On July 8, 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”) announced a $134,523 civil settlement with Amazon, Inc. (“Amazon”), for alleged violations of multiple OFAC sanction and embargo programs. OFAC oversees multiple sanction and embargo programs under the Trading with the Enemy Act of 1917, 50a U.S.C. §§1-40 (1958), and other related statutes, pursuant to which U.S. business are prohibited from doing business, directly or indirectly, with specific people, organizations, and jurisdictions. In relevant part, Amazon’s conditions of use (last updated in May 2018) state:
SANCTIONS AND EXPORT POLICY
You may not use any Amazon Service if you are the subject of U.S. sanctions or of sanctions consistent with U.S. law imposed by the governments of the country where you are using Amazon Services. You must comply with all U.S. or other export and re-export restrictions that may apply to goods, software (including Amazon Software), technology, and services.
However, as discussed below, such a strong statement in a conditions of use must be accompanied by risk-based controls to achieve effective compliance with OFAC-administered sanction and embargo regulations.
Alleged OFAC Sanctions Violations
According to OFAC, from 2011 to 2018, Amazon allegedly violated several OFAC sanction and embargo regulations1 when its automated screening processes failed to analyze fully all transaction and customer data relevant to compliance with such regulations. These compliance failures allowed $269,000 worth of transactions for low-value retail goods and services to be accepted and processed for (a) persons located in Crimea, Iran, and Syria; (b) persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria; and (c) persons listed on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”). Common screening errors included failures to flag transactions referencing a sanctioned jurisdiction or common alternative spelling of a sanctioned jurisdiction, transactions referencing the correctly spelled names and addresses of persons on the SDN List, and orders shipped to Iranian Embassies located in third countries.
In the course of the investigation, Amazon also disclosed to OFAC its failure to report 362 transactions involving Crimea that it had conducted pursuant to General License No. 5, “Authorizing Certain Activities Prohibited by Executive Order 13685 of December 19, 2014 Necessary to Wind Down Operations Involving the Crimea Region of Ukraine” (“GL 5”), which authorized certain transactions prohibited by E.O. 13685 through February 1, 2015. Under GL 5, Amazon was required to report to OFAC such transactions within 10 days after its wind-down activities concluded. Although Amazon had complied with the GL 5 reporting requirement for 245 other transactions, its lack of timely reporting for the 362 transactions in question nullified the authorization contained in in GL 5, as to those reported transactions.
OFAC’s Enforcement Analysis
Under OFAC’s Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501, app. A.), the maximum civil monetary penalty available for the alleged violations was $1,038,206.21. However, OFAC determined that Amazon’s conduct constituted a “non-egregious” case and it credited Amazon with the company’s voluntary self-disclosure. Accordingly, OFAC imposed the base civil monetary penalty, which equals the sum of one-half of the transaction value for each apparent violation, which totaled $134,523.
In its announcement, OFAC provided the basis for its analysis of the case under the Enforcement Guidelines’ “General Factors.” Among the aggravating factors cited, Amazon:
- did not properly review or assess addresses, customer names, and common variations of relevant data points as part of its screening processes;
- allowed processing of orders for personal security products on behalf of individuals located at Iranian embassies (notwithstanding the low dollar-amount of the goods in question); and
- failed to maintain appropriate screening despite being one of the largest and most commercially sophisticated companies in the world.
More critically, in terms of mitigation, OFAC found that Amazon:
- had not received a penalty notice or Finding of Violation from OFAC in the five years preceding the first date of the transactions in question;
- voluntarily self-disclosed the conduct;
- cooperated with OFAC’s investigation;
- conducted an internal investigation without needing to receive an administrative subpoena first;
- undertook significant remedial measures, including incorporating additional automated preventative screening controls, developing internal custom screening lists, and enhancing its sanctioned jurisdiction Internal Protocol (IP) blocking controls;
- invested substantial resources to improve its overall sanctions compliance program, including engaging senior management, adding headcount to the compliance department, conducting additional reviews, bolstering training, and expanding use of specific export control and sanctions provisions in its contracts.
OFAC explicitly noted in its announcement of the settlement that the case “demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls” especially for e-commerce and other “large, sophisticated” businesses operating on a global scale. The settlement announcement suggests that the more global the company, the greater the compliance obligations; but past OFAC actions do not, in any way, suggest that small and medium sized enterprise have any less of a compliance obligation. Companies should not rely solely on automated compliance mechanisms, at least not without strong human oversight and testing. Statements of policy, such as in Amazon’s conditions of use, set an appropriate compliance tone, but can lose meaning without compliance testing, training, and auditing. U.S. companies should undertake reasonable efforts with respect to screening and reporting requirements under OFAC’s sanction and embargo programs and related general licenses. The relative leniency of the settlement award also clearly indicates the import of self-disclosure, cooperation with investigation, and robust and speedy investment in remedial actions as soon as potential violations are discovered.
Despite the global economic slow-down, now may be the right time to review your export compliance program.
 The regulations include The Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR); the Democratic Republic of the Congo Sanctions Regulations, 31 C.F.R. Part 547 (DRCSR); the Foreign Narcotics Kingpin Sanctions Regulations, 31 C.F.R. Part 598 (FNKSR); the Global Terrorism Sanctions Regulations, 31 C.F.R. Part 594 (GTSR); the Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560 (ITSR); the Narcotics Trafficking Sanctions Regulations, 31 C.F.R. Part 536 (NTSR); the North Korea Sanctions Regulations, 31 C.F.R. Part 510 (NKSR); the Syrian Sanctions Regulations, 31 C.F.R. Part 542 (SySR); the Sudanese Sanctions Regulations, 31 C.F.R. Part 538 (SSR); the Transnational Criminal Organizations Sanctions Regulations, 31 C.F.R. Part 590 (TCOSR); Executive Order 13685 of December 19, 2014, “Blocking Property of Certain Persons and Prohibiting Certain Transactions With Respect to the Crimea Region of Ukraine”; the Venezuela Sanctions Regulations, 31 C.F.R. Part 591 (VSR); the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. Part 539 (WMDPSR); and the Zimbabwe Sanctions Regulations, 31 C.F.R. Part 541 (ZSR).