Today’s alert—the third and final installment in our Sanctions 2022 Year in Review series—provides an overview of U.S. sanctions enforcement in 2022, including the key lessons learned from the enforcement actions issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and an overview of the increased focus on sanctions enforcement by the U.S. Department of Justice (DOJ).
Following Russia’s invasion of Ukraine, the Biden administration warned of increased sanctions enforcement, although given the lengthy time necessary for investigation and conclusion of OFAC enforcement cases, the agency issued no public enforcement actions last year relating to the heightened Russia sanctions (although it did issue one action relating to the earlier round of sanctions after Russia’s 2014 Ukraine invasion). We expect new Russia-centric cases to begin trickling out of OFAC during the coming year. Overall, in 2022, OFAC issued 16 public enforcement actions involving violations of 11 different OFAC sanctions programs. The actions, including 14 penalty matters and two findings of violation (FOVs), targeted apparent violations, resulting in settlements totaling over $42.7 million. While OFAC issued four fewer public enforcement actions last year than in 2021, its penalty settlements were more than double compared to the 2021 total of $20.9 million. Although the penalties in recent years have been far smaller than those assessed last decade, when OFAC’s wire-stripping cases against major financial institutions frequently resulted in settlements of hundreds of millions of dollars, 2022 nevertheless saw OFAC issue its largest penalty ($24 million) in three years as part of its first joint resolution against a cryptocurrency company (Bittrex, Inc) with the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). The next-largest OFAC penalty last year was against Toll Holdings Limited (“Toll”), a freight forwarding and logistics company, for $6.1 million.
For its part, DOJ also played an integral role in sanctions enforcement last year. During his 2022 State of the Union Address, President Biden warned that DOJ was creating a “dedicated task force to go after the crimes of Russian oligarchs” and announced the United States was “joining with our European allies to find and seize your yachts, your luxury apartments, your private jets. We are coming for your ill-begotten gains.” This KleptoCapture Task Force is tasked with ensuring the full effect of sanctions against Russia-related parties, by investigating and prosecuting violations of new and future sanctions imposed in response to Russia’s war, combating evasion of sanctions against Russian financial institutions, including the prosecution of those who try to evade know-your-customer and anti-money laundering measures, targeting efforts to use cryptocurrency to evade U.S. sanctions or launder proceeds of foreign corruption, and using asset forfeiture authorities to seize assets belonging to sanctioned individuals and entities. In June, Deputy Attorney General Lisa Monaco further ratcheted up attention on criminal sanctions enforcement when she referred to sanctions as “the new FCPA” and described the Department’s focus on sanctions enforcement as a “sea change.” Echoing other recent statements from DOJ officials, Ms. Monaco stressed the importance of sanctions compliance programs and voluntary disclosure, urging companies to “pick up the phone and call us. Do not wait for [DOJ] to call you.” In fact, Ms. Monaco just announced that DOJ is hiring 25 “new prosecutors who will investigate and prosecute” sanctions and export control violations, with a particular focus on corporate violations. This expansion would more than double the number of prosecutors at the DOJ who focus on such violations, and influx of resources which resources will inevitably lead to a substantial increase in investigations and enforcement actions. While the long-term impacts of these efforts remain to be seen, we anticipate that sanctions and other national security issues will continue to be core priorities for DOJ in 2023 and beyond.
In the meantime, we offer this Part Three of our Sanctions Year in Review to highlight significant lessons learned from OFAC’s 2022 enforcement actions. Part One of our series summarized OFAC’s major activities and programmatic updates from 2022, and Part Two summarized the key Russia-related sanctions imposed by the United States, European Union, and United Kingdom. In this final installment, we look to the recent enforcement past to offer sanctions compliance lessons for the future.
1. Scaling sanctions compliance with business expansion
In three 2022 enforcement actions—against Bittrex, Airbnb Payments, Inc.(“Airbnb Payments”), and Payward, Inc. d/b/a Kraken (“Kraken”)—OFAC highlighted the importance of scaling sanctions compliance programs commensurate with business growth and ongoing sanctions risk assessment.
Two of these matters involved companies operating in the virtual currency space. Bittrex, a Washington-based virtual currency exchange that provides users with wallet hosting services, settled its potential civil liability for $24,280,892—the largest OFAC settlement since 2019. While rapidly expanding, Bittrex failed to prevent persons apparently located in sanctioned jurisdictions from transacting on its platform. Although Bittrex had retained a third-party screening vendor, it was only screening against sanctions lists and not for nexus to sanctioned jurisdictions. And in its settlement with Kraken, a Delaware-incorporated virtual currency platform founded in 2011 that allows users to buy, sell, hold, and exchange fiat and cryptocurrencies, OFAC determined that Kraken engaged in apparent violations when processing transactions on behalf of individuals located in Iran. Although Kraken had controls in place to prevent users from initially opening accounts from sanctioned jurisdictions, Kraken did not implement IP address blocking on transactional activity across its platform, despite serving customers worldwide. In both matters, OFAC credited as mitigating factors enhancements to the companies’ compliance programs, including hiring additional compliance leadership and staff.
OFAC noted the importance of “new companies and those involved in emerging technologies incorporating sanctions compliance into their business functions at the outset, especially when the companies seek to offer financial services to a global customer base.” Rapidly growing companies would be well served by regularly updating their sanctions compliance policies and procedures to account for their evolving risk profiles, including when expanding into new geographic territory or new business lines with increased sanctions risks. In the case of Airbnb Payments, where the apparent violations were associated with the company’s launch in Cuba, OFAC cautioned against entering new commercial markets, particularly those with elevated sanctions risks, without fully anticipating the complexities of operating in those markets and implementing risk-based sanctions compliance controls.
2. A “set it and forget it” approach to sanctions compliance is insufficient
OFAC’s 2022 enforcement actions serve as a reminder that adopting sanctions compliance controls without adequate investment in proper implementation can lead to sanctions violations. Companies should implement internal controls that perform regular audits on their sanctions compliance tools and expeditiously update their compliance policies whenever changes are made to U.S. sanctions laws.
OFAC’s settlement with C.F.M. Indosuez Wealth (“C.F.M.”), a Monaco-based financial institution specializing in wealth management and corporate investment banking, involved C.F.M. operating U.S.-dollar banking and security accounts and conducting business through the U.S. financial system on behalf of 11 individual customers located in sanctioned jurisdictions. Although C.F.M. had implemented internal restrictions designed to prevent certain payments on accounts held by persons ordinarily resident in sanctioned jurisdictions, the restrictions did not prevent securities-related payments from being credited to the accounts. C.F.M. had reason to know that these transactions involved clients residing in sanctioned jurisdictions because the clients’ know-your-customer (KYC) files included address information. The apparent violations were identified following a periodic oversight review conducted by C.F.M.’s compliance division. OFAC considered C.F.R.’s adoption of enhanced sanctions screening tools to be a mitigating factor. Similarly, OFAC’s FOV against MidFirst Bank involved apparent violations stemming from the bank’s misunderstanding of how often its outside vendor was conducting sanctions screening against the bank’s existing customer base.
3. Non-U.S. companies that utilize U.S. financial services—directly or indirectly—must comply with U.S. sanctions.
OFAC’s 2022 enforcement actions reaffirmed its appetite to penalize non-U.S. corporations utilizing U.S. financial services to effect business transactions involving sanctioned persons and jurisdictions. Transactions involving U.S. dollars and U.S.-dollar accounts located abroad are generally sourced or cleared through the United States, which pulls such transactions into U.S. jurisdiction, even when they otherwise occur entirely outside the United States and without the involvement of U.S. persons. Companies engaging in U.S.-dollar transactions must ensure they have adequate sanctions compliance measures in place to mitigate the risk of engaging in U.S. sanctions violations. The same principle applies to the use of accounts at non-U.S. branches of U.S. financial institutions, which are considered U.S. persons under the U.S. sanctions regime.
OFAC’s settlements with Toll, Sojitz (Hong Kong) Limited (“Sojitz HK”), and Danfoss A/S all involve non-U.S. companies “causing” sanctions violations by conducting transactions—that otherwise did not involve a U.S.-nexus—through the U.S. financial system. The apparent violations in the Toll matter stem from U.S.-dollar payments originated or received in connection with shipments to, from, or through sanctioned jurisdictions. Similarly, Sojitz HK, a Hong Kong-based company, initiated U.S.-dollar payments for Iranian-origin goods from its Hong Kong bank to its supplier’s bank in Thailand. And Danfoss, a Dutch Company, settled for apparent violations involving its UAE subsidiary’s use of a non-U.S. branch of a U.S. bank to facilitate payments to Iran and Syria. In these matters, payments were directly or indirectly processed through U.S. financial institutions, including correspondent banks, causing those U.S. banks to engage in and facilitate prohibited financial transactions related to dealings with sanctioned jurisdictions.
4. Employee training can prevent sanctions violations caused by human error
Employees are often one of the frontline defenses for compliance with U.S. sanctions regimes. In 2022, OFAC’s enforcement actions explicitly flagged investment in the training and development of employees on sanctions compliance procedures as an essential component of sanctions compliance. In OFAC’s settlement with American Express National Bank (“Amex”), OFAC attributed the apparent violations to a combination of human error and internal controls deficiencies. Amex processed transactions for a U.S. customer account with a supplemental cardholder who, subsequent to card issuance, was designated as an SDN. As part of its remediation, Amex conducted various forms of training for relevant personnel, which was viewed favorably by OFAC as a mitigating factor. Similarly, in the Toll settlement described above, OFAC determined that personnel within the company knew or should have known that the payments at issue violated U.S. sanctions prohibitions, and cited as a mitigating factor the company’s implementation of a training program for all relevant employees and training provided for over 500 employees across five countries. And in the Newmont case described below, where the apparent violation occurred due to a Newmont subsidiary employee’s lack of understanding of the relevant U.S. sanctions prohibitions, OFAC explicitly cautioned that inadequate training of employees at non-U.S. subsidiaries and affiliates can result in missed red flags, which in turn can result in sanctions violations.
5. Increased sanctions risk due to M&A and insufficient oversight of subsidiaries
OFAC’s 2022 enforcement actions highlighted its expectation that U.S. companies will conduct sanctions-related due diligence in connection with acquisitions of both U.S. and non-U.S. entities and take active steps to extend their compliance programs—including training and monitoring—to newly acquired or incorporated businesses and employees. Post-transaction, companies should continue to proactively monitor new business elements to identify any sanctions-related issues. Furthermore, subsidiaries should ensure the timely implementation of their parent companies’ global sanctions compliance policies.
In the S&P Global, Inc. (“S&P”) settlement, a recently acquired U.S. subsidiary of S&P extended credit with a maturity date of more than 90 days to a Russian oil company on OFAC’s Sectoral Sanctions Identification (SSI) List, in violation of the debt restrictions set forth under Directive 2 of Executive Order 13662, both before and after S&P’s acquisition. This action reiterated OFAC’s stance that sophisticated companies are responsible for conducting sufficient due diligence prior to acquisitions and comprehensive risk assessments relating to potential sanctions risks, and for implementing the necessary tools to prevent the violations from taking place. Similarly, Toll reached the above-referenced settlement with OFAC after acquiring several small local or regional companies without implementing sanctions compliance policies or controls. These cases demonstrate the importance of identifying and implementing measures to mitigate sanctions risks for rapidly expanding companies.
Similarly, CA Indosuez (Switzerland) (“CAIS”) and C.F.M., indirect subsidiaries of Credit Agricole Corporate and Investment Bank, failed to adhere to the global sanctions compliance program mandated by their parent company, which resulted in the processing of transactions on behalf of persons in sanctions jurisdictions. OFAC cautioned that companies doing business in multiple jurisdictions and across product lines should ensure, on a risk-based basis, the consistent implementation of compliance controls.
6. Be mindful of supply chain risks.
OFAC reaffirmed the importance of U.S. companies ensuring that they have sufficient controls over non-U.S. subsidiaries contracting with suppliers to ensure compliance with U.S. sanctions. An area of risk highlighted by the enforcement action against Newmont Corporation (“Newmont”) is when non-U.S. subsidiaries contract with third parties that are not compliant with U.S. sanctions laws. In the Newmont action, a subsidiary engaged in apparent violations of Cuba sanctions when its distributor imported Cuban-origin goods. The apparent violation was caused by human error due to a lack of comprehensive sanctions compliance training for one of the subsidiaries’ employees. In its web notice, OFAC emphasized the important of conducting due diligence of and instituting strong controls with supplies, including “a thorough examination of risks such as geographic location, type of industry, as well as assessing the status and compliance controls of key partners involved in a company’s transactions, including joint ventures, affiliates, subsidiaries, customers, and suppliers.” Newmont’s apparent distributor, Chisu International Corporation (“Chisu”), a U.S. entity affiliated with a Suriname-based distributor, entered into a parallel OFAC settlement, as discussed further below.
7. Licensable does not mean licensed
In the Nodus International Bank, Inc. (“Nodus”) matter, the bank held several accounts for an SDN that was designated by OFAC in 2017, and the SDN also held an interest in certain securities issued by Nodus prior to the designation. Shortly after learning of the designation, Nodus sought to redeem the SDN’s blocked securities and move the proceeds into a blocked account. Nodus understood that an OFAC license was required for this action and assured its banking regulator, the Commissioner of Financial Institutions of Puerto Rico, that it would apply for the license. Despite Nodus’ assurances, the blocked property was redeemed without an OFAC license. OFAC considered Nodus’ deliberate dealing in blocked property—despite knowledge that an OFAC license was required—as an aggravating factor in determining the settlement amount. This action serves as a reminder that companies must ensure they receive all necessary licenses from OFAC before dealing in blocked property.
8. Use of geolocation controls is fundamental.
OFAC’s settlements with Tango Card, Inc. (“Tango Card”), Kraken, and Bittrex highlight that companies that fail to leverage information in their possession regarding their customers’ and other counterparties’ geolocation data—including but not limited to IP addresses—to comply with U.S. sanctions throughout the course of the counterparty relationship will face enforcement risk. Tango Card, a U.S. company that supplies and distributes electronic rewards, settled apparent violations involving the transmission of over $380,000 in merchant gift cards and promotional debit cards to individuals with email or IP addresses associated with sanctioned jurisdictions. Although Tango Card leveraged geolocation data to screen its direct customers, it failed to implement the same controls to the recipients of rewards. As discussed above, the Bittrex and Kraken actions also involved the failure to properly implement geolocation controls, including with respect to IP address blocking and other location information provided by customers, such as physical addresses and passports.
These enforcement actions highlight OFAC’s position that the use of geolocation tools, including IP blocking, to identify and prevent users with a nexus to sanctioned jurisdictions from engaging in prohibited activities, is a core element of an effective, risk-based sanctions compliance program. Companies should maintain effective, risk-based sanctions compliance programs that leverage geolocation tools and information provided by customers to identify and prevent potential transactions involving sanctioned jurisdictions.
9. Companies of all sizes are responsible for due diligence and sanctions compliance.
In 2022, OFAC affirmed the importance of U.S. sanctions compliance by all companies regardless of size. For example, OFAC entered into a settlement with Chisu, a small, Florida-based distributor overseen by a single individual, for apparent violations relating to the company and its non-U.S. affiliates’ procurement of Cuban-origin explosives and related materials. At the time of the apparent violations, Chisu did not maintain a sanctions compliance program. Regardless of size, companies should maintain appropriate risk-based sanctions compliance tools and establish controls to ensure they are not engaging in prohibited transactions, particularly when conducting cross-border transactions.
10. OFAC continues to rigorously enforce sanctions against Venezuela and Cuba despite the Biden administration’s softening policies towards both countries.
This year, OFAC continued to express its commitment to enforcing Cuban and Venezuelan sanctions regimes despite the Biden administration’s shifting stance on U.S. relations with Cuba and Venezuela. Seven of OFAC’s 16 2022 actions—Airbnb Payments, Bittrex, CAIS, CFM, Chisu, Newmont Corporation, and Tango Card—involved apparent violations of Cuba sanctions. And in its settlement with Banco Popular de PuertoRico, one of two 2022 actions involving Venezuela sanctions, OFAC surprised industry participants by taking action against a financial institutions for dealings with “lower-level” government employees who meet OFAC’s definition of the government of Venezuela. While this interpretation is consistent with OFAC’s guidance (see FAQ 680), this action serves as a wakeup call to financial institutions and other companies to conduct due diligence on their Venezuelan customers to confirm that such individuals are not blocked by virtue of their employment status.
11. Terminating noncompliant employees who flout sanctions is viewed favorably.
As in 2021, in 2022, OFAC demonstrated that it will consider the termination of noncompliant employees as a mitigating remedial factor. In Sojitz HK, OFAC viewed favorably the company’s decision to terminate employees responsible for the apparent violations due to their intentional concealment of information and deliberate disregard for warnings communicated by compliance personnel. This action indicates OFAC’s willingness to credit companies for disciplinary actions when employee conduct is willful as opposed to the product of insufficient awareness of compliance obligations.
OFAC’s enforcement actions over the past year affirm the importance of implementing and maintaining adequate compliance controls for all companies operating internationally. Companies should tailor their compliance mechanisms to ensure that they are commensurate with the sanctions risk posed by their business activities and proactively resolve sanctions compliance-related concerns. Robust compliance programs emphasizing management commitment, risk assessments, internal controls, testing and auditing, and employee training can reduce risk and mitigate penalties.
Law clerk Jermel McClure contributed to this alert.