On October 5, 2018, JPMorgan Chase Bank (JPMC) reached a $5.26M settlement with the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for apparent OFAC violations dating between January 2008 and February 2012.

Included in the announcement was notification of separate OFAC violations related to the Foreign Narcotics Kingpin and Syrian Sanctions Regulations that took place between August 2011 and April 2014.

Details about the earlier violations suggest that there were gaps in JPMC’s reporting and escalation processes (and that despite red flags, staff members allowed transactions to proceed). What’s noteworthy about the second case, however, is not that JPMC staff allowed 85 prohibited transactions from six customers (and Specially Designated Nationals) to occur. Rather, it was the following:

  1. That the institution’s screening system failed to “identify customer names with hyphens, initials, or additional middle or last names as potential matches to similar or identical names on the SDN List,” and
  2. That JPMC employees did not further vet results despite similarities in name, addresses and dates of birth.

On the positive side, JPMorgan Chase self-identified the weakness in its screening tool and took remedial actions to correct—ultimately moving to a new screening system in 2013. Once implemented, they rescreened close to 200 million customer records, discovered the transactions in question, and ultimately reported the violations to OFAC.

Due diligence when it comes to risk is worth it

For an organization the size of JPMorgan Chase, a $5M financial settlement probably isn’t going to break the bank (no pun intended!). But the same may not be true for businesses without a similar bottom line to fall back on.

The later violation could have been avoided altogether if JPMC had set procedures in place (a match resolution workflow, for example) and educated staff that they had a responsibility to take extra steps to further vet information in the event one or more search terms came back positive.

Despite the screening tool lacking the ability to recognize hyphens, initials, and additional middle or last names—though a good restricted and denied party screening solution should be able to account for this information—there was still enough readily available data (e.g., matching dates of birth) that, upon review, would have indicated that the six account holders and those on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List were potentially one and the same.

One sentence lesson

Screening everyone and every transaction isn’t enough to be compliant with OFAC and other U.S. export, trade and financial compliance laws—positive matches should always be fully vetted and cleared before a transaction can take place, ideally in an environment with set procedures and systems in place.