State Street has agreed to pay about $7.5m to settle allegations that a subsidiary of the financial services firm received payments and redacted invoices from two Russian entities in order to circumvent US sanctions restrictions.

The settlement resolves 38 alleged violations of the Treasury’s Office of Foreign Assets Control’s (OFAC’s) sanctions related to the Ukraine-Russia conflict, marking a significant action in the sanctions enforcement arena.

Minimal compliance procedures

The subsidiary, Charles River Development, is a financial technology company specializing in software for communicating trading information. OFAC says Charles River allegedly altered the dates, reissued invoices, and accepted contractual payments from two clients that were majority-owned by Russian banks Sberbank or VTB Bank between 2016 and 2020.

The violations in question are tied to Executive Order 13662, which imposes stringent restrictions on financial and economic transactions involving Russian and Crimean entities. That directive restricts US companies and individuals from dealing in their new debt beyond specified periods of maturity, and the time periods differ based on when the debt was issued.

The issuance of an invoice represents a dealing in debt, and Charles River Systems was prohibited from accepting payments outside of the maturity periods, OFAC said. 

State Street acquired Charles River Development in 2018, and OFAC alleged the business maintained minimal compliance procedures before the acquisition. It said Charles River Systems was on notice that some of its payments were being scrutinized and delayed due to sanctions concerns, and it had at least two payments from two Russian clients rejected because they were outside the applicable payment windows. 

“Pursuant to the Economic Sanctions Enforcement Guidelines, OFAC concluded that the case was egregious and not voluntarily self-disclosed.”

OFAC 

OFAC said staff from Charles River Systems directly contacted the two Russian clients to ask about the outstanding invoices, and the Russian clients asked them to alter the dates of invoices to prevent the payments from being rejected by US banks. 

At least 18 staff members, including from accounting and collections, were involved in or aware of the reissuance of the invoices for the two Russian clients, according to the settlement agreement.

State Street’s response

State Street and Charles River terminated all relationships with the two Russian entities in February 2022, after Russia invaded Ukraine, the company said. “We take our sanctions responsibilities seriously and over the past few years, we have enhanced our global compliance and controls program by materially expanding our Sanctions Compliance team and implementing advanced screening technology to improve risk identification,” a State Street spokesman said.

OFAC noted that State Street notified OFAC of the sanctions violations in August 2020, five months after it concluded that its conduct raised questions regarding compliance with the sanctions in question.

At that time, the company and its subsidiary “implemented improved controls on relevant processes, provided training to in-scope staff, and determined not to renew any existing contracts with [these] customers,” said OFAC in the settlement agreement.

In a telling statement in the order, OFAC says: “Pursuant to the Economic Sanctions Enforcement Guidelines, OFAC concluded that the case was egregious and not voluntarily self-disclosed.”

It was self-disclosure that was too little and definitely too late.

Compliance commitments

OFAC did take State Street’s remedial measures into account, which is why it levied the fine without any finding of fault. But OFAC outlined a detailed list of sanctions-related compliance commitments State Street must undertake to satisfy the terms of the agreement.

Those commitments include (but are not limited to) the following:

• Having senior management review and approve the sanctions compliance program over the next five years;
• Ensuring the business commits to ensuring that its compliance units are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent’s sanctions risk.
• Ensuring the compliance units receive adequate resources, including in the form of human capital, expertise, information technology, and other resources, as appropriate, that are relative to Respondent’s breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
• Committing to having a senior management that promotes a “culture of compliance” throughout the organization.
• Conducting an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counterparties, transactions, or geographic locations, depending on the nature of the organization.
• Committing to OFAC-related recordkeeping policies and procedures to adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
• Responding promptly to any signs of learning of a weakness in internal controls pertaining to sanctions compliance and taking immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

This is just a sampling of the fuller list, but it’s a great outline of an effective OFAC sanctions compliance program, plus another reminder that companies face heightened scrutiny in this area, which is fraught with reputational risk.

It underscores the true meaning behind prompt self-reporting and having an effective sanctions compliance program that includes regular audits, comprehensive staff training on the broader implications of getting these directives wrong (underscoring the role your business plays in the greater geopolitical landscape), and fostering an organizational culture that prioritizes regulatory compliance in general.