As peak summer holiday season approaches, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) continues to remind the private sector of the importance of strict economic sanctions compliance. OFAC issued eight enforcement actions in the first half of this year for apparent violations of 11 different sanctions regimes resulting in penalties/settlements of over $13.5 million. This puts OFAC on pace to match last year’s 17 enforcement actions, but falls short of the 30 enforcement actions it issued in 2019. Although the settlement amounts so far in 2021 were lower than the equivalent period in years past, this does not indicate that OFAC is going soft on enforcement. Rather the agency is resolving some of the lower value, non-egregious cases in its pipeline, and we anticipate more significant resolutions may be coming. Below we examine several lessons learned from OFAC enforcement actions during the first half of 2021.
1. All U.S.-cleared transactions are subject to U.S. sanctions, regardless of underlying currency.
The past six months have served as yet another reminder that any transaction that clears through the United States must comply with OFAC sanctions, even when the originator and receiver are located abroad. This includes transactions involving (A) U.S. dollars and U.S. dollar accounts abroad, as well as (B) foreign exchange and (C) digital currencies.
- U.S. Dollar Transfers/Accounts. Transactions involving U.S. dollars and U.S. dollar accounts located abroad remain a major sanctions compliance concern as they are generally sourced or cleared through the United States. This pulls the transaction into U.S. jurisdiction, even when the originator and receiver are located abroad. OFAC’s PT Bukit Muria Jaya (BMJ) case continues this trend of enforcement. Indonesia-based BMJ directed payments for exports of cigarette paper to North Korea to its U.S. dollar account at a non-U.S. bank. Even though the payments originated from and were directed to foreign banks, they cleared through U.S. banks, resulting in violations of the North Korea Sanctions Regulations.
- Foreign Exchange. Attempting to avoid U.S. jurisdiction does not necessarily shield companies from OFAC regulations, particularly when U.S. dollar accounts located abroad are involved, because the resulting foreign exchange transactions that may clear through the United States also fall within U.S. jurisdiction. In OFAC’s settlement with Union de Banques Arabes et Françaises (UBAF), the France-based bank operated U.S. dollar accounts on behalf of sanctioned Syrian financial institutions, processed internal transfers on behalf of the Syrian entities, and then followed up with corresponding funds transfers through a U.S. bank. Because the dates and amounts of the internal book transfers “correlated closely” to the subsequent transfers through the United States, OFAC determined that they were apparent violations of the Syria and Weapons of Mass Destruction Proliferator sanctions regimes.
- Digital Currency Exchange. OFAC regulations extend beyond fiat currencies. Once a virtually unregulated market, OFAC’s BitPay, Inc. case continues the recent push to regulate digital currencies. BitPay is an Atlanta-based payment processing provider that allows merchants to accept digital currencies for goods and services. BitPay processed 2,102 transactions from buyers that appear to have been located within sanctioned jurisdictions, including Crimea, Cuba, Iran, North Korea, Sudan, and Syria, apparently violating multiple sanctions regimes.
2. Check geolocation data for possible sanctions violations.
As a corollary to the last lesson, OFAC continues to focus on ensuring that companies that use the U.S. financial system have technological controls in place to prevent users in sanctioned jurisdictions from accessing their U.S.-based services. In particular, OFAC expects companies to screen geolocation information from IP addresses and block transactions involving sanctioned countries, continuing a trend seen in OFAC’s case against BitGo, Inc. late last year. As discussed above, BitPay processed transactions on behalf of customers who appear to have been located within sanctioned jurisdictions; IP address screening likely would have identified these transactions as prohibited. OFAC also noted this deficiency in its case against SAP SE, discussed in more detail below.
3. Digital U.S.-origin service exports must comply with sanctions.
OFAC has continued its emphasis on ensuring that U.S.-origin services – such as software and cloud-based services – cannot be accessed remotely from outside the United States to benefit parties in sanctioned jurisdictions like Iran. Similar to OFAC’s case against Société Internationale de Télécommunications Aéronautiques SCRL (SITA) last year, OFAC found that SAP SE exported software and related services to Iranian end-users in apparent violation of the Iran Transactions and Sanctions Regulations (“ITSR”). SAP, a software company headquartered in Germany, relied on third-party resellers to deliver a portion of its products and services to end-users. Several of these resellers provided SAP’s U.S.-origin services to users in Iran in violation of the ITSR. This case should provide a warning to third-country companies that do business in sanctioned jurisdictions to not use U.S.-based software or cloud services for that sanctioned country business. In addition to its settlement with OFAC, SAP also entered into the first non-prosecution agreement with the U.S. Department of Justice under the Department’s new export control and sanctions voluntary self-disclosure (“VSD”) policy, as well as a settlement with the U.S. Department of Commerce’s Bureau of Industry and Security, resulting in combined penalties of more than $8 million.
4. Sanctions compliance matters for all companies.
Compliance programs should be commensurate with company size and sophistication. Recent OFAC enforcement actions as well as OFAC’s enforcement guidelines indicate that large multinational companies and financial institutions may face increased scrutiny. However, OFAC expects all companies to comply with sanctions, even those (A) operating predominantly within the United States or (B) working on government contracts.
- Predominantly Domestic Companies. Multinational companies have long faced the demands and expectations of sanctions compliance. However, even small companies with only sporadic international trade need to conduct basic due diligence. Oklahoma City based Alliance Steel, Inc., a company specializing in designing and manufacturing prefabricated steel structures, only sells to domestic consumers and does not export or market itself outside the United States. However, the company appears to have violated the ITSR when it outsourced engineering services to an Iranian engineering company (owned by the brother of the company’s chief engineer). OFAC did not consider the company’s small size or limited international trade to be mitigating factors, emphasizing that all companies conducting international business should have sanctions compliance policies. It is also important to remember that, although not particularly common, several individuals on OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”) currently live in the United States, both within federal prisons and elsewhere. Thus, companies should consider, as part of their risk-based decisions regarding the sufficiency of their compliance program, screening purely domestic transactions when appropriate, particularly when dealing with high-risk populations.
- Government Contracts. When providing services under government contracts, companies must maintain strong compliance programs, as illustrated in OFAC’s MoneyGram Payment Systems, Inc. case. As part of a U.S. government contract, MoneyGram provided services to federal inmates. In doing so, it provided services to roughly 40 blocked individuals in violation of several sanctions regimes. MoneyGram incorrectly believed that sanctions screening was not necessary under the contract, resulting in a modest settlement of approximately $35,000. (Of note, these types of transactions are now authorized by general licenses under some sanctions regimes (including the Narcotics Trafficking Sanctions Regulations and Foreign Narcotics Kingpin Sanctions Regulations)). This case emphasizes that companies should not rely on third parties, including the government, to ensure their own sanctions compliance. It is particularly ironic and worthy of note for other global corporations that a company like MoneyGram – which does business in more than 200 countries and territories, including many high-risk jurisdictions – received an OFAC penalty for sending money to persons generally viewed as the lowest risk, e.g., persons living in the United States.
5. Companies may be responsible for trading partners’ conduct.
Each company within a supply chain is expected to comply with OFAC regulations. In some situations, this responsibility extends to proper due diligence regarding trading partners. Companies are expected to (A) vet trading partners, (B) verify their compliance when able, and (C) respond appropriately to red flags.
- Vet Trading Partners. Proper vetting of trading partners is a cornerstone of a strong compliance program. Failure to conduct sufficient due diligence can result in substantial penalties, as seen in OFAC’s case against SAP. As discussed above, SAP’s resellers sold SAP’s U.S.-origin services to end-users in Iran, a sanctioned jurisdiction. OFAC noted that proper due diligence – including review of the resellers’ public websites – would have revealed that many of SAP’s trading partners publicized their business ties with Iranian companies. OFAC also found that SAP acquired several subsidiaries with minimal export controls. Despite identifying this issue during pre- and post-acquisition due diligence, SAP failed to pull the subsidiaries into SAP’s overall compliance program, instead allowing them to operate as standalone entities.
- Trust but Verify. The BitPay case also demonstrates the importance of leveraging all available data to ensure compliance with OFAC regulations. Although BitPay screened its direct clients against the SDN List, it did not screen end-users, resulting in apparent violations of several sanctions regimes. OFAC noted that the company collected invoices with IP addresses, phone numbers, and other identifying information that could have been used to identify blocked parties. Failing to screen end-users led to over $500,000 in penalties.
- Pay Attention to Red Flags. OFAC considers ignoring warning signs to be reckless behavior that opens up companies to increased liability. A single red flag should warrant increased scrutiny from compliance programs, and OFAC considers a failure to address multiple warning signs to be an aggravating factor in determining penalties. An example of this appears in OFAC’s settlement with Cleveland-based UniControl, Inc. The instrumentation manufacturer exported air pressure switches to European companies, which were then reexported to Iran in violation of the ITSR. According to OFAC, UniControl ignored several red flags, including the customer’s expressed interest in shipping goods to Iran, obfuscated end-user requests, and requests to remove “Made in USA” labels from UniControl’s products. UniControl’s failure to heed warning signs resulted in over $200,000 in penalties.
One of UniControl’s European trade partners, Nordgas S.r.l., also settled with OFAC. OFAC determined that Nordgas obfuscated its intent to reexport U.S.-origin products to Iran by misrepresenting end-users and using code words in correspondence with the U.S. company. Unlike the UniControl case, OFAC determined that Nordgas’s apparent violations were egregious and not voluntarily disclosed. This led to $950,000 in penalties and an agreement for enhanced monitoring for five years.
6. Compliance commitments with trading partners may mitigate risk.
Recognizing that companies may be held responsible for trading partners’ noncompliance with sanctions, it may be prudent to enter into compliance commitments with trading partners. OFAC appears to endorse these types of commitments, treating several of them as mitigating factors in recent enforcement actions. For example, BMJ now requires all intermediaries to sign anti-diversion agreements with specific OFAC sanctions compliance commitments. UniControl also requires both intermediary and final customers to sign end-user certificates to ensure sanctions compliance. Similarly, SAP implemented risk assessments for its resellers that include third-party audits.
7. Continue to enhance compliance programs.
U.S. sanctions are constantly evolving, and companies are expected to continually improve their sanctions compliance programs. This includes (A) updating screening procedures, (B) addressing compliance gaps as they appear, and (C) severing high-risk business ties, where appropriate.
- Update screening. OFAC makes frequent changes to sanctions lists and provides new identifiers on its various sanctions lists. Recent additions include Cyrillic, Chinese, and Arabic name spellings, digital currency addresses, and additional country-specific identifiers. These identifiers, as well as other publicly available information, should be incorporated into existing compliance programs. As discussed above, BitPay failed to screen end-users based on IP addresses and other information, which would have identified apparent sanctions violations. SAP similarly did not review IP address and other geolocation data, while UBAF failed to adequately incorporate expanded Syria-related sanctions into its compliance program in a timely manner. Effective compliance requires that companies leverage all available data and adapt quickly to changing regulations.
- Address compliance gaps. OFAC expects companies to resolve gaps in their compliance programs in a timely manner and the speed at which a company takes remedial action may weigh on the likelihood and magnitude of any assessed penalty. For example, in its SAP case, OFAC found that the company failed to remediate issues discovered in multiple internal audits, did not sufficiently investigate whistleblower complaints, and left new acquisitions out of the company’s existing compliance measures. OFAC identified these deficiencies as aggravating factors in its final assessment of more than $2.1 million in penalties against the company.
- Sever high-risk business ties, where appropriate. Ending high-risk business relationships can both decrease enforcement penalties and increase compliance program effectiveness in the future. Over the past six months, several of the companies involved in OFAC’s enforcement actions have cut ties with high-risk business partners as part of their remediation efforts. In particular, UniControl severed ties with its trade partners involved in reexporting U.S.-origin goods to Iran. UniControl even forfeited payment for exports that apparently violated U.S. sanctions instead of accepting funds from a restricted jurisdiction. OFAC identified these actions as mitigating factors in determining penalties.
8. Employees remain on the hook for apparent violations of U.S. sanctions.
In several recent cases, companies suspected of violating U.S. sanctions terminated employees who were involved in the apparent violations. OFAC considers such proactive behavior to be a mitigating factor in assessing penalties against the company, and emphasizes the importance of individual employees taking appropriate steps to ensure sanctions compliance. As discussed above, Alliance’s chief engineer outsourced some of the company’s labor to an Iranian engineering company owned by his brother in apparent violation of the ITSR. In addition to ending all business dealings with the Iranian company, Alliance also terminated the chief engineer. Similarly, SAP fired five employees who were either involved or complicit in facilitating trade to Iran through its third-party resellers.
OFAC’s enforcement actions over the past six months reinforce the importance of sanctions compliance for all companies, including those with limited exposure to U.S. markets. Strong compliance programs emphasizing management commitments, risk assessments, internal controls, testing and auditing, and training can reduce risk and mitigate penalties. Morrison & Foerster’s National Security Practice Group continues to stand ready to offer counsel on the scope and sufficiency of corporate sanctions compliance programs and, where compliance efforts may have failed, best practices in resolving potential enforcement matters.
R. Charlotte Ishida, a Summer Associate in the Morrison & Foerster LLP National Security practice, contributed to this alert.