Castellum.AI


Understanding OFAC's SPFS Alert and the Impact on Banking Compliance

On November 21, OFAC issued an alert about Russian institutions using the SPFS (System for the Transfer of Financial Messages) to evade sanctions. This news was overshadowed by the designation of Gazprombank, the last major Russian bank that had not yet been sanctioned by the U.S. However, the risk of broader SPFS designations targeting non-Russian banks in Europe, China and elsewhere presents a major compliance challenge for financial institutions and fintechs.

In our latest webinar, Castellum.AI CEO Peter Piatetsky and VP of Growth Spencer Vuksic discussed the alert's impact, emerging regulatory expectations, and how compliance professionals can identify exposure to SPFS-linked institutions.

What is SPFS and How Does it Enable Sanctions Evasion?

SPFS, Russia’s alternative to SWIFT, was launched in 2014 in response to Western sanctions after Moscow annexed Crimea. Managed by the Russian Central Bank, SPFS allows Russian banks to bypass SWIFT for cross-border transactions, shielding them from the scrutiny of Western financial systems.

The system has grown significantly, especially after Russia’s invasion of Ukraine in 2022. Foreign banks in countries like Switzerland, China, Turkey and Kazakhstan have joined SPFS, facilitating transactions that evade sanctions and bolster Russia’s economy, often linked to military activities. By processing transactions between Russian entities and third countries via SPFS, entities facilitating sanctions evasion or the trade of restricted goods can easily disguise the true origin of payments, creating a high-risk blind spot. This is especially concerning for global banks that offer correspondent banking services to the international financial sector.

Impact of OFAC’s SPFS Alert on Banking Compliance

1. Heightened compliance risks for banks using SPFS

OFAC’s alert is a clear warning: U.S. regulators are prepared to designate financial institutions using SPFS to facilitate sanctions evasion.

In OFAC’s own words: “OFAC views joining SPFS after publication of this alert as a red flag and is prepared to more aggressively target foreign financial institutions that take such action.”

Banks with correspondent relationships to institutions using SPFS are also vulnerable. Compliance teams must assess whether their counterparties are connected to SPFS and closely monitor their involvement in high-risk transactions, especially those related to arms and military supplies. 

2. Expect a crackdown from regulators

OFAC’s alert wasn’t just a warning—the Treasury Department clearly outlined the legal framework for further action under Executive Order 14024, allowing sanctions against SPFS-linked institutions. This alert was effectively written for general counsels and the heads of sanctions compliance.

Compliance professionals should prepare for additional actions against SPFS users, including potential designations beyond Russia. Institutions failing to address these risks proactively could face serious regulatory repercussions.

3. Differences between OFAC and EU alerts

OFAC’s alert is explicit in its intent to sanction or restrict operations of institutions using SPFS, noting that “any foreign financial institution that joins or has already joined SPFS may be designated for operating or having operated in this sector.” 

Meanwhile, the EU’s approach has been more focused on restricting SPFS without also restricting Europe’s access to Russian energy. In June 2024, the EU implemented restrictions on SPFS as part of the 14th package of sanctions against Russia, but the EU’s restrictions primarily block the expansion of SPFS to additional EU banks and prohibit transactions between EU banks and non-EU banks that are linked to SPFS.

This difference underscores the need for global compliance teams to track and adapt to potentially divergent regulatory requirements between the US and EU.

4. Leveraging data on institutions using SPFS

The Russian government stopped publicly disclosing SPFS participants in 2022, making it difficult for banks to identify risks.

Castellum.AI has been tracking SPFS since before disclosure stopped and has built a proprietary dataset of hundreds of institutions that are using SPFS, both within and outside Russia. This dataset includes entities with significant US operations and enables compliance teams to screen and risk-rate counterparties effectively.

5. How to leverage SPFS data for compliance

Compliance teams can use SPFS data to strengthen due diligence and risk management with two key steps:

  1. Screening for SPFS membership: Castellum.AI’s dataset helps identify whether counterparties are linked to SPFS, enabling banks to flag high-risk relationships and transactions.

  2. Risk-rating counterparties: Banks can assign higher risk ratings to entities using SPFS, especially those in countries with weak regulatory oversight or ties to sanctioned Russian entities.

Conclusion

OFAC’s recent alert is a wake-up call for compliance professionals. SPFS represents a sophisticated sanctions-evasion tool, and financial institutions must act now to mitigate associated risks. 

Banks should expect intensified regulatory scrutiny, particularly as OFAC moves to enforce the provisions of Executive Order 14024. Leveraging tools like Castellum.AI, with its comprehensive and updated SPFS dataset, can provide critical insights into correspondent banking relationships and help institutions navigate these complex risks.

Get in touch with our team to learn more about SPFS coverage.

