The history of OFAC’s foray into IP Addresses, Dialing Pre-Fixes, and Email Address…
The video above is a high level 1 minute summary. The below article is in depth!
Did you know OFAC’s 2019 settlement with Standard Chartered Bank (SCB) referenced the word “fax” 21 times? It also mentioned email addresses, IP Address, and logins from sanctioned countries.
The web announcement did not include these details, however the lengthy Settlement Agreement did cover these in detail. (For those who have recently started following Settlements, OFAC used to provide two documents: high level summary via a webpost and they’d also provide a settlement agreement providing more details. Nowadays, they’ve combined this into one document per announcement.) I will include all relevant links at the bottom of the article. Now back to the History of OFAC’s first settlement touching on these topics.
Payment Instructions Faxed from Iranian Fax Numbers
The settlement agreement has multiple pages dedicated to “faxed” instructions where the customers would fax in their payment instructions. These faxes were sent from Iranian phone numbers. Thus, putting the bank in a position to carry out payments instructions benefiting persons and/or companies located in comprehensively sanctioned countries.
In its remedial efforts, SCB searched for all received faxes having Iranian dialing codes (“98, +98, or +0098”) “and identified 11,809 faxed payment instructions”. It also took preventative measures to prevent this in the future. However, no details were provided about those measures.
Why is this Important?
Does your company allow users to transmit payment instructions or RFI responses via email, fax, or phone? If so, does your Sanctions Program have controls in place to prevent users located in comprehensively sanctioned countries and/or jurisdictions from using those communication mediums?
Customers / Users may provide telephone, cell, and fax numbers during account opening, KYC / CDD /EDD, Identity Validation, etc. This information is hopefully captured in your institutions CRM and/or KYC system. Potential Considerations:
- Work with your engineering partners to create rules that either prevent adding numbers having a dialing code from a sanctioned country/jurisdiction,
- Work with your engineering partners to create rules that identify customers / users with a document telephone number, cell phone number, or fax number where the dialing code points to a sanctioned country/jurisdiction,
- The rule searching for these phone numbers should trigger a manually created case in your case management tool for review by an experienced analyst.
- If your institution can receive faxed instructions from clients, consider scouring your fax history as SCB (i.e. understand and verify your institution’s exposure, exposure may be hire in those countries physically closer to a sanctioned country or jurisdiction).
“IP Address” makes its OFAC Debut
“IP Address” makes its OFAC debut in the SCB settlement and is mentioned 4 times. The OFAC settlement states: “SCB did not implement any controls to restrict access from jurisdictions subject to comprehensive sanctions until April 2013…”. Although SCB did this for one of its product portals, it failed to apply it enterprise wide and therefore applied it to a 2nd product portal a year later.
Why is this important? Because it reminds us that most global FIs, MSBs, FinTechs, Payment Processors, etc have various products, platforms, domains, and login sites. And, through mergers and acquisitions, they may have acquired legacy products having separate login screens, domains, platforms, etc. OFAC pointing out that SCB implemented IP Address controls for one product in 2013 and another in 2014 reminds us that when working with your engineering, network admins, and security resources it is important to:
- have an inventory of all access points where customers/users can login,
- each of those should be updated equilaterally to prevent logins from comprehensively sanctioned countries and/or jurisdictions,
- your institutions annual audit scope should include sanctions penetration testing to verify if it is possible to logon to any of your companies sites with a IP Address from a comprehensively sanctioned country and/or jurisdiction.
- You may also consider asking your technical and security resources, in the case of Disaster Recovery or Backup Contingency activation, are those IP Address controls applied? Depending on your institution’s DRP and BCP design those IP controls may or may not be applied as expected. Again, its worth testing.
“Email Address” makes its OFAC Debut
SCB was the first to get dinged (officially via an SL) for many themes that most banks had not even considered until the release of their settlement agreement. For those institutions with tech savvy sanctions compliance officers, the writing was on the wall. Their lessons learned should not be lost upon us.
and also listed an email address which contained the name of the Iranian Person and the petrochemical company group.
Now, the above may seem innocuous, however when you consider its potential implications, the impact is much greater. Additionally, as we have seen with OFAC settlements in recent years (e.g. SCB, Bitgo, BitPay) refer to email addresses as well as the 2020 Berkshire settlement which refers to the contents within the email chains!
despite numerous warning signs over a period of several years regarding the company’s Iranian connections, including direct communications with the petrochemical company, the receipt of emails and faxes from Iranian companies and/or telephone numbers, and the rejection of transactions involving the petrochemical company by U.S. financial institutions. SCB’s failure to connect the information resulted in the bank continuing to process transactions involving the company for several years until blocking its account…
Why is this important? Because most Sanctions programs out there do not consider screening email addresses, having email content rules relating to sanctions countries/jurisdictions, do not have monitoring rules for email domains, nor do they have monitoring rules for website domains. Potential Considerations:
- work with your technical resources to query email addresses maintained by your institution (customers, users, contracts, vendors, etc.) and search for emails matching those on the OFAC list.
- work with your technical resources to query the “top level domain” of email addresses (used to denote country) maintained by your institution (for customers, users, employees, contracts, vendors, etc.) and search for emails ending in: “.CU”, “.IR”, “.KP”, or “.SY”. Here is a website that provides you with a list of Internet Country Codes (top level domains): https://www.worldstandards.eu/other/tlds/
- work with your technical resources to query the “top level domain” of website addresses (used to denote country) maintained by your institution (for customers, users, employees, contracts, vendors, etc.) and search for emails ending in: “.CU”, “.IR”, “.KP”, or “.SY”. Here is a website that provides you with a list of Internet Country Codes (top level domains): https://www.worldstandards.eu/other/tlds/
- Consider creating rules to monitor these and manually create and escalate compliance reviews to your seasoned compliance analysts via your case management tool.
- In addition to having rules for internet country codes, consider screening email addresses and website addresses against those maintained by OFAC on its SDN list.
- your institutions annual audit scope could include sanctions penetration testing aimed at verifying which products allow users to update their details with an email or website address located in a sanctioned country
What the SCB Settlement Agreement Taught Us
- Do not process payment instructions from SDNs or customers/users located in, travelling through, or being a resident of a sanctioned location.
- Do not process customer/user requests from emails, fax numbers, phone calls, or online logins stemming from sanctions locations.
- Have controls in place to identify, flag, and prevent customers from being able to connect or transmit instructions from sanctions locations.
- Augment your sanctions program to include rules and/or screening that monitors internet country codes, as well as email/web addresses provided by OFAC on its SDN list.
If you found this helpful, please Like and Share on Linkedin!!
Noe Compliance is available to help you. Call Us Today!
Related Links:
SCB Settlement links:
- https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20190409
- https://home.treasury.gov/system/files/126/20190408_scb_webpost.pdf
- https://home.treasury.gov/system/files/126/scb_settlement.pdf
- https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information
Internet Country Code links:
- https://www.worldstandards.eu/other/tlds/
- https://en.wikipedia.org/wiki/.ir
Links to other OFAC settlements that touch on Monitoring Emails:
- https://home.treasury.gov/system/files/126/20201230_bitgo.pdf
- https://home.treasury.gov/system/files/126/20210218_bp.pdf
- https://home.treasury.gov/system/files/126/20201020_berkshire.pdf
Link to US Treasury page for OFAC civil penalties enforcements:
- https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information
Early on in my Sanctions Compliance career, years ago, I came across an example of a bowtie used by car manufacturers to model the various causal threats and consequences linked to safety feature failures. It was at that moment I saw the potential for this tool and created my own version related to sanctions.
While going through some files from years ago, I found my Sanctions Compliance focused bowtie. My bowtie was focused on understanding the causal threats and consequences relating to Sanctions Screening failures for global financial institutions.
I look forward to updating its contents to address risks we see today, such as Synthetic Identity, IP Blocking, Crypto/Blockchain: Risks (Anonymity, Mixers, L2 Protocols preventing Travel Rule compliance, MultiSigs, Mining location, etc).
In the mean time, it would be a shame to keep this tucked away in a drive somewhere. So, I thought I would share this with my network as it may inspire you to build a similar analysis for yourself. Enjoy! I placed a link to the PDF and PPT below.