US President Donald Trump’s resurrection of sanctions against Iran in August and last month will force wire departments and correspondent banking units at US banks to dig deeper into the AML practices of their counterparties and the individual payments involved. However, even US banks with the best procedures could get stumped dealing with thousands of payments from dozens if not hundreds of counterparties such as foreign correspondent and regional banks. Throw in the potential for terrorists and other criminals to use cryptocurrency and the challenge can become overwhelming.
The Trump administration’s sanctions aren’t exactly brand new. They are largelyreimposed from what the Obama administration previously required and later lifted in 2016. The two tweaks are some temporary waivers to allow eight US allies to find alternative sources for Iranian revenues to be used for humanitarian expenses and some new designations of some Iranian entities. In a nutshell, foreign subsidiaries owned or controlled by US companies can’t do business in iran; a laundry list of individuals and other entities that had been removed from the Office of Financial Assets (OFAC) Specially Designated Nationals List (SDN) are reinserted; and non US persons engaged in Iranian industries related to energy and petrochemicals, shipping and ship-building among others may be targeted for sanction by US authorities.
What appears to be different from the Obama administration-imposed sanctions are the new opportunities for Iranian terrorists and other criminals to avert detection. One arises from the lack of a consistent approach to sanctions. Unlike the earlier iteration of the sanctions in advance of the nuclear deal with Iran, this time around the US doesn’t have the support of its European allies. Therefore, Iranian terrorists and other criminals can use one of the weakest links in the chain of payment transfers– those who aren’t affected by the sanctions.
“The most significant challenge for US banks will be the disconnect between US and European allies on the need for EU banks to navigate compliance with the EU blocking statute and US sanctions,” says Michael Lowell, a partner in the Washington DC office of the law firm Reed Smith who specializes in anti-money laundering regulations. “Because Europe has not reimposed its own sanctions against Iran this time around, European banks will have to decide whether to do business with Iran or play it safe.”
The good news is that many European banks may voluntarily decide they don’t want to participate in Iran-related transactions or entities fearing they could inadvertently violate US law. Even after the Obama administration lifted sanctions, larger foreign international banks were also often cautiously tracking any Iranian-related customers or payments. The La Hulpe,Belgium-headquartered global network SWIFT has also agreed to ban Iranian banks from using its network making their ability to move payments through to US banks far more difficult.
However, when there is a will there is a way and not all banks are created equal when it comes to AML preparedness. Small foreign banks and even US regional financial institutions might not be equipped to identify or handle deceptive transactions. “US banks should not blindly rely on counterparty screening efforts,” cautions Lowell.
Ultimately US banks they will have to do their own risk-profiling of their counterparties and correspondents to decide whether they want to keep those relationships or adjust the due diligence used. “Understanding the risk of those relationships is critical to mitigating the risk of sanctions violations,” says Debra Geister, director of Section 2 Financial Intelligence, an AML consultancy in Minneapolis. “There are certainly financial institutions that have fewer controls than others and there are those known to work with the Iranian leadership.”
The next line of defense is scrutinizing individual wire payments themselves. Because of the potentially high-volume of transactions flowing through a bank’s wire departments, taking a risk-based approach is the only option. Geister recommends that all wire transactions be reviewed by transaction monitoring systems with the risk labeled based on bank and customer originators and beneficiaries as well as the jurisidictions and destinations involved. “Understanding the customers’ customers, juridictional risk and patterns are the best weapons in protecting banks from secondary sanctions evasion,” says Geister. “Funds that flow to and from countries such as Turkey, Syria, Palestine and Venezuela to name a few should be reviewed and scrutinized.” Yet another red flag: transactions with too many intermediate hops.
“Wire departments may have to ask additional questions about the source of the funds, the originators and beneficiaries if they are worried about the procedures of the foreign or regional banks or the payments themselves,” agrees Henry Balani, a principal in the Blockchain Advisory Institute, a Chicago-headquartered bank focused on regulatory compliance requirements for firms using blockchain-based solutions. Of course, the question then becomes whether the bank has sufficient staff to do all the asking and what responses it is willing to accept or not.
Yet another way for Iranians to avoid US sanctions is to take advantage of an Achilles heel of some US banks– cryptocurrency transactions. Not all banks have adjusted their procedures and technology to incorporate virtual currencies. However, by listing cryptowallet addresses and other identifying information about two Iranian residents on its SDN List, OFAC has put US banks on notice they must more closely investigate cryptocurrency transactions. The two Iranians — Ali Khorashadizadeh and Mohhamad Ghorbaniyan– were accused of facilitating financial transactions related to the SamSam ransomware which held data hostage in exchange for payment in bitcoins.
“US banks need to tracking the entire path of ingress- where the funds were converted from Fiat currency to cryptocurrency and egress– from cryptocurrency to fiat currency,” says Geister. That’s not an easy task. Multiple exchanges in multiple countries could be used. So could privacy coins, or coins intentionally used to abscond identification between the time of ingress and egress.
What then? “When it comes to cryptocurrencies, one of the best courses of action is managing relationships with cryptocurrency exchanges with common customers,” suggests Joseph Ciccolo, president of Bit AML, a Roseville, California-based firm focused on AML compliance for cryptocurrencies. “Cryptocurrency exchanges are unlikely to disclose their priority wallet address or that of their customers. However, banks can still ask information on compliance with sanctions and screening of cryptoaddresses.”
Khorashadizadeh and Ghorbaniyan, says OFAC, used more than 40 cryptoexchanges, including some US-based exchanges, to convert more than 7,000 bitcoin transactions into Iranian rial, processing roughly 6,000 bitcoin worth millions of dollars on behalf of SamSam’s creators. The bitcoins received were part of the payment from SamSam’s victims. Iranian government officials recently said that some cryptocurrency exchanges have imposed restrictions on Iranian users so they cannot trade cryptocurrncies across borders. Those exchanges reportedly include Binance and Bittrex.
US banks which aren’t satisfied with the answers they receive from any exchanges on their sanctions policies may consider ending the customer relationship or prohibiting the bank customer from doing business with those exchanges altogether, says Ciccolo. Balani also recommends that US banks also ask their own customers far more questions about potential cryptocurrency transactions. Customers who are using cryptocurrency for the first time should be flagged as higher-risk, subject to a lot more scrutiny.
In the case of a cryptocurrency investment, has the customer consulted with an investment advisor as to the potential risks or made arrangements for the appropriate tax reporting to the proper authorities are two important questions, says Balani. Should a customer decide to use cryptocurrencies as a form of payment, the US bank needs to inquire as to whether arrangements have been made to exchange cryptocurrency into fiat currency in a timely manner. Yet another question: why is the customer accepting payment in cryptocurrency. Does it own a business that would benefit from a marketing promotion campaign? “A coffee shop might decide to accept bitcoins because it is a cool idea or the Ohio State government could accept bitcoins for tax payments because they want to be seen as progressive,” explains Balani.
Paper Trumps Tech
When it comes to showing they met the criteria for complying with US sanctions against Iran, US banks might ultimately be forced to rely on paperwork. The reason: “US banks may ultimately have to prove they took reasonable steps to follow US sanctions against Iran,” says Lowell.
Using transaction monitoring and wire filtering technology is certainly one reasonable step, but even the best might not enough. Given that OFAC’s SDN list will only keep growing, they can potentially generate far too many false positives for AML teams to investigate or they might not catch all suspicious fund transfers which take a convoluted path of relying on too many intermediaries or using cryptocurrencies. Tier One US banks may just decide to weigh risk with business rewards. They could avoid dealing with some correspondent banks and regional banks altogether or not do any business in cryptocurrencies.
Training AML analysts and investigators on the potential scenarios for money laundering that can be used by Iranians is always a good defense. However, given that criminals are always one step ahead of their targets, even that approach isn’t a guarantee of finding every nefarious transaction. Ultimately, when it comes to keeping the US govenment happy documentation of the multitude of preventative measures used to prevent a violaton of Iranian sanctions might be the best approach.