So Easy Even a Kingpin Can Do It
Posted by Clif Burns at 7:51 pm on June 15, 2010
Category: OFAC
Yesterday when I posted on the latest release of civil penalty information by the Office of Foreign Assets Control (“OFAC”), I promised to do a second post on the $11,000 penalty paid to OFAC by GEICO General Insurance Company (“GEICO”). The penalty was paid to settle charges that GEICO provided an automobile insurance policy to a Specially Designated Narcotics Trafficker (“SDNTK”).
There is no indication whether this violation was voluntarily disclosed. My cynical guess (not based on a single fact) is that the whole deal came to light when the SDNTK ran into someone. GEICO then suddenly discovered its insured was an SDNTK and tried to use that as an excuse not to pay out for the damages to the other driver.
But here’s what is most interesting about OFAC’s announcement of the GEICO penalty settlement. The agency noted:
The settlement amount reflects OFAC’s consideration of the following General Factors: GEICO does not screen its existing policyholders database for SDNs as the SDN list is updated but only on an annual basis. GEICO has committed to making improvements to remedy this gap in its OFAC compliance program.
Based on this statement, it would appear that the SDNTK was listed as such by OFAC after GEICO had issued the policy. Because GEICO screened its database of customers annually, it continued to provide insurance for a period of time after the designation. Bad gecko.
But this is a problem that bedevils every compliance program. How often should customer lists be scanned? Based on this statement from OFAC, annually is not enough. Instead the agency seems to suggest that every company must rescan its customer list each and every time OFAC adds someone to the SDN list. This seems overly burdensome and not justified by any significant benefit. A better policy would be for OFAC to establish a safe harbor for companies that rescan their customer lists at specified intervals, such as monthly or bi-weekly.
Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
7 Comments:
Great title!!
I’m still amazed that a company as large as Geico would only check the SDN List for new Kingpins annually, especially since it seems like OFAC adds new SDNTKs every week. They have to do better than that, right? It just seems very irresponsible.
The best option would be for them to invest in a solution that continually screens for restricted parties. That way, they enter a name into the database once and it’s checked every time the list is updated. Much less time-consuming than manual bi-weekly or monthly checks.
Burdensome? Yes, but I don’t see any other legitimate option. In my own area, banking, there are automated services (the simplest example would be crediting interest, a more exotic one might be overnight sweeps to a money market account) that you simply shouldn’t be providing once an entity is listed.
In addition, leveraging off Caroline’s point, many automated solutions allow you to establish whitelists, or known false positives. These need to be re-checked upon list updates as well.
The last time I calculated the mean time between list updates (I know, I’m a nerd) it was 11 days. Even if you set a customer data review to be monthly, you basically are letting 2 list updates go by before you check your existing customers. If you elect to do it quarterly, well….
Granted some of this risk is mitigated by the opportunity to catch the customer via transaction scanning, but not all.
@Erich, Caroline, Scott. I certainly agree that there is no choice but to rescan your entire customer list each time OFAC updates the SDN list. That’s pretty much what OFAC said with respect to GEICO.
I’m just saying here that this can be burdensome for many companies, particularly as balanced against the few instances in which these frequent scans find a blocked SDN. Instead, OFAC ought to provide a safe harbor for scanning customer lists at a defined interval albeit less frequent than each update. I’m not holding my breath, however.
If this had been an exporter who creates jobs instead of one of the Treasury’s darling financial institutions, there would have been at least search warrants, a grand jury investigation and a six-figure fine.
The problem with all of the software services is that they don’t screen non-European names all that well and as a result you get far more false positives than real hits. This is true even of software services with “dynamic screening” that rechecks names from past screenings whenever there is a new addition. This creates a “Boy Calling Wolf” reaction, and it is not unreasonable that folks like GEICO would reduce the time spent chasing their tails required by the false positives generated by all these software services.
I work for a mail-order company that sells to government agencies, individual soldiers, individual law officers, etc. I receive the OFAC update notification every time there is a change to the list. I import them (there are 3 text files) into our ERP. When orders are processed, the system checks against the list. The import takes about 5 minutes. Not such a burden when you consider who you are NOT going to sell to.
The fine was modest yet sent out a signal of OFAC’s expectations in a public manner. And I can verify sighting a Gecko rep at a recent OFAC compliance seminar, asking very thoughtful questions and paying close attention. I’m going to swim against the tide and characterize this as one of the more thoughtful OFAC penalty interventions (and we know there are many that don’t fairly rise to that level).