Compliance Blog

Apr 17, 2023

OFAC Settles With Wells Fargo for $30,000,000.00

Mergers are becoming more and more common in the credit union industry. However, credit unions should exercise caution when merging because, generally, merging credit unions step into each other’s shoes. This means that a new credit union may be liable for violations of the old credit union(s). One recent example involves Wells Fargo, N.A. (Wells Fargo), its acquisition of Wachovia Bank (Wachovia), and Wachovia’s relationship with a European bank.

On March 30th, the Office of Foreign Assets Control (OFAC) released an announcement (the “Release”) that it had settled with Wells Fargo for $30,000,000 for three apparent program violations. According to OFAC, Wachovia, and subsequently Wells Fargo, provided software to a European bank that then used the software to “process trade finance transactions with U.S.-sanctioned jurisdictions and persons.”

What Happened?

According to OFAC, the relationship with the European bank was originally initiated by Wachovia. According to the Release, Wachovia provided software to the European bank that permitted the European bank to manage and process transactions on its own. The agreement between Wachovia and the European bank stated that it was the European bank’s responsibility to screen for OFAC issues and that it would not process transactions for OFAC-sanctioned jurisdictions or entities. Eventually, Wachovia further created software that would allow the European bank to make transactions with OFAC-sanctioned jurisdictions/entities.

After Wells Fargo acquired Wachovia in 2008, Wells Fargo staff flagged, on multiple occasions over multiple years, that the European bank may be using the Wachovia software to process transactions for OFAC-sanctioned jurisdictions and entities. However, Wells Fargo did not stop the European bank from using the software until 2015, seven years after it acquired Wachovia.

According to OFAC, this resulted in Wells Fargo facilitating 124 transactions for the European bank that involved sanctioned parties or jurisdictions. These transactions totaled approximately $532,068,794.

The Penalty

While the Release states that the maximum penalty for these violations is $1,066,738,422.22, OFAC settled with Wells Fargo for $30,000,000. It did so after considering both aggravating and mitigating factors. The Release provides the following aggravating factors:

· Wachovia Bank demonstrated reckless disregard for U.S. sanctions requirements even though it knew or should have known that the software provided to the European bank could be used to process transactions for sanctioned jurisdictions and entities;

· Wells Fargo failed to exercise caution or care by failing to identify or prevent such transactions even though potential sanctions concerns were raised internally at the senior-management level;

· By providing software to the European bank, Wells Fargo undermined U.S. policy objectives of three sanctions programs; and

· Wells Fargo is a large and commercially sophisticated international bank with a sophisticated understanding of U.S. sanctions requirements.

The Release also provides the following mitigating factors:

· There was no indication that Wachovia provided the software to the European bank for the purpose of processing sanctioned transactions;

· Wells Fargo has a strong sanctions compliance program and the failure in this case was not the result of a systemic compliance breakdown;

· The magnitude of the sanctions harm was limited and many of the violations related to subjects, such as agriculture or medicine, that may have been eligible for a general or specific license;

· Wells Fargo had not received a penalty notice or Finding of Violation from OFAC “in the five years preceding the date of the earliest transaction giving rise to the Apparent Violations”;

· After identifying the issue, Wells Fargo took steps to stop further transactions, voluntarily notified OFAC of the issue, and provided substantial cooperation to OFAC; and

· Wells Fargo immediately suspended use of the software and instituted “a more robust risk management policy for new or revised product or service offerings. This policy seeks to identify and control any areas of risk, including sanctions-related risk, associated with new business initiatives prior to, during, and after implementation.”

OFAC also discusses the following compliance considerations that may be useful to credit unions:

“This action highlights the risks that companies may face when employees pursue new business opportunities or the preservation of existing business relationships without proper oversight. Such oversight is important across all business units within an organization, including lines of business that may be small relative to the larger organization or that involve products or services falling outside the larger organization’s core business. Moreover, when sanctions compliance risks are raised internally — including concerns arising from smaller, non-core business lines — companies should promptly seek to thoroughly investigate and address those risks. Finally, this action emphasizes the necessity for comprehensive due diligence regarding potential sanctions risk when one entity acquires another through merger or acquisition.”

Credit unions may find the above considerations, as well as the aggravating and mitigating factors, useful in creating their own OFAC compliance policy.

While most credit unions are not selling software to European banks, the above highlights the potential for issues to arise when a merger occurs. As such, credit unions may want to conduct due diligence by reviewing each other’s policies, procedures, and offerings before and after a merger occurs. You don’t want to be left holding a hot potato.



About the Author

Keith Schostag, NCCO, Senior Regulatory Compliance Counsel, NAFCU


Keith Schostag joined NAFCU as regulatory compliance counsel in February 2021. In this role, Keith assists credit unions with a variety of compliance issues.
