On March 30, federal regulators announced that Wells Fargo Bank had entered into settlements in which it agreed to pay $97.8 million in fines for enabling sanctions violations between 2010 and 2015.[1] In two separate enforcement decisions, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Federal Reserve’s Board of Governors found that Wells Fargo provided a financial software platform called Eximbills to an unnamed European bank (Bank A), which then used the software to process 124 transactions, totaling over $530 million, in violation of U.S. sanctions for Iran, Sudan and Syria.[2] Regulators concluded that Wells Fargo reasonably should have known that Bank A was using the Eximbills software in this manner and that its failures to promptly identify the apparent violations were attributable to shortcomings in its risk-assessment and oversight mechanisms. 

Although these settlements did not involve criminal charges or penalties, we note that the aggressive approach to sanctions enforcement is consistent with the priorities articulated by the Department of Justice (DOJ). As we have previously reported, in recent speeches, DOJ officials have repeatedly emphasized a focus on sanctions enforcement, describing sanctions as “the new FCPA.”[3]

Background

Eximbills originated with Wells Fargo’s predecessor, Wachovia Bank. Prior to its acquisition by Wells Fargo, Wachovia had provided Eximbills to Bank A. Under a 2006 contract with Wachovia, Bank A agreed to screen its Eximbills transactions for sanctions issues and to use its own separate systems to process transactions that could run afoul of U.S. sanctions.

But in 2007, Wachovia sought to streamline its provision of services to Bank A. Wachovia, acting at the direction of a mid-level manager, designed a custom version of Eximbills for Bank A to host on its own servers, “in part so that Bank A could use Eximbills to handle international trade finance instruments involving OFAC-sanctioned jurisdictions and persons.”[4] Bank A began using this software around July 2008. Although Wachovia attempted to distance itself from any transactions involving sanctioned entities, Bank A’s custom software “continued to rely on Wachovia’s (and then Wells Fargo’s) technology infrastructure” at a bank branch in Hong Kong and a data facility in North Carolina.[5]

In late 2008, Wells Fargo acquired Wachovia, along with its Eximbills software and its relationship with Bank A. According to the OFAC Settlement Agreement, Wells Fargo failed to follow up on warning signs about Bank A’s use of Eximbills throughout the acquisition process and for several years thereafter. In 2013, after a number of employees had raised concerns that customers using Eximbills might pose sanctions risks, Wells Fargo formed an internal working group to review its insourcing business. This group included a number of former Wachovia employees who had been involved in its dealings with Bank A — but they did not disclose that Bank A’s version of Eximbills had been created in part to permit Bank A to engage in non-OFAC-compliant transactions. The working group concluded that Wells Fargo’s relationship with Bank A was relatively low-risk. Although the group recommended some protective measures, Wells Fargo permitted Bank A to continue using Eximbills as before — in part due to the working group’s “low-risk” designation — until Wells Fargo completed its broad review of its insourcing business.

In late 2015, in the course of this broad review, Wells Fargo discovered that Bank A may have been using Eximbills to process prohibited transactions. Wells Fargo promptly suspended Bank A’s access to Eximbills, disclosed its findings to OFAC and began an internal investigation.

Allegations and Settlements

In its Settlement Agreement with Wells Fargo, OFAC commented that there was no sign that the senior management of either Wachovia or Wells Fargo had actual knowledge that Bank A was using Eximbills to engage in prohibited transactions. Nonetheless, OFAC found that “Wells Fargo’s senior management should reasonably have known that Bank A was using the [custom] Eximbills platform to engage in transactions with OFAC-sanctioned jurisdictions and persons,” and concluded that these apparent violations constituted an “egregious case.”[6] However, OFAC credited Wells Fargo for its voluntary self-disclosure once it learned of Bank A’s actions. Similarly, the Fed found that Wells Fargo enabled OFAC violations through the shortcomings in its risk management and oversight framework, but noted Wells Fargo’s voluntary reporting, full cooperation and remediation of the issue.

Under the Fed’s Order of Assessment, Wells Fargo agreed to pay a civil penalty of $67,762,500 for engaging in “unsafe or unsound practices” under the Federal Deposit Insurance Act, 12 U.S.C. § 1818(i)(2)(B).[7]

Under the OFAC Settlement Agreement, Wells Fargo agreed to pay $30 million to the Department of the Treasury in exchange for being discharged, “without any finding of fault, from any and all civil liability in connection with the Apparent Violations arising under the legal authorities that OFAC administers.”[8] Further, Wells Fargo promised to adhere to a list of compliance commitments for the next five years. These commitments include:

  • Management commitments: Senior management will review and support the work of the company’s sanctions compliance program.

  • Risk assessment: Wells Fargo will implement a program to adequately assess and address sanctions risks.

  • Internal controls: Wells Fargo will maintain, implement and enforce written policies and procedures to ensure sanctions compliance.

  • Testing and audit: Wells Fargo will employ independent auditing and testing functions accountable to senior management and will immediately address any weakness that it encounters in these procedures.

  • Training: Wells Fargo will provide adequate OFAC-related training for its employees, stakeholders, customers, clients and partners, and this training will reflect the products and services that Wells Fargo offers and the geographic regions in which it operates.

  • Annual certification: A senior-level executive or manager will provide annual certification that Wells Fargo is complying with the above commitments.

Takeaways

These penalties underscore that federal regulators are vigorously pursuing potential sanctions violations — even when such violations are admittedly inadvertent and indirect.

Given this focus, companies need to invest in reviewing and, when necessary, strengthening their sanctions procedures. Here, Wells Fargo inherited these issues as part of its Wachovia acquisition. In merger transactions, corporate lawyers have long conducted diligence on corruption risks arising under the FCPA and similar international statutes. The government’s focus on sanctions enforcement highlights the need to approach sanctions risks and diligence with the same heightened scrutiny, if bidders and issuers are not already doing so.


[1] See Board of Governors of the Federal Reserve System, Press Release: Federal Reserve Board fines Wells Fargo $67.8 million for inadequate oversight of sanctions risk at its subsidiary bank (Mar. 30, 2023), https://www.federalreserve.gov/newsevents/pressreleases/enforcement20230330a.htm.

[2] See Settlement Agreement with Wells Fargo Bank, N.A., COMPL-2015-562300 (Dep’t of the Treasury Mar. 22, 2023), https://home.treasury.gov/system/files/126/20230330_wells_fargo_settlement.pdf; In the Matter of Wells Fargo & Co., No. 22-011-CMP-HC (Bd. of Governors of Fed. Reserve Sys. Mar. 24, 2022), https://www.federalreserve.gov/newsevents/pressreleases/files/enf20230330a1.pdf.

[3] See Kramer Levin, Client Alert, Corporate Governance: 2022 Midyear Review (July 5, 2022), https://www.kramerlevin.com/en/perspectives-search/corporate-governance-2022-midyear-review.html.

[4] Settlement Agreement 2.

[5] Id. at 2–3.

[6] Id. at 3.

[7] Order of Assessment 2–3.

[8] Settlement Agreement 5.