ICBC's New York Compliance Woes: Here's What Happened

On January 19, 2024, New York's Department of Financial Services (NYDFS) announced a penalty of $30 million against Chinese banking giant the Industrial and Commercial Bank of China (ICBC) for OFAC sanctions and AML compliance failings. The violations occurred at its New York City branch.

But that's not all. 

On the same day, the Federal Reserve Board announced an additional $2.4 million fine on ICBC's NY branch for Bank Secrecy Act (BSA) lapses.

So, what were the offenses?

On the OFAC sanctions compliance and AML side, here is how it went wrong for the Beijing-headquartered banking powerhouse:

Long-Standing Weaknesses in AML and OFAC Screening Compliance

A substantial aggravating factor in the case against ICBC is how long it took the bank to get its house in order. The consent order (a summary of the case) issued by the NYDFS stated that the New York branch was subjected to a cease-and-desist order from the Fed in 2018.

Here are the issues the bank faced:

  • Shortcomings in compliance with AML requirements
  • Adherence to Office of Foreign Assets Control (OFAC) regulations
  • Corporate governance concerns
  • Customer due diligence problems
  • Suspicious activity monitoring issues

It was only in 2023 that all the listed issues were deemed adequate - a long way down the road and evidently too long for the regulators. The consent order also revealed that Know Your Customer (KYC) violations (such as backdating books and records) occurred.

Now let's return to the other side of the case regarding the additional $2.4 million fine on ICBC's NY branch for Bank Secrecy Act (BSA) lapses. Here is how the Chinese bank found itself in the Fed's crosshairs:

Disclosure of Confidential Supervisory Information 

According to the press release, the Fed issued an enforcement action and fines against ICBC's NY branch for its unauthorized use and disclosure of confidential supervisory information (CSI). CSI includes communications from regulators following supervisory examinations.

So, what does this mean in plain English?

The confidential supervisory information given to ICBC got into the hands of a foreign banking regulator. We won't go into how in this article (it's in the consent order), but it was a violation, and the Fed punished them.

To conclude, let's briefly summarize some of the significant learning points that all compliance teams (regulated or non-regulated) can take away from this case:

1. Making Regulators Wait Is High Risk

The first learning point emphasizes the critical importance of timely and proactive responses to regulatory requests (in whatever legal form they take).

In recent years, there have been numerous cases of astronomical financial penalties for companies that didn't take action. For example, in 2023, Deutsche Bank was slapped with a $186 million penalty from the Fed for sanctions and AML violations in the US.

An aggravating factor (increasing the penalty) was that the Frankfurt-headquartered bank failed to make sufficient progress after the Fed and the New York State Department of Financial Services levied more than $300 million in penalties on the company between 2015 and 2017.

And the bottom line is this: Delaying or making regulators wait elevates the risk profile for an organization. 

Recommended reading: 3 Key Takeaways From Deutsche Bank's $186 Million Sanctions and AML Penalty

2. Compliance Culture Failings Lead to Trouble

The second learning point underscores the pivotal role of a robust compliance culture within an organization. The case of ICBC highlights how compliance culture failings can significantly contribute to regulatory troubles.

And look at the facts.

From the lapse in maintaining a robust AML program and inadequate record-keeping to the omission of timely reports on discovered violations, such as fraud, and the unauthorized sharing of confidential information, these failures unmistakably underscore a systemic breakdown in compliance culture.

3. Navigating the Disclosing of Information Minefield

The final learning point revolves around the intricate process of disclosing information and its potential pitfalls. 

In the ICBC case, shambolic handling of confidential supervisory information (CSI) led to regulatory scrutiny and fines. 

How confidential and sensitive information is managed, for example, when dealing with Suspicious Activity Reports (SARs), is an area of compliance that all teams need to get a handle on - especially when multiple jurisdictions are involved with varying regulations. 

Closing Thoughts & How sanctions.io Supports Sanctions Compliance

This report looked at the crucial learning points from the ICBC compliance lapses in 2024 at its New York branch. If you're interested in the most common OFAC sanctions compliance failings, see the quick clip we put out on sanctions.io's X (formerly Twitter) and LinkedIn pages.


One of the best ways for companies to fortify their sanctions compliance efforts - and stay as far away as possible from the crosshairs of regulators dishing out penalties in 2024 - is to invest in real-time sanctions screening technology.

sanctions.io is a highly reliable and cost-effective solution for sanction checking. It is AI-powered and offers an enterprise-grade API with 99.99% uptime, which is why customers globally trust us with their sanctions screening needs.
