On November 19, 2018, the Paris-based bank Société Générale SA announced that it has agreed to pay a total of $1.34 billion in penalties as part of its settlement with federal and state authorities to resolve U.S. sanctions violations involving Cuba, Iran, and Sudan. That amount is the second largest penalty ever imposed on a financial institution for U.S. economic sanctions violations. This settlement demonstrates a level of cooperation that is becoming increasingly common in large-scale investigations. Pursuant to this settlement, Société Générale entered into agreements with the New York State Department of Financial Services (DFS), the Federal Reserve, the Office of Foreign Assets Control, the U.S. Attorney’s Office for the Southern District of New York (SDNY), and the Manhattan District Attorney’s Office.
This settlement is notable, however, for several reasons beyond the significant sum and numerous agencies involved. It highlights the critical importance of a robust and adequately staffed compliance program and underscores the necessity of centralized and detailed policies and procedures.
In a Consent Order related to Société Générale’s sanctions violations, DFS identified deficiencies in the bank’s sanctions compliance program and internal controls. DFS noted that the bank had no centralized sanctions compliance function, and that a group policy mentioned U.S. sanctions regulations only in passing. DFS also found that the bank lacked a global sanctions compliance training program and instead provided only sporadic training.
The importance of a strong compliance program was emphasized in a separate DFS Consent Order that Société Générale also entered into on November 19. That Consent Order related to deficiencies in the New York branch’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program, which were previously addressed in a 2009 agreement with the DFS. The DFS Consent Order noted that the bank’s BSA/AML compliance program was effective for four years following the 2009 agreement, but subsequent examinations identified deficiencies, including:
Challenges maintaining a core and stable compliance team and a lack of succession planning. DFS noted that the New York branch failed to fill the Chief Compliance and Bank Secrecy Act position for several months after employee resignations, resulting in a void of key leadership at the branch;
The New York branch’s compliance staff failed to conduct suspicious activity investigations in a timely manner;
The branch lacked a clear and defined methodology for customer risk assessment policies and procedures and did not develop a comprehensive rolling review due diligence program;
The branch’s committee on financial crime and prevention did not meet at scheduled frequencies and failed to always include key committee members when it did meet; and
Audit reports were held by Internal Audit until management of the business that was reviewed had a chance to respond to the report, contrary to “sound practice” that internal audit reports be issued at an appointed time based on written policies and procedures.
The significant penalties levied against Société Générale highlight the importance of not only adequate policies and procedures but also the importance of dedicating sufficient resources to the compliance function so that it operates in an efficient and meaningful way. Further, these sizable penalties underscore the need for continuous evaluations of any compliance program.