Why You Need to Assess the Risk of Russian Sanctions on Your Institution
The U.S. government has introduced sanctions against Russian banks, companies, oligarchs, and elites in retaliation for Russia’s invasion of Ukraine. That may seem a world away for financial institutions focused on their local communities, but the potential impact shouldn’t be ignored.
Sanctions like these are part of the ever-evolving risk environment that banks, credit unions, mortgage companies, and fintechs operate in. Global events can impact your institution—whether you have relationships with foreign correspondent banks or not.
Let’s take a look at the risks financial institutions should consider when assessing the impact of Russian sanctions.
- Implementing sanctions
- Know your customers
- Regulatory scrutiny
- Cyberattacks
- Economic impact & inflation
Then we’ll raise some of the questions to ask when deciding if a business line or partner continues to make sense in a changed environment.
Implementing sanctions. Russian sanctions shouldn’t be new to financial institutions that deal with correspondent banks and other foreign financial institutions. When Russia annexed Crimea in 2014, the U.S. introduced sanctions. U.S. institutions should also be accustomed to adjusting to sanctions imposed against countries like North Korea, Iran, and Syria, which are common sources of OFAC violations.
Any financial institution that deals with foreign entities should have a compliance management system (CMS) that addresses and oversees foreign relationships and OFAC compliance. That system should include:
- Knowledge of both new and existing regulations
- Policies and procedures in place to implement them
- Proactive monitoring of compliance activities
- Audit and control features that demonstrate their compliance
- Up-to-date logs and compliance documentation
The challenge here is the large volume of potentially impacted transactions and the ability of financial institutions to identify sanctioned entities and individuals. While there should already be systems in place, the question is whether more resources will be needed if there is an increased volume of compliance activity.
Know your customer. Financial institutions are required to know their customers, but international ownership can get murky. Ongoing due diligence is a must.
Consider a Utah community bank that had a niche business line of helping foreigners legally register their aircraft in the United States. When the Paradise Papers leaked in 2017, the bank learned that an offshore company it had served since 2013 belonged to Russia’s wealthiest oligarch and friend of Russian President Vladimir Putin, Leonid Mikhelson. OFAC had sanctioned Mikhelson’s energy company (but not Mikhelson himself) in 2014 after Russian military interference in Ukraine.
While the bank knew the company’s owner “was Russian,” the details were hazy since it was registered under a Panamanian company. (The account had also been onboarded long before today’s more rigorous due diligence processes.)
Make sure you know your customers—and have reviewed long-standing customers who may have been onboarded before stricter standards were put in place.
Regulatory scrutiny. Just because your institution doesn’t do business with Russia doesn’t mean your institution is off the hook. Relationships with international correspondent banks can be complex. It’s not always easy to sleuth out ownership and rules can be open to interpretation.
If you have foreign relationships, it’s possible examiners will be especially interested in them during your next exam. Make sure you can document the reasons for your decisions.
Cyberattacks. Experts are warning of an increased risk of Russia-based cyberattacks. It’s not just retaliation for the sanctions, though that plays a role. It’s also profitable. Ransomware attacks are often resolved when the victim pays the perpetrator with cryptocurrency. With Russia cut off from U.S. financial institutions and the U.S. dollar, untraceable cryptocurrency becomes even more attractive.
Inflation and economic impact. Experts suggest Russian sanctions could impact the stock market, increase energy prices, and contribute to inflation, adding to both financial and credit risk at your institution.
Assessment: Does this business line still make sense for us?
When the risk environment changes, smart institutions evaluate the impact. For example, even with a strong CMS in place, a financial institution should reassess risk after a major geopolitical change to determine whether its foreign relationships remain worthwhile.
When updating the risk assessment, determine if:
- New risks have been introduced
- The likelihood of adverse impacts has increased (i.e., violations are more likely)
- The severity of adverse impacts has increased (i.e., violations will be treated more harshly by regulators)
- New or strengthened controls could mitigate risk
- There are sufficient resources to institute controls
- The activity or relationship still falls within the institution’s risk tolerance
If the inherent risk (the risk before considering controls) has increased significantly and your institution doesn’t have the ability or desire to introduce controls that can mitigate the risk, it might not be worthwhile anymore.
If your institution is able to implement controls, the residual risk (the risk after controls are considered) might make your institution comfortable with the activity despite the increased inherent risk.
The Utah community bank with an oligarch issue had debated closing its aircraft niche in 2014, fearing the reputation risk after one of the planes it registered touched down in Iran, according to The New York Times, but decided to continue with increased due diligence and staffing. It reevaluated risk and decided the activity was acceptable when more controls and monitoring were added.
Don’t be caught off guard by a changing world. Make sure your financial institution has a strong risk management program that proactively monitors emerging and existing risks. There is plenty in business you can’t plan for, but you can keep your eyes focused on risk.
Now’s the time to make sure your risk assessments are strong enough to keep up with the pace of global change.