ("USD") payment messages sent to or through U.S. financial institutions. The specific payment practices the bank utilized in order to process sanctions related payments to or through the United States included the use of Society for Worldwide Interbank Financial Telecommunication ("SWIFT") Message Type (MT) 202 cover payment messages that did not reference the involvement of sanctioned parties or jurisdictions; executing payments pursuant to trade finance agreements that did not identify the involvement of sanctioned parties or countries subject to the sanctions programs administered by OFAC; and executing commercial transactions with knowledge of interests of countries or entities subject to the sanctions programs administered by OFAC by sending USD payment messages through U.S. financial institutions omitting any reference to such interests. UniCredit S.p.A. conducted transactions in this manner in apparent violation of the Cuban Assets Control Regulations, 31 C.F.R. Part 515; the Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560; the Burmese Sanctions Regulations, 31 C.F.R. Part 537; the Sudanese Sanctions Regulations, 31 C.F.R. Part 538; and the Syrian Sanctions Regulations, 31 C.F.R. Part 542.
6. During the course of an internal transaction and conduct review, UniCredit S.p.A. provided information indicating that, prior to 2009, the bank addressed sanctions risk management within the banking group by issuing specific sanctions guidance documents to individual financial institutions and business lines that primarily pertained to European Union (EU) and United Nations (UN) sanctions programs, and some documents prohibited or advised against USD transactions on behalf of sanctioned entities. Beginning in 2009, the UniCredit Group began to incorporate restrictions imposed by the sanctions programs administered by OFAC into its compliance policies. On June 23, 2009, UniCredit S.p.A. issued a group-wide sanctions compliance policy, entitled "Anti money laundering and countering of terrorist financing." The group-wide policy included the requirement for entities operating outside of the United States to adopt the same cautions as those within the United States, explicitly referencing "OFAC lists," but also allowed for the Holding Company to issue exceptions, known as non-binding opinions (NBO), which had to be approved by the Reputational Risk Committee permitting, in this context, certain non-U.S. entities to conduct transactions in non-U.S. currency with entities on the U.S. sanctions lists or non-sanctioned entities located in sanctioned countries.
7. UniCredit S.p.A. applied for an exception to the compliance requirements allowing UniCredit S.p.A. to continue processing transactions in Euro (EUR) and currencies other than USD. UniCredit S.p.A.’s application for exception focused specifically on a limited number of financial institutions, including banks located in Burma, Cuba, Iran, Sudan, and Syria, citing claims that without the exception, the bank would be "forced to close... all the correspondent banking activity" pertaining to certain clients. The UniCredit Group Risk Committee approved the NBO in support of UniCredit S.p.A. that pertained only to the Syria­related portions of the bank's request for an exception. The NBO further explained that certain transactions would be authorized for two specific banks located in Syria, but required the transactions be expressed in EUR or currencies other than USD. No transactions pursuant to this NBO are included in the Apparent Violations that are the subject of this agreement.
8. From 2009 to 2014, the UniCredit Group continued to distribute group-wide policies that clearly addressed OFAC sanctions concerns and restricted the processing of transactions denominated in USD on behalf of entities and individuals subject to OFAC sanctions. However, OFAC's assessment is that UniCredit S.p.A. did not enforce the policies sufficiently and continued to process USD transactions, largely related to export and import of non-controlled goods from or to Cuba and Iran, in apparent violation of various sanctions programs administered by OFAC and in contravention of the UniCredit Group policies until at least 2012.
9. From 2007 to 2012, UniCredit S.p.A. processed forty-nine transactions to or through the United States on behalf of financial institutions and other parties on OFAC's List of Specially Designated Nationals and Blocked Persons (the "SDN List") and 656 transactions on behalf of entities located in countries subject to comprehensive OFAC sanctions at the time the payments occurred or related to shipments of non-controlled goods to or from those countries.
10. Prior to 2008, UniCredit S.p.A. processed a number of transactions to or through U.S. financial institutions on behalf of sanctioned parties by using SWIFT MT202 payments to process the payment or as cover payments for MTI103 payments. By utilizing this payment structure, UniCredit S.p.A. ensured that references to sanctioned parties were only included in the MT103s, which it sent directly to non-U.S. beneficiary institutions. Intermediary financial institutions located in the United States only received the MT202s, which did not reference underlying sanctioned parties involved in the transactions.
11. In 2007, UniCredit S.p.A. used MT202 cover payment messages when the bank executed a transaction destined for an entity located in Iran by sending an MT103, which disclosed the ultimate beneficiary's location in Iran, directly to UniCredit S.p.A.'s U.S. correspondent bank. The UniCredit Group employees determined UniCredit S.p.A. processed the payment through its U.S. correspondent bank due to a "correction" in the payment processing system that had been set to send USD payments through UniCredit S.p.A.'s U.S. correspondent bank using MT103 payment messages rather than the typical MT202 cover payments. Between December 4, 2007 and December 6, 2007, UniCredit Group employees discussed the use of the MT103 payment message for payments sent to its U.S. correspondent and the possibility of funds being frozen due to sanctions concerns with that processing method. In a December 4, 2007 email, a UniCredit Group employee in the UniCredit Global International Service Division stated that when processing payments using an MT103 to the U.S. correspondent bank, "the network should not insert the Iranian address of the beneficiary or the correction must be removed." UniCredit S.p.A. ultimately decided to remove the "correction" requiring MT103 payment messages to the bank's U.S. correspondent and maintained processing payments by sending MT202 cover payments to another U.S. correspondent bank.
12. Similarly, UniCredit S.p.A. resubmitted approximately seven payments that constituted Apparent Violations after a U.S. financial institution rejected the initial payment instructions, in which UniCredit S.p.A. modified payment messages to remove references to sanctioned parties, routed the resubmitted payment through a U.S. financial institution, and did not include a reference to an OFAC-sanctioned country or party in the second set of payment instructions. In multiple instances between 2008 and 2011, UniCredit S.p.A. resubmitted payments by manipulating an entity or individual's address located in a country subject to OFAC sanctions or omitting a reference to a sanctioned country in the payment details, thereby concealing the involvement of a sanctioned party or country.
13. In addition to the use of MT202 cover payment messages to process payments through U.S. financial institutions, UniCredit S.p.A. processed small salary payments on behalf of its client, an entity organized under Italian law and located in Italy that was wholly owned by the Government of Iran. Although aware through its KYC processes that the company was owned by the Government of Iran, UniCredit S.p.A. nevertheless processed the payments including the entity's name and address in Italy but without any reference to the entity's ownership by the Government of Iran. During a May 10, 2017 meeting with OFAC, the bank's counsel stated that "the bank did realize it was an Iranian-owned entity" at the time it originated the USD payments to be processed through the United States.
14. UniCredit S.p.A. also processed USD transactions through the United States pursuant to letters of credit involving the delivery of goods to and from countries subject to OFAC sanctions. As a matter of practice, as the issuer of the letters of credit, UniCredit S.p.A. had in its possession documentation associated with the purpose of the trade finance instrument and the transactions it financed. The majority of transactions at issue in this case related to one customer and its partially owned subsidiary. UniCredit S.p.A. structured a business arrangement in which the bank issued letters of credit on behalf of the company for the delivery of goods to Cuba, processed transactions pursuant to the letters of credit as well as commercial transactions to third-party exporters for the delivery of goods to Cuba, and received reimbursement of such payments from the partially owned subsidiary. It appears that UniCredit S.p.A. processed the payments through financial institutions in the United States without including any references to the underlying trade with OFAC-sanctioned countries.

Pursuant to the practices described above:

15. From on or about January 10, 2007, to on or about December 31, 2012, UniCredit S.p.A. processed 478 electronic funds transfers in the aggregate amount of $42,156,832.99 to or through financial institutions located in the United States in apparent violation of the prohibitions against the dealing in property in which Cuba or a Cuban national has an interest, 31 C.F.R. § 515.201.
16. From on or about November 9, 2007, to on or about November 9, 2011, UniCredit S.p.A. processed 78 electronic funds transfers in the aggregate amount of $2,904,292.37 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation of services from the United States to Iran, 31 C.F.R. § 560.204.
17. From on or about November 9, 2007, to on or about January 15, 2009, UniCredit S.p.A. processed three electronic funds transfers in the aggregate amount of $2,728,538.20 to or through financial institutions located in the United States in apparent violation of the prohibition against transactions involving blocked property involving an interest of Iran, 31 C.F.R. § 560.211.
18. From on or about May 19, 2009, to on or about June 1, 2009, UniCredit S.p.A. processed two electronic funds transfers in the aggregate amount of $196,155.61 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation, reexportation, sale, or supply of any goods, technology, or services from the United States to a person in a third country undertaken with knowledge or reason to know that such goods, technology, or services are intended specifically for supply, transshipment, or reexportation, directly or indirectly, to Iran, 31 C.F.R. § 560.204.
19. From on or about February 12, 2007, to on or about January 13, 2012, UniCredit S.p.A. processed 41 electronic funds transfers in the aggregate amount of $1,455,348.01 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation, directly or indirectly, of any financial services from the United States to Burma, 31 C.F.R. § 537.202.
20. From on or about June 8, 2007, to on or about July 20, 2011, UniCredit S.p.A. processed eight electronic funds transfers in the aggregate amount of $362,597.51 to or through financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation, directly or indirectly, of any services from the United States to Sudan, 31 C.F.R. § 538.205.
21. From on or about September 8, 2011, to on or about September 19, 2011, UniCredit S.p.A. processed two electronic funds transfers in the aggregate amount of $113,823 to or though financial institutions located in the United States in apparent violation of the prohibitions against the exportation or reexportation, directly or indirectly, of any services from the United States to Syria, 31 C.F.R. §542.207.
22. UniCredit S.p.A. has taken remedial actions by prioritizing compliance from the top levels of the bank's senior management, incorporating compliance adherence into all employees' goal setting forms, redesigning its compliance framework and supporting policies, increasing the frequency and content of its employee training program, including enhanced in­ person training requirements for targeted employees and required online training for all employees, developing a risk assessment methodology based on customer base, product, and geographies, enhancing its screening capabilities, and developing a helpline and communication channels for whistleblowers, as well as Group Compliance communications to employees around the responsibility and opportunity for employees to report unacceptable conduct.

IV. TERMS OF SETTLEMENT

OFAC and UniCredit S.p.A. (hereafter referred to as "Respondent") agree as follows:

23. Respondent has terminated the conduct outlined in paragraphs 5-14 above and has established, and agrees to maintain, policies and procedures that prohibit: and are designed to minimize the risk of the recurrence of, similar conduct in the future.
24. Respondent agrees to provide OFAC with copies of all submissions to the Board of Governors of the Federal Reserve System (the "Board of Governors") in the same form provided to the Board of Governors pursuant to the "Order to Cease and Desist Issued upon Consent Pursuant to the Board of Governors" (Docket Nos. 19-017-B-FB, 19-017-CMP-FB) relating to the OFAC compliance review, subject to receiving the required approvals and consents from the Board of Governors.
25. In consideration of the undertakings of Respondent in paragraph 26 below, Respondent agrees to a settlement in the amount of $37,316,322, and OFAC agrees to release and forever discharge Respondent, without any finding of fault, from any and all civil liability in connection with the Apparent Violations, as described in paragraphs 15-2 I, arising under the legal authorities that OFAC administers. Respondent's obligation to pay OFAC such settlement amount shall be deemed satisfied up to an equal amount by payments in satisfaction of penalties assessed by U.S. federal officials arising out of the same patterns of conduct during the same time periods.
26. Respondent waives (i) any claim by or on behalf of Respondent, whether asserted or unasserted, against OFAC, the U.S. Department of the Treasury, and/or its officials and employees arising out of the facts giving rise to the enforcement matter that resulted in this Agreement, including but not limited to OFAC's investigation of the Apparent Violations, and (ii) any possible legal objection to this Agreement at any future date.
27. Compliance Commitments: Respondent has terminated the conduct described above and has established, and agrees to maintain, sanctions compliance measures that are designed to minimize the risk of recurrence of similar conduct in the future. Specifically, OFAC and Respondent understand that the following compliance commitments have been made:

a. Management Commitment

Respondent commits that senior management has reviewed and approved Respondent's sanctions compliance program.
i. Respondent commits to ensuring that its senior management, including senior leadership, executives, and/or the board of directors, are committed to supporting Respondent's sanctions compliance program.
ii. Respondent commits to ensuring that its compliance unit(s) are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent's OFAC risk.
iii. Respondent commits to ensuring that its compliance unit(s) receive adequate resources-including in the form of human capital, expertise, information technology, and other resources, as appropriate-that are relative to Respondent's breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
iv. Respondent commits to ensuring that Senior Management promotes a "culture of compliance" throughout the organization.
v. Respondent's Senior Management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, and acknowledges its understanding of the apparent violations at issue, and commits to implementing necessary measures to reduce the risk of reoccurrence of similar conduct and apparent violations from occurring in the future.

b. Risk Assessment

i. Respondent conducts an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. The risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business.
ii. Respondent has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessments will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business, for example, through a testing or audit function.

c. Internal Controls

i. The Respondent has designed and implemented written policies and procedures outlining its sanctions compliance program. These policies and procedures are relevant to the organization, capture Respondent's day­ to-day operations and procedures, are easy to follow, and prevent employees from engaging in misconduct.
ii. Respondent has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable Respondent to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into Respondent's internal controls, Respondent has selected and calibrated the solutions in a manner that is appropriate to address Respondent's risk profile and compliance needs, and Respondent routinely tests the solutions to ensure effectiveness.
iii. Respondent commits to enforcing the policies and procedures it implements as part of its sanctions compliance internal controls through internal and/or external audits.
iv. Respondent commits to ensuring that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
v. Respondent commits to ensuring that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
vi. Respondent has clearly communicated the sanctions compliance program's policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of Respondent.
vii. Respondent has appointed personnel to integrate the sanction compliance program's policies and procedures into Respondent's daily operations. This process includes consultations with relevant business units, and ensures that Respondent's employees understand the policies and procedures.

d. Testing and Audit

i. Respondent commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.
ii. Respondent commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of Respondent's OFAC-related risk assessment and internal controls.
iii. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding result pertaining to its sanctions compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

e. Training

i. Respondent commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support Respondent's sanctions compliance efforts.
ii. Respondent commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
iii. Respondent commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile and, at a minimum, at least once a year to all relevant employees.
iv. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, it will take immediate and effective action to provide training to relevant personnel.
v. Respondent's training program includes easily accessible resources and materials that are available to all applicable personnel.

f. Annual Certification

On an annual basis, for a period of five years, starting from 180 days after the date the Agreement is executed, a senior-level executive or manager of Respondent will submit to OFAC a certification confirming that Respondent has implemented and continued to maintain the sanctions compliance measures as committed above.
28. Should OFAC determine, in the reasonable exercise of its discretion, that Respondent appears to have materially breached its obligations or made any material misrepresentations under Paragraph 27 above (the "Compliance Commitments"), OFAC shall provide written notice to Respondent of the alleged breach or misrepresentations and provide Respondent with 30 days from the date of Respondent's receipt of such notice, or longer as determined by OFAC, to determine that no material breach or misrepresentations has occurred or that any breach or misrepresentation has been cured.
29. In the event OFAC determines that a material breach of, or misrepresentation in, this Agreement has occurred due to a failure to perform the Compliance Commitments, OFAC will provide notice to Respondent of its determination and whether OFAC is re-opening its investigation. The statute of limitations applying to the Apparent Violations shall be deemed tolled until a date 180 days following Respondent's receipt of notice of OFAC's determination that a breach of, or misrepresentation in, this Agreement has occurred.
30. Should the Respondent engage in any other violations of the sanctions laws and regulations administered by OFAC - including those that are either apparent or alleged - OFAC may consider Respondent's sanctions history, or its failure to employ an adequate sanctions compliance program or appropriate remedial measures, associated with this Agreement as a potential aggravating factor consistent with the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, Appendix A.
31. This Agreement shall not in any way be construed as an admission by Respondent that Respondent engaged in the Apparent Violations.
32. This Agreement has no bearing on any past, present, or future OFAC actions, including the imposition of civil monetary penalties, with respect to any activities by Respondent other than those set forth in the Apparent Violations.
33. OFAC may, in its sole discretion, post on OFAC's website this entire Agreement and/or issue a public statement about the factors of this Agreement. including the identity of any entities involved, the settlement amount, and a brief description of the Apparent Violations.
34. This Agreement consists of 10 pages, and expresses the complete understanding of OFAC and Respondent regarding resolution of OFAC's enforcement matter involving the Apparent Violations. No other agreements, oral or written, exist between OFAC and Respondent regarding resolution of this matter.
35. This Agreement shall inure to the benefit of and be binding on each party, as, well as its respective successors or assigns.

[signatures]