The penalty:
Western Union Financial Services, Inc. Settles Potential Civil Liability for Apparent Violations of the Global Terrorism Sanctions Regulations. Western Union Financial Services, Inc. (“Western Union”), a money services business (MSB) headquartered in Denver, Colorado, has agreed to pay $401,697 to settle its potential civil liability for 4,977 apparent violations of the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594 (GTSR).
OFAC determined that Western Union voluntarily self-disclosed the apparent violations to OFAC, and the apparent violations constitute a non-egregious case. The statutory maximum civil monetary penalty amount for the apparent violations was $1,244,250,000, and the base civil monetary penalty amount for the apparent violations was $637,614.
The facts of the case:
Between December 9, 2010, and March 13, 2015, a bank (“the bank”) in The Gambia was one of Western Union’s principal Master Agents in The Gambia. In or around 2006, the bank established a Sub-Agent relationship with Kairaba Shopping Center (KSC), an entity that was subsequently designated by OFAC pursuant to the Global Terrorism Sanctions Regulations (GTSR) on December 9, 2010.
At the time the relationship with KSC was established, the bank provided Western Union with information relating to KSC. Western Union stored this information in its systems as an agent location of the bank, and not as a discrete legal entity acting as a sub-agent. During the entirety of the review period, in addition to its real-time transaction screening of remitters and beneficiaries, Western Union had a process to screen Master Agents and related sub-agents under the Master Agent structure. However, for the majority of the review period, Western Union did not screen location data for sanctions-related issues as part of its review process.
Western Union became aware that KSC was a potential sub-agent in early February 2015, but mistakenly believed at that time that KSC had operated from a single location, which was no longer active as of that date. On March 25, 2015, Western Union identified a second, active KSC location, and immediately suspended its relationship with KSC and deactivated its access to the Western Union network.
Between December 9, 2010, and March 13, 2015, Western Union processed 4,977 transactions totaling approximately $1.275 million, which were paid out to third-party, non-designated beneficiaries who chose to collect their remittances at KSC.
OFAC determined that Western Union processed transactions involving a Specially Designated National (SDN) for more than four years following the entity’s designation by OFAC, and that after Western Union discovered that this Sub-Agent was an SDN, failed to deactivate KSC’s access to the Western Union network immediately due to its mistaken belief that the Sub-Agent was already inactive. However, starting in 2013, two years prior to discovering the apparent violations, Western Union began a project to remediate the root cause of the apparent violations.
How we got the final settlement amount:
The settlement amount reflects OFAC’s consideration of the following facts and circumstances, pursuant to the General Factors under OFAC’s Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, app. A.
OFAC considered the following to be aggravating factors:
(1) Western Union acted with reckless disregard for U.S. sanctions requirements by failing to immediately identify both KSC locations in searches conducted after it discovered that this Sub-Agent was an SDN, which resulted in a failure to deactivate KSC’s access to the Western Union network immediately;
(2) Western Union engaged in a pattern of conduct that involved processing transactions involving an SDN for more than four years following the entity’s designation by OFAC;
(3) Based on a review of all readily available information and with the exercise of reasonable due diligence, Western Union had reason to know that its Sub-Agent, KSC, was on the SDN List;
(4) By processing these transactions and allowing KSC to continue operating as a Western Union Sub-Agent and provide remittance services to its customers through a U.S. MSB, Western Union caused substantial harm to the sanctions program objectives, including by conferring economic or other benefit to an SDN and undermining the policy objectives of the GTSR; and
(5) Western Union is a large and commercially sophisticated international financial institution.
OFAC found the following to be mitigating factors:
(1) Western Union has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the earliest date of the transactions giving rise to the apparent violations;
(2) Western Union had a global sanctions policy in place at the time of the apparent violations that required its Master Agents to comply with the sanctions programs administered by OFAC and vet its Sub-Agents — a policy that seemed to be effective except in this instance;
(3) Prior to the apparent violations, Western Union had implemented a corrective action plan to close an identified gap in its internal controls related to sub-agent due diligence and screening.
(4) Following the discovery of the apparent violations, Western Union took additional remedial actions, including performing an immediate one-time screening of its Sub-Agent and location data, which did not identify any other Sub-Agents or locations that were on the SDN List; and
(5) Western Union cooperated with OFAC’s investigation by voluntarily self-disclosing the apparent violations and by executing and agreeing to extend multiple times a statute of limitations tolling agreement.
And the final paragraph dovetails nicely with the recently-published Framework document (convenient, no?):
In addition to the above, and as part of its settlement with OFAC, Western Union has agreed to sustain its commitment to implementing robust compliance procedures by ensuring that it continues to have a management team in place that: (1) is committed to a culture of compliance; (2) conducts regular risk assessments; (3) ensures that its internal controls appropriately mitigate its sanctions-related risks; (4) conducts regular audits; and (5) provides ongoing sanctions compliance training throughout the organization.
Mr. Watchlist wonders what the line is between “reckless” and either “careless” or “negligent”… because it seems that Western Union was at worst, negligent or incompetent. And there’s a big gap between that and “reckless”…. just saying.
Link: