Lessons Learned from OFAC’s 2021 Enforcement Actions So Far
Lessons Learned from OFAC’s 2021 Enforcement Actions So Far
As peak summer holiday season approaches, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) continues to remind the private sector of the importance of strict economic sanctions compliance. OFAC issued eight enforcement actions in the first half of this year for apparent violations of 11 different sanctions regimes resulting in penalties/settlements of over $13.5 million. This puts OFAC on pace to match last year’s 17 enforcement actions, but falls short of the 30 enforcement actions it issued in 2019. Although the settlement amounts so far in 2021 were lower than the equivalent period in years past, this does not indicate that OFAC is going soft on enforcement. Rather the agency is resolving some of the lower value, non-egregious cases in its pipeline, and we anticipate more significant resolutions may be coming. Below we examine several lessons learned from OFAC enforcement actions during the first half of 2021.
The past six months have served as yet another reminder that any transaction that clears through the United States must comply with OFAC sanctions, even when the originator and receiver are located abroad. This includes transactions involving (A) U.S. dollars and U.S. dollar accounts abroad, as well as (B) foreign exchange and (C) digital currencies.
As a corollary to the last lesson, OFAC continues to focus on ensuring that companies that use the U.S. financial system have technological controls in place to prevent users in sanctioned jurisdictions from accessing their U.S.-based services. In particular, OFAC expects companies to screen geolocation information from IP addresses and block transactions involving sanctioned countries, continuing a trend seen in OFAC’s case against BitGo, Inc. late last year. As discussed above, BitPay processed transactions on behalf of customers who appear to have been located within sanctioned jurisdictions; IP address screening likely would have identified these transactions as prohibited. OFAC also noted this deficiency in its case against SAP SE, discussed in more detail below.
OFAC has continued its emphasis on ensuring that U.S.-origin services – such as software and cloud-based services – cannot be accessed remotely from outside the United States to benefit parties in sanctioned jurisdictions like Iran. Similar to OFAC’s case against Société Internationale de Télécommunications Aéronautiques SCRL (SITA) last year, OFAC found that SAP SE exported software and related services to Iranian end-users in apparent violation of the Iran Transactions and Sanctions Regulations (“ITSR”). SAP, a software company headquartered in Germany, relied on third-party resellers to deliver a portion of its products and services to end-users. Several of these resellers provided SAP’s U.S.-origin services to users in Iran in violation of the ITSR. This case should provide a warning to third-country companies that do business in sanctioned jurisdictions to not use U.S.-based software or cloud services for that sanctioned country business. In addition to its settlement with OFAC, SAP also entered into the first non-prosecution agreement with the U.S. Department of Justice under the Department’s new export control and sanctions voluntary self-disclosure (“VSD”) policy, as well as a settlement with the U.S. Department of Commerce’s Bureau of Industry and Security, resulting in combined penalties of more than $8 million.
Compliance programs should be commensurate with company size and sophistication. Recent OFAC enforcement actions as well as OFAC’s enforcement guidelines indicate that large multinational companies and financial institutions may face increased scrutiny. However, OFAC expects all companies to comply with sanctions, even those (A) operating predominantly within the United States or (B) working on government contracts.
Each company within a supply chain is expected to comply with OFAC regulations. In some situations, this responsibility extends to proper due diligence regarding trading partners. Companies are expected to (A) vet trading partners, (B) verify their compliance when able, and (C) respond appropriately to red flags.
Recognizing that companies may be held responsible for trading partners’ noncompliance with sanctions, it may be prudent to enter into compliance commitments with trading partners. OFAC appears to endorse these types of commitments, treating several of them as mitigating factors in recent enforcement actions. For example, BMJ now requires all intermediaries to sign anti-diversion agreements with specific OFAC sanctions compliance commitments. UniControl also requires both intermediary and final customers to sign end-user certificates to ensure sanctions compliance. Similarly, SAP implemented risk assessments for its resellers that include third-party audits.
U.S. sanctions are constantly evolving, and companies are expected to continually improve their sanctions compliance programs. This includes (A) updating screening procedures, (B) addressing compliance gaps as they appear, and (C) severing high-risk business ties, where appropriate.
In several recent cases, companies suspected of violating U.S. sanctions terminated employees who were involved in the apparent violations. OFAC considers such proactive behavior to be a mitigating factor in assessing penalties against the company, and emphasizes the importance of individual employees taking appropriate steps to ensure sanctions compliance. As discussed above, Alliance’s chief engineer outsourced some of the company’s labor to an Iranian engineering company owned by his brother in apparent violation of the ITSR. In addition to ending all business dealings with the Iranian company, Alliance also terminated the chief engineer. Similarly, SAP fired five employees who were either involved or complicit in facilitating trade to Iran through its third-party resellers.
OFAC’s enforcement actions over the past six months reinforce the importance of sanctions compliance for all companies, including those with limited exposure to U.S. markets. Strong compliance programs emphasizing management commitments, risk assessments, internal controls, testing and auditing, and training can reduce risk and mitigate penalties. Morrison & Foerster’s National Security Practice Group continues to stand ready to offer counsel on the scope and sufficiency of corporate sanctions compliance programs and, where compliance efforts may have failed, best practices in resolving potential enforcement matters.
R. Charlotte Ishida, a Summer Associate in the Morrison & Foerster LLP National Security practice, contributed to this alert.