Wells Fargo Fined $97.8 Million For Failing To Identify Sanctions Violations From A Legacy Wachovia Business - Export Controls & Trade & Investment Sanctions - United States

Gunnar Larson g at xny.io
Thu Apr 20 12:07:36 PDT 2023

United States: Wells Fargo Fined $97.8 Million For Failing To Identify
Sanctions Violations From A Legacy Wachovia Business
18 April 2023
by Alan R. Friedman , Darren LaVerne , Michael Martinez , Gary P Naftalis ,
Paul Schoeman , Jennifer S. Windom and Jessica A. Christy
Kramer Levin Naftalis & Frankel LLP
Your LinkedIn Connections
with the authors

On March 30, federal regulators announced that Wells Fargo Bank had entered
into settlements in which it agreed to pay $97.8 million in fines for
enabling sanctions violations between 2010 and 2015.1 In two separate
enforcement decisions, the Department of the Treasury's Office of Foreign
Assets Control (OFAC) and the Federal Reserve's Board of Governors found
that Wells Fargo provided a financial software platform called Eximbills to
an unnamed European bank (Bank A), which then used the software to process
124 transactions, totaling over $530 million, in violation of U.S.
sanctions for Iran, Sudan and Syria.2 Regulators concluded that Wells Fargo
reasonably should have known that Bank A was using the Eximbills software
in this manner and that its failures to promptly identify the apparent
violations were attributable to shortcomings in its risk-assessment and
oversight mechanisms.

Although these settlements did not involve criminal charges or penalties,
we note that the aggressive approach to sanctions enforcement is consistent
with the priorities articulated by the Department of Justice (DOJ). As we
have previously reported, in recent speeches, DOJ officials have repeatedly
emphasized a focus on sanctions enforcement, describing sanctions as "the
new FCPA."3

Eximbills originated with Wells Fargo's predecessor, Wachovia Bank. Prior
to its acquisition by Wells Fargo, Wachovia had provided Eximbills to Bank
A. Under a 2006 contract with Wachovia, Bank A agreed to screen its
Eximbills transactions for sanctions issues and to use its own separate
systems to process transactions that could run afoul of U.S. sanctions.

But in 2007, Wachovia sought to streamline its provision of services to
Bank A. Wachovia, acting at the direction of a mid-level manager, designed
a custom version of Eximbills for Bank A to host on its own servers, "in
part so that Bank A could use Eximbills to handle international trade
finance instruments involving OFAC-sanctioned jurisdictions and persons."4
Bank A began using this software around July 2008. Although Wachovia
attempted to distance itself from any transactions involving sanctioned
entities, Bank A's custom software "continued to rely on Wachovia's (and
then Wells Fargo's) technology infrastructure" at a bank branch in Hong
Kong and a data facility in North Carolina.5

In late 2008, Wells Fargo acquired Wachovia, along with its Eximbills
software and its relationship with Bank A. According to the OFAC Settlement
Agreement, Wells Fargo failed to follow up on warning signs about Bank A's
use of Eximbills throughout the acquisition process and for several years
thereafter. In 2013, after a number of employees had raised concerns that
customers using Eximbills might pose sanctions risks, Wells Fargo formed an
internal working group to review its insourcing business. This group
included a number of former Wachovia employees who had been involved in its
dealings with Bank A — but they did not disclose that Bank A's version of
Eximbills had been created in part to permit Bank A to engage in
non-OFAC-compliant transactions. The working group concluded that Wells
Fargo's relationship with Bank A was relatively low-risk. Although the
group recommended some protective measures, Wells Fargo permitted Bank A to
continue using Eximbills as before — in part due to the working group's
"low-risk" designation — until Wells Fargo completed its broad review of
its insourcing business.

In late 2015, in the course of this broad review, Wells Fargo discovered
that Bank A may have been using Eximbills to process prohibited
transactions. Wells Fargo promptly suspended Bank A's access to Eximbills,
disclosed its findings to OFAC and began an internal investigation.

Allegations and Settlements
In its Settlement Agreement with Wells Fargo, OFAC commented that there was
no sign that the senior management of either Wachovia or Wells Fargo had
actual knowledge that Bank A was using Eximbills to engage in prohibited
transactions. Nonetheless, OFAC found that "Wells Fargo's senior management
should reasonably have known that Bank A was using the [custom] Eximbills
platform to engage in transactions with OFAC-sanctioned jurisdictions and
persons," and concluded that these apparent violations constituted an
"egregious case."6 However, OFAC credited Wells Fargo for its voluntary
self-disclosure once it learned of Bank A's actions. Similarly, the Fed
found that Wells Fargo enabled OFAC violations through the shortcomings in
its risk management and oversight framework, but noted Wells Fargo's
voluntary reporting, full cooperation and remediation of the issue.

Under the Fed's Order of Assessment, Wells Fargo agreed to pay a civil
penalty of $67,762,500 for engaging in "unsafe or unsound practices" under
the Federal Deposit Insurance Act, 12 U.S.C. § 1818(i)(2)(B).7

Under the OFAC Settlement Agreement, Wells Fargo agreed to pay $30 million
to the Department of the Treasury in exchange for being discharged,
"without any finding of fault, from any and all civil liability in
connection with the Apparent Violations arising under the legal authorities
that OPAC administers."8 Further, Wells Fargo promised to adhere to a list
of compliance commitments for the next five years. These commitments

Management commitments: Senior management will review and support the work
of the company's sanctions compliance program.>
Risk assessment: Wells Fargo will implement a program to adequately assess
and address sanctions risks.
Internal controls: Wells Fargo will maintain, implement and enforce written
policies and procedures to ensure sanctions compliance.
Testing and audit: Wells Fargo will employ independent auditing and testing
functions accountable to senior management and will immediately address any
weakness that it encounters in these procedures.
Training: Wells Fargo will provide adequate OFAC-related training for its
employees, stakeholders, customers, clients and partners, and this training
will reflect the products and services that Wells Fargo offers and the
geographic regions in which it operates.
Annual certification: A senior-level executive or manager will provide
annual certification that Wells Fargo is complying with the above
These penalties underscore that federal regulators are vigorously pursuing
potential sanctions violations — even when such violations are admittedly
inadvertent and indirect.

Given this focus, companies need to invest in reviewing and, when
necessary, strengthening their sanctions procedures. Here, Wells Fargo
inherited these issues as part of its Wachovia acquisition. Corporate
lawyers have long diligenced in merger transactions corruption risks
arising under the FCPA and similar international statutes. The government's
focus on sanctions enforcement highlights the need to approach sanctions
risks and diligence with the same heightened scrutiny, if bidders and
issuers are not already doing so.


1. See Board of Governors of the Federal Reserve System, Press Release:
Federal Reserve Board fines Wells Fargo $67.8 million for inadequate
oversight of sanctions risk at its subsidiary bank (Mar. 30, 2023),

2. See Settlement Agreement with Wells Fargo Bank, N.A., COMPL-2015-562300
(Dep't of the Treasury Mar. 22, 2023),
In the Matter of Wells Fargo & Co., No. 22-011-CMP-HC (Bd. of Governors of
Fed. Reserve Sys. Mar. 24, 2022),

3. See Kramer Levin, Client Alert, Corporate Governance: 2022 Midyear
Review (July 5, 2022),

4. Settlement Agreement 2.

5. Id. at 2­–3.

6. Id. at 3.

7. Order of Assessment 2–3.

8. Settlement Agreement 5.

The content of this article is intended to provide a general guide to the
subject matter. Specialist advice should be sought about your specific

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 10870 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20230420/924b7cf7/attachment.txt>

More information about the cypherpunks mailing list