Investors should worry about sanction violators

The departments of the Treasury and Justice, along with the Federal Reserve, have imposed ever-increasing fines against financial institutions for violating U.S. economic sanctions programs against countries such as Iran, but without apparent effect. Almost each month brings another revelation and fine.

These violations, and resultant fines, flow directly from breakdowns in the financial institutions' internal controls.

Investors should be concerned with the impact that repeated failure by financial institutions to address the risks — financial, operational, regulatory and reputational, and attendant management and board failures — might have on valuation and investor portfolios. Investor due diligence on targeted companies should include a specific focus on economic sanctions compliance as well as close attention to increased regulatory enforcement.

According to Sen. Carl Levin at a July 17 hearing, HSBC Holdings PLC conducted approximately 25,000 transactions totaling $19 billion connected to Iran from 2001 to 2007. Eighty-five percent of the transactions were expunged of references to Iran to avoid scrutiny. In June, ING Bank N.V. paid $619 million in settlement for “apparent” violations of U.S. sanctions against Cuba, Iran, Burma, Sudan and Libya.

If you are Thomas J. Curry, comptroller of the currency, who endured some hard questioning concerning the ability of his office to regulate HSBC, what would you be thinking? If you are Adam J. Szubin, director of the Office of Foreign Assets Control, the agency of the Treasury Department responsible for administering economic sanctions programs, what are you thinking to avoid being a witness at the next hearing?

It seems to me you would begin by looking to see if the fines and penalties assessed have been effective. Perhaps the first thing you would find is that the HSBC and ING cases are not unique. These events follow:

• the $88.3 million penalty assessed by OFAC against J.P. Morgan Chase & Co. in 2011;
• Barclays Bank PLC's $176 million fine in 2010;
• Lloyds Banking Group PLC's $217 million assessment in 2009,
• Credit Suisse AG's $536 million in 2009, and
• Australia and New Zealand Banking Group Ltd.'s fine of $5.75 million in 2009.

This trail of fines begins long before any of HSBC's supposed misdeeds. Your review would quickly persuade you that warnings to the financial institutions community through fines have not engendered better compliance.

Next, you might focus on the once-and-done nature of a fine — once paid it is over — because the money is what gets the publicity in these frequently multijurisdictional cases. For example, the Lloyds case involved the Department of Justice as well as New York state and county authorities, and the U.K.'s Financial Services Authority. And you would come to understand that each settlement required some mix of the financial institution undertaking additional internal controls, hiring external monitors to certify internal auditors' findings (in the case of Lloyds, to the U.K.'s FSA), reporting regularly to OFAC, and agreeing to potential additional penalties should further violations be discovered.

Looking at this history, you would probably come to the conclusion that fines and reporting are not solving the problem of lax internal controls leading to massive violations of multilateral, United Nations-supported, economic sanctions programs. So to avoid the congressional hot seat again, you might ask your staff to provide a list of possible enforcement mechanisms already in regulatory tool boxes that can bring home to financial institutions the need for stronger OFAC compliance. Reminding them that fines and reporting have not worked, a regulator might direct your staff to be creative and to draw on other parts of the executive branch for examples.

Here is what part of that report might look like, short of criminal prosecutions:

1. Increase fines. As the fines imposed to date do not seem to have quelled the violations, perhaps larger ones will. In this age of bank fragility, however, there is a point of diminishing returns to this approach.
2. Increase internal control oversight. Move more quickly to require outside, independent monitors, for longer periods of time and with more stringent reporting requirements.
3. Hold management accountable. This is a management-penalty-box approach. Violations of internal controls reflect management failure, and deviation from the well-managed bank standard. Better coordination among a bank's regulators would result in pressure at the holding company level (overseen by the Federal Reserve), and the national bank level (OCC), etc., on directors and senior managers to take more responsibility for compliance matters. This effort could be implemented through restrictions on pay and bonuses, by requiring different skill sets in senior management, independent directors, among other means.
4. Hold individuals accountable. This is an individual-penalty-box approach. Nothing sends a greater chill through the international business community than the prosecution of individuals for violating anti-corruption laws. In the banking world, the enforcement and regulatory communities have a series of penalties they can apply, from banning an individual from working in the financial services industry for a period of time to prosecution. Even at the time-out level, the reputational damage to an individual would have a strong deterrent effect on other bankers.
5. Emphasize management. Regulators should increase focus on management quality and put this critical factor in supervising banks to use as an enforcement tool.
6. Hold banking licenses in suspense. This is a corporate-penalty-box approach. Restricting a violator's ability to perform some, or all, banking services in a particular jurisdiction for some period of time would affect the financial institution on an on-going basis, reminding the senior management and board of the loss in revenue and market share caused by its failure to implement sound internal controls.
7. Debarment and suspension. This is a version of the “corporate penalty box” involving the normal application of the rule that the government only conducts business with responsible contractors. A finding of “non-responsibility” as a result of an OFAC or interagency penalty for violating sanctions would prevent a bank from performing governmental contract work.

There are other types of penalties, I am sure, that can be considered. The point here is that the ones now being applied do not appear to be deterring banks from engaging in violations of economic sanctions laws. Given these events, regulators should be looking for other ways to promote compliance.

On the private side, this same analysis should encourage financial institutions to appreciate the pressure on the financial institution regulators and OFAC to improve compliance with the economic sanctions programs. Understanding the regulators' position should help compliance officers get senior management agreement to the proposition that an ounce of prevention spent auditing and enforcing internal controls will probably be worth more than the pound of cure dished out later by a bank's regulator.

D.E. Wilson Jr. is a partner in the Washington office of the Venable LLP law firm. With the Department of the Treasury, he was principal deputy assistant secretary for management from 1985 to 1986 and deputy and acting general counsel from 1986 to 1988.