BMO Harris Bank on Wednesday escaped an OFAC fine, even though it admitted to having processed six funds transfers totaling $67,357 representing payment by a customer of sums to an Iranian entity from which the customer had purchased Persian rugs. The customer, apparently a retailer that purchased and resold Persian rugs from Iran, had been a bank customer since 2009 when the importation of rugs from Iran was still legal. Because the customer’s name contained the word “Persian,” the bank’s somewhat overzealous interdiction software had been resulting in hits for each transaction by the customer, so the bank put the customer on a false hits list to prevent transactions by the customer from being flagged each time.

On September 29, 2010, OFAC banned the importation of Iranian rugs but, apparently, the bank’s customer didn’t get the message. (That’s what you get for not reading the Federal Register cover-to-cover each morning!) The customer continued to import Iranian rugs and the bank continued to process related wire transactions. In 2011, a suspicious downstream bank in the transaction requested additional information. A Harris Bank employee apparently then learned that the payment was to Iran for Persian rugs but, because the customer was on the false hit list, did not do anything and, as a result, Harris processed five additional transactions for payments to Iran.

Normally such a scenario is a sure-fire guarantee that the company involved will get walloped with an OFAC fine, but in this case OFAC decided to show a little mercy, apparently feeling that the false-hit list was to blame and stating that the bank “may have been unaware of the risks associated with a false hit list that was not reviewed and updated regularly.” This is a bit strange given that the issue here had nothing to do with reviewing and updating the list. The customer, which was on the false hit list, was still a false hit. It had not become an SDN, and the violation did not result from an error in the list.

The violation occurred not because the bank did not review the list but because it did not review the transaction. And this reveals an all-too-common misunderstanding by front line employees about OFAC sanctions. They often see it merely as a list-checking exercise. Is the customer on the list? Nope. Okay, then, everything’s good to go. And this appears to be exactly what happened here. The front line bank employee saw that the customer wasn’t on the SDN list and was instead on the “false hit” list and that was the end of the inquiry

Even though this case really isn’t about a bad false hit list, OFAC used it as an opportunity to issue a “False Hits List Guidance.” The new guidance, if it can really be called that, states the obvious: namely, that false hit lists are a “legitimate” practice as long as you check them periodically to make sure that someone who was not an SDN two weeks ago did not suddenly become an SDN yesterday. Oddly, OFAC does not say anything in the guidance about the glaring lesson from the case at hand, so I’ll say it for them: just because a customer is on the false hit list does not mean that the transaction itself need not be reviewed. (Your welcome, OFAC.)

Of course, I can’t leave the guidance without reference to a tiny bit of silliness in it. The guidance says that a review of the list should be triggered by any “meaningful change” in the customer’s information such as “a change in ownership status, business activity, address, date of birth, place of business, etc.” Wait a second. Does this mean you can change your birth date? Really? Please tell me how you do that. My birthday comes really close to Christmas and I’ve always wanted to move it back into a more present-friendly zone such as June. Also, I bet a number of us would like to shave a few years off that birth date as well.

Permalink