us-sanctions 07 May 2020

OFAC says AmEx violated US sanctions by issuing card to designated German national

The US Department of the Treasury’s Office of Foreign Assets Control (‘OFAC’) has issued a ‘Finding of Violation’ notice to American Express Co. (‘AmEx’), after one of the company’s subsidiaries outside the United States mistakenly supplied a prepaid card to a German national sanctioned for alleged links to a black market nuclear network.

OFAC said that AmEx had ‘remediated and disclosed the violations to OFAC,’ and was not fined because ‘there is no monetary penalty associated with a Finding of Violation.’

In 2015, American Express Travel Related Services Co. issued the card to Gerhard Wisser, a German engineer who had been accused by US authorities of involvement in an alleged black market network run by Dr. Abdul Qadeer Khan, the scientist behind Pakistan’s atom bomb.

After issuing the card to Wisser, the AmEx subsidiary is said to have processed 41 transactions totaling $35,246.82, in violation of US sanctions though OFAC said it had concluded that ‘there was no willful or reckless behavior’ by AmEx because the card was issued by mistake.

When Wisser applied for the card, the AmEx screening system used to check for compliance had generated multiple ‘declined’ messages, OFAC explained in a 30 April statement. But the subsidiary ‘made several additional approval attempts which eventually led the risk engine to time out. The timing out of the risk engine then triggered the application to be automatically approved,’ OFAC said. It explained that, when the application was flagged for a manual review, the AmEx compliance analyst ‘incorrectly determined’ that Wisser was not the person whose name was on  the OFAC sanctions list.

OFAC said that Amex’s automatic approval of applications, in instances where the risk engine led to a system timeout, was ‘a critical shortcoming of its compliance program,’ and added, ‘This case highlights the importance of taking the steps necessary to ensure that automated sanctions compliance controls measures cannot be overridden without appropriate review.’