In this episode of Payments Pros, Keith Barnett welcomes his colleagues Rich Zack and Christy Tuttle to discuss how U.S. government sanction programs impact payment processors, banks, and the payments industry in general.
In this episode of Payments Pros, Keith Barnett welcomes his colleagues Rich Zack and Christy Tuttle to discuss how U.S. government sanction programs impact payment processors, banks, and the payments industry in general.
Keith, Rich, and Christy discuss the current atmosphere of sanctions in the payments industry and the recent joint guidance issued to banks by the OCC, the Fed, and FDIC. The guidance instructs banks on the regulators' expectations during bank examinations concerning third-party relationships, including payment processors, card issuers, blockchain, and anyone who has a form of bank partnership. The guidance covers initial due diligence, risk assessment, monitoring, ongoing due diligence, and termination of the relationship. Noncompliance with these requirements has led to sanctions against banks, payment processors, card issuers, and money transmitters.
Keith, Rich, and Christy also discuss the role of the Office of Foreign Asset Control (OFAC) in enforcing sanctions, particularly in light of the war in Ukraine, as well as the other agencies that enforce sanctions. Lastly, they also discuss what companies in the payments space can do to avoid violating sanctions, and what they should do if a violation is discovered.
Payments Pros – The Payments Law Podcast: Evaluating Government Sanctions in the Payments Industry
Host: Keith Barnett
Guests: Richard Zack and Christy Tuttle
Keith Barnett:
Welcome to another episode of Payments Pros, a Troutman Pepper podcast focusing on the highly regulated and ever-evolving payment processing industry. This podcast features insights from members of our FinTech and payments practices, as well as guest commentary from business leaders and regulatory experts in the payments industry. My name is Keith Barnett, and I am one of the hosts of the podcast.
Before we jump into today's episode, let me remind you to visit and subscribe to our blog, consumerfinancialserviceslawmonitor.com. And don't forget to check out our other podcasts on troutman.com/podcast. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services and more, so make sure you subscribe to hear the latest episodes.
Today, I am joined by my colleagues Richard Zack and Christy Tuttle to discuss how US government sanction programs impact payment processors, banks, and the payments industry generally. Rich and Christy, thank you for joining me.
Richard Zack:
Thanks for having us, Keith.
Christy Tuttle:
Yeah, thanks.
Keith Barnett:
And I look forward to our discussion. I want to set this up by talking about the atmosphere today when it comes to payments and sanctions. And this information is not just for payment processors: it's for FinTechs, card issuers, banks, blockchain and anyone in the payments ecosphere. And that atmosphere generally is the KYC, know your customer, atmosphere.
The OCC, Fed and FDIC recently issued joint guidance last month, instructing banks on what they will be looking for during bank examinations concerning third party relationships. And by third party relationships, they are referring to the payment processors, card issuers, blockchain and anyone who has some form of bank partnership. And more specifically, they discuss what they expect with respect to initial due diligence, risk assessment, monitoring, ongoing due diligence and the termination of the relationship. And with those requirements come potential issues for payment processors and FinTechs with respect to compliance, because they are in partnership with the banks.
And so, we have seen banks, payment processors, card issuers and money transmitters sanctioned for failing to perform that initial due diligence, risk assessment, monitoring, or ongoing due diligence or anything else. And Rich and Christy are experts in that, and that's what we're going to talk about today.
And so, we will get started with my first question to Rich. I know that there is a lot of talk about sanctions, given the war in Ukraine and developments around the world. Can you give us some background on the most important issues for our audience?
Richard Zack:
Yes, Keith. With the war in Ukraine, that is at the top of the news. And the agency that controls, that enforces sanctions, the Office of Foreign Asset Control, that's the main agency, has been very active in issuing new sanctions. And typically, they come in a couple of different forms. People or entities can be placed on what's called the specially designated national list, which is a list of companies and businesses and governments and individuals that US persons are not permitted to do business with.
And also, OFAC administers and enforces sanctions from a broader perspective. If there's an embargo of a country, or a part of the government, OFAC enforces sanctions that prevent US persons from doing business with those particular governments. For example, there are numerous new sanctions in the last year with respect to Russia, which limit a US person's ability to do business there.
But OFAC has been active in other countries as well. There have been additional sanctions imposed in Iran, in Lebanon, and additional attention put on those areas by OFAC. The hottest issue is Russia and Ukraine, but OFAC and Treasury continue to be active in other countries around the world in prohibiting transactions with US persons.
Keith Barnett:
Just to follow-up on that a little bit, what is it that entities in the payment space cannot do? What does the law prevent them from doing?
Richard Zack:
Keith, this is one of the most important issues facing people in the payments industry, in the banking industry in general. Specifically, what sanctions generally prohibit are US persons from conducting financial transactions, with either what's called an SDN, that's a person on that list, or engaging in business in various sectors.
So, what's actually prohibited is the financial transaction itself. For example, you can have a conversation with someone on the OFAC's list: you can talk to them, you can exchange information, but you can't do a financial transaction with that person. If that comes across your platform as a payment processor, typically you are obligated to what's called block that transaction, and that means not conduct it.
And then, there are various other things that OFAC would require. Sometimes, you're required to impound the funds related to that transaction and notify OFAC. But in short, what the sanctions prohibit is the conducting of financial transactions with those entities, countries and individuals that OFAC has prohibited transactions with.
Keith Barnett:
Okay, understood. And Christy, some questions for you. Could you tell our listeners, what are the other agencies that are involved in banking and sanctions, generally, and looking at those regulations? It's not only OFAC, is it?
Christy Tuttle:
That's right, it's not OFAC alone. OFAC is the one that's primarily responsible for actually adding entities, adding people to that SDN list. But when, say, a US financial institution, or some sort of US entity does transact with an SDN, or does violate the sanctions that OFAC imposes, there are other agencies that often get involved.
A big one is the Department of Justice. The Department of Justice will work with OFAC to bring enforcement actions, either civil or criminal, against US entities that violate sanctions. Another important actor in the space that deals more with export controls, but that really work hand-in-hand with the economic sanctions, the export controls are administered by the Bureau of Industry and Security, which is called BIS, and that sits in the Department of Commerce.
And what we've seen in particular over the last year and a half, particularly since Russia's invasion into Ukraine, is increased coordination between these agencies. DOJ, BIS, OFAC have all increased staffing, and they've entered into a lot of inter-agency agreements to work together to try to be more aggressive in enforcing sanctions.
Keith Barnett:
And with that, given the increased aggressive nature from the regulators, do you have any tips that you can generally provide to folks within the payment space as to how to avoid or not run into these regulators? How do you avoid violating sanctions?
Christy Tuttle:
I think one place to start is to evaluate your risk. Generally speaking, the sanctions issues come up when you have transactions between the US and a foreign entity that is either sanctioned itself or that is in a jurisdiction or a country that's sanctioned.
So, if you are primarily dealing with US-to-US financial transactions that are only transacting through US banks, your risk is going to be a lot lower. It increases a lot if you're involved in international payments, and then particularly international payments in higher risk jurisdictions where there's a lot of sanctions activity going on.
So, one key initial step is the importance of screening, is having full information on the parties who are involved; both their identities, so that they can be run through the various sanctions lists, as well as where they're located and making sure you have good geographic information.
Keith Barnett:
Rich, do you have any thoughts on that?
Richard Zack:
I think Christy is exactly right. The evaluation of the risk is the most important thing to do. And if you look at the guidance that OFAC gives, that is really the first step in determining what steps you need to take, Keith, as you said, to avoid violating sanctions.
One of the reasons why the international payments system is so risky for banks and financial institutions is, as Christy said, you're more likely to come in contact with people that are sanctioned, but you also have so much less information available to you about who you're transacting. So, if you can imagine, you're conducting a transaction with a person who is not a customer of the bank or the payment processor or the other financial institution, that is in another country, and the information that you have before you about the identity of that person is limited. And because that person is located in another country, your ability to get more information is limited.
And so, assessing that risk is really important. And then, reviewing the OFAC guidance to determine the level of auditing, the level of due diligence you need to take, the number of people that you have employed at your institution dedicated to avoiding sanctions, all those things are super important in keeping your people protected, your employees protected and your business in compliance with the sanctions laws.
Keith Barnett:
Thanks, Rich. Another question I have is, are these sanctions like criminal statutes where a violation has to be knowing, or is the standard different?
Richard Zack:
So, the standard is different with respect to most sanction. It is really what's called a strict liability standard, meaning that if you transact with an entity or an individual that is sanctioned, you have violated the law. You don't have to know that person is subject to sanctions. As long as you do the transaction, or facilitate it in some way, you've committed a violation.
Now, in order for you to be criminally liable, for the Department of Justice to have interest in that violation, there does have to be a knowing element, most likely, to that, or a reckless element in dealing with the sanctioned party. So, if you knowingly, over time, consistently interact with sanctioned parties and conduct transactions with them, you're more likely to get criminally prosecuted.
But merely because you don't know who you're transacting with, that is not a defense to a sanctions violation. The way the law is written, it's moved the risk from, say, OFAC to the person conducting the transaction. And that's why you see such heavy compliance programs and such expensive compliance programs in the financial industry, because the banks, payment processors, they don't have the defense of, "We didn't know." They're required to know.
Keith Barnett:
That's really interesting. And one last question, for the both of you actually. What happens if you as a business operator find a violation? And Christy, we'll start with you. Rich, if you have anything to add, that would be great.
Christy Tuttle:
So that's always the million-dollar question. The first thing you want to do if you find that a violation has occurred is to look into it more deeply. And whether that is conducting a full-scale internal investigation or using your monitoring and auditing function to dig into it further, you want to understand the scope of the issue. Are we talking about one transaction that slipped through? Are we talking about an issue that created a whole pattern of transactions? And really understand what you're looking at.
And then, internally, you want to figure out how to remediate that going forward. Whether it is changes to your compliance program, whether it occurred because of some willful act by an employee and there could be some discipline involved, but you want to manage it internally.
And then it's the real question of, do I take the next step to self-disclose it to a government agency? So OFAC, DOJ, BIS, everyone has published guidance about the importance of self-disclosure. But it's not clear, if you actually look at the history of enforcement actions that either came out of self-disclosure, or enforcement actions that occurred in the absence of any self-disclosure, whether or not the benefit of self-disclosure is really real.
You want to have good legal counsel at that point. Talk through the options and really consider whether the answer is we self-disclose and we resolve it, pay a penalty, get a release, or whether we take care of the issue internally and know that we fixed it going forward, but sit on it and not disclose.
Richard Zack:
And just to add to that, there are going to be certain things. I know OFAC talks about each business, each person has to assess their risk, and that's clearly important. But there are going to be certain things that OFAC or DOJ or BIS will expect to see at your business, regardless of who you are.
So, for example, in the banking industry, you will be required to check everybody you transact with, against the various lists that Christy mentioned earlier. So, you will have to have a system in place to continually run checks to make sure that people you are sending money to, or receiving money from, are not on the list, or not otherwise subject to sanctions. And that's a very difficult process. It's more difficult than it sounds, and sometimes you don't have full information.
Other industries or other businesses don't have to have that; their risk is lower. But they will have to have some compliance system in place, particularly if they do business internationally. And as Christy said, the most difficult decision you will make if you discover a violation is whether to report that.
Now, particularly the enforcement agencies that we've mentioned here are focused on getting businesses to come forward and report the fact that sanctions violations have occurred. But that does not mean that, in every case, either that the government agency will be interested in hearing your report or that it's going to be in the best interest of the business.
Now, everybody who discovers a violation needs to stop the violation if it's ongoing, needs to remediate, as Christy said, and that remediation could take various forms like additional training. It might even require termination of employees, reorganizations of parts of the business. But that difficult decision as to whether and which agency to go to will be the most difficult one for you.
The other ones, those are risk management techniques that you have to use, and risk management questions that you have to answer. But it's very difficult to gauge what the consequence will be to the business of either reporting or not reporting it. And those are the toughest questions.
Keith Barnett:
Thanks, Rich. And one of the things that I do want to add before we leave the audience, is keep in mind the FTC and the CFPB have also initiated enforcement actions throughout the years against the payments industry, payment processors in particular, money transmitters in particular, FinTechs as well. And along the way with the sanctions, there are compliance requirements there. So that's another area for those in the payments industry to look out for.
That's all we have for today. Rich and Christy, thank you for joining us today.
Richard Zack:
Thanks very much, Keith.
Christy Tuttle:
Yeah, thanks, it was fun.
Keith Barnett:
Sure. Yeah, no, this was great. And thank you to our audience for listening to today's episode.
And do not forget to visit our blog, consumerfinancialserviceslawmonitor.com, and subscribe so you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcast, Google Play, Stitcher or whatever platform you use, and we look forward to the next time.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.