Over the past few days, we here at MoFo’s National Security Practice Group have outlined the extraordinary pace of activity that the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) maintained in 2019 as well as the notable lessons from OFAC’s enforcement actions against financial institutions last year. OFAC dramatically ramped up its enforcement activity in 2019 – and the agency is showing no signs of slowing down this year. Today we’ll focus on the Top 10 lessons to be gleaned from OFAC’s 2019 enforcement actions against non-financial institutions.
Nearly two-thirds – 19 out of 30 – of the enforcement actions that OFAC announced last year were directed at entities that were not financial institutions (“FIs”), with 10 of the 19 involving non-U.S.-based companies (including non-U.S.-based subsidiaries or affiliates of U.S. companies). Interestingly, over a third of the non-FI cases resulted in findings of egregiousness, resulting in significantly higher penalties. Each of these enforcement cases showcases OFAC’s standards for “trade-based” corporate sanctions compliance. OFAC’s focus on trade-based compliance means that all exporters, importers, or businesses engaged in any type of international trade – especially those that operate in high-risk industries like shipping, mining, oil and natural gas, and defense – should be attuned to OFAC’s regulations, guidance, and enforcement activity.
In addition, OFAC outlined its compliance expectations last year by releasing its Framework for OFAC’s Compliance Commitments (“Framework”), which outlined the agency’s view of the five “essential components” of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC has made clear in both the Framework and its enforcement cases that it will consider favorably those companies that have implemented a comprehensive compliance program, especially those in line with the Framework.
Through enforcement actions, OFAC has showcased its compliance expectations and increased pressure on financial and non-financial companies alike to adopt increasingly sophisticated compliance measures. Companies should familiarize themselves with the lessons gleaned from these enforcement actions. To assist, we’ve provided the top 10 lessons from OFAC’s 2019 enforcement cases against non-FIs for you here.
1. Your submissions to OFAC should be accurate and complete. In the DNI Express Shipping Company and Southern Cross Aviation cases from August and the General Electric case from October, OFAC provided cautionary tales about the costs of not complying with OFAC’s subpoena requests. Each company failed to give OFAC complete and accurate information about its sanctions violations from the outset. In the DNI and Southern Cross cases in particular, the initial misinformation served as a glaring red flag to OFAC about the companies’ failure to take sanctions compliance seriously. These cases show that when responding to OFAC subpoenas and other information requests you should (A) accurately point out past mistakes, (B) provide highly detailed responses, (C) provide clear and organized submissions, (D) comply with OFAC’s Data Delivery Standards, and (E) provide complete information on the scope and volume of apparent violations.
- Accurately point out past mistakes. In DNI and Southern Cross, OFAC deemed that several of the companies’ responses were contradictory, false, materially inaccurate, incomplete, and/or contained misleading statements – which, in one case, was further exacerbated by the fact that the company failed to amend or correct its past submissions to OFAC. In General Electric, OFAC pointed out as an aggravating factor that the company “did not provide its primary submissions to OFAC in a clear and organized manner and the submissions contained numerous inaccuracies.” As a result, OFAC noted that it had to endure a “substantial resource burden,” and that there remained “substantial uncertainty” about the totality of the benefits conferred to a Cuban company in violation of the Cuban Assets Control Regulations (“CACR”).
- Provide highly detailed responses. OFAC emphasized that responses to administrative subpoenas must be accurate, complete, timely, and in accordance with sanctions regulations and definitions. When asked about specific instances of violations, merely providing a copy of your Export Management Manual (as one of the companies in these cases did) will not suffice. Working with outside counsel is a “plus” in demonstrating your commitment to compliance; in one of these cases, OFAC found that the company’s engagement of outside counsel served as a mitigating factor when assessing its penalties.
- Provide clear and organized submissions. In General Electric, OFAC pointed out that the company failed to provide its primary submission to OFAC in a “clear and organized manner,” which may have resulted in an aggravated penalty. In contrast, in Apollo, HotelBeds, and ZAG, OFAC determined that each company provided information to OFAC in a clear and well-organized manner, which served as a mitigating factor in assessing penalties.
- Comply with OFAC’s Data Delivery Standards. OFAC noted in General Electric that the company’s failure to provide clear and organized submissions to OFAC contradicted the agency’s Data Delivery Standards. Like the Framework, these guidelines were issued in early 2019, and serve to inform companies of OFAC’s preferred format for receiving administrative subpoena responses, self-disclosures, and other reports. Companies can benefit from heeding OFAC’s organizational guidance, as the agency may reward organizations that make an effort to ease the agency’s administrative burden.
- Provide complete information on the scope and volume of apparent violations. The bottom-line dollar value of apparent violations may play a role in OFAC’s assessment of penalties. In the Apple case from November, OFAC determined that the volume and total amount of the payments underlying the company’s potential violations were “not significant” compared to the total volume of its annual transactions, and, accordingly, the comparatively low dollar volume of the potential violations was deemed a mitigating factor. In contrast, in General Electric, OFAC found that the “large volume of high-value transactions” in violation of the CACR served as an aggravating factor.
2. Beware sectoral sanctions and their timing requirements. Many of OFAC’s Sectoral Sanctions Identifications (“SSI”) directives place restrictions on “equity” and “debt” with “maturity” longer than a certain time period. However, companies shouldn’t be thrown off by this financial lingo. While these terms may suggest to non-sanctions experts that the SSI rules were targeted at FIs, the Haverly case from April unequivocally demonstrates that OFAC’s rules apply to FIs and non-FIs alike. In Haverly, the company issued an invoice to an entity subject to OFAC’s SSI Directive 2 – which, at the time, required payment in less than 90 days to avoid sanctions liability. However, due to Russian tax law issues, Haverly was not able to collect payment on the invoice until approximately nine months after submitting the initial invoice. While FIs rejected the initial payments to Haverly after determining the transaction was prohibited by OFAC’s regulations, Haverly – acting on the advice of the SSI entity – re-issued and re-dated its invoice in order to bypass the banks’ sanctions protocols. As a result, Haverly collected the payment for a debt that was nine months past due, which, in OFAC’s view, constituted the collection of a debt with a maturity greater than 90 days in violation of Directive 2; such a payment was for a “debt” that was nine months past due.
3. When in doubt, request a license. In Haverly, OFAC noted that it “would have likely authorized the [violative] transactions had Haverly requested a license.” OFAC stated in an FAQ that the sale of goods to an entity subject to an SSI directive is permissible so long as the payment terms do not extend past the applicable period, and that “[i]n the event that a U.S. person believes that it may not receive payment in full by the end of the relevant payment period, the U.S. person should contact OFAC to determine whether a license or other authorization is required.” While such requests may take time for OFAC to process, if granted, they guarantee compliance with OFAC’s regulations.
4. Sanctions screening must be effective and do more than flag exact name matches. OFAC’s Framework lists defaults in screening software or filters as one of the most common root causes of sanctions violations. Merely utilizing screening software is not enough to be compliant: you must ensure that the screening software is actually effective. At a minimum, and as mentioned in the Framework, a company’s screening tool must be able to pick up on alternative spellings of sanctioned parties, new additions to sanctions lists, and other pertinent information. Last year, OFAC’s enforcement cases demonstrated, for example, that screening software also must (A) recognize upper/lower case spellings, punctuation, and addresses, (B) identify abbreviated or alternative names of sanctioned parties, (C) screen all relevant counterparties; and (D) screen when initiating and renewing relationships (and periodically thereafter).
- Recognize upper/lower case spellings, punctuation, and addresses. In the Apple case from November, the company hosted an app developer on its platform that was later designated as a Specially Designated National (“SDN”). OFAC stated that while the company screened the SDN’s name after it was designated, the company’s screening tool did not flag the SDN developer because the sanctions screening tool did not match the upper case name “SIS DOO” in the system with the lower case name “SIS d.o.o.” as written on OFAC’s SDN List. The company’s screening tool also did not flag that the address of the app developer matched the address that OFAC published.
- Identify abbreviated or alternative names. In the General Electric case from October, OFAC penalized General Electric for accepting payments from an SDN that could have been prevented if the company’s screening software worked effectively. General Electric deposited checks from a Cuban SDN operating in Canada. Each check contained the SDN’s full name. However, General Electric’s screening software only screened an abbreviated version of the SDN’s name and thus failed to identify it as an SDN. This failure led General Electric to continue to accept unlawful payments for several years.
- Screen all relevant counterparties. A fundamental decision that companies must make in establishing their screening systems is determining which categories of counterparties should be screened. In doing so, companies should conduct risk assessments as part of their decision-making process. In the Apple case, OFAC pointed out that the company’s screening tool did not flag the name of another SDN who owned the app developer SDN. This SDN was listed as an “account administrator” in the relevant account but not as a “developer.” At the time, the company only screened developers against the SDN List. The upshot is that companies should carefully consider how exhaustive to be in their screening, as red flags may be lurking in not-so-obvious places.
- Screen when a relationship is initiated and renewed (and periodically thereafter). The General Electric case involved payments to a Canadian customer with whom the company had an established relationship. General Electric’s failure to realize it was facilitating payments on behalf of an SDN may have been due to the fact that it did not conduct appropriate diligence on customers and counterparties when it renewed its relationship with the Canadian customer whose transactions led to General Electric’s violations. OFAC emphasized that “[o]ngoing compliance measures should be taken throughout the life of commercial relationships.”
5. “KYCC” (Know Your Customer’s Customer/Counterparty) isn’t just for banks. While KYCC is not the regulatory standard, OFAC is increasing pressure on U.S. companies – especially those in what it deems high-risk industries such as shipping, mining, oil and natural gas, and defense – to generally know their customers’ lines and regions of business, vendors, and other counterparties, and how they are all ensuring sanctions compliance. In 2019, OFAC highlighted the importance of auditing downstream counterparties including (A) sublessees, (B) materials suppliers, and (C) third-party payers.
- Audit and obtain compliance certificates from your sublessees. In OFAC’s Apollo case from November, Apollo required its aircraft engine lessees to enter into a written contract containing a provision prohibiting “maintaining, operating, flying, or transferring the engines to any countries subject to United States or United Nations sanctions.” However, “Apollo did not periodically monitor or otherwise verify its lessee’s and sublessee’s adherence to the lease provision requiring compliance with U.S. sanctions laws[.]” As a result, Apollo did not discover that its aircraft engines were subleased to Sudan Air, an SDN. This case shows that enhanced sanctions diligence may be required above and beyond mere contractual commitments, especially if you are operating in a high-risk industry. For example, OFAC advised that companies may want to obtain compliance certificates from its lessees or sublessees, or periodically audit its counterparties to ensure adherence to the contract.
- Audit and obtain certificates from your materials suppliers. In the e.l.f. Cosmetics case from last January, e.l.f. imported false eyelash kits from Chinese suppliers that contained materials from North Korea. OFAC noted that the case highlighted that companies sourcing products from overseas take on significant risks when they do not conduct supply chain due diligence, especially when importing from a country like China that is known to import materials from North Korea. As with the sublessees mentioned above, additional due diligence may be necessary, including supply chain audits and obtaining compliance certificates.
- Monitor payments from your customer’s customer. OFAC hit General Electric with a hefty penalty for accepting payments from a Cuban entity in violation of the CACR on behalf of the company’s Canadian customer over the course of several years. As these violations occurred, General Electric interacted primarily with the Canadian customer, including in connection with negotiating agreements, entering into contracts, and issuing invoices. However, the Cuban customer of the Canadian company paid General Electric on behalf of the Canadian company in more than 65% of the total transactions. OFAC pointed out that General Electric failed to identify the Cuban entity’s name on the checks that General Electric deposited, and that the company also failed to heed the “widely published” relationship between its Canadian customer and the Cuban entity. The case showcases OFAC’s elevated KYCC expectations, even when it comes to nonbanks.
6. Assess, monitor, and train your foreign subsidiaries. U.S. companies with foreign subsidiaries should train their foreign employees on their U.S. sanctions obligations and monitor them for compliance. Specifically, companies should (A) audit and monitor foreign subsidiaries, (B) train and re-train employees of foreign subsidiaries, and (C) conduct pre- and post-merger diligence.
- Audit and monitor foreign subsidiaries. OFAC emphasized in Stanley Black & Decker that U.S. companies should conduct sanctions-related due diligence both prior to and after mergers and acquisitions. While Stanley Black & Decker trained its newly acquired foreign subsidiary on sanctions compliance and obtained assurances from its managers that no transactions were being conducted with Iran, its subsidiary continued to export goods there. Had Stanley Black & Decker monitored its foreign subsidiary (for example, through testing and auditing its compliance procedures), the company could have avoided running afoul of OFAC’s Iran sanctions program.
- Train, train, train your foreign employees. In OFAC’s PACCAR case from August, PACCAR’s Netherlands-based subsidiary failed to heed signs on multiple occasions that it was selling goods to customers who ultimately re-sold the goods to Iran. OFAC emphasized that these kind of issues may be avoided if a company establishes and enforces a “robust sanctions compliance program” in the U.S. and abroad, including by conducting sanctions-related training for foreign employees and taking appropriate steps to audit and monitor foreign subsidiaries for OFAC compliance.
- Conduct pre- and post-merger diligence. OFAC’s Kollmorgen case from last February shows that implementing a wide range of pre- and post-acquisition sanctions compliance measures for foreign subsidiaries can earn you some leeway from OFAC. Kollmorgen involved a U.S. company’s Turkish affiliate that deceived its U.S. parent about its continued transactions with Iran. Despite the deception, OFAC looked favorably on the numerous steps that Kollmorgen took to ascertain and implement the subsidiary’s compliance, including identifying the subsidiary’s Iran-related customers and applying controls to block them, conducting in-person trainings for the subsidiary’s employees, implementing reporting measures (including a sanctions compliance hotline), requiring the subsidiary’s customers to agree to modified terms of sale prohibiting the resale of any of its products to Iran, and conducting continuous manual reviews of the subsidiary’s database. The relatively miniscule $13,381 penalty, despite the egregious nature of the Turkish affiliate’s sanctions evasion, reflects OFAC’s strong approval of the company’s numerous sanctions compliance measures.
7. OFAC is focused on the maritime industry (and other high-risk industries). OFAC has been especially focused on “high-risk” industries, such as those related to shipping, logistics, and other international transactions. In 2019, OFAC expressed time and time again that high-risk industries should implement strict “risk-based compliance measures” and maintain a “culture of compliance,” signaling that OFAC will continue to focus on industries with higher risks of touchpoints to sanctioned entities and jurisdictions. For example, OFAC highlighted in MID-SHIP, PACCAR, Aero Sky, and Apollo that participants in the maritime, trucking, and aviation industries should consider themselves “high risk,” thus warranting enhanced due diligence and sanctions compliance. Many expect the maritime industry to receive particular attention this year, as OFAC is reportedly planning to release guidance warning ship insurers, banks, charter companies, port owners, crews, and captains that they face sanctions exposure if they cannot account for the legitimacy of the cargoes they carry. To cut down on its risk exposure, high-risk industry participants should develop and maintain rigorous sanctions compliance programs that demonstrate management’s commitment to compliance.
- Heed warning signs. Companies found to ignore red flags, such as payments that are blocked or rejected by FIs, won’t be doing themselves any favors. Instead, OFAC may find such companies to have deficient compliance controls. For example, in PACCAR, OFAC found that employees of the company’s Netherlands-based subsidiary ignored warning signs indicating that the trucks were destined for Iran. In one instance, the subsidiary received drafts of its invoices that referenced buyers in Iran, and in another instance, a sales manager sold trucks to a dealership after having been introduced to the dealership’s Iranian buyer. The MID-SHIP case, which involved the re-submission of a payment to a blocked vessel that had been previously blocked by the company’s FI, also demonstrates the importance of training employees to recognize warning signs.
- Even if you’re not an FI, stripping still doesn’t pay. In the MID-SHIP case, MID-SHIP’s Chinese subsidiary attempted to remit a payment related to a blocked vessel. Its U.S. bank rejected the payment for “security reasons,” and the subsidiary suspected that the rejection occurred because the blocked vessel’s name appeared in the remittance field. MID-SHIP re-submitted the payment without using the vessel’s name. OFAC honed in on this fact as an aggravating factor when assessing MID-SHIP’s violations, noting that MID-SHIP’s managers “knew of, and participated in, the conduct giving rise to the apparent violations,” ultimately finding that the company’s “culture of compliance” was deficient.
8. Audit your supply (and distribution) chain. OFAC emphasized in the e.l.f. Cosmetics case that the company appeared to not have exercised sufficient due diligence in its supply chain, and unwittingly purchased false eyelashes that incorporated materials from North Korea. While conducting due diligence on customers and clients is a common practice, many companies fail to realize they also should conduct due diligence on their supply and distribution chains, intermediaries, and other relevant counterparties.
9. Ensure your accurate understanding of the scope of OFAC’s regulations, including its general licenses. In the Aero Sky case from December, Aero Sky negotiated and entered into a contract with Mahan Air, an SDN designated under OFAC’s Global Terrorism Sanctions Regulations (“GTSR”). The company mistakenly believed that now-revoked General License I, “Authorizing Certain Transactions Related to the Negotiation of, and Entry into, Contingent Contracts … Related to the Export or Reexport to Iran of Commercial Passenger Aircraft and Related Parts and Services,” authorized its dealings with the airline. However, General License I only applied to SDNs designated under the Iranian Transactions and Sanctions Regulations and explicitly carved out dealings with SDNs designated under other sanctions programs, such as Mahan Air, which was designated under the GTSR. As a result, OFAC found Aero Sky’s conduct to be reckless.
10. Focus on the sufficiency of your sanctions compliance programs. Last but certainly not least, each of OFAC’s enforcement cases last year demonstrate that the agency is honing in on the sufficiency (or insufficiency) of sanctions compliance programs.
- In Haverly, OFAC emphasized that if Haverly had a compliance program with proper internal controls in place (as suggested by the Framework), it may have been able to recognize that the delayed collection of payment was prohibited. If its employees had received effective sanctions compliance training under a sanctions compliance program, the violations may not have occurred.
- In MID-SHIP, OFAC stressed that the company’s violations demonstrate the benefits that companies operating in high-risk industries, such as international shipping and logistics, can realize by implementing risk-based compliance measures and maintaining a culture of compliance where senior management sets a positive example of compliance.
- In e.l.f. Cosmetics, OFAC noted that a “risk-based approach to sanctions compliance” should include supply chain audits, when appropriate.
- In PACCAR, OFAC noted that “U.S. parent companies can mitigate risk to sanctions exposure by proactively establishing and enforcing a robust sanctions compliance program.”
- Finally, OFAC has repeatedly pointed to the Framework in its enforcement actions, serving as a not-so-subtle hint that companies should be consulting OFAC’s Framework when designing or reevaluating their compliance programs.
Companies should also note an interesting development in the sanctions space: as we mentioned in our OFAC 2019 Year in Review Part 1, a Texas district court issued a decision on New Year’s Eve, vacating an OFAC penalty against a non-FI. The case involved a $2 million penalty issued in 2017 against ExxonMobil Corp. (“Exxon”) for entering into a several contracts with Rosneft, a Russian oil and gas firm. While Rosneft was not blocked under OFAC’s regulations, its CEO – who signed contracts with Exxon on behalf of Rosneft – was designated as an SDN. The district court vacated the penalty because it found that OFAC had not provided fair notice of its interpretations of the Ukraine-Related Sanctions Regulations, pointing to conflicting White House press statements and noting that OFAC issued a pertinent FAQ after Exxon’s conduct occurred. It remains unclear whether and how OFAC will respond to the decision, so it’s worth keeping an eye out for any future developments.
In light of the spike in OFAC’s enforcement actions last year, which have already begun again this year, companies in all industries should take care to ensure that they comply with U.S. sanctions. Companies (particularly those in high-risk industries) should ensure they have implemented a rigorous compliance program that emphasizes the five essential components of compliance, as set out in OFAC’s Framework. As always, Morrison & Foerster’s National Security Practice Group stands ready to provide counsel on any of your sanctions issues that may arise. Happy 2020!
Reema Shocair Ali, a national security analyst in the firm’s D.C. office, assisted in the preparation of this client alert