Regulatory intelligence for US exporters

Rising US Enforcement Calls for Better Sanctions Screening, Industry Officials Say

Companies should continue to expect an “aggressive” U.S. sanctions enforcement landscape heading into next year, and should consider increasing the amount of due diligence they undertake if they haven’t already, panelists said during an event last week about sanctions compliance.

Amber Goodrich, a compliance analyst with CSI, said she “absolutely” expects U.S. government agencies in 2025 to continue to impose large penalties for trade violations. Speaking during a webinar hosted by the compliance firm, Goodrich also said companies should expect government agencies to increasingly look to coordinate on investigations.

The Bureau of Industry and Security and DOJ have partnered on a range of export control investigations in recent months through their joint Disruptive Technology Strike Force, including by unveiling charges earlier this month against several people for Russia- and Iran-related export breaches (see 2409170054). And BIS has said it plans to continue to issue large corporate enforcement penalties for export control violations (see 2409120053).

But Goodrich specifically pointed to an enforcement action against Wells Fargo this month by the Office of the Comptroller of the Currency, which said it found “deficiencies” in the bank’s financial crimes risk management practices and anti-money laundering controls, including its suspicious activity reporting and customer due diligence. An agreement between the comptroller and the bank requires Wells Fargo to improve its Bank Secrecy Act and anti-money laundering programs, as well as its U.S. sanctions compliance procedures.

The order, which came after the OCC in 2018 fined Wells Fargo $500 million for “unsafe or unsound practices” stemming from its compliance practices, requires the bank to submit a “written plan” to the OCC within 120 days that outlines the steps it needs to take to “achieve and sustain compliance” with U.S. sanctions administered by the Office of Foreign Assets Control. A “Compliance Committee” created by the bank must review the plan and monitor Wells Fargo’s implementation of those actions at least once every quarter.

The bank also agreed to take other steps to improve its sanctions compliance program, including enhancing sanctions testing, making sure its compliance staff have the “appropriate knowledge, skills, and experience needed,” and a host of other “remedial” measures. Wells Fargo said it has been “working to address a substantial portion of what’s required in the formal agreement, and we are committed to completing the work with the same sense of urgency as our other regulatory commitments.”

Although this enforcement action was levied by the OCC, Wells Fargo could still be “subject to potential violations from OFAC or any of the other regulators as well,” Goodrich said. OFAC fined Wells Fargo nearly $100 million last year for allegedly breaching U.S. sanctions against Iran, Syria and Sudan (see 2303310017).

“We are seeing that joint effort with all of the different regulatory agencies” becoming involved in sanctions violations and “recognizing this is a real issue,” she said.

Goodrich also pointed to the recent expansion of the statute of limitations for civil and criminal violations of U.S. sanctions administered by OFAC, as well as a similar expansion to OFAC recordkeeping requirements that will take effect next year (see 2409110017).

These changes make it “very important” for companies to make sure their “retention programs are up to date and that you're keeping the information that you might need to disprove a potential violation,” Goodrich said. “Just really making sure that everything is being kept, all necessary information is retained in a format that's easily accessible, I think, is going to be really important to prepare for any potential audits.”

Olivia Valone, an enterprise account executive at risk intelligence firm Kharon, said she’s seeing companies “steer” toward conducting more due diligence on their transactions to identify possible sanctions risks. She said part of that effort includes finding all companies that have ties to a sanctioned entity, especially if they’re majority owned by the sanctioned entity.

The “volume” of recent U.S. sanctions designations “has been very significant,” she said, and “creates a big operational burden” for industry compliance departments.

Valone specifically pointed to the more than 400 designations issued by the U.S. in August, targeting people and companies in Russia and across Asia, Europe and the Middle East for aiding Russia’s war effort against Ukraine (see 2408230031). She said Kharon has identified another 170 subsidiaries with ties to those designated companies that weren’t added to any U.S. sanctions list. They include businesses in the U.K., the EU and even the U.S.

She said compliance personnel are increasingly expected to focus on more than just “high-risk jurisdictions” like Russia when conducting due diligence. “This issue is global in nature,” Valone said. “These are, in some cases, pretty sophisticated actors, and they know what are the jurisdictions that they can ultimately use to obfuscate.”

Goodrich recommended that companies first identify their risk through a risk assessment and tailor their compliance program from those results, which should likely include some type of automated customer screening tool. “I don't know that anybody's able to do this manually anymore,” she said.