Trade Compliance Flash: Sanctions Enforcement Action Involving Swedbank Latvia Underscores IP Screening and "Geofencing" as Compliance Tools
On June 20, 2023, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced in an Enforcement Release that it had reached a settlement with Swedbank Latvia AS (Swedbank Latvia), which agreed to remit $3,430,900 in connection with violations of the U.S. sanctions on the Crimea region of Ukraine. OFAC found that between February 2015 and October 2016, a Swedbank Latvia client based in Crimea engaged in 386 transactions involving U.S. correspondent banks in violation of Executive Order (E.O.) 13685, which imposed comprehensive sanctions on the Crimea region of Ukraine.
According to OFAC's Enforcement Release, prior to the imposition of U.S. sanctions in response to the Russian invasion of Crimea in 2014, Swedbank Latvia had onboarded a Crimea-based client involved in the shipping industry, who opened accounts for three special purpose companies (SPCs) that it owned. In March 2016, a U.S. correspondent bank rejected a payment that the client attempted to make through an online banking transfer from an IP address in Crimea. When Swedbank Latvia requested additional information from the client, the client told Swedbank Latvia that there was no connection to Crimea. A Swedbank "relationship manager" accepted the client's false assurances and again tried processing the payments through a different U.S. correspondent bank, which cleared the transactions.
OFAC noted that Swedbank Latvia had collected and stored Know Your Customer (KYC) data, "including addresses, telephone numbers, and a customer questionnaire, clearly indicating that the client and the SPCs had a physical presence in Crimea." OFAC pointed out that while the bank collected and stored customer IP data which "would have indicated that the Client was present in Crimea," the bank "failed to incorporate this IP data into its sanctions screening processes." The apparent violations continued through October 14, 2016.
Aggravating and Mitigating Factors
OFAC calculated a statutory maximum penalty of $112,322,552. Notably, Swedbank Latvia did not voluntarily self-disclose the apparent violations, but OFAC determined its conduct to be non-egregious, assigning a base civil penalty of $6,238,000. The disparity between the dollar value of the statutory maximum and base civil penalty highlights the importance of OFAC's egregiousness determination: in this case, were OFAC to have found the conduct to be egregious, the base civil penalty and the statutory maximum penalty would have been the same. The ultimate monetary penalty was adjusted downwards further based on, inter alia, the following mitigating and aggravating factors:
- Swedbank Latvia's reliance on false assurances from the client despite possessing contrary information.
- Swedbank Latvia had knowledge that "it had customers in Crimea and had reason to know it was processing payments on behalf of the [client businesses] located in Crimea."
- Swedbank Latvia's status as a "sophisticated financial institution with over one million customers" and as one of the largest banks in Latvia in terms of assets.
- The conduct represented Swedbank Latvia's "first violation" under OFAC's Enforcement Guidelines (Appendix A to 31 C.F.R. Part 501).
- The "significant remedial action" taken by Swedbank Latvia and its parent Swedbank AB, which included offboarding the client in February 2017, implementing geofencing (see below), bolstering internal procedures and controls regarding "high-risk customers" and flagged transactions, and improving communication with correspondent banks. Swedbank also expanded compliance staff to implement these improvements.
- Swedbank Latvia "substantially cooperated" by conducting an "extensive" lookback, responding to OFAC requests, and tolling the statute of limitations.
- This settlement marks the first Enforcement Release where OFAC has explicitly highlighted "geofencing" as a tool for sanctions remediation and compliance, demonstrating OFAC's increased understanding of the options and tools that businesses have to address the unique sanctions compliance challenges facing the online banking and e-commerce sectors. Here, OFAC credited Swedbank Latvia with implementing geofencing to prevent customers from sending online payments from IP addresses in "comprehensively sanctioned jurisdictions."
- OFAC's promotion of geofencing and the use of IP screening is also noteworthy because other recent published enforcement actions discussing geolocation have focused on companies exclusively operating in virtual marketplaces. Swedbank Latvia appears to be the first public enforcement action focusing on a failure to effectively utilize IP screening involving a traditional bank. This settlement indicates that measures like geofencing are appropriate not just for cryptocurrency platforms and e-commerce sites, but for traditional banks and businesses with online marketplaces and platforms.
- OFAC has progressively expanded the tools it views as effective for combatting cybercrime and complying with sanctions since 2015. OFAC first published guidance regarding IP geolocation in 2004. As we noted in Global Investigations Review's (GIR) The Guide to Sanctions regarding U.S. cyber-related sanctions, multiple OFAC settlements during the past several years have focused on companies' failure to properly utilize geolocation tools, and OFAC has recently encouraged companies to implement "geolocation restrictions" (see, e.g., OFAC's enforcement action involving Poloniex, LLC) or "IP blocking" (see, e.g., OFAC's enforcement actions involving Payward, Inc. and Tango Card Inc.). Geofencing offers the clarity of a specific definition: creating a virtual boundary for a physical geographic area.
- The settlement reiterates OFAC's expectation that information collected in the normal course of business should be incorporated into sanctions compliance programs. OFAC specifically flagged the fact that Swedbank Latvia collected and stored customer IP data that would have revealed the client's presence in Crimea. OFAC has repeatedly highlighted (most recently when it announced a settlement with Microsoft Corporation over the company's apparent sanctions violations in April 2023) that companies should ensure that existing customer information that would reveal potential sanctions issues is included in sanctions screening processes.
- Finally, OFAC highlighted Swedbank Latvia as an example of persistent sanctions evasion efforts in Crimea and Russia. Citing a March 2023 global advisory, OFAC urged companies to practice vigilance in light of the ongoing Russian invasion of Ukraine.
Summer associate Katie Cantone-Hardy contributed to this alert.