Back in July, we took a look at the enforcement actions for the first half of 2021 issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Today’s post – the second half of our OFAC 2021 Year in Review – updates our July summary and provides what we believe are the top dozen (with a lucky thirteenth added for good measure) lessons that industry should glean from these enforcement cases.
By year-end, OFAC announced 20 public enforcement actions across 13 different sanctions regimes for a total of over $20.8 million in penalties/settlements. OFAC exceeded last year’s total of 17 public actions, but fell short of the more than $23.6 million in civil monetary fines imposed in 2020. Settlement amounts in 2021 were lower, on average, than in 2020 and far smaller than in previous decades when OFAC’s wire stripping cases against major financial institutions frequently resulted in settlements in the hundreds of millions of dollars. Given these recent lower settlement amounts, OFAC started off 2021 with a bang, publishing its 2020 settlement with Union de Banques Arabes et Françaises in the amount of $8.57 million. The next largest penalty announced last year was against Bank of China (UK) Limited for $2.32 million.
Although OFAC continued to bring traditional enforcement actions for prohibited dealings with sanctioned jurisdictions, 2021 saw a rise in enforcement actions against providers of virtual goods and services. These included a cloud-based software services provider, a virtual currency processor, and an online money transmitter. A major issue for many of these companies was not knowing that their customers or ultimate end users resided in or operated from sanctioned jurisdictions, and these companies quickly learned that ignorance is no defense when it comes to sanctions compliance, as OFAC sanctions are a strict liability regime.
Below we highlight significant lessons learned from OFAC’s 2021 enforcement actions that we believe the private sector should heed.
OFAC’s 2021 actions continued to highlight that clearing through or otherwise touching the United States creates a U.S. nexus for any transaction, including transfers involving U.S. dollar accounts and parties outside of the United States, foreign exchange transactions, and exchanges of digital currency.
OFAC’s 2021 enforcement actions highlighted its expectation that companies with a U.S. nexus will use technological controls to prevent access from sanctioned jurisdictions. Continuing related enforcement from 2020, seen in OFAC’s public actions against BitGo, Inc. and Amazon, OFAC settled with Payoneer, a New York-based online money transmitter, in July 2021, in the amount of $1.38 million for processing 2,220 transactions for parties in sanctioned jurisdictions. Of the various compliance control breakdowns, OFAC cited as an aggravating factor that Payoneer had reason to know the locations of its users based on common indicators of location like billing, shipping, and IP addresses. In the BitPay case noted above, BitPay processed transactions on behalf of customers likely located within sanctioned jurisdictions that could have been identified and stopped by IP address screening. OFAC also noted this deficiency in its case against SAP SE, discussed below.
OFAC’s enforcement case against SAP SE (SAP) emphasizes that U.S.-origin services – such as software and cloud-based services – cannot be accessed remotely from outside the United States to benefit parties in sanctioned jurisdictions like Iran. In the April 2021 settlement, totaling $2.13 million, OFAC found SAP liable for the prohibited export of software and related services to Iranian end-users. SAP, a software company headquartered in Germany, relied on third-party resellers to deliver a portion of its products and services to end-users. Several of these resellers then provided SAP’s U.S.-origin services to users in Iran. This case provides a warning to third‑country companies to avoid using U.S.-based software or cloud services when doing business in sanctioned jurisdictions. In addition to its settlement with OFAC, SAP also entered into the first non-prosecution agreement with the U.S. Department of Justice under the Department’s new export control and sanctions voluntary self-disclosure policy, as well as a settlement with the U.S. Department of Commerce’s Bureau of Industry and Security, resulting in combined penalties of more than $8 million.
In the first of two matters OFAC settled simultaneously in December 2021, for a total of $115,005 with TD Bank, N.A. (TD Bank), OFAC found that TD Bank opened nine accounts and processed 1,479 transactions for five employees of the North Korean mission to the United Nations, despite all presenting North Korean passports. Because TD Bank relied heavily on a vendor-supplied screening list that focused on politically exposed persons, the North Korean passports did not trigger an alert during customer screening. Afterwards, TD Bank employees misidentified North Korea as Korea or South Korea or left the citizenship field blank in the customer profiles, preventing TD Bank’s screening from flagging these accounts. This matter highlights the importance of all companies both collecting basic information such as nationality regarding their customers, employees, and other third-party relationships and screening that information to ensure that these persons are not citizens of, do not reside in, and do not work from comprehensively sanctioned jurisdictions (e.g., Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine/Russia).
For many (perhaps most) companies, sanctions compliance tends to focus on ensuring no activity involving (1) comprehensively sanctioned jurisdictions; or (2) sanctioned parties (including those owned 50 percent or more by other sanctioned parties). Particularly since the 2014 invasion of Ukraine by Russia, and the subsequent introduction of sectoral sanctions by the United States (and the European Union), sanctions compliance programs also need to focus on compliance with sectoral sanctions on Russia (and Venezuela), particularly OFAC’s Directives 1 to 4 issued pursuant to Executive Order 13662 (and the still relatively new Directive 1 issued pursuant to Executive Order 14024). Cameron International Corporation (Cameron), a Texas-based supplier of goods and services for the oil and gas industries, discovered this requirement the hard way when it settled with OFAC for $1.42 million in September 2021, for violations of Directive 4. OFAC found that Cameron’s U.S. person senior managers approved contracts for its Romanian subsidiary to supply goods to the Russian energy firm Gazprom-Neft Shelf, which is subject to Directive 4 restrictions, for an Arctic offshore oil project.
OFAC expects all companies to maintain a compliance program commensurate with size and sophistication. Although large multinational companies and financial institutions face heightened scrutiny, OFAC expects even companies operating predominantly within the United States and/or working on U.S. government contracts to implement compliance procedures. It is also important to remember that, although not common, sanctioned individuals named on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List) live in the United States, within federal prisons and elsewhere. Companies should screen even domestic transactions where appropriate, particularly when dealing with high-risk populations.
As economies and supply chains become increasingly globalized, U.S. companies must ensure they have sufficient controls over non-U.S. subsidiaries. One area of risk – seen in the Cameron matter detailed above – is where U.S.-based personnel are involved in facilitating activities that their non-U.S. subsidiaries legally can do, but that the U.S. parent or other U.S. persons cannot. Another area of risk is that many U.S. parent entities and their non-U.S. subsidiaries often forget that for U.S. sanctions on Cuba and Iran (and North Korea for financial institutions), the non-U.S. subsidiary must comply with those prohibitions even when acting without any other U.S. nexus. Last August, OFAC settled for $862,318 with First Bank SA (First Bank) located in Romania, and its U.S. parent company, JC Flowers & Co., for First Bank’s processing of euro-denominated payments for persons located in Iran, which, as a subsidiary of a U.S. company, First Bank was forbidden to do. First Bank was also penalized for processing U.S. Dollar payments through the U.S. financial system for persons located in Iran and Syria.
Each company within a supply chain must properly conduct diligence on trading partners, regardless of role. OFAC expects companies to: (1) vet trading partners, (2) verify their compliance when able, and (3) respond appropriately to red flags.
Given the strict liability nature of U.S. sanctions where parties can be held liable for trading partners’ noncompliance with sanctions, it may frequently be prudent to enter into compliance commitments with trading partners. OFAC views efforts to request and audit these types of commitments favorably and highlighted the following examples as mitigating factors in recent enforcement actions: (1) requiring all intermediaries to sign anti-diversion agreements with specific OFAC sanctions compliance commitments (BMJ), (2) requiring intermediary and final customers to sign end-user certificates (UniControl), and (3) implementing risk assessments and third-party audits for reseller relationships (SAP).
U.S. sanctions are constantly evolving and OFAC expects companies to update their sanctions compliance programs accordingly. Key areas to consider include: (1) updating screening procedures; (2) addressing compliance gaps as they appear; (3) implementing compliance programs correctly; and (4) severing high-risk business ties, where appropriate.
Several 2021 cases involve companies terminating employees involved in the potential violations.
In the Alliance case discussed above – where its chief engineer outsourced labor to an Iranian engineering company – the remedial actions included both ending dealings with the Iranian company and terminating the chief engineer. Similarly, SAP fired five employees who were either involved or complicit in facilitating trade to Iran through third-party resellers. OFAC also looked favorably on Schlumberger Rod Lift, Inc. (SRL), removing personnel who – having been informed that Sudan was at the time under comprehensive U.S. sanctions – were involved in routing field equipment from a Canadian subsidiary through a Chinese joint venture for eventual delivery in Sudan. OFAC considers such proactive behavior to be a mitigating factor in assessing penalties against the company, and emphasizes the importance of individual employees taking appropriate steps to ensure sanctions compliance. OFAC’s September 2021 settlement amount for SRL came to $160,000.
Not only may individuals face termination or reprimands for actions on the job involving apparent violations of sanctions, but they may also – in exceedingly rare cases – find themselves personally on the hook for a penalty. In a December 2021 case referenced only by OFAC as against “An Individual,” OFAC settled with a U.S. person for $133,860 for accepting into his personal bank account payments on behalf of an Iranian cement company. The individual coordinated with a family member who worked at the Iranian company on the sale of Iranian-origin cement clinker to a third-country company; he also had previously sought an OFAC license for other transactions involving Iran, which had been denied. OFAC mitigated the penalty because the individual received minimal, if any, economic benefit from the transaction and had financial difficulties affecting his ability to pay.
In 2021, OFAC entered into four settlements – Schlumberger Rod Lift, Bank of China (UK) Limited, Payoneer, and BitPay – for apparent violations and issued one finding of violation (for Mashreqbank) related to the now-repealed Sudan sanctions program. In October 2017, then-President Obama repealed Sudan-specific sanctions based on that government’s positive actions, including improvement of humanitarian access and cooperation with the United States on addressing regional conflicts. However, even though OFAC removed the Sudanese Sanctions Regulations (SSR) from the Code of Federal Regulations, the agency still may investigate and bring enforcement actions for violations that occurred before the October 2017 repeal.
For example, OFAC entered into a $2.32 million settlement in August 2021 with Bank of China (UK) Limited (BOC UK) for processing 111 commercial transactions in violation of the SSR from September 2014 to February 2016. The settlement was the second largest of the year. BOC UK discovered the violations after conducting an internal investigation triggered by a Sudanese customer’s request to process a payment. BOC UK’s internal customer database did not include references to Sudan in the name or address fields of two Sudan-linked customers. Failure to appropriately evaluate and flag these transactions resulted in BOC UK processing 111 payments through U.S. correspondent banks for the two Sudan-linked customers.
Compliance programs conducting internal audits should be mindful of both active sanctions programs and inactive programs effective during the audited timeframe.
OFAC’s enforcement actions over the past year reinforce the importance of rigorous sanctions compliance for all companies, from the largest corporations operating globally to U.S. companies focused on the U.S. market to non-U.S. companies with only limited exposure to U.S. markets. Strong compliance programs emphasizing management commitment, risk assessments, internal controls, testing and auditing, and training can reduce risk and mitigate penalties. Morrison & Foerster’s National Security Practice Group continues to stand ready to offer counsel on the scope and sufficiency of corporate sanctions compliance programs and, where compliance efforts may have failed, guidance on resolving potential enforcement matters.