
State Street sanctions decision re-emphasises the complexity of US sanctions law

Nigel Morris-Cotterill

If we take out the hyperbole inherent in American notices (e.g. "violation" instead of "breach" and the profligate use of words like "egregious") we get to a nitty gritty that is a stone in the shoe, a thorn in the side or any one of a dozen bon mots that indicate how and why compliance officers need to be abreast of principles more than data. One has to feel some sympathy with State Street. The case also has implications for citizens of one country living abroad, especially pensioners.

This case demonstrates why delegating monitoring of e.g. customers against watch-lists isn't enough. It also shows that algorithms (whether they be effected by humans or machines) must not be regarded as set in stone.

State Street Bank and Trust Co. is one of the USA's largest banks and it has long had operations in many financial centres around the world. Its compliance and risk management teams have, for many years, worked hard to be on top of an increasingly impossible task relating to global financial crime issues. Sanctions is an extension of that and, while it is generally a relatively straightforward data task (albeit one that many banks seem to find complicated and/or expensive and/or commercially undesirable), it remains important.

Sanctions are, usually, quite black and white: don't deal with this person or entity, don't supply those goods to anyone in that country and so on.

But there are also insidious sanctions, for example those that say not to deal with anyone in a country. Those seem tailor-made to trip up someone who is actually trying to do the right thing, only for it to go wrong.

First, it's useful to note that the US Treasury imposed a "Finding of Violation" on State Street. This is the regulatory equivalent of being shown an angry face. There is no financial penalty, for example, attached to such a finding.

Here's what happened: a former employee of a long-time customer of State Street was in receipt of pension payments. State Street, on its customer's instructions, made payments to pensioners. One such pensioner, a US Citizen, lives in Iran, a fact known to State Street. Between January 2012 and September 2015, 45 payments totalling just over USD11,300 were sent to that pensioner's US bank account.

The offence, as found by OFAC, was a breach of The Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR), which, inter alia, prohibits "the exportation, re-exportation, sale or supply of services ... performed on behalf of a person in Iran."

Note the phrase "a person in Iran."

State Street's KYC monitoring software identified each of those 45 transactions as related to "a person in Iran." However, the division that specifically deals with pension, etc. payments appears to have decided that that provision did not apply to a US Citizen receiving money from a US corporation paid by a US bank into an account in the USA with a different US bank. After all, so far as State Street was concerned, there was no cross-border transaction. They did not send money to Iran. They did not pay the money into a US branch of an Iranian bank (not that there appear to be any). They did not pay the money to an agent for an Iranian individual or business. Again:

Payment made
- in US dollars
- by a US customer
- through a US bank
- to a US bank account
- held by a US citizen
- for a totally legitimate purpose
- of very small amounts (both individually and in aggregate)
- with no reason to be suspicious
- except the recipient lives in Iran.

It is the last two that are likely to cause conflict. There is nothing to say that this is what happened but it is easy to envisage that staff, well versed in money laundering and terrorist financing policies and procedures, would, in these circumstances, form the absolutely reasonable view that there was no reason to make a suspicious activity report for those reasons. It is, on a common sense basis, entirely reasonable for them to conclude that if there is nothing to raise suspicion, then the transactions should go ahead.

It would be easy for staff to assume that any ban on transfers to Iran relates to moneys where there is suspicion, either of the money itself or of one or more of the parties. There isn't either here.

The situation is that all businesses that are affected by OFAC should simply set their system up to say "recipient in Iran, don't make this transaction."

It's here that the situation reaches a new level of complexity. There are several reasons why State Bank has been censured. The most interesting are:

State Street -

- Had actual knowledge that it was processing transactions on behalf of an individual who was resident in Iran, as SSBT stopped, escalated, reviewed, and approved every one of the 45 distribution payments, each of which contained an explicit reference to Iran;
- Had escalation and review procedures for sanctions-related alerts that nonetheless failed to lead to correct decisions on 45 occasions; and
- Had compliance screening issues that continued for a year after the Federal Reserve Bank of Boston notified the bank of a related issue pertaining to inadequate escalation procedures.

There is also that hyperbole: "Caused harm to the sanctions program objectives and the integrity of the ITSR by performing a service on behalf of an individual in Iran;" Seriously? USD11,300 (approx) over a period of more than two years is un-American conduct bordering on treason? Here's the thing: this is what exercises bureaucrats the world over. There is no point in trying to argue against it. Everyone subject to US sanctions law just has to bite their lip and take it.

Did you like what we did there, slipping in the point that this has extra-territorial application and application to foreign companies and individuals? If a Spanish bank had put the USD into the same account, that Spanish bank would be subject to OFAC action, too.

Why, if it's such a big deal, did OFAC just scowl at State Street?

There were five reasons. Three aren't very interesting:

"- SSBT’s screening filter did appropriately identify and alert staff to the nexus to a sanctioned jurisdiction;
- The payments at issue may not have actually been transferred to Iran, though they were made on behalf of a person in Iran;
- SSBT took remedial action in response to the violations and enhanced its escalation procedures as they pertain to sanctions-related alerts;
- SSBT cooperated with OFAC by voluntarily self-disclosing the violations and entering into a tolling agreement with extensions."

"escalation" - translation - passed it to a supervisor for review.

That makes one of the other reasons particularly fascinating. It says "No SSBT managers or supervisors appear to have been aware of the conduct that led to the violations." There were previous failures in submitting cases for review meaning that the internal system left decisions to be made at a (relatively) junior level. If this had been money laundering related, would that have been a failure in training? Does that mean that the defence of "the bosses didn't know so the company is not to blame" works?

But then there is the most important lesson that all those subject to OFAC, etc. should consider: "There is a possibility that the funds transfers could have become licensed." So, if State Street or its customer had asked the US Treasury if it was OK to pay a pension even where the pensioner was in a country subject to blanket sanctions, the Treasury would, probably, have said it was.

On the surface, the case is a storm in a tea-cup but looking closely, it contains indicators of serious problems for businesses and individuals in the USA and beyond.