State Street Bank and Trust Company, which has many non-US branches and non-US affiliated banks, has received a 'finding of violation,' but no punishment, from the US Treasury's Office of Foreign Assets Control for breaking US sanctions against Iran. It has since made amends, as detailed in a recent Wolfsberg Questionnaire.

Between 1 January 2012 and 1 September 2015, according to OFAC, State Street acted as trustee for a customer’s employee retirement plan. In this capacity, it processed at least 45 pension payments totalling $11,365.44 to a plan participant who was a US citizen with a US bank account, but who was resident in Iran, in breach of sections 560.204 and 560.410 of the Iranian Transactions and Sanctions Regulations. State Street told OFAC about the small matter of its own accord. No monetary penalty ever springs from a "finding of violation."

State Street, according to the Treasury, appears to have known that it was sending payments to account at the request of or for the benefit of a person in Iran, not only because its internal system indicated that the beneficiary’s address was in Teheran, but also because its sanction-screening software produced an alert on each of the 45 payments due to the  Iranian address. Bank staff who oversaw the "beneficiary payments," as the Treasury calls them, were part of the business unit that had the business relationship with the retirement plan and used their own sanction-screening filter instead of State Street’s centralised sanction-screening system - something that OFAC appears not to like.   

Furthermore, the routine 'escalation' (the referral of problems upwards) procedures for the staff obliged them to refer  possible sanctions list matches to the compliance people who were aligned with the line of business - i.e. compliance people who were not sanctions specialists - rather than people in the central sanctions compliance unit who were. Even when the Federal Reserve Bank of Boston told the bank about a related issue pertaining to bad escalation procedures, it did nothing.

Things went wrong from there. State Street's "OFAC Compliance Programme" was therefore deeply flawed and the bank told OFAC about it. In 2015 it started "to ensure that all RSS payments are now screened by its central screening platform, eliminating disparities in the initial review process and that alerts with a sanctions nexus are handled through its central alert dispositioning process, which includes escalation to [its] central sanctions compliance unit for potential true hits."

On the slightly positive side of the ledger, OFAC did not detect evidence of any managers or supervisors at the bank actually being aware of the conduct that led to the violations; the bank's screening filter did identify and alert staff about money going to a sanctioned jurisdiction; the payments at issue might not have actually gone to Iran (though they were made on behalf of a person there); there is a chance that "the funds transfers could have become licensed," whatever that means; and the bank was very co-operative with OFAC once all was revealed.

The Wolfsberg Questionnaire

Evidence of the State Street's OFAC compliance reforms can be found in a remarkable document that it released around this time last year. In April the bank completed the Wolfsberg Questionnaire, which contains an overview of its anti-money-laundering policies and practices. Many financial institutions do this to impress HNW customers and shareholders. The Wolfsberg Group is an association of more than a dozen globally active private banks that makes pronouncements about financial crime.

In its self-assessment, State Street's global chief AML officer (C Michael Raffa) says yes to all 28 of Wolfsberg's stipulations. Its AML compliance 'programme' (plan of action) is approved by either its board or a senior committee (State Street declines to say which) and makes provision for a named 'officer' of the company who oversees its AML efforts. There are written AML policies in place and internal auditors (or perhaps some other external company - State Street is ambivalent on the subject) to assess adherence to it.

Moreover, the bank has policies to cut out dealings with shell banks, to cover relationships with politically-exposed persons (PEPs), their families and close associates, and record-retention procedures that comply with applicable laws. It applies its AML policies and practices to all branches and subsidiaries worldwide. It makes a risk-based assessment of its customer base and the transactions thereof, determining the appropriate level of "enhanced due diligence" or EDD to be applied to highly risky customers and transactions. It tries to identify those customers on whose behalf it operates accounts, requires its staff to collect information about customers' business activities, assesses its customers' AML efforts, reviews information about risky customers, opens records for all new customers that contain identifying documents and other "know-your-customer" (KYC) information, and completes a risk-based assessment on every customer to form an opinion about his transactional habits.

Additionally, State Street identifies and reports all the transactions that it has to in accordance with various countries' laws. Wherever cash transaction reporting is compulsory, it has procedures to spot 'structuring' (which happens when customers split transactions up to push them below the reporting threshold). It screens customers and transactions against lists of persons, entities and countres issued by all relevant governments, ensures that it only strikes up relationships with correspondent banks that possess licences to operate in their countries of origin, and uses SWIFT MT202/202COV and MT205/205COV message formats properly, adhering to the "Wolfsberg transparency principles" as well.

The four standards for payment messaging

State Street declares that it meets four "payment message standards," set by Wolfsberg in 2007, in the following ways.

• It does not omit, delete or alter information in payment messages for the purpose of avoiding detection of that information by any other financial institution in the payment process.
• It does not use any particular payment message for the purpose of avoiding detection of information by any other financial institution in the payment process.
• Subject to applicable laws, it co-operates as fully as practicable with other financial institutions inthe payment process when "requesting to provide information about the parties involved" (Wolfsberg's own slightly confusing words).
• It strongly encourages its correspondent banks to observe these principles.