US Fines Wells Fargo Nearly $100M for 'Unsound' Sanctions Compliance Practices

Along with the fine, the bank, as part of a settlement agreement with OFAC, must submit an annual sanctions compliance certification to the agency for the next five years. Wells Fargo will have to certify that it’s providing “adequate resources” to its compliance department, promoting a “culture of compliance” among senior management and conducting regular risk assessments, audits, training and more.

OFAC said the violations occurred between 2010 and 2015, "when Wells Fargo provided a software system developed by Wells Fargo's predecessor, Wachovia Bank" to a European bank. That bank, which OFAC didn’t name, used the software system to process 124 illegal transactions, including payments that violated the Iranian Transactions and Sanctions Regulations, the Syrian Sanctions Regulations and the now-repealed Sudanese Sanctions Regulations.

The software system stemmed from a 2006 agreement between Wachovia and the European bank in which the parties said the European bank had the “primary responsibility” to screen for “sanctions issues related to transactions processed on its Hosted versions” of the Eximbills software platform. The two banks also agreed the European bank wouldn’t process transactions with sanctioned jurisdictions through its hosted versions of Eximbills, and instead would use only its “own, separate systems, not provided by Wachovia, to manage such transactions.”

The next year, the European bank switched to a single platform to manage all its trade finance services, including those involving sanctioned jurisdictions and people, OFAC said. Wachovia then “specially designed a customized version” of Eximbills for the European bank “to ‘host’ on” its own systems to deal with transactions involving sanctioned jurisdictions. This custom version of Eximbills allowed Wachovia to redirect any potential sanctioned transaction back to the European bank if that bank “inadvertently sent a transaction involving a sanctioned jurisdiction or person to Wachovia's Comprehensive version of Eximbills.”

OFAC said this process led to seven sanctions violations, adding that the European bank “continued to rely on Wachovia's (and then Wells Fargo's) technology infrastructure at the bank's branch in Hong Kong and data facility in North Carolina to manage the 124 non-OFAC-compliant transactions.”

The agency also said there was “no indication” that senior management from Wachovia or Wells Fargo “had actual knowledge” that the European bank was using the platform to process sanctioned transactions. It also said a “lack of clear communications” within Wachovia led to “different interpretations” about whether it would be implicated in any potential sanctions violations involving the platform. “Regardless,” OFAC said, “Wells Fargo's senior management should reasonably have known” the bank was using the platform to conduct transactions with sanctioned parties.

OFAC said that after Wells Fargo acquired Wachovia in 2008, Wells Fargo employees “on multiple occasions” mentioned to senior management the “potential sanctions-related risks arising from the trade insourcing relationships it inherited from Wachovia. Nonetheless, there was no regular or systematic process in place at Wells Fargo to periodically review” whether the European bank was “appropriately screening Hosted trade instruments.”

Although Wells Fargo didn’t stop the European bank from using the platform to process sanctioned transactions until 2015, OFAC said Wells Fargo’s compliance teams “raised questions” about the relationship in the years prior. Around 2010 to 2011, as Wells Fargo began integrating the legacy Wachovia trade services businesses, a consultant told Wells Fargo that “contracts with insourcing clients contained inconsistent anti-money laundering and sanctions compliance clauses,” OFAC said, which “prompted Wells Fargo to begin the process of reviewing and standardizing its insourcing contracts.”

In 2012, Wells Fargo's lawyers “recognized potential parallels” between a “major” OFAC sanctions enforcement action that year and Wells Fargo’s Eximbills platform. Another OFAC enforcement action in 2013 got the “attention” of senior executives, the agency said, “who raised compliance questions” about the Eximbills platform. OFAC said these “discussions resulted in an internal working group,” which determined that the hosted platform was “relatively low-risk,” but they still developed a plan to protect the bank from sanctions risks. This included strengthening sanctions compliance language in “the relevant contracts,” obtaining “periodic certifications that the foreign banks were not placing potentially non-OFAC compliant items on Eximbills” and periodically auditing the foreign banks' Eximbills data.

But OFAC said this plan was never implemented because the recommendations were “rolled into a larger project that was reviewing the trade outsourcing/insourcing business at a more holistic level.” As a result, the European bank continued to process the “non-OFAC-compliant transactions” for at least two more years.

In late 2015, Wells Fargo “finally” discovered the compliance issues during a “business review” of its relationship with the European bank, OFAC said. “The issue was immediately escalated to senior management,” OFAC said, and Wells Fargo “promptly suspended” the bank’s access to Eximbills and submitted a voluntary disclosure to OFAC.

"Wells Fargo is pleased to resolve this legacy matter involving conduct that ended in 2015, which we voluntarily self-reported and fully cooperated with OFAC and the Federal Reserve Board to address,” a Wells Fargo spokesperson said March 31. The $30 million fine by OFAC is the agency’s largest civil penalty since April 2019, when it fined three branches of another bank, UniCredit Group, a combined $611 million for violating sanctions against Myanmar, Cuba, Iran, Libya, Sudan and Syria (see 1904150048).