Recent enforcement actions against PayPal, Inc. ("PayPal") and Schlumberger Oilfield Holdings Ltd. ("Schlumberger Holdings") serve as a reminder to all companies subject to U.S. economic sanctions that no matter how robust corporate compliance policies may appear on paper, an ineffectively implemented compliance policy will not mitigate or insulate companies from substantial penalties.
Paypal
On March 25, 2015, the U.S. Department of the Treasury's
Office of Foreign Assets Control ("OFAC") announced that online financial services
provider PayPal had entered into an agreement to settle allegations
that it had committed numerous violations of U.S. sanctions
regulations. Under the terms of the settlement agreement, PayPal will remit
$7,658,300 to resolve potential civil liability arising from 486
transactions it processed in apparent violation of OFAC sanctions
programs targeting Cuba, Iran, Sudan, the proliferation of weapons
of mass destruction, and global terrorism. Although PayPal
voluntarily disclosed the alleged violations, and the value of the
transactions at issue totaled only $43,934, OFAC concluded that
some of PayPal's compliance failures constituted egregious
violations of U.S. sanctions regulations, and determined that the
base penalty amount for all of these violations totaled
$17,018,443.
Over approximately a four-year period from 2009 through 2013,
"PayPal failed to employ adequate screening technology and
procedures to identify the potential involvement of U.S. sanctions
targets in transactions that PayPal processed."1
According to the settlement agreement, beginning in approximately
March 2006, PayPal identified OFAC compliance issues with respect
to its payment systems and began taking steps to enhance and
implement its OFAC compliance processes and procedures.
Nevertheless, prior to July 2011, PayPal reportedly failed to
interdict in-process transactions that contained references to
sanctioned countries or persons. In July 2011, PayPal enacted a
limited compliance procedure that permitted the company to screen
transactions against OFAC's list of Specially Designated
Nationals and Blocked Persons (the "SDN List") using
sanctions-related keywords. PayPal did not begin screening live
transactions against the SDN List in real time, and appropriately
blocking or rejecting prohibited transactions before payment was
complete, until April 2013. By the time PayPal had implemented
these changes, it had processed hundreds of transactions involving
sanctioned countries or parties.
Of particular concern to OFAC were 136 transactions totaling
$7,091.77 that PayPal processed on behalf of Kursad Zafer Circe, an
individual whose property and interests in property are blocked
pursuant to U.S. sanctions targeting proliferators of weapons of
mass destruction and their supporters. According to the settlement
agreement, between October 2009 and February 2013, PayPal's
software identified Circe's account as potentially associated
with an individual on the SDN List and triggered an internal alert
on six separate occasions. On each occasion, PayPal personnel
mistakenly dismissed the alert. Notably, in February
2013—nearly four years after Circe was designated on the SDN
List—a PayPal risk operations agent investigated the
potential SDN List match and requested further information on the
account. Despite receiving a copy of Circe's passport, which
confirmed that his date and place of birth were identical to the
information shown on the SDN List entry for Circe, PayPal allowed
the transaction to proceed. PayPal only (and finally) appropriately
blocked the account and reported it to OFAC on the seventh time
Circe's account was flagged in April 2013. The total value of
these transactions was $7,091.77, and OFAC determined that the
total base penalty for these apparent violations was $17
million.2
While OFAC found that many of the transactions processed in
apparent violation of sanctions regulations constituted
non-egregious violations, it found that the violations associated
with the Circe account were egregious. OFAC based its findings on
its conclusions that PayPal had demonstrated reckless disregard for
U.S. economic sanctions requirements, that its agents had failed to
adhere to PayPal's policies and procedures and had engaged in a
pattern of misconduct by repeatedly ignoring warnings of potential
matches to the SDN List, and that PayPal's actions had
undermined the integrity of OFAC's nonproliferation sanctions
regulations. Based upon the egregious nature of those apparent
violations, the base penalty for those violations comprised
virtually the entirety of the base penalty amount across all
apparent violations.
Schlumberger
In late March 2015, the Department of Justice ("DOJ")
announced that Schlumberger Holdings entered a
plea agreement to resolve allegations that it had violated U.S.
sanctions against trade with Iran and Sudan. Schlumberger Holdings
is a British Virgin Islands registered subsidiary of Schlumberger
Ltd., the world's largest oil-field services company. Under the
plea agreement, Schlumberger Holdings will pay $232.7 million for
willfully facilitating illegal transactions through its U.S. unit,
the Drilling & Measurements business segment
("D&M"), and engaging in trade with Iran and
Sudan.3 Although other companies have entered into
settlement agreements with much larger total penalties, this is the
largest criminal fine ever imposed for violations of U.S. sanctions
regulations promulgated under the International Emergency Economic
Powers Act.
In the charging documents, the DOJ focused on coordination between
Schlumberger Holdings and D&M, which, according to the DOJ, led
to: (i) disguising the company's capital expenditure
("CAPEX") requests from Iran and Sudan and approving such
requests in the United States; (ii) making and implementing
business decisions specifically concerning Iran and Sudan through
U.S. persons; and (iii) planning and supporting transactions
involving Iran and Sudan with the assistance of U.S. persons.
D&M management personnel were responsible for the supervision
of the CAPEX process, "a forecasting mechanism enabling
oilfield locations and manufacturing facilities to predict what
tools and equipment would be needed in the future to meet
anticipated demand for oilfield services."4 As part
of the CAPEX process, D&M managers around the world submitted
requests seeking approval for the manufacture of new equipment or
for the expenditure of funds for large-scale purchases. The
requests typically were submitted electronically, and as a result
of the approval process for CAPEX requests, D&M personnel in
the United States reviewed and approved all CAPEX requests,
including requests relating to Iran and Sudan. Even though the
actual purchasing or other work was performed outside of the United
States, approval for such transactions by U.S. persons was enough
to bring it under the purview of the U.S. sanctions.
The DOJ further explained in detail that Schlumberger Holdings
(including D&M) employees would seek to evade the sanctions in
multiple ways, using internal company emails to support knowledge
and intent. The plea documents identify a number of emails
containing statements suggesting that D&M personnel were
disguising the fact that certain transactions related to Iran or
Sudan. For example, D&M personnel would refer to Iran as
"Northern Gulf" and Sudan as "Southern Egypt"
or "South Egypt." The documents also indicate that
D&M personnel concealed the identity of sanctioned countries in
the computer systems by entering codes for nonsanctioned countries
or using codes for a facility located in the United Arab Emirates.
Finally, according to the DOJ Statement of Offense, D&M held a
financial planning meeting in Houston "to discuss global
financial expectations for the upcoming year and to establish a
plan to meet those expectations."5 The minutes of
the meeting showed that there was discussion that Iran was a market
on which the company needed to focus. According to the government,
these activities constituted business decisions relating to Iran
made in the United States in violation of U.S. sanctions.
The DOJ noted that Schlumberger Holdings had policies and
procedures in place "that were designed to assure that company
personnel who were U.S. persons did not participate in business
that related to U.S. sanctioned countries, including a Recusal
Program whereby U.S. persons were required to recuse themselves
from involvement in business related to Iran and Sudan."
6 The DOJ found, however, that Schlumberger Holdings did
not effectively enforce its policies and procedures in relevant
systems and practices related to D&M's operations in Iran
and Sudan. Indeed, the DOJ noted that Schlumberger Holdings did not
adequately supervise D&M personnel, including U.S. citizens and
non-U.S. citizens, to ensure their activities complied with U.S.
sanctions regulations and internal policies and procedures.
Moreover, it found that Schlumberger Holdings did not adequately
provide compliance training, and specifically noted that
Schlumberger Holdings's non-U.S. employees were not properly
trained regarding the applicability of the sanctions when they were
in the United States.
Effectiveness and Implementation of Compliance Policies and Procedures
The PayPal and Schlumberger Holdings enforcement actions reflect
familiar themes—continued scrutiny of all money and financial
service providers, regardless of size or sophistication, and the
provision of back-office services and other support by U.S. persons
for foreign business activities in sanctioned countries. A common
theme running through both enforcement actions is the substantial
impact of ineffectively implemented internal compliance policies
and procedures.
Neither OFAC nor any other U.S. sanctions enforcement agency
explicitly requires any specific internal compliance or screening
regime—or any internal compliance program at all.
7 Nevertheless, any company operating in the
international market would be prudent to implement sanctions
compliance policies and procedures that are appropriately tailored
to the risk inherent in its operations. On its website, OFAC
provides guidance materials, as well as Frequently Asked Questions,
to assist companies such as importers, exporters, and money and
financial service providers in understanding their compliance
obligations. In addition, businesses that may be relatively
unfamiliar with sanctions compliance issues, or that may wish to
review and improve their compliance policies and procedures, should
consider consulting legal and compliance experts in this
field.
As these enforcement actions indicate, merely having sanctions
compliance policies and procedures is not enough; companies must
ensure that their policies and procedures are effectively
implemented in daily operations and working to prevent
violations.
Companies should, therefore, invest as much effort, if not more,
in implementing their policies, as was given to developing the
policies. Companies can better protect themselves by providing
thorough training to employees, installing a culture of compliance
with the U.S. sanctions, and instituting strong checks to prevent
violations. Companies should train their personnel to ensure they
understand and properly employ internal compliance procedures.
Personnel should receive regular mandatory training and, in many
cases, certify their understanding of corporate policy. Management
should also be involved at all levels to set a "tone from the
top" that compliance is a priority, and to supervise
operations to avoid violations. Finally, companies should
effectively test their internal compliance procedures to ensure
they are working properly. Periodic audits can be instrumental in
mitigating corporate risk and, at a minimum, catching potential
violations before they become systemic problems. Taking steps now
to ensure that your business has proper and effective policies and
procedures in place can help reduce the risk of a government
enforcement action down the road.
Footnotes
1 OFAC Enforcement Information for March 25, 2015 at 1.
2 Id. at 2.
3 Under the plea agreement, Schlumberger will pay $155.1 million in criminal fines and $77.6 million in forfeited profits. Schlumberger also is subject to a three-year probation period during which it has to report any potential sanctions violations and is required to hire an independent consultant to evaluate and analyze its sanctions policies.
4 Statement of Offense at 7-8.
5 Id. at 17.
6 Id. at 7.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.