As we previously wrote in our OFAC 2020 Year in Review, the U.S. Treasury Department's Office of Foreign Assets Control ("OFAC") saw a drop in enforcement activity in 2020, likely due to the massive year it had in 2019 and delays due to the coronavirus pandemic. In 2020, OFAC issued 17 enforcement actions with a total of $23.6 million in penalties, compared to the 30 enforcement actions with almost $1.3 billion in penalties in 2019. The reduced numbers last year are likely due to the lack of any blockbuster cases in 2020 like the $657 million penalty against Standard Chartered in 2019 or the $100 million penalty against ZTE Corp. in 2017. Despite the absence of any huge penalties, many of OFAC's 2020 enforcement actions were groundbreaking and filled with important lessons from OFAC for those paying attention. Fortunately, we've collected those lessons for you below.
1. Watch out for the "U.S. Nexus." Most global companies should understand that transactions with a "U.S. nexus" or touchpoints to the United States can be subject to U.S. jurisdiction for sanctions purposes. Last year, OFAC issued a number of penalties that demonstrate the myriad ways in which a transaction can have a U.S. nexus. These cases remind us that a transaction can have a U.S. nexus when it involves (A) a foreign branch of a U.S. bank, (B) U.S. dollars, (C) U.S. information technology ("IT") infrastructure, (D) U.S. nationals, or (E) U.S.-origin goods.
- Foreign Branches of U.S. Banks. OFAC's Essentra case shows how using a foreign branch of a U.S. bank to send/receive payments can bring transactions under U.S. jurisdiction. Essentra is a UAE cigarette filter and tear tape manufacturer that exported cigarette filters to North Korea. While these exports appear to have taken place outside the United States with non-U.S. goods, Essentra sought to be paid into its account at the foreign branch of a U.S. bank. Two of Essentra's violations involved accepting payment in a non-U.S. currency. However, because a foreign branch of a U.S. bank is a "U.S. person" for OFAC sanctions purposes and OFAC prohibits any person - including non-U.S. persons - from causing a U.S. person to violate U.S. sanctions, Essentra caused the U.S. branch that accepted its North Korea-related payments to violate U.S. sanctions and consequently violated them itself.
- U.S. dollars. While transactions in U.S. dollars do not, per se, mean a transaction is subject to U.S. jurisdiction, they may almost always be because the dollars are generally sourced from or cleared through the United States. OFAC's National Commercial Bank ("NCB") case joins a long line of cases showing how this can happen. NCB, a bank headquartered in Jeddah, Saudi Arabia, processed 13 U.S. dollar transactions for clients who appear to have been purchasing goods from Syrian and Sudanese counterparties. NCB appears to have cleared the U.S. dollar funds transfers through the United States, thereby causing exports of such services from the United States to Syria and Sudan in violation of U.S. sanctions.
- U.S. IT infrastructure. While many companies are aware that transactions denominated in U.S. dollars often come under U.S. jurisdiction by passing through the United States, very few applied the same logic to U.S. IT infrastructure. However, in early 2016, OFAC's now revoked General License H mentioned that U.S. foreign subsidiaries authorized to do business with Iran were also authorized to rely on the shared IT systems of their U.S. parent. This indicated that OFAC viewed transactions conducted through U.S. IT infrastructure as subject to U.S. jurisdiction in the same way that a payment transiting the United States would be. OFAC's case against Société Internationale de Télécommunications Aéronautiques SCRL ("SITA") appears to be the first enforcement action based on this view. SITA provides commercial telecommunications network and IT services to the civilian air transportation industry. SITA's services include a messaging system similar to SWIFT that allows airlines and airports to order aircraft maintenance, refuel planes, arrange and change routes, facilitate baggage transfers, and book passengers. SITA provided these services to several sanctioned airlines through a server in Atlanta, Georgia thereby bringing them under U.S. jurisdiction and resulting in a $7.8 million fine.
- U.S. nationals. Many non-U.S. companies understand that U.S. affiliates are subject to U.S. sanctions laws but forget that U.S. national individuals are as well, regardless of where they are located. OFAC's case against " An Individual" is a helpful reminder that U.S. citizens and permanent residents are subject to U.S. sanctions rules even when they are outside the United States. The individual was a U.S. government employee who formed a personal relationship with a sanctioned narcotics trafficker while stationed in Bogota, Colombia. Throughout the course of that relationship, the U.S. national bought the sanctioned individual jewelry, meals, clothing, hotel rooms, and other gifts in violation of the general prohibition against dealing with sanctioned parties. In this case, the U.S. national only incurred personal liability, but it is important to point out U.S. national dealings like the ones in this case on behalf of a non-U.S. employer could incur liability for the employer.
- U.S.-origin goods. In addition to U.S. nationals, U.S. goods can also bring a transaction under U.S. jurisdiction for sanctions purposes (in addition to U.S. export controls). This is well illustrated by OFAC's case against Keysight. Keysight purchased a Finnish subsidiary with historical sales to Iran. Non-U.S. companies are generally not prohibited from dealing with Iran (though secondary sanctions often apply) and at the time of these sales, U.S. foreign subsidiaries were permitted to do so. However, U.S. sanctions against Iran generally do not (and did not at the time of the conduct at issue in the Keysight case) allow exports from the United States to Iran or reexports to Iran of most U.S.-origin goods. This meant that when Keysight's Finnish subsidiary sold U.S.-origin items to Iran, it violated U.S. sanctions and incurred a $473,000 penalty for doing so.
2. No paper tiger compliance programs. OFAC expects all companies subject to its regulations to have a risk-based sanctions compliance program and considers inadequate sanctions compliance programs to be reckless. OFAC's 2020 enforcement actions show that companies (A) cannot contract away their sanctions compliance obligations, (B) should rapidly update their compliance programs in response to changes in the law, (C) implement common sanctions controls, (D) be proactive when dealing with sanctions issues, (E) implement checks and balances to stop staff from overruling controls, and (F) haste makes waste.
- You cannot contract away your sanctions compliance obligations. U.S. sanctions rules are generally strict liability and cannot be contracted to third parties without risk. OFAC's case against Comtech last year is another reminder that every company is independently responsible for its own sanctions compliance, regardless of what it puts in its contracts. Prior to shipping satellite equipment to Sudan, a Comtech subsidiary's screening software and credit manager alerted management that the shipment could be prohibited by U.S. sanctions. In response, the subsidiary's management sought to contractually transfer sanctions compliance obligations to Comtech's Canadian distributor. Despite this, OFAC still penalized Comtech and its subsidiary with a $900,000 fine for violating U.S. sanctions against Sudan after they fulfilled the shipment.
- Update your compliance programs when the law changes. Changes in sanctions rules generally take effect immediately and, therefore, it is important to have controls in place to ensure that you can rapidly respond to changes in the law. This was demonstrated in OFAC's case against Whitford Worldwide Company, LLC ("Whitford"). Whitford is a cookware coating manufacturer based in Elverson, Pennsylvania. Prior to 2012, U.S. foreign subsidiaries could sell goods to Iran. However, Congress changed the Iran rules in 2012 to prohibit U.S. foreign subsidiaries from dealing with Iran. Whitford's Italian and Turkish subsidiaries continued to sell cookware to Iran after 2012, despite the change. This was, in part, because Whitford did not update its policies to prohibit its subsidiaries from dealing with Iran. OFAC found this failure to be reckless.
- Implement common sanctions controls. OFAC understands that the concept of a "risk-based" compliance program is amorphous and hard to implement in practice. However, at a minimum, OFAC expects companies to implement controls that it considers "low hanging fruit" that are commonly used across industries. OFAC's case against BitGo, Inc. is a good example of the issues that can arise from failing to do so. BitGo is a technology company that implements security and scalability platforms for digital assets (e.g., bitcoin) and offers digital wallet management services. BitGo offered these services online and relied on its users to attest to their locations. BitGo did not implement IP address blocking, a very common sanctions control, to prevent users in sanctioned countries from accessing its platform. Over the course of several years, users from almost every sanctioned country used BitGo's services resulting in slew of sanctions violations. In its summary of BitGo's case, OFAC repeatedly emphasized BitGo's failure to implement IP blocking, showing that OFAC expects companies to implement these types of common controls.
- Be proactive. Too many companies wait until there is a major sanctions issue to update their sanctions compliance programs. This was the case for the SITA, a commercial telecommunications and information technology service provider for the civilian air transportation industry. OFAC settled with SITA for providing these services to airlines designated as terrorists. In its discussion of SITA's case, OFAC noted that SITA "described its compliance program up until that point as primarily reactive, in that it would address compliance concerns as they arose." This approach appears to have meant that SITA only took steps to comply with the law after potentially breaking it. As expected, OFAC did not take kindly to this sort of compliance program and settled with SITA for $7.8 million.
- Implement checks and balances. Sometimes a company's sanctions controls are effective but are overruled by employees who shouldn't have the authority to do so. This seems to have occurred in OFAC's Comtech case. Comtech and one of its Canadian subsidiaries exported satellite equipment and related services to Sudan despite multiple warning signs that doing so would be prohibited, including that a Sudanese government agency was the shipment's ultimate consignee and a warning from Comtech's sanctions screening software. Despite multiple warnings, Comtech staff were able to ship the satellite equipment through Canada to Sudan. This appears to have occurred because Comtech's compliance program did not include controls to halt transactions for compliance issues. If Comtech had implemented checks and balances to prevent transactions from moving forward until red flags were cleared, it may have avoided an OFAC penalty.
- Haste makes waste. OFAC does not view high pressure environments where time is of the essence as an excuse for sanctions violations. Therefore, it is essential that global companies give even high-value time-sensitive transactions proper sanctions due diligence. In OFAC's case against Deutsche Bank Trust Company Americas ("DB-US"), DB-US agreed to process a high-value fuel-oil payment that had to be completed within a day to meet a strict deadline. DB-US had reason to know that the fuel-oil payment involved a recently sanctioned party but performed limited due diligence on the transaction after the payer's counsel advised that the sanctioned party had no interest in the payment. OFAC reached a different conclusion regarding the sanctioned party's interest in the payment, and DB-US was forced to pay a fine. OFAC explicitly mentioned that it "would have expected [DB-US] to corroborate independently the representations it received" to ensure the transaction would not violate sanctions.
3. Sound sanctions screening is a must. OFAC has long issued penalties against those who fail to screen or implement inadequate screening. These cases suggest that OFAC expects companies to perform sanctions screening on all relevant information in their possession. Last year, OFAC's screening cases indicated that companies should ensure their sanctions screening is robust enough to capture (A) alternative spellings, (B) addresses of sanctioned government buildings in third-countries, (C) SWIFT Bank Identification Code ("BIC") numbers, and (D) location information.
- Alternate spellings. It seems like almost every year, OFAC penalizes a company after the company's screening software does not flag alternate spellings of a sanctioned party or place name. This past year, OFAC penalized Amazon. OFAC noted that orders were accepted and processed on Amazon's website from persons located in sanctioned jurisdictions, in part, because screening software did not capture alternate spellings of place names in sanctioned jurisdictions, such as "Yalta, Krimea" instead of "Yalta, Crimea" resulting in sales prohibited by the U.S. embargo against Crimea.
- Addresses of sanctioned government buildings in third-countries. OFAC's case against Amazon also suggests that OFAC may expect companies to keep track of and screen for the addresses of sanctioned government buildings (e.g., embassies or consulates) located in third-countries. Orders of persons affiliated with Iranian embassies located in third countries appear to have been processed on Amazon's website. Since U.S. sanctions with respect to the Government of Iran apply without geographic limitations, OFAC appears to have expected Amazon's sanctions screening to account for the Iranian government's presence in third-countries. Others should take note and make sure they are screening for other sanctioned government buildings such as the embassies of Cuba, Iran, Syria, North Korea, Venezuela, etc.
- SWIFT BIC numbers. One of the major themes of OFAC's screening enforcement actions is that companies should be screening all identifying information readily available to them. In OFAC's DB-US case, OFAC made clear that this should include SWIFT BIC numbers. DB-US processed a number of payments destined for accounts with a sanctioned Russian bank. Each payment included the sanctioned bank's BIC number. DB-US's screening software did not flag the Russian bank as sanctioned because DB-US had failed to include the sanctioned bank's SWIFT BIC as an identifier when it was originally added to DB-US's screening filter. This oversight resulted in a penalty for DB-US, which processed multiple payments to the sanctioned bank in violation of U.S. sanctions.
- Location Information. Like alternate spellings, OFAC regularly draws attention to companies that fail to screen location information. This year it was Generali Global Assistance, Inc. ("GGA"). GGA is a New York travel assistance services company that provides travel and claims services on behalf of clients that offer global medical expense and travel insurance policies. GGA provided travel claim reimbursements to Canadian travelers who had travelled to Cuba in violation of U.S. sanctions. GGA had a sanctions policy in place at the time of these violations but this policy failed to require sanctions screening for countries and regions subject to U.S. sanctions. The GGA case serves as a reminder that companies need to screen location information in addition to names against OFAC's lists.
4. When in doubt, request a license or seek legal advice. OFAC's enforcement actions in 2020 stand out by the number of cases where the violation at issue appears to have been, in part, based on misunderstandings of sanctions law and OFAC's regulations. These cases show that (A) you need to ensure you understand the scope of OFAC regulations and licenses before proceeding with a transaction, (B) if you're not sure, apply for an OFAC license, (C) if you've applied for a license, don't proceed until it's been granted, and (D) if you have a license, you need to comply with every provision of it, including reporting requirements.
- Make sure you understand the scope of OFAC's regulations and general licenses before dealing with sanctioned parties. OFAC's case against BIOMIN illustrates this point. BIOMIN is a Kansas-based animal food company that thought it could not sell animal food products from the United States to Cuba, but could sell non-U.S. products to Cuba from its foreign subsidiaries. However, due to an OFAC general license, the opposite was true for BIOMIN, which had to pay a $258,000 penalty for conduct it could likely have performed legally from the United States. Similarly, in its case against Park Strategies, OFAC noted that the lobbying contract Park signed with a sanctioned party was outside the scope of a general license for legal services, suggesting that Park may have thought its lobbying services were authorized. Taken together, these cases show how important it is for companies to carefully review their operations and U.S. sanctions rules before dealing with sanctioned parties.
- When in doubt, apply for a license. As noted above, BIOMIN misunderstood the scope of OFAC's Cuba sanctions program and may have been able to avail itself of a general license. However, OFAC noted that even if the general license did not apply to BIOMIN's transactions with Cuba, BIOMIN "could potentially have availed itself of . a specific license from OFAC, provided the exports had been consistent with the Export Administration Regulations." The fact that OFAC drew attention to this point suggests that such a license would have been granted if only BIOMIN had applied for it.
- If you've applied for a license, wait for OFAC to respond before proceeding. OFAC is a relatively small, understaffed agency. This means it may often take a long time to receive an OFAC license after you've applied for one. However, an OFAC licensing delay is not tacit permission to move forward with prohibited transactions. In OFAC's Eagle Shipping case, Eagle Shipping agreed to transport sand from Burma to Singapore for a land reclamation project. After loading the sand onto a vessel, Eagle Shipping noticed that the shipper was a sanctioned party and applied for an OFAC license to ship the sand. However, due to pressure from the Burmese government, Eagle moved forward with the transaction before obtaining approval from OFAC and ultimately paid a $1.1 million fine for doing so.
- Failing to file OFAC license reports can nullify OFAC licenses. Many OFAC general and specific licenses contain reporting requirements that require the licensee to report to OFAC on the activities the licensee engaged in under the license. In 2020, OFAC reminded those relying on OFAC licenses that these requirements must be strictly adhered to and that not filing such reports can nullify OFAC's licenses. This happened to Amazon when several hundred transactions engaged in under a general license related to Crimea were not reported to OFAC. In response, OFAC nullified the general license with respect to those transactions and augmented Amazon's penalty accordingly.
5. Remediation can make a huge difference even if you violate sanctions. When mistakes happen, OFAC expects companies to quickly undertake remedial efforts to prevent them from happening again. In 2020, OFAC highlighted the following: (A) respond to sanctions issues as quickly as possible, (B) don't patch and pray, and (C) tough love may be necessary.
- Respond to sanctions issues as quickly as possible. The faster a sanctions issue is responded to and remediated, the less likely that issue will spiral into a significant penalty. OFAC also generally interprets rapid responses to sanctions issues as an indication of an effective sanctions compliance program and a positive tone at the top. This can be seen in OFAC's case against Park Strategies, where Park entered into a prohibited contract with a sanctioned party on August 25, received its first payment under the contract on September 6, and requested that its financial institution block those funds on October 12. While it would have been better if Park had not dealt with the sanctioned party at all, OFAC appears to have taken into account Park's rapid response reducing its penalty from a theoretical maximum of over $300,000 to an assessed penalty of $12,000.
- Remediate your whole control framework, don't patch and pray. Many companies respond to sanctions issues under a "patch and pray" framework, resolving sanctions issues in the narrowest and cheapest manner available to them, and hoping they don't happen again. This appears to have been the case for SITA with its ad hoc approach to sanctions compliance issues. However, patch and pray doesn't work long term and as evidenced by SITA's $7.8 million penalty, OFAC expects companies to resolve sanctions issues by remediating their whole control framework to prevent foreseeable sanctions issues from ever happening again. At the end of its webpost for Whitford, OFAC provides a good example of this, by listing what OFAC called the "significant" remedial measures Whitford undertook to prevent its violations from happening again, including appointing multiple compliance monitors, firing the CEO, and revamping its sanctions compliance program, among others.
- Tough love may be necessary. When leadership and other managerial personnel are involved in sanctions violations, it may be necessary to remove these persons to set a proper tone at the top. As mentioned above, Whitford replaced its CEO who was involved in Whitford's sanctions violations. Similarly, Keysight terminated the employees involved in the sanctions violations of its Finnish subsidiary. In each case, OFAC mentioned these firings as mitigating factors.
6. Audit and stress test sanctions compliance programs. It's one thing to have sanctions controls in place, but if these controls do not work or do not work as expected, they will do very little good. OFAC expects companies to test and audit their sanctions compliance programs for effectiveness and ensure their controls are working properly. This testing and auditing function should (A) ensure ring-fencing policies fully remove the U.S. nexus from transactions involving sanctioned parties, (B) ensure systems connected to your compliance program function as intended, and (C) implement backups for when compliance systems crash.
- Ensure ring-fencing policies fully remove the U.S. nexus from transactions. Many non-U.S. companies take steps to insulate their global operations from U.S. sanctions by walling off their U.S. operations through so called "ring-fencing" policies. Like other sanctions controls, ring-fencing policies should be carefully reviewed to ensure the wall between the United States and any transactions involving sanctioned parties outside the United States is not permeable. In OFAC's SITA case, SITA knew it was dealing with sanctioned airlines and "implemented periodic measures" to comply with U.S. economic sanctions. These measures appear to have included a review of SITA's contractual relationships with the sanctioned airlines and terminating those contracts involving services with a U.S. nexus. However, SITA appears to have missed that its U.S.-based servers were processing non-U.S. transactions, thereby bringing those transactions under U.S. jurisdiction.
- Ensure systems connected to your compliance program function as expected. Sanctions compliance policies may direct compliance staff to screen certain information against OFAC's lists. However, if that information never makes it into your screening software to begin with, you may not be screening the information you think you are. This happened to DB-US when it failed to screen a sanctioned bank's SWIFT BIC number even though its sanctions compliance program required BIC numbers to be screened. OFAC noted that this was because DB-US failed to include the sanctioned bank's BIC number in its interdiction filter (even though the sanctioned bank's BIC was included on the SDN List). If DB-US had tested the data feed between OFAC's lists and its interdiction filter, it may have noticed that it wasn't screening the information it thought it was.
- Implement back-ups for when compliance systems crash. Like any other IT system, automated sanctions screening software can freeze and crash. Therefore, it is important to have a plan in place to make sure such crashes do not lead to sanctions violations. In OFAC's case against American Express Travel Related Services Company ("Amex"), Amex used an automated "risk engine" to identify whether an applicant for an Amex travel card was a sanctioned person and decline applicants who were sanctioned. After a non-U.S. bank seeking to issue an Amex travel card to a sanctioned person was declined by Amex's risk engine, the bank resubmitted the sanctioned party's application over and over until the risk engine crashed, thereby allowing the application to move forward. If Amex had a back-up screening system, it may have avoided an OFAC enforcement action.
7. Rein in Foreign Subsidiaries. OFAC's Iran and Cuba programs generally apply the same rules to the foreign subsidiaries of U.S. companies as they do to their U.S. parents (the same is true with respect to North Korea for U.S. financial institutions). In recent years, OFAC has made it clear that it will hold U.S. parent companies liable for the sanctions violations of their foreign subsidiaries. This trend continued in 2020 with Berkshire Hathaway, which settled with OFAC for $4.1 million after one of its Turkish subsidiaries sold cutting tools to Iran, and Keysight, which settled with OFAC for $470,000 after its Finnish subsidiary sold mobile network test equipment to Iran. In both cases, the U.S. parent had policies in place to prohibit its subsidiaries from selling goods to sanctioned countries and, in both cases, the foreign subsidiary ignored these policies. As a result, OFAC penalized the U.S. parent, showing how important it is to rein in foreign subsidiaries and audit their implementation of global controls (especially for those subsidiaries with a history of dealing with sanctioned countries).
In light of OFAC's enforcement actions, companies in all industries should take care to ensure that their businesses comply with U.S. sanctions. Companies (particularly those in high-risk industries) should ensure that they have implemented a rigorous compliance program that emphasizes management commitments, risk assessments, internal controls, testing and auditing, and training. As always, Morrison & Foerster's National Security Practice Group stands ready to provide counsel on the scope and sufficiency of corporate sanctions compliance programs.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved