Global Investigations Review - The law and practice of international investigations

The Guide to Sanctions - First Edition

US Sanctions Enforcement by OFAC and the DOJ

Willkie Farr & Gallagher LLP

Introduction

The US Department of the Treasury’s Office of Foreign Asset Control (OFAC) administers and enforces most economic and trade sanction. Specifically, OFAC administers civil enforcement of US sanctions laws and its regulations are strict liability, meaning that OFAC does not need to prove fault or intent to enter an enforcement action and issue a civil penalty. In addition to OFAC, the US Department of Justice (DOJ) and the US Attorney may pursue criminal investigations and enforcement actions for wilful violations of US sanctions laws. Other regulators, such as the Financial Crimes Enforcement Network (FinCEN) and the New York Department of Financial Services, may impose additional penalties for failure to maintain specific controls to help ensure compliance with OFAC-administered regulations. Both federal and state regulators may pursue enforcement actions for the same conduct simultaneously, which could lead to multiple investigations by multiple entities.

During the past year, OFAC has dramatically increased the number of enforcement actions, with 2019 seeing a record of approximately US$1.3 billion in penalties across nearly 30 enforcement cases. OFAC has pursued novel and more aggressive enforcement theories, including showing a willingness to pierce the corporate veil and pursue enforcement cases for even indirect contact with US financial institutions, and has expanded its territorial jurisdiction in the wake of technological advancement. Notably, there has been little judicial review or oversight of OFAC’s enforcement theories. Almost all cases are settled and very few are challenged in court. Additionally, in enforcement actions concluded after the May 2019 release of OFAC’s ‘A Framework for Compliance Commitments’,[2] OFAC has assessed parties’ compliance with the Framework as an aggravating or mitigating circumstance, tracking the parties’ violation against the Framework. The new trends in enforcement, highlighted by recent OFAC cases, show that a strong compliance programme in line with the Framework is a key factor for parties seeking to avoid OFAC enforcement actions moving forward.

Investigation

Commencement

The US government can learn of a potential sanctions violation in a number of ways, but the primary means of discovery are through voluntary self-disclosures (VSDs), reports of blocked and rejected transactions, referrals from other government agencies, and even publicly available information, such as media reports.

If a company conducts an internal investigation or otherwise learns of a potential violation itself, it may submit a VSD to OFAC. A VSD has many benefits, described further below, including a significant reduction in the base penalty calculation for any potential enforcement action. Depending on the particular circumstances of a violation, the submission of a VSD and subsequent cooperation with OFAC should be carefully considered.

A VSD is not the only means by which the government learns of potential violations. The government frequently learns of violations through reports generated by US persons, primarily banks, that have blocked or rejected a transaction based on a suspected sanctions violation. US persons are required under the sanctions regulations to submit blocking and reject reports to OFAC within 10 business days of the action to block or reject a transaction. Beginning in June 2019, new regulations require that all US persons report rejected trans­actions to OFAC within 10 days.[3] Previously, all parties already had an obligation to report transactions involving blocked property to OFAC, but only US financial institutions had the obligation to report rejected transactions. OFAC may also learn of sanctions violations through anti-money laundering reports, primarily suspicious activity reports (SARs), which are also typically submitted by banks and other financial institutions.

Learning of apparent violations through blocked or rejected transaction reports[4]

In an enforcement action against Hotelbeds USA, OFAC was notified of the apparent violations when a US financial institution blocked a payment relating to a Cuba-travel trans­action and Hotelbeds USA sought a specific licence, which was denied by OFAC, to unblock the funds.

OFAC may also learn of potential violations through other government agencies, including foreign governments. Criminal investigations conducted by the DOJ and other federal and state law enforcement can lead to the discovery of sanctions violations.

Notification

Once OFAC learns of a potential violation and decides to launch an investigation, OFAC may make an initial request for information with an administrative subpoena or, depending on the nature of the violation, direct a more informal set of questions to the involved parties, including non-US persons.

Notably, a 2019 DC Circuit Court decision – which required three Chinese banks, two of which have US branches, to comply with the government’s grand jury subpoenas and document production orders in connection with the violation of the US sanctions on North Korea – expanded the ability of US federal prosecutors to subpoena the financial records of foreign financial institutions during an investigation. The Court held that in instances where a foreign bank has a US branch, it consents to federal court jurisdiction on matters overseen by the Federal Reserve that include money laundering and sanctions violations. The Court also held that the Attorney General’s power under the Bank Secrecy Act to compel a foreign bank to produce documents is not limited to transactions that pass directly through a foreign bank’s US foreign account, but also any foreign records with a connection to the bank’s US correspondent account.

Competent authorities

The authorities responsible for enforcing US sanctions are primarily OFAC (responsible for civil enforcement) and the DOJ (responsible for criminal enforcement). Furthermore, financial regulators, including the New York State Department of Financial Services and the Federal Reserve Board, among others, may impose fines for compliance failures associated with insufficient sanctions compliance programmes.

Substantive offences

Each sanctions programme administered by OFAC is different depending on the aims of the government. OFAC sanctions programmes generally prohibit US persons from engaging in transactions involving designated entities or individuals who engage in, provide material support for, or enter into transactions with parties who engage in or support certain actions. Other sanctions programmes, such as those against Cuba and Iran, are comprehensive in nature, generally prohibiting exports of goods or services by US persons or from the United States to those territories. Regardless, there are common elements for a finding of an apparent violation, generally a breach of regulations for an embargo, specially designated nationals, or sectoral sanctions. OFAC regulations are civil in nature, meaning they do not require mens rea, intent or knowledge for an apparent violation to be found and a penalty to be assessed. However, if the apparent violation included a wilful attempt at evading, avoiding, attempting or conspiring to evade or avoid, or facilitating a prohibited transaction, it could open up the party to criminal liability and prosecution by the DOJ.

OFAC’s enforcement authority and procedures are further defined by OFAC’s general enforcement guidelines at 31 CFR 501 Appendix A. Furthermore, these enforcement guidelines establish the factors for calculating the base penalty amounts, based on a number of specific factors including whether the violation is egregious or non-egregious and whether the violations were voluntarily disclosed to OFAC.

Piercing the corporate veil[5]

In an enforcement action against the General Electric Company (GE), OFAC signalled its willingness to pierce the veil in enforcement cases by entering enforcement proceedings against GE regarding apparent violations by three of its non-US subsidiaries. The three non-US subsidiaries of GE had accepted 289 payments from The Cobalt Refinery Company, a party owned in part by the Cuban government and on OFAC’s list of specially designated nationals.

Indirect contact with US financial institutions[6]

In an enforcement action against British Arab Commercial Bank (BACB), OFAC considered even tenuous and indirect contact with US financial institutions as grounds for an enforcement action. OFAC found that BACB had violated Sudanese sanctions despite the fact that the transactions at issue were not processed to or through the US financial system, the bank did operate a nostro account in a country that imports Sudanese-origin oil to facilitate payments involving Sudan. The bank funded the nostro account with large, periodic US dollar wire transfers from banks in Europe, which in turn transacted with US financial institutions in a manner that violated OFAC sanctions.

Expanded territorial jurisdiction[7]

In an enforcement action against Société Internationale de Télécommunications Aéronautiques SCRL (SITA), OFAC showed its willingness to penalise non-US companies for transactions that would not have been covered by OFAC’s jurisdiction if they had not used US servers. OFAC’s basis for jurisdiction over SITA, a global information technology services provider headquartered in Switzerland and serving commercial air transportation, was that the technology provided to sanctioned parties was hosted on and incorporated functions that routed messages through US servers and contained US origin software.

Enforcement tracked to OFAC’s Framework for Compliance Commitments[8]

In an enforcement action against Eagle Shipping International OFAC stated:
‘As noted in OFAC’s Framework for Compliance Commitments, this case demonstrates the importance for companies operating in high-risk industries (e.g., international shipping and trading) to implement risk-based compliance measures, especially when engaging in transactions involving exposure to jurisdictions or persons implicated by US sanctions.’

The Department of Justice enforces criminal sanctions violations. Criminal liability may be imposed against a person who wilfully commits, wilfully attempts to commit, or wilfully conspires to commit, or aids or abets in the commission of, an unlawful act pursuant to the International Emergency Economic Powers Act (IEEPA), the Act pursuant to which most sanctions regulations are issued. Criminal liability may include a fine of not more than US$1 million or, if a natural person, a prison term of not more than 20 years, or both.[9]

Mitigating and aggravating factors

OFAC regulations outline the general factors that OFAC will consider when making a determination on how to proceed with an apparent violation. Factors that OFAC will consider to be aggravating or mitigating include:

  • wilful or reckless violation of law, including factors such as concealment, a pattern of conduct and management involvement;[10]

OFAC’s enforcement action against UniCredit Bank AG highlighted the bank’s wilful intent to circumvent US sanctions, citing formal UniCredit Bank documents containing policies and procedures that instructed bank personnel to ensure payment structures were formatted in a way to hide the participation of OFAC-sanctioned parties.

  • awareness of the conduct at issue;[11]

OFAC found that Standard Chartered Bank had actual knowledge or reason to know of its apparent violations of several sanctions regulations, including the Cuban Assets Control Regulations and the Iranian Transactions and Sanctions Regulations, which OFAC deemed an aggravating factor.

  • harm to sanctions programme objectives, including factors such as economic benefit to the sanctioned country and whether the conduct was likely to have been eligible for an OFAC licence;[12]

OFAC found that Jiangsu Guiqiang Tools Co Ltd (GQ), a subsidiary of Stanley Black & Decker, Inc, which agreed to pay the penalty for both itself and GQ, harmed the objectives of the Iranian Transactions and Sanctions Regulations by conferring an economic benefit to Iran in a systematic scheme involving the export and attempted export of several shipments of power tools and spare parts to a third country with knowledge that the goods were intended specifically for supply, trans-shipment or re-exportation to Iran.

  • individual characteristics of the party in question, such as commercial sophistication and whether the party has received a penalty notice or a finding of violation from OFAC in the five years preceding the date of the transaction giving rise to the violation;[13]

In OFAC’s enforcement action against Cubasphere Inc for violations of the Cuban Assets Control Regulations, OFAC considered the fact that Cubasphere was a small company with few employees as a mitigating factor. By contrast, in OFAC’s enforcement action against Apollo Aviation Group, LLC (Apollo) for violations of the Sudanese Sanctions Regulations, OFAC highlighted Apollo’s size and sophistication as an aggravating factor.

  • the existence, nature and adequacy of a compliance programme in place at the time of the violation;[14]

In OFAC’s enforcement action against Haverly Systems, Inc for violations of the Ukraine Related Sanctions Regulations, OFAC considered the fact that Haverly did not have a formal OFAC sanctions compliance programme at the time the apparent violations occurred an aggravating factor.

  • the remedial response that the party took upon learning of the violation;[15] and

In OFAC’s enforcement action against PACCAR, Inc on behalf of its wholly owned subsidiary DAF Trucks NV (DAF) for violations of the Iranian Transactions and Sanctions Regulations, OFAC considered the remedial actions taken by DAF a mitigating factor. On learning of the apparent violations, DAF conducted an internal investigation, dismissed employees involved in some of the apparent violations, cancelled the delivery of 20 trucks for customers that appeared to have sold or allowed DAF trucks to be sold to buyers in Iran, provided compliance training annually to DAF subsidiaries and implemented enhanced trade compliance controls in an effort to prevent similar apparent violations from reoccurring.

  • cooperation with OFAC, through a VSD or subsequent cooperation during the investigation (or both).[16]

In OFAC’s enforcement action against Stanley Black & Decker, Inc. and its subsidiary, OFAC found that Stanley Black & Decker’s cooperation with OFAC, including an extensive internal investigation and meaningful responses to OFAC’s requests for additional information was a mitigating factor.

A key factor, as evidenced by recent OFAC decisions, is the existence and maintenance of an adequate compliance programme in line with OFAC’s Framework for Compliance Commitments. In each of the decisions OFAC has published since the Framework was released in May 2019, OFAC has reserved the final paragraph for discussing how the case relates to the Framework and how businesses can mitigate sanctions risks by utilising the Framework.[17]

As with OFAC, the DOJ generally views voluntary disclosure, full cooperation and timely and effective remedial measures as mitigating factors. The guidelines from the DOJ’s updated VSD policy,[18] discussed in further detail below, breaks down full cooperation as:

  • timely disclosure of all facts;
  • proactive cooperation;
  • preservation, collection and disclosure of relevant documents (Guidelines list examples);
  • deconfliction of witness interviews;
  • retention of business records and prohibition of the improper destruction or deletion of those records; and
  • any additional steps that demonstrate recognition of the seriousness of misconduct, acceptance of responsibility and implementation of measures to reduce risk of a repetition of the misconduct.

The updated policy also lays out what the DOJ considers as aggravating factors during an investigation for criminal sanctions violations. The aggravating factors listed by the DOJ include:[19]

  • exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;
  • exports of items known to be used in the construction of weapons of mass destruction;
  • exports to a foreign terrorist organisation or specially designated global terrorist;
  • exports of military items to a hostile foreign power;
  • repeated violations, including similar administrative or criminal violations in the past; and
  • knowing involvement of upper management in the criminal conduct.

The DOJ has also released an update to its ‘Evaluation of Corporate Compliance Programs’[20] guidance document, on 1 June 2020. The ‘Principles of Federal Prosecution of Business Organizations’ include several factors that prosecutors should consider when conducting an investigation of a corporation, including the adequacy and effectiveness of a corporation’s compliance programme at the time of an offence. Maintaining an effective compliance programme may be considered an additional mitigating factor.

When determining whether a corporation has an effective compliance programme, the DOJ considers three main questions:

  • Is the corporation’s compliance programme well designed?
  • Is the compliance programme being applied earnestly and in good faith?
  • Does the corporation’s compliance programme work in practice?

Best practice for corporates in an investigation

Other than self-reporting considerations, discuss what practical steps a corporate should take once an investigation is commenced (e.g., document preservation, internal investigation and actions against employees).

If an investigation has commenced, parties should endeavour to proactively collaborate with the agency conducting the investigation. OFAC enforcement actions have shown that it considers cooperation to be a mitigating factor in an enforcement case and the DOJ has stated that for a party to receive the benefits of a VSD, the party must fully cooperate with the DOJ. Generally, full cooperation includes but is not limited to internal investigations to discover the root cause of an apparent violation, responding to regulators’ requests for additional information in a timely and complete manner, preserving all sensitive or relevant documents, implementing and collaborating with regulators to develop and implement effective remedial measures, and, in the case of a DOJ investigation, deconflicting and making available any potential witnesses. Under no circumstances should parties attempt to hide or destroy evidence of an apparent violation once an investigation has commenced. Any indication of actions opposing an investigation is likely to lead to investigators taking a more hostile approach. Parties should also consider notifying relevant non-US regulators, shareholders, counterparties, insurers and other interested parties.

Self-reporting

Reporting to OFAC

As previously mentioned, OFAC views the self-disclosure of apparent violations favourably. The self-disclosure of a violation can significantly reduce a potential civil penalty amount. To be considered voluntary, a disclosure must be self-initiated and made to OFAC before either OFAC or any government agency or official discovers the apparent violation. Notification of an apparent violation to another government agency, which is considered a VSD by that agency, may be considered a VSD to OFAC case by case. When making a VSD to OFAC, the VSD must include or be followed by a report containing sufficient details to provide a complete understanding of the circumstances of the apparent violation. In some instances, it may be beneficial to the party to make a preliminary disclosure to OFAC before knowing all the facts so to make a timely disclosure yet ensure that the disclosure is voluntary. Parties should also ensure that their VSD and follow-up report contain all the details known at the time they are submitted. Parties submitting VSDs should also be prepared to respond to any follow-up enquiries by OFAC.[21]

However, not all notifications to OFAC of an apparent violation will be considered a VSD. Specifically, a notification will not be considered a VSD if a third party notifies OFAC of the apparent violation or substantially similar apparent violation because it blocked or rejected a transaction, or if the disclosure:

  • includes false or misleading information or is materially incomplete;
  • is not self-initiated;
  • is made without the authorisation of senior management; or
  • is in response to an administrative subpoena or other enquiry form.

Filing a licence application with OFAC is also not considered a VSD.[22]

Reports to OFAC in certain instances are required by OFAC regulations. Specifically, US persons are required to submit reports of rejected and blocked transactions to OFAC within 10 business days of the action.[23] These reports typically are made by financial institutions and must include details of the rejected or blocked transactions, such as the parties, accounts involved, and date and amount of payment. Additionally, annual reports on blocked property must be filed with OFAC by 30 September of each year.[24] It is important to note that these reports will not be considered a VSD to OFAC and the disclosure of violations that OFAC has already been made aware of by a reject or blocking report submitted by another party will not receive the benefits of a VSD.

Reporting to the DOJ

On 13 December 2019, the DOJ released an updated VSD policy.[25] Under the new policy, all business organisations, including financial institutions, are eligible for the full range of benefits of the DOJ’s self-disclosure programme. Although there is no requirement to self-report to DOJ, owing to the timeliness requirements discussed below, a VSD must be made early in the investigation process if it is to receive credit from the DOJ.

Mirroring other DOJ self-disclosure policies, companies are now eligible for credit when they (1) voluntarily self-disclose export control or sanctions violations to National Security Division’s Counterintelligence and Export Control Section (CES), (2) fully cooperate with the investigation, and (3) remediate any violations appropriately and in a timely manner. The threshold for eligibility is self-disclosure of potential violations to CES; self-disclosing to any other regulatory agency does not qualify a party as a self-discloser under the new DOJ policy.

For the purposes of the DOJ’s VSD policy, for a party’s disclosure to be considered voluntary it must be made prior to an imminent threat of disclosure or government investigation, and within a reasonably prompt time after discovery of the offence, and the party must disclose all relevant facts known to it at the time of the disclosure. DOJ recognises that parties may not know all relevant facts at the time of disclosure, especially if the parties submit a VSD based on a preliminary investigation. The policy states that if that is the case, a party should make clear that it is making its disclosure based on a preliminary investigation or assessment of information while still providing all available information.

To receive credit for full cooperation, parties are required to disclose all relevant facts in a timely manner; to cooperate proactively with the DOJ; to preserve, collect and disclose all relevant documents and information; to deconflict witness interviews when required; and to make officers and employees of the party available for interviews by the DOJ when so requested. The policy notes that eligibility for cooperation credit does not depend on the waiver of attorney–client privilege or work-product protection, although experience suggests that the DOJ typically initiates a discussion on privilege at some point during corporate investigations.

Finally, parties are required to demonstrate a thorough analysis of the causes of underlying conduct and, where appropriate, engage in remediation; implement an effective compliance programme; discipline employees identified by the party as responsible for the oversight; retain business records and prohibit the improper destruction of those records; and take any additional steps that demonstrate recognition of the seriousness of a party’s misconduct.

Considerations before self-reporting

In general, costs associated with making a VSD to either OFAC or the DOJ include legal expenses, government scrutiny, reputational harm and, potentially, large monetary penalties. Tied to the additional scrutiny and investigation by government agencies, apparent violations of US sanctions laws other than those disclosed in the VSD may be discovered during the course of an investigation. When parties are deciding whether or not to submit a VSD, they must weigh these negative factors against the likelihood that a government agency independently discovers or is notified by a third party of the apparent violation and the nature and value of the apparent violation.

As mentioned above, a VSD submitted to either OFAC or the DOJ will only be accepted if it is made before there was a significant likelihood that the government would be notified of the apparent violation or otherwise discover it on its own. Additionally, by not making a VSD, parties are forfeiting a valuable opportunity to frame the issue and present any mitigating factors before a government investigation commences.

Considerations before submitting a VSD to OFAC

The submission of a VSD to OFAC can have several benefits, including as a mitigating factor when calculating a penalty or, in some cases, allowing a party to avoid an enforcement action. OFAC may decline to take action if it determines that the conduct does not constitute a violation, or it may decide that the conduct does not warrant a civil monetary penalty and issue a cautionary letter instead. However, the main benefit of a VSD is that, if accepted, the VSD will reduce the base amount of the penalty by approximately 50 per cent in both egregious and non-egregious cases. As mentioned above, VSDs are not the only mitigating factors that OFAC takes into account when determining the amount of a penalty. Parties should immediately take any reasonable remedial measures after discovering the apparent violation and discuss those measures in their submission. Additionally, parties should maintain a compliance programme in line with OFAC’s Framework for Compliance Commitments and, to the extent possible, map the apparent violation against their compliance programme and how the party has remedied, or intends to remedy, the deficiency in its programme that caused the apparent violation.

Further, when submitting a VSD to OFAC, a party must consider the chance that OFAC may launch a broader investigation of the party and find additional, undisclosed violations under one of its many sanctions programmes or violations that cause OFAC to notify other government agencies, including a potential referral to the DOJ for criminal enforcement. While notifications made to other government agencies may be considered a VSD for OFAC enforcement purposes, a VSD to OFAC will not qualify as a VSD made to the DOJ. Therefore, parties should carefully consider if there was an element of wilfulness in the apparent violations or other activity that would be considered criminal in nature and would cause OFAC to refer the case to the DOJ. If a party believes that the case may be referred to the DOJ, it should consider submitting a VSD to the DOJ either prior to, or simultaneously with, submitting its VSD to OFAC to take advantage of the DOJ’s VSD policy.

Considerations before submitting a VSD to the DOJ

If the party satisfies the three requirements of the DOJ’s VSD policy – (1) voluntarily self-disclosing a violation, (2) fully cooperating with the investigation, and (3) remediating any violations appropriately and in a timely manner – there is a presumption that the party will receive a non-prosecution agreement and will pay no fine, absent aggravating factors. Although, even if a party receives a non-prosecution agreement, at a minimum the party will not be permitted to retain any of the unlawfully obtained gain and will be required to pay all disgorgement, forfeiture or restitution resulting from the misconduct.

Additionally, even if aggravating circumstances exist, the DOJ will still recommend a fine of at least 50 per cent less for a qualifying party than otherwise would have been levied, and will not require the imposition of a monitor if the party has implemented an effective compliance programme at the time of resolution. In addition to maintaining compliance programmes in line with OFAC’s Framework, parties should ensure their programmes meet the criteria laid out in the DOJ’s updated ‘Evaluation of Corporate Compliance Programs’ guidance document.

While the new VSD policy certainly has issues that businesses must consider before self-reporting, for businesses and the newly included financial institutions, the revised policy is also a potential lifeline to protect them from large financial penalties and potential criminal prosecution as seen in recent DOJ cases regarding UniCredit,[26] Société Générale[27] and Halkbank.[28] Despite this, there are still issues with the policy that may deter business organisations from submitting VSDs to the DOJ.

One factor to take into consideration under the new policy is that it makes clear that a VSD to a regulatory agency will not be enough to qualify for the benefits of the DOJ policy. This, coupled with the requirement that a VSD be made before any imminent threat of disclosure or government investigation, means that parties must decide early in their investigation of a potential violation of sanctions or export laws if they need to file with both regulatory agencies and the DOJ. Investigations can take unexpected turns, however, transforming an ostensible civil issue into a potential criminal matter if evidence of wilfulness is discovered. However, by filing with the DOJ, a party could expose itself to a potential criminal investigation and heavy, continuing disclosure obligations.

Moreover, the policy applies only to the DOJ and does not bind other regulators, including state banking regulators such as the New York Department of Financial Services. Those other enforcement authorities have their own programmatic mandates, which may be inconsistent with the outcomes available under the new policy. Put differently, self-reporting to the DOJ may earn you the carrot from the DOJ, but you still face the stick from other regulators.

The key to effectively utilising this policy rests in the foundation of a party’s compliance policies and procedures. Even if the policies and procedures fail to prevent a violation from occurring, they can assist a party in quickly determining the nature and degree of the violation. This should help parties recognise earlier in their investigation of a potential violation whether they need to issue a VSD to the DOJ.

Other notification requirements

Outline any ancillary issues, such as notifying lenders or other regulators.

During the past few years, the US Securities and Exchange Commission (SEC) has taken a more active role in regulating economic sanctions. The SEC appears to have taken an interest because of the risks associated with a violation of US sanctions laws. The SEC has used comment letters[29] to request additional information from parties regarding the financial and reputational risks from costly regulatory action that may be associated with their disclosures to OFAC and their business activities in sanctioned countries. The proportion of comment letters discussing sanctions issues has risen from 1.5 per cent in 2014 to 4.5 per cent in 2018.[30] Despite this, the SEC has not traditionally acted as an enforcement agency in the mould of OFAC or the DOJ, only seeking disclosure and reporting of sanctions-related risks.

However, in a recent Foreign Corrupt Practices Act (FCPA) case against Quad/Graphics, the SEC found that, in addition to violating anti-bribery and bookkeeping offences, Quad/Graphics participated in a scheme to circumvent US sanctions and export control laws.[31] The DOJ had declined to prosecute Quad/Graphics despite finding evidence of bribery and did not reference the sanctions evasion scheme.[32] It remains to be seen whether the SEC will continue to use provisions of the FCPA to enforce US sanctions laws. Based on this and the increased frequency of the SEC’s requests for information and disclosure of sanctions-based risks, parties should consider notifying the SEC of apparent violations. However, this should be done while conscious of the requirements for VSD submissions to OFAC and the DOJ.

In addition to the SEC, parties should be aware that OFAC maintains memoranda of understanding (MOUs) with several state and federal banking regulatory agencies.[33] These MOUs outline how OFAC and the banking regulators will share information regarding apparent violations of US sanctions. Banking regulators, such as the Federal Reserve, may impose penalties on the financial institutions they oversee in connection with apparent violations of US sanctions laws. Financial institutions should consider notifying their banking regulators of apparent violations if they plan to submit a VSD to OFAC. However, as discussed in regard to the SEC, this should be done while conscious of the requirements for VSD submissions to OFAC and the DOJ.

Parties should also assess whether the apparent violation of US sanctions laws also violates the sanctions laws of other jurisdictions. For example, if a party operates in both the United States and the United Kingdom and commits an apparent violation that would be in breach of sanctions law in both countries, the party should consider making a disclosure to both OFAC and the UK’s Office of Financial Sanctions Implementation. Foreign regulatory agencies may share information regarding apparent violations directly or learn of an apparent violation if it is published by a foreign regulator. Therefore, a party should ensure that it considers whether its actions violate non-US sanctions laws and whether the party would be subject to the jurisdiction of non-US regulators.

Additionally, parties should be aware of how public perception and negative press relating to the discovery of an apparent violation can materially affect a party’s reputation. A VSD and a detailed plan to implement remediation measures targeting the root cause of the apparent violations may mitigate some of the associated reputational damage. However, regardless of how the apparent violation was reported or discovered, public scrutiny still represents a risk factor for future business partners and investors. As a result, reputational damage could lead to lost opportunities and burdensome due diligence requirements imposed by potential business partners.

Anti-money laundering

If there has been a breach or a suspected breach of financial sanctions, what are the money laundering issues an entity needs to consider and the role of relevant AML regulators?

Suspicious activity reports

As mentioned above, anti-money laundering investigations and investigations of apparent sanctions violations can overlap. Additionally, disclosures to one regulatory authority can notify other authorities of potential violations leading to overlapping investigations for different violations caused by the same action. A financial institution that intentionally attempts to deceive US regulatory authorities or cover up an apparent violation of US sanctions laws, for example, is likely to simultaneously engage in violations of anti-money laundering laws.[34]

Under the Bank Secrecy Act (BSA), financial institutions[35] are required to report ‘any suspicious transaction relevant to a possible violation of law or regulation’. FinCEN has issued regulations implementing the BSA requiring certain financial institutions, including banks, securities broker-dealers, introducing brokers, casinos, futures commission merchants and money services businesses, to report any suspicious activity above a certain dollar threshold in a SAR. Each industry has its own form and, generally, the report must be submitted within 30 days of the detection of the suspicious activity.

As discussed in earlier sections of this chapter, OFAC requires financial institutions to submit reports regarding any transactions that were rejected or blocked as a result of the involvement of an individual or party on OFAC’s list of specially designed nations. These transactions would be considered suspicious activity under the BSA owing to the fact that they violate US sanctions regulations and financial institutions would be required to submit a SAR to FinCEN. However, FinCEN’s requirements will be satisfied by filing a rejection or blocking report to OFAC. OFAC will then pass the information to FinCEN, where the activity will be logged in the suspicious activity reporting database and become available to law enforcement agents.

As discussed above, a notice of an apparent violation through a third-party rejection or blocking report will negate any benefit that a party may have received from submitting a VSD. Additionally, because the information filed in a reject or blocking report will be passed to FinCEN and made available to law enforcement, it could trigger additional investigations relating to money laundering or other civil and criminal offences. Parties should be aware of how these regulators share information and how a third-party report may trigger multiple investigations from several government agencies, and negate any benefit the party would receive from self-reporting the apparent violation.

Resolution of investigations

OFAC has a variety of enforcement options available to it upon learning of a potential violation of US sanctions. If OFAC determines that there is insufficient evidence of a violation but that the activity in question could lead to a violation, OFAC may issue a cautionary letter. A cautionary letter will generally lay out OFAC’s concerns about the underlying conduct or concerns regarding the compliance policies, practices and procedures that led to the apparent violation. If OFAC determines that a violation has occurred but that a civil monetary penalty is not appropriate, OFAC may issue a finding of violation.[36] Although there is no monetary penalty involved, OFAC announces findings of violations in press releases and publishes a notice containing the description of the violations and its analysis, which can cause reputational damage to a party.

Similarly, the DOJ has a variety of enforcement options available to it when closing a case. First, it may choose to resolve a case using a deferred prosecution agreement (DPA) or a non-prosecution agreement (NPA). Under a DPA, the DOJ will bring charges against the party committing the violation but agrees not to proceed with those charges so long as the party follows a negotiated set of requirements or conditions. Under an NPA, the DOJ will not file charges against the party and will generally require the party to comply with certain conditions or pay a fine. Additionally, DPAs and NPAs may impose a corporate monitor on the party to the agreement. The party bears the costs of the corporate monitor and the scope of the monitor’s oversight responsibilities are negotiated by the party and the DOJ. The DOJ may also seek the forfeiture of assets relating to the apparent violation as part of the penalties assessed against the party.

Cautionary letter[37]

In OFAC’s enforcement action against AppliChem GmbH, OFAC noted that it had previously issued a cautionary letter to Illinois Tool Works Inc, a US company that acquired AppliChem, regarding AppliChem’s post-acquisition sales to Cuba.

OFAC may also impose a civil monetary penalty upon determining that a violation has occurred. These penalties will be determined in line with OFAC guidelines and subject to the mitigating and aggravating factors described above. Parties may also decide to enter into a settlement with OFAC to reduce their maximum exposure to penalties. Settlement discussions may be initiated by OFAC or the party that committed the apparent violation. Settlements can be made before or after the issuance of a pre-penalty notice and may also include multiple apparent violations, even if they are covered under separate pre-penalty notices. Notably, OFAC settlements may be a part of a comprehensive settlement with other federal, state or local agencies.

Global settlement[38]

UniCredit Bank AG agreed to pay approximately US$611 million to OFAC as part of a larger, US$1.3 billion settlement with federal and state government partners.

Finally, OFAC may refer a case to appropriate law enforcement if it determines that the activity warrants a criminal investigation or prosecution (or both). If the DOJ initiates an investigation either through a referral by another government agency or independent discovery of an apparent violation, the offending party may be charged under numerous criminal statutes depending on the nature of the violation. For example, a single party may be charged for a wilful violation of IEEPA while simultaneously being charged for fraud, criminal money laundering and other offences committed in coordination with the apparent violation.[39] These could lead to significant monetary penalties and potential imprisonment for individuals involved in the apparent violation.


Footnotes

1 David Mortlock is a partner and Nikki Cronin and Ahmad El-Gamal are associates at Willkie Farr & Gallagher LLP.

2 US Department of the Treasury, ‘A Framework for OFAC Compliance Commitments’, at https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf.

3 See 31 C.F.R. Part 501.

4 See OFAC ‘Enforcement Information for June 13, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190612_hotelbeds.pdf.

5 See OFAC ‘Enforcement Information for October 1, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20191001_ge.pdf.

6 See OFAC ‘Enforcement Information for September 17, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190917_bacb.pdf.

7 See OFAC ‘Enforcement Information for February 26, 2020’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200226_sita.pdf.

8 See OFAC ‘Enforcement Information for January 27, 2020’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200127_eagle.pdf.

9 50 U.S.C. 1705(c).

10 See OFAC ‘Enforcement Information for April 15, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190415_uni_webpost.pdf.

11 See OFAC ‘Enforcement Information for April 9, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190408_scb_webpost.pdf.

12 See OFAC ‘Enforcement Information for March 27, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190327_decker.pdf.

13 See OFAC ‘Enforcement Information for June 13, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190612_cubasphere.pdf; and OFAC ‘Enforcement Information for November 7, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20191107_apollo.pdf.

14 See ‘OFAC Enforcement Information for April 25, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190425_haverly.pdf.

15 See ‘OFAC Enforcement Information for August 6, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190806_paccar.pdf.

16 See ‘OFAC Enforcement Information for March 27, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190327_decker.pdf.

17 See ‘OFAC Enforcement Information for February 26, 2020’, Société International de Télécommunications Aéronautiques SCRL, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200226_sita.pdf (‘As noted in OFAC’s Framework for Compliance Commitments issued in May 2019, companies can mitigate sanctions risks by conducting risk assessments and exercising caution when engaging in business transactions with entities that are affiliated with, or known to transact with, OFAC-sanctioned persons or jurisdictions, or otherwise pose high risks due to their joint ventures, affiliates, subsidiaries, customers, suppliers, geographic location, or the products and services they offer.’)

18 US Department of Justice [DOJ], National Security Division, ‘Export Control and Sanctions Enforcement Policy for Business Organizations’ (13 December 2019), at https://www.justice.gov/nsd/ces_vsd_policy_2019/download.

19 id.

20 DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated June 2020), at https://www.justice.gov/criminal-fraud/page/file/937501/download.

21 31 C.F.R. 501 Appendix A (I)(I).

22 id.

23 31 C.F.R. 501.603 and 501.604.

24 id.

25 DOJ, National Security Division, ‘Export Control and Sanctions Enforcement Policy for Business Organizations’ (13 December 2019), at https://www.justice.gov/nsd/ces_vsd_policy_2019/download.

29 SEC ‘comment letters’ refer to either letters submitted in response to requests for public comment, or, in this instance, to correspondence between SEC staff and SEC filers. The SEC may use comment letters to request that a party provide additional supplemental information, revise disclosure in a document on file with the SEC, provide additional disclosure in a document on file with the SEC, or provide additional or different disclosure in a future filing with the SEC. There may be several rounds of letters as the SEC’s staff and the filer work to resolve a particular issue.

30 Menghi Sun and Mark Maurer, ‘SEC Questions More Companies About Sanctions Disclosures’, Wall Street Journal (28 August 2019) (citing Audit Analytics), at https://www.wsj.com/articles/sec-questions-more-companies-about-sanctions-disclosures-11567018243.

31 See Securities and Exchange Commission press release of 26 September 2019, at https://www.sec.gov/news/press-release/2019-193.

32 See DOJ Response Letter, Re: Quad/Graphics Inc, at https://www.justice.gov/criminal-fraud/file/1205341/download.

33 The US Department of the Treasury maintains a list of memoranda of understanding between OFAC and state and federal banking regulators at https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/reg_mou-index.aspx.

34 An example of simultaneous sanctions and anti-money laundering enforcement can be found in the ongoing case of Halkbank. The Turkish state-owned bank allegedly participated in a multibillion-dollar scheme to evade US sanctions on Iran, including facilitating fraudulent transactions designed to appear to be purchases of food and medicine. The DOJ referenced the knowing involvement of senior officers at the bank and discussions on how best to structure transactions to evade scrutiny by US regulators. As is often the case with schemes to avoid sanctions, Halkbank violated anti-money laundering laws by using fraudulent pretences and representations to defraud financial institutions. See United States v. Halkbank, Superseding Indictment S6 15 Cr. 867 (RMB), at https://www.justice.gov/opa/press-release/file/1210396/download.

35 The Bank Secrecy Act defines ‘financial institutions’ at 31 U.S.C. 5312. This list at 31 U.S.C. 5312(a)(2) includes, but is not limited to, insured banks, commercial banks or trust companies, private bankers, brokers and dealers in securities or commodities, investment bankers or companies, insurance companies, certain casinos and any businesses or agencies that engage in any activity which the Secretary of the Treasury determines, by regulation, to be an activity that is similar to, related to, or a substitute for any activity in which any business described in 31 U.S.C. 5312(a)(2) is authorised to engage.

36 See US Department of the Treasury, ‘Enforcement Release April 30, 2020: OFAC Issues a Finding of Violation to American Express Travel Related Services Company for Violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200430_amex.pdf.

37 See ‘OFAC Enforcement Information for February 14, 2019’, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190214_applichem.pdf.

38 See, e.g., US Department of the Treasury press release, ‘U.S. Treasury Department Announces Settlement with UniCredit Group Banks’ (15 April 2019), at https://home.treasury.gov/news/press-releases/sm658.

39 See DOJ press release of 15 October 2019, at https://www.justice.gov/opa/pr/turkish-bank-charged-manhattan-federal-court-its-participation-multibillion-dollar-iranian (‘[Halkbank] was charged today in a six-count indictment with fraud, money laundering, and sanctions offenses related to the bank’s participation in a multibillion-dollar scheme to evade U.S. sanctions on Iran.’)

Previous Chapter:US Sanctions

Next Chapter:Navigating Conflicting Sanctions Regimes