DFS Fines UniCredit Group $405 Million for Violations of Sanctions Laws

Bank and Its Affiliates Conducted Billions of Dollars in Illegal and Non-Transparent Payment Transactions to Countries Subject to Embargoes and Other Sanctions, Including Iran, Libya, Myanmar and Sudan

DFS Fine Part of $1.3 Billion Global Settlement Concluded with Manhattan District Attorney, Department of Justice, Department of Treasury, and the New York Branch of the Federal Reserve

Press Release
April 15, 2019


Bank and Its Affiliates Conducted Billions of Dollars in Illegal and Non-Transparent Payment Transactions to Countries Subject to Embargoes and Other Sanctions, Including Iran, Libya, Myanmar and Sudan

DFS Fine Part of $1.3 Billion Global Settlement Concluded with Manhattan District Attorney, Department of Justice, Department of Treasury, and the New York Branch of the Federal Reserve

Acting Financial Services Superintendent Linda A. Lacewell today announced that the New York Department of Financial Services (DFS) has fined UniCredit Group $405 million for violations of sanctions laws that involved billions of dollars in illegal and non-transparent transactions to clients in countries subject to sanctions, including Cuba, Iran, Libya, Myanmar and Sudan.  The $1.3 billion global settlement announced today was reached in conjunction with the Manhattan District Attorney, the U.S. Department of Justice, the U.S. Treasury Department, and the New York branch of the Federal Reserve Bank and stems from an investigation of the companies’ U.S. dollar payment transactions between 2002 and 2011.  Under today’s settlement, UniCredit Group will submit a compliance program, acceptable to DFS, to comply with U.S. and New York sanctions laws and regulations.

“UniCredit prioritized profit over compliance and security by deliberately engaging in billions of dollars of transactions with clients from sanctioned nations, including Iran, Libya, and Cuba, and then working to cover their tracks to avoid detection,” said Acting Superintendent Lacewell.  “Sanctions against dangerous foreign regimes and terrorist groups are critical to protect national security and uphold the integrity of our global financial system, and DFS will hold violators accountable to the fullest extent of the law.”

UniCredit AG Violations

In 2004, UniCredit AG implemented an automated transaction filtering tool, known as the “Embargo Tool,” to identify transactions containing information relevant to the Office of Foreign Assets Control (OFAC), indicating a connection to a person or entity prohibited by U.S. sanctions or OFAC’s Specially Designated Nationals list. However, at the time the companies implemented the Embargo Tool, the Core Compliance Team established detailed instructions for intentionally circumventing the tool for transactions prohibited by OFAC, in order to avoid inconveniencing bank customers. The instructional guide directed bank employees to violate New York law by submitting certain payment orders in what was euphemistically known as an “OFAC-neutral” manner, meaning without the involvement of U.S. banks or ensuring that the information implicating OFAC sanctions was not revealed in the payment messages sent to U.S. banks. 

The DFS investigation found that UniCredit AG conducted approximately 2,570 non-transparent U.S. dollar payment transactions, totaling approximately $5.4 billion, sent by UniCredit AG through the U.S banking system between 2002 and 2011.  DFS also found that between 2002 and 2011, UniCredit AG sent approximately 300 U.S. dollar payments (totaling approximately $61.5 million) through the U.S. banking system that were prohibited by OFAC and involved the use of non-transparent payment messaging. DFS also identified an additional 667 U.S. dollar payment transactions that were illegal under federal law, totaling approximately $660 million and sent by UniCredit AG through the U.S. banking system between 2002 and 2011, including some transmitted through financial institutions regulated by DFS.  These payments violated federal sanctions law applicable to countries such as Iran, Libya and Cuba.

The bank used non-transparent methods that included “cover payments” and “wire stripping,” with some transmitted through financial institutions regulated by DFS.  Under the cover payment method, the bank used Society of Worldwide Interbank Financial Telecommunications (SWIFT) payment messages to disguise transactions. The first SWIFT message, known as an MT103, included all details about the transaction, and UniCredit AG would send it directly to the prohibited beneficiary’s bank.  UniCredit AG would then send a second message, known as an MT202 or “cover payment” message, to the U.S. financial institution in New York that was clearing the U.S. dollar payment.   The “cover payment” message intentionally omitted details about the underlying parties to the transaction and was sent for the transaction to be settled in U.S. dollars.

UniCredit AG also used another deceptive practice known as “wire stripping,” which involved bank employees deliberately removing information identifying potentially sanctioned entities from payment messages and instructions to ensure customer payments were not impeded by sanctions prohibitions. For example, the Core Compliance Team instructed other employees to strip words such as “Sudan,” Myanmar” and “Tehran,” noting in one instance that such terms “should be deleted because of the US embargo against Iran.”

UniCredit AG maintained accounts and processed U.S. dollar payments on behalf of customers affiliated with the Islamic Republic of Iran Shipping Line (IRISL), despite sanctions prohibiting such activity. By sending approximately 1,319 OFAC-prohibited U.S. dollar payments, totaling nearly $75 million, through the U.S. financial system between 2004 and 2011, UniCredit AG assisted IRISL and IRISL-affiliated customers in accessing the U.S. financial system.

UniCredit S.p.A. Violations

DFS’s investigation also determined that UniCredit S.p.A. conducted approximately 957 U.S. dollar transactions, valued at $79.5 million, in violation of U.S. sanctions laws and regulations. 

In January 2007, OFAC designated Bank Sepah as a specially designated national, or “SDN”, which made it a prohibited entity, due to Bank Sepah’s role in developing Iran’s nuclear program.  At about the same time, Bank Sepah was designated as an entity subject to U.N. and E.U. sanctions laws as well.  In October 2007, UniCredit S.p.A. opened an account at the request of and under the control of the Italian government, for the purpose of holding and disbursing frozen funds belonging to Bank Sepah. 

In addition, UniCredit S.p.A. purposefully conducted illegal payments involving Cuban entities.  Nearly 60 percent of UniCredit S.p.A.’s impermissible transactions violated long-standing U.S. sanctions against Cuba.  Many of these transactions involved payments made pursuant to letters of credit related to the shipment of goods to Cuba from various locations worldwide.  These transactions spanned from at least 2003 through 2012, and the value for outbound payments during this time exceeded $50 million.  UniCredit S.p.A. also conducted payments that violated U.S. sanctions regarding Myanmar.  Intentionally deceptive methods enabled UniCredit S.p.A. to make more than $4 million in payments in violation of the sanctions against Myanmar between 2003 and 2012.

UniCredit Bank Austria Violations

DFS’s investigation found that UniCredit Bank Austria (UniCredit BA) carried out approximately 330 impermissible U.S. dollar transactions, valued at approximately $118 million, and conducted nearly 2,500 non-transparent U.S. dollar payments, totaling approximately $3.9 billion between 2004 and 2012. Like its affiliates, UniCredit BA used altered or non-transparent payment messages to process millions of dollars of transactions through U.S. financial institutions on behalf of customers who were subject to U.S. economic sanctions.  In 1999, UniCredit BA created its own written policy which instructed UniCredit BA employees how to handle payment processing involving countries that were affected by U.S. sanctions. However, the written policy also directed employees to use non-transparent methods when executing U.S. dollar transactions implicating U.S. sanctions, in order to hide the true nature of those payments.

UniCredit BA employed non-transparent payment messages involving Iranian parties.  Between May 2008 and 2012, UniCredit BA executed U.S. dollar payments involving goods transmitted through ports in Iran, executing 153 payments, totaling approximately $102 million, in direct violation of the laws and regulations of the U.S. and State of New York.

Sanctions Compliance Program

Under the settlement announced today, UniCredit S.p.A. will submit to DFS an acceptable OFAC compliance program, including a timetable for implementation, to ensure compliance with applicable OFAC regulations and New York laws and regulations by UniCredit Group’s global business lines. The program must include the following measures, among others:

  • An annual assessment of OFAC compliance risks arising from the global business activities and customer base of UniCredit Group’s subsidiaries, including risks arising from transaction processing and trade finance activities conducted by or through UniCredit Group’s global operations;
  • Policies and procedures to ensure compliance with applicable OFAC Regulations by UniCredit Group’s global business lines, including screening with respect to transaction processing and trade financing activities for the direct and indirect customers of UniCredit Group subsidiaries;
  • The establishment of an OFAC compliance reporting system that is widely publicized within the global organization and integrated into UniCredit Group’s other reporting systems in which employees report known or suspected violations of OFAC Regulations, and that includes a process designed to ensure that known or suspected OFAC violations are promptly escalated to appropriate compliance personnel for appropriate resolution and reporting;
  • Procedures to ensure that the OFAC compliance elements are adequately staffed and funded; and
  • Training for UniCredit Group’s employees in OFAC-related issues appropriate to the employee’s job responsibilities that is provided on an ongoing, periodic basis.
  • An audit program designed to test compliance with OFAC regulations.

DFS recognizes the bank’s substantial cooperation with the investigation and will ensure the bank upholds its pledge to rectify these matters.

A copy of the consent order can be found here.