OFAC actions put spotlight on tech-savvy compliance

At the end of April, the US Office of Foreign Assets Control (OFAC) announced a Finding of Violation against American Express Travel Related Services Company (Amex) for issuing a pre-paid credit card to, and processing transactions on behalf of, a Specially Designated National (SDN). According to OFAC, the violations followed a system error in Amex's automated name-screening system.

Earlier this year, OFAC announced a US$ 7,829,640 settlement with Switzerland-based Société Internationale de Télécommunications Aéronautiques (SITA) for providing computer services and software subject to US jurisdictions for the benefit of sanctioned airlines.

For financial institutions, whose services are increasingly automated and online, these cases remind us that software and digital services must be designed and tested to ensure compliance with US sanctions inside and outside the United States.

Here are three things to keep in mind during your next sanctions risk assessment, compliance audit, or new product review.

First, ask 'What if?' when implementing name screening controls. According to OFAC, Amex's centralised name screening tool 'timed out' after receiving multiple requests from an external issuer, allowing the SDN's card application to be processed.

The lesson: compliance and IT should work together to test name screening schematics before going live. In this case, a dependent process (card issuance) was allowed to proceed after a name screening failure. A back-up manual control also failed.
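The failure mode described above can be shown as a fail-open gate beside a fail-closed one. This is an added example, not code from OFAC, Amex or any screening product; `screen_name`, the watchlist entry, the timeout values and the review queue are all constructed for illustration.

```python
import concurrent.futures as cf
import time
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"
    REJECT = "reject"
    HOLD = "hold_for_manual_review"

# Constructed watchlist entry for the demo; not a real SDN record.
WATCHLIST = {"ivan example"}

def screen_name(name, delay=0.0):
    """Hypothetical screening service; True means the name is on the list."""
    time.sleep(delay)  # stands in for an overloaded central screening tool
    return name.strip().lower() in WATCHLIST

def screen_with_timeout(name, timeout, delay=0.0):
    """Return the screening result, or raise if no answer arrives in time."""
    pool = cf.ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(screen_name, name, delay).result(timeout=timeout)
    finally:
        pool.shutdown(wait=False)  # do not block the caller on a stuck check

def issue_card_fail_open(name, timeout, delay=0.0):
    """Flawed: any screening error is treated the same as 'no match'."""
    try:
        hit = screen_with_timeout(name, timeout, delay)
    except Exception:
        hit = False  # the timeout is swallowed and issuance proceeds
    return Decision.REJECT if hit else Decision.APPROVE

def issue_card_fail_closed(name, timeout, delay=0.0, review_queue=None):
    """Hardened: only an explicit 'no match' answer can lead to approval."""
    try:
        hit = screen_with_timeout(name, timeout, delay)
    except Exception as exc:
        if review_queue is not None:
            review_queue.append((name, type(exc).__name__))  # audit trail
        return Decision.HOLD
    return Decision.REJECT if hit else Decision.APPROVE

if __name__ == "__main__":
    queue = []
    print(issue_card_fail_open("Ivan Example", timeout=0.05, delay=0.3))
    print(issue_card_fail_closed("Ivan Example", 0.05, 0.3, queue), queue)
```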

Second, know your software and data. SITA became subject to OFAC's jurisdiction because it provided software and services that were either US-origin or depended on US-based servers or facilities. The use of US-based servers or other facilities, or involvement of US persons, in performing services involving a sanctioned party or territory can provide OFAC with a sufficient jurisdictional 'hook' to pursue an enforcement action.

In another example, in January 2017 OFAC issued a Finding of Violation against Toronto-Dominion Bank for processing online securities trades through a US broker on behalf of persons in Cuba and Iran. According to OFAC, the action highlighted 'the risk associated with online payment platforms when the financial institution is unable to restrict access for individuals and entities located in comprehensively sanctioned countries'.

Third, if you have it, screen it. Many OFAC cases have hinged on a financial institution's failure to screen data in its possession before processing transactions subject to OFAC jurisdiction. In June 2019, Western Union settled for US$ 401,697 after processing almost 5,000 transactions involving a Specially Designated Global Terrorist acting as a sub-agent in The Gambia. Western Union apparently stored the sub-agent's name in a database field that was not subject to automated name screening.

In another case, in October 2018 JPMorgan Chase paid US$ 5,263,171 for OFAC violations involving a settlement mechanism operated on behalf of a non-US organisation whose members included sanctioned entities. According to OFAC, the bank received the names of the sanctioned entities but failed to screen them before settling payments.

Understanding OFAC regulations is one thing. But, as shown above, tech-savvy compliance is key as more financial services go digital.  
