Each year, the Office of Foreign Assets Control (OFAC) initiates several enforcement actions targeting companies, financial institutions, and individuals in the United States and abroad. These enforcement actions can present substantial risks—including the risk of multi-billion-dollar civil monetary penalties (CMP) in some cases.

In this article, we’re taking a look at OFAC’s enforcement actions in 2023. After providing a brief overview of each of OFAC’s eight enforcement actions so far this year, we close some key insights and takeaways for executives and their legal counsel.

“OFAC pursues a relatively small number of select enforcement actions each year. However, as these recent examples show, OFAC enforcement actions can present substantial risks, and the entities and individuals targeted in these actions must take a highly strategic approach to mitigating their potential liability.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

OFAC Enforcement Actions in 2023

Here is an overview of OFAC’s enforcement actions so far in 2023:

1. Godfrey Phillips India Limited ($332,500)

OFAC and Godfrey Phillips India Limited (GPI) entered into a settlement agreement on March 1, 2023 arising out of the company’s apparent violations of OFAC’s North Korea Sanctions Regulations. GPI faced a statutory maximum civil monetary penalty (CMP) of $1,782,895 but settled for $332,500. Among other aggravating factors, OFAC found that GPI “acted recklessly when it failed to exercise a minimal degree of caution or care for U.S. sanctions laws and regulations,” and that several of the company’s managers had actual knowledge of the company’s exportation of tobacco to North Korea. Among other mitigating factors, OFAC noted that GPI had not faced enforcement action in the previous five years and that the company implemented a new sanctions compliance program after learning of the apparent violations.

2. Wells Fargo Bank, N.A. ($30,000,000)

OFAC and Wells Fargo Bank, N.A. entered into a $30 million settlement agreement on March 30, 2023 arising out of 124 apparent violations of multiple OFAC sanctions programs. According to OFAC, Wells Fargo and its predecessor (Wachovia) provided software to a foreign bank in Europe which used the software to manage trade-finance transactions with sanctioned nations and individuals. While Wells Fargo faced a statutory maximum CMP of more than $1 billion, its voluntary self-disclosure reduced the base penalty by half, and OFAC acknowledged that there was no indication that Wells Fargo’s or Wachovia’s senior management “either directed or had actual knowledge” of the transactions at issue.

3. Uphold HQ Inc. ($72,230)

OFAC and Uphold HQ Inc., a California-based money services business, entered into a settlement on March 31, 2023 related to the business’s processing of 152 transactions for customers in violation of OFAC’s sanctions against Iran, Cuba, and Venezuela. As a result of the apparent violations, Uphold HQ faced a statutory maximum CMP of more than $44 million. However, due to the non-egregious nature of the apparent violations and the business’s voluntary self-disclosure, the base penalty amount was reduced to just over $90,000. OFAC and Uphold HQ settled for $72,230, with OFAC emphasizing the importance of the business’s prompt and substantial remedial measures.

4. Microsoft Corporation ($2,980,265)

OFAC and Microsoft Corporation entered into a settlement on April 6, 2023 involving apparent violations of OFAC’s Cuba, Iran, Syria, and Ukraine/Russia-related sanctions programs. OFAC’s Enforcement Release states that the settlement amount of $2,980,265 reflects its determination that the apparent violations were “non-egregious and voluntarily self-disclosed, and further reflects the significant remedial measures Microsoft undertook upon discovery of the apparent violations.”

Microsoft faced a statutory maximum CMP of more than $404 million as a result of OFAC’s finding that the company and its foreign affiliates “demonstrated a reckless disregard for U.S. sanctions by failing to identify that over a seven-year period, more than $12,000,000 worth of software and services were exported from the United States through Microsoft systems and servers to SDNs, blocked persons, and to multiple sanctioned jurisdictions.” OFAC also found that the apparent violations were “not isolated or atypical in nature” and that Microsoft “had reason to know” that they were occurring. Even so, Microsoft’s voluntary self-disclosure and remedial measures appear to have largely carried the day.

5. British American Tobacco P.L.C. ($508,612,492)

In the most significant of OFAC’s enforcement actions of 2023 by far, British American Tobacco P.L.C. agreed to a settlement of more than $508 million after OFAC found that it committed substantial apparent violations of the sanctions against North Korea and weapons of mass destruction proliferators. The apparent violations involved engaging in a conspiracy to conceal the source of funds from tobacco exports to North Korea in order to have payments processed by U.S. financial institutions. In an Enforcement Release published on April 25, 2023, OFAC stated that, “[t]he settlement amount, which is equal to the statutory maximum [CMP], reflects OFAC’s determination that these apparent violations were egregious, and not voluntarily self-disclosed.”

6. Poloniex, LLC ($7,591,630)

OFAC and Poloniex, LLC, a Boston-based online trading platform, entered into a settlement on May 1, 2023 arising out of the company’s processing of more than $15 million in transactions for customers in sanctioned jurisdictions. While Poloniex faced more than $19 billion in potential CMP, OFAC agreed to settle with the company for approximately $7.5 million after finding that the violations were both non-egregious and voluntarily self-disclosed, and that the “small start-up” had undertaken significant additional compliance measures after being acquired.

7. Murad, LLC ($3,334,286)

OFAC and Murad, LLC, a California-based cosmetics company, entered into a settlement on May 17, 2023 arising out of apparent violations of OFAC’s Iran sanctions. According to OFAC’s Enforcement Release, the company exported at least 62 products to Iran with a total value of more than $11 million. Noting that Murad voluntarily self-disclosed the violation after being acquired by Unilever, OFAC agreed to settle the company’s potential liability of $22.2 million for just $3.3 million. Notably, an unnamed Murad senior executive agreed to a $175,000 settlement with OFAC as well.

8. Swedbank Latvia AS ($3,430,900)

OFAC and Swedbank Latvia AS entered into a settlement on June 20, 2023 related to 386 apparent violations of OFAC’s sanctions on Crimea. Noting that the apparent violations (which involved a customer with a Crimean IP address using the bank’s online platform to send payments to persons in Crimea) were non-egregious in nature, OFAC also highlighted the fact that the apparent violations were not voluntarily self-disclosed, but rather came to OFAC’s attention through a third party. The non-egregious nature of the apparent violations reduced the base penalty amount from the statutory maximum of more than $112 million to $6.2 million, and OFAC and Swedbank Latvia agreed to settle for just over half of this amount.

Key Insights and Takeaways from OFAC’s Enforcement Actions So Far in 2023

So, what are the key takeaways? Here are some of the insights we can glean from OFAC’s enforcement actions so far in 2023:

• Voluntary Self-Disclosure is a Key Factor – In the majority of cases, OFAC’s enforcement actions so far in 2023 resulted from voluntary self-disclosure. Under the OFAC Economic Sanctions Enforcement Guidelines, voluntary self-disclosure is a key factor in determining the potential penalties that are on the table. Not only does voluntary self-disclosure reduce the base penalty amount by half; but, as these examples show, it is also a key factor during settlement negotiations.
• The Egregiousness of the Apparent Violation(s) is Also a Key Factor – Under the Economic Sanctions Enforcement Guidelines, apparent violations can either be classified as “egregious” or “non-egregious.” In non-egregious cases, the base penalty amount is reduced substantially—as demonstrated by the Microsoft and Swedbank Latvia cases summarized above. When determining whether an apparent violation is egregious, OFAC considers several factors, including (but not limited to) willfulness or recklessness, awareness of the conduct at issue, and harm (if any) to sanctions program objectives.
• Many OFAC Enforcement Actions Settle – All of OFAC’s finalized enforcement actions so far in 2023 have resulted in settlements. This makes sense in light of the fact that most of OFAC’s enforcement actions result from voluntary self-disclosure (and those that don’t often involve clear evidence of apparent violations). In most cases, the settlement amounts have been far below the statutory maximum CMP and base penalty amount.
• Remedial Action Weighs Heavily in OFAC’s Decision-Making – When deciding whether to accept a settlement, OFAC considers both aggravating and mitigating factors. As the Enforcement Releases summarizing the cases discussed above show, remedial action is often a key mitigating factor that substantially reduces targeted entities’ exposure. Some examples of remedial measures include suspending accounts of blocked entities and individuals, implementing new technological solutions to identify SDNs and other parties of concern, enhancing compliance departments’ resources, implementing periodic sanctions risk assessments, and providing additional OFAC compliance training.
• OFAC Expects Entities to Implement Robust and Effective Compliance Programs – Finally, as these cases from the first half of 2023 make clear, ignorance is not an excuse for non-compliance. OFAC expects all entities to assess their sanctions compliance obligations and implement robust and effective compliance programs. During an OFAC investigation, the target’s ability to demonstrate that an apparent violation occurred despite its reasonable and good-faith compliance efforts can play a key role in facilitating a favorable resolution. Conversely, lack of documented compliance policies, procedures, and protocols can enhance targeted entities’ (and individuals’) exposure.