US Sanctions Enforcement by OFAC and the DOJ

This is an Insight article, written by a selected partner as part of GIR's co-published content.


The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces most economic and trade sanctions. Specifically, OFAC is responsible for civil enforcement of US sanctions laws, and its regulations are enforced on a strict liability basis, meaning that OFAC does not need to prove fault or intent to enter an enforcement action and issue a civil penalty. In addition to OFAC, the US Department of Justice (DOJ) and the US Attorney may pursue criminal investigations and enforcement actions for wilful violations of US sanctions laws. Federal criminal prosecutions of sanctions violations are generally conducted on referral by OFAC, although the DOJ may choose to pursue some cases on its own initiative.[2] Other regulators, such as the Financial Crimes Enforcement Network (FinCEN) and the New York State Department of Financial Services, may impose additional penalties for failure to maintain specific controls to help ensure compliance with OFAC-administered regulations. Both federal and state regulators may pursue enforcement actions for the same conduct simultaneously, which could lead to multiple investigations by multiple entities. In 2019, then OFAC Director Andrea Gacki made it clear that OFAC would no longer give credit for all types of fines paid to other agencies in global, multi-agency settlements.[3] This change in how OFAC calculates fines could lead to increased penalties in global settlement agreements where OFAC would have taken into account the amount of fines and penalties being levied by other agencies when determining the final penalty amount.

During 2020, the number of enforcement actions closed and published by OFAC decreased significantly when compared to 2019. 2020 saw approximately US$23 million in penalties across 16 enforcement actions compared to approximately US$1.3 billion in penalties across 26 enforcement cases in 2019. One potential cause of this decrease may be the disruption caused by the COVID-19 pandemic throughout 2020 and early 2021, but it could also be a continuation of the yearly fluctuation and variance in the number of cases closed by OFAC. It remains to be seen whether the number of cases will continue to trend upwards or remain steady once a sense of normalcy has returned. Despite the decreased number of closed and published enforcement actions, OFAC has continued to pursue novel and more aggressive enforcement theories, including showing a willingness to pierce the corporate veil and pursue enforcement cases for even indirect contact with US financial institutions and expanding its jurisdiction in the wake of technological advancement. OFAC also published its first enforcement action related to digital currency transactions on 30 December 2020, followed closely by a second enforcement action related to digital currency transactions in February 2021, indicating that the agency is ready to aggressively pursue enforcement actions against apparent violations involving digital currency transactions nearly two years after the publication of FAQs 559–563.[4]

Notably, there has been little judicial review or oversight of OFAC’s enforcement theories. Almost all cases that are not resolved by no-action or cautionary letters are settled, and very few are challenged in court. However, there are exceptions to this general trend, including Exxon Mobil Corporation’s challenge of a US$2 million civil penalty imposed by OFAC, which resulted in the penalty being vacated by a District Court in the Northern District of Texas on the grounds that OFAC failed to provide fair notice regarding the agency’s interpretation of the relevant sanctions regulations.[5] Additionally, in enforcement actions concluded after the May 2019 release of OFAC’s ‘A Framework for Compliance Commitments’ (the Framework),[6] OFAC has assessed parties’ compliance with the Framework as an aggravating or mitigating circumstance, tracking the parties’ violation against the Framework. The new trends in enforcement, highlighted by recent OFAC cases, show that a strong compliance programme in line with the Framework is a key factor for parties seeking to avoid OFAC enforcement actions moving forward.



The US government can learn of a potential sanctions violation in a number of ways, but the primary means of discovery are through voluntary self-disclosures (VSDs), reports of blocked and rejected transactions, referrals from other government agencies, and even publicly available information, such as media reports.

If a company conducts an internal investigation or otherwise learns of a potential violation itself, it may submit a VSD to OFAC. A VSD has many benefits, described further below, including a significant reduction in the base penalty calculation for any potential enforcement action. Depending on the particular circumstances of a violation, the submission of a VSD and subsequent cooperation with OFAC should be carefully considered.

A VSD is not the only means by which the government learns of potential violations. The government frequently learns of violations through reports generated by US persons, primarily banks, that have blocked or rejected a transaction based on a suspected sanctions violation. US persons are required under the sanctions regulations to submit blocking and reject reports to OFAC within 10 business days of the action to block or reject a transaction. Beginning in June 2019, new regulations require that all US persons report rejected transactions to OFAC within 10 days.[7] Previously, all parties already had an obligation to report transactions involving blocked property to OFAC, but only US financial institutions had the obligation to report rejected transactions. OFAC may also learn of sanctions violations through anti-money laundering reports, primarily suspicious activity reports (SARs), which are also typically submitted by banks and other financial institutions.

Learning of apparent violations through blocked or rejected transaction reports[8]

In an enforcement action against Hotelbeds USA, OFAC was notified of the apparent violations when a US financial institution blocked a payment relating to a Cuba-travel transaction and Hotelbeds USA sought a specific licence to unblock the funds, which was denied by OFAC.

OFAC may also learn of potential violations through other government agencies, including foreign governments. Criminal investigations conducted by the DOJ and other federal and state law enforcement can lead to the discovery of sanctions violations.


Once OFAC learns of a potential violation and decides to launch an investigation, OFAC may make an initial request for information with an administrative subpoena or, depending on the nature of the violation, direct a more informal set of questions to the involved parties, including non-US persons.

Notably, a 2019 DC Circuit Court decision – which required three Chinese banks, two of which have US branches, to comply with the government’s grand jury subpoenas and document production orders in connection with the violation of the US sanctions on North Korea – expanded the ability of US federal prosecutors to subpoena the financial records of foreign financial institutions during an investigation.[9] The Court held that in instances where a foreign bank has a US branch, it consents to federal court jurisdiction on matters overseen by the Federal Reserve including money laundering and sanctions violations.[10] The Court also held that the Attorney General’s power under the Bank Secrecy Act to compel a foreign bank to produce documents is not limited to transactions that pass directly through a foreign bank’s US foreign account, but also any foreign records with a connection to the bank’s US correspondent account.[11]

The DOJ’s authority to issue subpoenas to foreign financial institutions was expanded under the Anti-Money Laundering Act of 2020 (AMLA). In addition to having the authority to issue subpoenas to foreign financial institutions that maintain a correspondent account in the United States for records related to the correspondent account, the AMLA expanded the DOJ’s subpoena power to cover ‘any account at the foreign bank, including records maintained outside of the United States’ if those records are part of a broad list of enforcement actions, including criminal prosecutions or violations of the Bank Secrecy Act (BSA).[12]

Competent authorities

The authorities responsible for enforcing US sanctions are primarily OFAC (responsible for civil enforcement) and the DOJ (responsible for criminal enforcement). Furthermore, financial regulators, including the New York State Department of Financial Services and the Federal Reserve Board, among others, may impose fines and other penalties for compliance failures associated with insufficient sanctions compliance programmes.

Substantive offences

Each sanctions programme administered by OFAC is different depending on the aims of the government. OFAC sanctions programmes generally prohibit US persons from engaging in transactions, directly or indirectly, involving designated individuals or entities (persons). Other sanctions programmes, such as those against Cuba and Iran, are comprehensive in nature, generally prohibiting exports of goods or services by US persons or from the United States to those territories. Regardless, there are common elements for a finding of an apparent violation, generally a breach of regulations for an embargo or transaction involving specially designated nationals and blocked persons or entities subject to sectoral sanctions. OFAC regulations are civil in nature, meaning they generally do not require mens rea, intent or knowledge for an apparent violation to be found and a penalty to be assessed. However, if the apparent violation included a wilful attempt at evading, avoiding, attempting or conspiring to evade or avoid, or facilitating a prohibited transaction, it could expose the party to criminal liability and prosecution by the DOJ.

OFAC’s enforcement authority and procedures are further defined by OFAC’s general enforcement guidelines at 31 CFR 501 Appendix A. These enforcement guidelines establish the factors for calculating the base penalty amounts, based on a number of specific factors including whether the violation is egregious or non-egregious and whether the violations were voluntarily disclosed to OFAC.

Piercing the corporate veil[13]

In an enforcement action against the General Electric Company (GE), OFAC signalled its willingness to pierce the veil in enforcement cases by entering enforcement proceedings against GE regarding apparent violations by three of its non-US subsidiaries. The three non-US subsidiaries of GE had accepted 289 payments from the Cobalt Refinery Company, a party owned in part by the Cuban government and on OFAC’s list of specially designated nationals and blocked persons. Foreign persons that are owned or controlled by a US person are required to comply with the restrictions imposed by the Cuban Assets Control Regulations.

In an enforcement action against Berkshire Hathaway Inc, OFAC again pierced the veil by entering an enforcement proceeding against Berkshire for apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR) by its indirectly wholly owned Turkish subsidiary. These actions were conducted under the direction of certain senior managers in Turkey, despite Berkshire and other Berkshire subsidiaries’ repeated communications and policies sent to the Turkish subsidiary regarding US sanctions against Iran and the application of the ITSR to its operations in Turkey. The ITSR explicitly state that a penalty shall be imposed against the US parent for a foreign subsidiary’s prohibited dealings with Iran.

Indirect contact with US financial institutions[14]

In an enforcement action against British Arab Commercial Bank (BACB), OFAC considered even tenuous and indirect contact with US financial institutions as grounds for an enforcement action. OFAC found that BACB had violated Sudanese sanctions despite the fact that the transactions at issue were not processed to or through the US financial system. BACB operated a nostro account in a country that imports Sudanese-origin oil for the stated purpose of facilitating payments involving Sudan. The bank funded the nostro account with large, periodic US dollar wire transfers from banks in Europe, which in turn transacted with US financial institutions in a manner that violated OFAC sanctions.

Expanded jurisdiction[15]

In an enforcement action against Société Internationale de Télécommunications Aéronautiques SCRL (SITA), OFAC showed its willingness to penalise non-US companies for transactions that would not have been covered by OFAC’s jurisdiction if they had not used US servers. OFAC’s basis for jurisdiction over SITA, a global information technology services provider headquartered in Switzerland and serving commercial air transportation, was that the technology provided to sanctioned parties was hosted on and incorporated functions that routed messages through US servers and contained US-origin software.

Enforcement tracked to OFAC’s Framework for Compliance Commitments[16]

In an enforcement action against Eagle Shipping International, OFAC stated: As noted in OFAC’s Framework for Compliance Commitments, this case demonstrates the importance for companies operating in high-risk industries (e.g., international shipping and trading) to implement risk-based compliance measures, especially when engaging in transactions involving exposure to jurisdictions or persons implicated by US sanctions.

Scrutiny of the cryptocurrency industry[17]

In an enforcement action against BitGo, Inc, OFAC signalled its intent to enforce sanctions compliance in the cryptocurrency industry. The apparent violations involved users located in sanctioned jurisdictions signing up for and accessing BitGo’s secure digital wallet management services to engage in digital currency transactions. Despite having access to the IP addresses of its customers, tracked at the time for security purposes related to logins, BitGo did not use that information for sanctions compliance purposes. OFAC highlighted the importance of entities involved in providing digital currency services implementing sanctions compliance controls commensurate with their risk profile. The fact that BitGo did not implement appropriate, risk-based sanctions compliance controls and the fact that it had reason to know the users were located in sanctioned jurisdictions based on their IP addresses were seen as aggravating factors.

In an enforcement action against BitPay, Inc, OFAC signalled that companies involved in providing digital currency services would be subject to the same compliance requirements as financial institutions. BitPay offers a payment processing solution for its direct merchant customers to accept digital currency. Specifically, BitPay would receive digital currency payments on behalf of its merchant customers and convert the digital currency to fiat currency before relaying that currency to the merchant. While BitPay screened its direct customers, BitPay failed to screen location data it obtained about its merchant buyers. As a result, BitPay processed 2,102 transactions on behalf of individuals located in sanctioned jurisdictions.

Conducting transactions indirectly that would otherwise be considered a violation[18]

In an enforcement action against Generali Global Assistance, Inc (GGA), OFAC highlighted the importance of ensuring that sanctions compliance policies and procedures address both direct and indirect sanctions compliance risks. GGA served as a travel services provider on behalf of two Canadian insurers that offered policies for Canadian subscribers who travelled to Cuba, providing medical expense claim processing and payment services to one of the Canadian insurers. For payments intended for Cuban service providers, GGA would intentionally refer the requests to a Canadian affiliate and then reimburse that affiliate for the amounts paid. In the enforcement action, OFAC specifically noted the sanctions risks of implementing a procedure to process, indirectly, transactions whose direct processing would be prohibited by US sanctions laws.

The Department of Justice enforces criminal sanctions violations. Criminal liability may be imposed against a person who wilfully commits, attempts to commit, or conspires to commit, or aids or abets in the commission of, an unlawful act pursuant to the International Emergency Economic Powers Act (IEEPA), the Act pursuant to which most sanctions regulations are issued. Criminal liability pursuant to IEEPA may include a fine of not more than US$1 million or, if a natural person, a prison term of not more than 20 years, or both.[19]

Mitigating and aggravating factors

OFAC regulations outline the general factors that OFAC will consider when determining the appropriate enforcement response to an apparent violation of its regulations. Factors that OFAC will consider to be aggravating or mitigating include:

  • wilful or reckless violation of law, including factors such as concealment, a pattern of conduct and management involvement;[20]

OFAC’s enforcement action against UniCredit Bank AG highlighted the bank’s wilful intent to circumvent US sanctions, citing formal UniCredit Bank AG documents containing policies and procedures that instructed bank personnel to ensure payment structures were formatted in a way to hide the participation of OFAC-sanctioned parties.

  • awareness of the conduct at issue[21]

OFAC found that Standard Chartered Bank had actual knowledge or reason to know of its apparent violations of several sanctions regulations, including the Cuban Assets Control Regulations and the Iranian Transactions and Sanctions Regulations, which OFAC deemed an aggravating factor.

  • harm to sanctions programme objectives, including factors such as economic benefit to the sanctioned country and whether the conduct was likely to have been eligible for an OFAC licence;[22]

OFAC found that Jiangsu Guiqiang Tools Co Ltd (GQ), a subsidiary of Stanley Black & Decker, Inc, which agreed to pay the penalty for both itself and GQ, harmed the objectives of the Iranian Transactions and Sanctions Regulations by conferring an economic benefit to Iran in a systematic scheme involving the export and attempted export of several shipments of power tools and spare parts to a third country with knowledge that the goods were intended specifically for supply, trans-shipment or re-exportation to Iran.

  • individual characteristics of the party in question, such as commercial sophistication and whether the party has received a penalty notice or a finding of violation from OFAC in the five years preceding the date of the transaction giving rise to the violation;[23]

In OFAC’s enforcement action against Cubasphere Inc for violations of the Cuban Assets Control Regulations, OFAC considered the fact that Cubasphere was a small company with few employees as a mitigating factor. By contrast, in OFAC’s enforcement action against Apollo Aviation Group, LLC (Apollo) for violations of the Sudanese Sanctions Regulations, OFAC highlighted Apollo’s size and sophistication as an aggravating factor.

  • the existence, nature and adequacy of a compliance programme in place at the time of the violation;[24]

In OFAC’s enforcement action against Haverly Systems, Inc for violations of the Ukraine Related Sanctions Regulations, OFAC considered the fact that Haverly did not have a formal OFAC sanctions compliance programme at the time the apparent violations occurred to be an aggravating factor.

  • the remedial response that the party took upon learning of the violation;[25] and

In OFAC’s enforcement action against PACCAR, Inc on behalf of its wholly owned subsidiary DAF Trucks NV (DAF) for violations of the Iranian Transactions and Sanctions Regulations, OFAC considered the remedial actions taken by DAF a mitigating factor. On learning of the apparent violations, DAF conducted an internal investigation, dismissed employees involved in some of the apparent violations, cancelled the delivery of 20 trucks for customers that appeared to have sold or allowed DAF trucks to be sold to buyers in Iran, provided compliance training annually to DAF subsidiaries and implemented enhanced trade compliance controls in an effort to prevent similar apparent violations from reoccurring.

  • cooperation with OFAC, through a VSD or subsequent cooperation during the investigation (or both).[26]

In OFAC’s enforcement action against Stanley Black & Decker, Inc and its subsidiary, OFAC found that Stanley Black & Decker’s cooperation with OFAC, including an extensive internal investigation and meaningful responses to OFAC’s requests for additional information, was a mitigating factor.

A key factor, as evidenced by recent OFAC decisions, is the existence and maintenance of an adequate compliance programme in line with OFAC’s Framework for Compliance Commitments. Beginning in 2020, each of the decisions published by OFAC has included a paragraph referencing the Framework.[27]

As with OFAC, the DOJ generally views voluntary disclosure, full cooperation and timely and effective remedial measures as mitigating factors. The guidelines from the DOJ’s updated VSD policy,[28] discussed in further detail below, break down full cooperation as:

  • timely disclosure of all facts;
  • proactive cooperation;
  • preservation, collection and disclosure of relevant documents (Guidelines list examples);
  • deconfliction of witness interviews;
  • retention of business records and prohibition of the improper destruction or deletion of those records; and
  • any additional steps that demonstrate recognition of the seriousness of misconduct, acceptance of responsibility and implementation of measures to reduce risk of a repetition of the misconduct.

The updated policy also lays out what the DOJ considers as aggravating factors during an investigation for criminal sanctions violations. The aggravating factors listed by the DOJ include:[29]

  • exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;
  • exports of items known to be used in the construction of weapons of mass destruction;
  • exports to a foreign terrorist organisation or specially designated global terrorist;
  • exports of military items to a hostile foreign power;
  • repeated violations, including similar administrative or criminal violations in the past; and
  • knowing involvement of upper management in the criminal conduct.

The DOJ released an update to its ‘Evaluation of Corporate Compliance Programs’[30] guidance document, on 1 June 2020. The ‘Principles of Federal Prosecution of Business Organizations’ include several factors that prosecutors should consider when conducting an investigation of a corporation, including the adequacy and effectiveness of a corporation’s compliance programme at the time of an offence. Maintaining an effective compliance programme may be considered an additional mitigating factor.

When determining whether a corporation has an effective compliance programme, the DOJ considers three main questions:

  • Is the corporation’s compliance programme well designed?
  • Is the compliance programme being applied earnestly and in good faith?
  • Does the corporation’s compliance programme work in practice?

Best practice for corporations in an investigation

If an investigation has commenced, parties should endeavour to proactively collaborate with the agency conducting the investigation. OFAC enforcement actions have shown that it considers cooperation to be a mitigating factor in an enforcement case and the DOJ has stated that for a party to receive the benefits of a VSD, the party must fully cooperate with the DOJ. Generally, full cooperation includes but is not limited to internal investigations to discover the root cause of an apparent violation, responding to regulators’ requests for additional information in a timely and complete manner, preserving all sensitive or relevant documents, implementing and collaborating with regulators to develop and implement effective remedial measures, and, in the case of a DOJ investigation, deconflicting and making available any potential witnesses. Under no circumstances should parties attempt to hide or destroy evidence of an apparent violation once an investigation has commenced. Any indication of actions opposing an investigation is likely to lead to investigators taking a more hostile approach and may also constitute an offence of obstructing proceedings before departments, agencies, and committees pursuant to 18 USC 1505 or conspiracy to obstruct justice under 18 USC 371. Parties should also consider notifying relevant non-US regulators, shareholders, counterparties, insurers and other interested parties.


Reporting to OFAC

As previously mentioned, OFAC views the self-disclosure of apparent violations favourably. The self-disclosure of a violation can significantly reduce a potential civil penalty amount. To be considered voluntary, a disclosure must be self-initiated and made to OFAC before either OFAC or any government agency or official discovers the apparent violation. Notification of an apparent violation to another government agency, which is considered a VSD by that agency, may be considered a VSD to OFAC on a case-by-case basis. When making a VSD to OFAC, the VSD must include or be followed by a report containing sufficient details to provide a complete understanding of the circumstances of the apparent violation. In some instances, it may be beneficial to the party to make a preliminary disclosure to OFAC before knowing all the facts so as to make a timely disclosure yet ensure that the disclosure is voluntary. Parties should also ensure that their VSD and follow-up report contain all the details known at the time they are submitted. Parties submitting VSDs should also be prepared to respond to any follow-up enquiries by OFAC.[31]

However, not all notifications to OFAC of an apparent violation will be considered a VSD. Specifically, a notification will not be considered a VSD if a third party notifies OFAC of the apparent violation or substantially similar apparent violation because it blocked or rejected a transaction, or if the disclosure:

  • includes false or misleading information or is materially incomplete;
  • is not self-initiated;
  • is made without the authorisation of senior management; or
  • is in response to an administrative subpoena or other enquiry form.[32]

Filing a licence application with OFAC is also not considered a VSD.[33]

Reports to OFAC in certain instances are required by OFAC regulations. Specifically, US persons are required to submit reports of rejected and blocked transactions to OFAC within 10 business days of the action.[34] These reports typically are made by financial institutions and must include details of the rejected or blocked transactions, such as the parties, accounts involved, and date and amount of payment. Additionally, annual reports on blocked property must be filed with OFAC by 30 September of each year.[35] It is important to note that these reports will not be considered a VSD to OFAC and the disclosure of violations that OFAC has already been made aware of by a reject or blocking report submitted by another party will not receive the benefits of a VSD.

Reporting to the DOJ

On 13 December 2019, the DOJ released an updated VSD policy.[36] Under the new policy, all business organisations, including financial institutions, are eligible for the full range of benefits of the DOJ’s self-disclosure programme. Although there is no requirement to self-report to the DOJ, owing to the timeliness requirements discussed below, a VSD must be made early in the investigation process if it is to receive credit from the DOJ.

Mirroring other DOJ self-disclosure policies, companies are now eligible for credit when they (1) voluntarily self-disclose export control or sanctions violations to National Security Division’s Counterintelligence and Export Control Section (CES), (2) fully cooperate with the investigation, and (3) remediate any violations appropriately and in a timely manner. The threshold for eligibility is self-disclosure of potential violations to CES; self-disclosing to any other regulatory agency does not qualify a party as a self-discloser under the new DOJ policy.

For the purposes of the DOJ’s VSD policy, for a party’s disclosure to be considered voluntary it must be made prior to an imminent threat of disclosure or government investigation, and within a reasonably prompt time after discovery of the offence, and the party must disclose all relevant facts known to it at the time of the disclosure. The DOJ recognises that parties may not know all relevant facts at the time of disclosure, especially if the parties submit a VSD based on a preliminary investigation. The policy states that if that is the case, a party should make clear that it is making its disclosure based on a preliminary investigation or assessment of information while still providing all available information.

To receive credit for full cooperation, parties are required to disclose all relevant facts in a timely manner; to cooperate proactively with the DOJ; to preserve, collect and disclose all relevant documents and information; to deconflict witness interviews when required; and to make officers and employees of the party available for interviews by the DOJ when so requested. The policy notes that eligibility for cooperation credit does not depend on the waiver of the attorney–client privilege or the work-product protection, although experience suggests that the DOJ typically initiates a discussion on privilege at some point during corporate investigations.

Finally, parties are required to demonstrate a thorough analysis of the causes of underlying conduct and, where appropriate, engage in remediation; implement an effective compliance programme; discipline employees identified by the party as responsible for the oversight; retain business records and prohibit the improper destruction of those records; and take any additional steps that demonstrate recognition of the seriousness of a party’s misconduct.

Considerations before self-reporting

In general, costs associated with making a VSD to either OFAC or the DOJ include legal expenses, government scrutiny, reputational harm and, potentially, large monetary penalties. Tied to the additional scrutiny and investigation by government agencies, apparent violations of US sanctions laws other than those disclosed in the VSD may be discovered during the course of an investigation. When parties are deciding whether or not to submit a VSD, they must weigh these negative factors against the likelihood that a government agency independently discovers or is notified by a third party of the apparent violation and the nature and value of the apparent violation.

As mentioned above, a VSD submitted to either OFAC or the DOJ will only be accepted if it is made before there was a significant likelihood that the government would be notified of the apparent violation or otherwise discover it on its own. Additionally, by not making a VSD, parties are forfeiting a valuable opportunity to frame the issue and present any mitigating factors before a government investigation commences.

Prior to proceeding with a VSD, parties should also consider the date a potential violation occurred. The statute of limitations for sanctions violations is generally five years from the date of the apparent violation. However, as part of the settlement process parties may enter into tolling agreements with OFAC, which is considered a mitigating factor, to extend the statute of limitations if it is at risk of expiring during the course of the investigation and settlement process. Parties should also be aware that while the statute of limitations for sanctions violations is generally five years, a criminal investigation conducted by the DOJ may uncover violations of other statutes with significantly longer statutes of limitations. One example is the bank fraud statute, which carries a 10-year statute of limitations.[37] Additionally, the presence of a conspiracy to violate sanctions laws may extend the statute of limitations as the statute of limitations does not begin until the final overt act committed for its benefit. Depending on the situation, a party may be safe in limiting its investigations and the submission of VSDs to conduct within the past five years; however, parties should be aware that there are instances where the statute of limitations is greater than five years.

Considerations before submitting a VSD to OFAC

The submission of a VSD to OFAC can have several benefits, including as a mitigating factor when calculating a penalty or, in some cases, allowing a party to avoid an enforcement action. OFAC may decline to take action if it determines that the conduct does not constitute a violation, or it may decide that the conduct does not warrant a civil monetary penalty and issue a cautionary letter instead.[38] However, the main benefit of a VSD is that, if accepted, the VSD will reduce the base amount of the penalty by approximately 50 per cent in both egregious and non-egregious cases.[39] As mentioned above, VSDs are not the only mitigating factors that OFAC takes into account when determining the amount of a penalty. Parties should immediately take any reasonable remedial measures after discovering the apparent violation and discuss those measures in their submission. Additionally, parties should maintain a compliance programme in line with OFAC’s Framework for Compliance Commitments and, to the extent possible, map the apparent violation against their compliance programme and how the party has remedied, or intends to remedy, the deficiency in its programme that caused the apparent violation.

Further, when submitting a VSD to OFAC, a party must consider the chance that OFAC may launch a broader investigation of the party and find additional, undisclosed violations under one of its many sanctions programmes or violations that cause OFAC to notify other government agencies, including a potential referral to the DOJ for criminal enforcement. While notifications made to other government agencies may be considered a VSD for OFAC enforcement purposes, a VSD to OFAC will not qualify as a VSD made to the DOJ. Therefore, parties should carefully consider if there was an element of wilfulness in the apparent violations or other activity that would be considered criminal in nature and would cause OFAC to refer the case to the DOJ. If a party believes that the case may be referred to the DOJ, it should consider submitting a VSD to the DOJ either prior to, or simultaneously with, submitting its VSD to OFAC to take advantage of the DOJ’s VSD policy.

Considerations before submitting a VSD to the DOJ

If the party satisfies the three requirements of the DOJ’s VSD policy – (1) voluntarily self-disclosing a violation, (2) fully cooperating with the investigation, and (3) remediating any violations appropriately and in a timely manner – there is a presumption that the party will receive a non-prosecution agreement and will pay no fine, absent aggravating factors. However, even if a party receives a non-prosecution agreement, at a minimum the party will not be permitted to retain any of the unlawfully obtained gain and will be required to pay all disgorgement, forfeiture or restitution resulting from the misconduct.

Additionally, even if aggravating circumstances exist, the DOJ will still recommend a fine of at least 50 per cent less for a qualifying party than otherwise would have been levied, and will not require the imposition of a monitor if the party has implemented an effective compliance programme at the time of resolution. In addition to maintaining compliance programmes in line with OFAC’s Framework, parties should ensure their programmes meet the criteria laid out in the DOJ’s updated ‘Evaluation of Corporate Compliance Programs’ guidance document.

While the new VSD policy certainly has issues that businesses must consider before self-reporting, for businesses and the newly included financial institutions, the revised policy is also a potential lifeline to protect them from large financial penalties and potential criminal prosecution as seen in recent DOJ cases regarding UniCredit,[40] Société Générale[41] and Halkbank.[42] Despite this, there are still issues with the policy that may deter business organisations from submitting VSDs to the DOJ.

One factor to take into consideration under the new policy is that it makes clear that a VSD to a regulatory agency will not be enough to qualify for the benefits of the DOJ policy. This is in contrast with OFAC’s position that notification of an apparent violation to another government agency that is considered a VSD by that agency may be considered a VSD by OFAC based on a case-by-case assessment. This, coupled with the requirement that a VSD be made before any imminent threat of disclosure or government investigation, means that parties must decide early in their investigation of a potential violation of sanctions or export laws if they need to file with both regulatory agencies and the DOJ. Investigations can take unexpected turns, however, transforming an ostensible civil issue into a potential criminal matter if evidence of wilfulness is discovered. However, by filing with the DOJ, a party could expose itself to a potential criminal investigation and heavy, continuing disclosure obligations.

Moreover, the policy applies only to the DOJ and does not bind other regulators, including state banking regulators such as the New York State Department of Financial Services or the Federal Reserve. Those other enforcement authorities have their own programmatic mandates, which may be inconsistent with the outcomes available under the new policy. Put differently, self-reporting to the DOJ may earn you the carrot from the DOJ, but you may still face the stick from other regulators.

The key to effectively utilising this policy rests in the foundation of a party’s compliance policies and procedures. Even if the policies and procedures fail to prevent a violation from occurring, they can assist a party in quickly determining the nature and degree of the violation. This should help parties recognise earlier in their investigation of a potential violation whether they need to issue a VSD to the DOJ.

Other notification requirements

During the past few years, the US Securities and Exchange Commission (SEC) has taken a more active role in reviewing economic sanctions compliance. The SEC appears to have taken an interest because of the risks associated with a violation of US sanctions laws. The SEC has used comment letters[43] to request additional information from parties regarding the financial and reputational risks from costly regulatory action that may be associated with their disclosures to OFAC and their business activities in sanctioned countries. The proportion of comment letters discussing sanctions issues has risen from 1.5 per cent in 2014 to 4.5 per cent in 2018.[44] Despite this, the SEC has not traditionally acted as an enforcement agency in the mould of OFAC or the DOJ, only seeking disclosure and reporting of sanctions-related risks.

However, in a recent Foreign Corrupt Practices Act (FCPA) case against Quad/Graphics, the SEC found that, in addition to violating anti-bribery and bookkeeping offences, Quad/Graphics participated in a scheme to circumvent US sanctions and export control laws.[45] The DOJ had declined to prosecute Quad/Graphics despite finding evidence of bribery and did not reference the sanctions evasion scheme.[46] It remains to be seen whether the SEC will continue to use provisions of the FCPA to enforce US sanctions laws. Based on this and the increased frequency of the SEC’s requests for information and disclosure of sanctions-based risks, parties should consider notifying the SEC of apparent violations. However, this should be done while keeping in mind the requirements for VSD submissions to OFAC and the DOJ.

In addition to the SEC, parties should be aware that OFAC maintains memoranda of understanding (MOUs) with several state and federal banking regulatory agencies.[47] These MOUs outline how OFAC and the banking regulators will share information regarding apparent violations of US sanctions. Banking regulators, such as the Federal Reserve, may impose penalties on the financial institutions they oversee in connection with apparent violations of US sanctions laws. The jurisdiction of these regulators is generally based on the requirements for safe and sound banking practices, which may include compliance with US economic sanctions and financial crime laws and requirements to disclose sanctions risks.[48] Accordingly, financial institutions should consider notifying their banking regulators of apparent violations if they plan to submit a VSD to OFAC. However, as discussed with respect to the SEC, this should be done while conscious of the requirements for VSD submissions to OFAC and the DOJ.

Parties should also assess whether the apparent violation of US sanctions laws also violates the sanctions laws of other jurisdictions. For example, if a party operates in both the United States and the United Kingdom and commits an apparent violation that would be in breach of sanctions law in both countries, the party should consider making a disclosure to both OFAC and the UK’s Office of Financial Sanctions Implementation. Foreign regulatory agencies may share information regarding apparent violations directly or learn of an apparent violation if it is published by a foreign regulator. Therefore, a party should ensure that it considers whether its actions violate non-US sanctions laws and whether the party would be subject to the jurisdiction of non-US regulators.

Additionally, parties should be aware of how public perception and negative press relating to the discovery of an apparent violation can materially affect a party’s reputation. A VSD and a detailed plan to implement remediation measures targeting the root cause of the apparent violations may mitigate some of the associated reputational damage. However, regardless of how the apparent violation was reported or discovered, public scrutiny still represents a risk factor for future business partners and investors. As a result, reputational damage could lead to lost opportunities and burdensome due diligence requirements imposed by potential business partners.

Anti-money laundering

Suspicious activity reports

As mentioned above, anti-money laundering investigations can overlap with investigations of apparent sanctions violations. Additionally, disclosures to one regulatory authority can notify other authorities of potential violations leading to overlapping investigations for different violations caused by the same action. A financial institution that intentionally attempts to deceive US regulatory authorities or cover up an apparent violation of US sanctions laws, for example, is likely to simultaneously engage in violations of anti-money laundering laws.[49]

Under the BSA, financial institutions[50] are required to report ‘any suspicious transaction relevant to a possible violation of law or regulation’. FinCEN has issued regulations implementing the BSA requiring certain financial institutions, including banks, securities broker-dealers, introducing brokers, casinos, futures commission merchants and money services businesses, to report any suspicious activity above a certain dollar threshold in a SAR. Each industry has its own form and, generally, the report must be submitted within 30 days of the detection of the suspicious activity.

As discussed in earlier sections of this chapter, OFAC requires financial institutions to submit reports regarding any transactions that were rejected or blocked as a result of the involvement of a person on OFAC’s list of specially designated nationals and blocked persons. These transactions would be considered suspicious activity under the BSA due to the possibility that they violate US sanctions regulations, and financial institutions would be required to submit a SAR to FinCEN. However, FinCEN’s requirements will be satisfied by filing a rejection or blocking report to OFAC.[51] OFAC will then pass the information to FinCEN, where the activity will be logged in the suspicious activity reporting database and become available to law enforcement agents. However, FinCEN notes that to the extent a financial institution has information related to the activity that was not disclosed or included in the blocking report, the financial institution should file a separate SAR with FinCEN including that information.[52]

As discussed above, a notice of an apparent violation through a third-party rejection or blocking report will negate any benefit that a party may have received from submitting a VSD. Additionally, because the information filed in a rejection or blocking report will be passed to FinCEN and made available to law enforcement, it could trigger additional investigations relating to money laundering or other civil and criminal offences. Parties should be aware of how regulators share information and how a third-party report may trigger multiple investigations from several government agencies, negating any benefit the party would receive from self-reporting the apparent violation.

In understanding and examining the risks associated with third-party reports, parties should also be aware of the AMLA, ultimately passed on 1 January 2021. The AMLA expands the BSA to include measures to strengthen FinCEN and inter-agency coordination and enforcement, among other provisions such as enhanced regulatory coverage of non-traditional exchanges of value and new beneficial ownership reporting requirements. As noted above, one way that OFAC may learn of apparent violations of US sanctions laws is through information shared by foreign regulatory bodies. The AMLA requires the US Treasury department to create a three-year pilot programme allowing financial institutions to share SARs information with the institution’s foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks.[53] Additionally, the AMLA also requested the establishment of an exchange designed to facilitate information sharing between financial institutions, law enforcement agencies, national security agencies and FinCEN.[54]

As these programmes continue to develop, the enhanced information-sharing mechanisms and procedures could lead to faster detection by or notification of a potential violation to OFAC, negating any benefits that would be received by self-reporting as the report would no longer be considered voluntary by OFAC. The implementation and effect of these information-sharing programmes should be monitored by parties, and their potential impact on the time it takes for OFAC to independently discover or be notified of an apparent violation considered when deciding if and when to file a VSD.

Resolution of investigations

OFAC has a variety of enforcement options available to it upon learning of a potential violation of US sanctions. If OFAC determines that there is insufficient evidence that a violation has occurred or concludes that the conduct does not warrant an administrative response, then no action will be taken.[55] In cases where OFAC is aware that the subject of the investigation knows of OFAC’s investigation, OFAC will generally issue a no-action letter. If OFAC determines that there is insufficient evidence of a violation but that the activity in question could lead to a violation or that there is a lack of due diligence in assuring compliance with US sanctions laws, OFAC may issue a cautionary letter.[56] A cautionary letter will generally lay out OFAC’s concerns about the underlying conduct or concerns regarding the compliance policies, practices and procedures that led to the apparent violation. If OFAC determines that a violation has occurred but that a civil monetary penalty is not appropriate, OFAC may issue a finding of violation.[57] Although there is no monetary penalty involved, OFAC announces findings of violations in press releases and publishes a notice containing the description of the violations and its analysis, which can cause reputational damage to a party.

Cautionary letter[58]

In OFAC’s enforcement action against AppliChem GmbH, OFAC noted that it had previously issued a cautionary letter to Illinois Tool Works Inc, a US company that acquired AppliChem, regarding AppliChem’s post-acquisition sales to Cuba.

OFAC may also impose a civil monetary penalty upon determining that a violation has occurred.[59] These penalties will be determined in line with OFAC guidelines and subject to the mitigating and aggravating factors described above. Parties may also decide to enter into a settlement with OFAC to reduce their maximum exposure to penalties.[60] Settlement discussions may be initiated by OFAC or the party that committed the apparent violation. Settlements can be made before or after the issuance of a pre-penalty notice and may also include multiple apparent violations, even if they are covered under separate pre-penalty notices. Notably, OFAC settlements may be a part of a comprehensive settlement with other federal, state or local agencies.

Global settlement[61]

UniCredit Bank AG agreed to pay approximately US$611 million to OFAC as part of a larger, US$1.3 billion settlement with federal and state government partners.

Finally, OFAC may refer a case to appropriate law enforcement if it determines that the activity warrants a criminal investigation or prosecution (or both).[62]

Similar to the multiple options available to and utilised by OFAC, the DOJ has a variety of enforcement options available to it when closing a case. First, it may choose to resolve a case using a deferred prosecution agreement (DPA) or a non-prosecution agreement (NPA). Under a DPA, the DOJ will bring charges against the party committing the violation but agrees not to proceed with those charges so long as the party follows a negotiated set of requirements or conditions. Under an NPA, the DOJ will not file charges against the party and will generally require the party to comply with certain conditions or pay a fine. Additionally, DPAs and NPAs may impose a corporate monitor on the party to the agreement. The party bears the costs of the corporate monitor, and the scope of the monitor’s oversight responsibilities is negotiated by the party and the DOJ. The DOJ may also seek the forfeiture of assets relating to the apparent violation as part of the penalties assessed against the party.

If the DOJ initiates an investigation either through a referral by another government agency or independent discovery of an apparent violation, the offending party may be charged under numerous criminal statutes depending on the nature of the violation. For example, a single party may be charged for a wilful violation of IEEPA while simultaneously being charged for fraud, criminal money laundering and other offences committed in coordination with the apparent violation.[63] These could lead to significant monetary penalties and potential imprisonment for individuals involved in the apparent violation.


1 David Mortlock and Britt Mosman are partners and Nikki Cronin and Ahmad El-Gamal are associates at Willkie Farr & Gallagher LLP.

2 31 CFR Part 501 Appendix A (II)(F).

3 Dylan Tokar, Treasury Department Changes Approach to Fines in Sanctions Cases, Wall Street Journal (14 June 2019), available at

4 Published in March 2018, FAQs 559–563 detail the compliance responsibilities of entities involved in the digital currency industry or using digital currency as a means of conducting transactions as well as providing key definitions and information on how OFAC will use existing authorities to bring enforcement actions with respect to apparent violations involving the use or transfer of digital currency. See OFAC Frequently Asked Questions ‘Questions on Virtual Currency,’ available at

5 See Exxon Mobil Corporation v. Steven Mnuchin, CIVIL ACTION NO. 3:17-CV-1930-B (N.D. Tex. 2019).

6 US Department of the Treasury, ‘A Framework for OFAC Compliance Commitments’, at

7 See 31 CFR Part 501.

8 See OFAC ‘Enforcement Information for June 13, 2019’, at

9 See In re: Sealed Case, No. 19-5068 (D.C. Cir. Aug. 6, 2019).

10 id. at 10.

11 id. at 9.

12 31 USC § 5315(k) as amended by the Anti-Money Laundering Act 2020.

13 See OFAC ‘Enforcement Information for October 1, 2019’, at; see OFAC ‘Enforcement Information for October 20, 2020’, at

14 See OFAC ‘Enforcement Information for September 17, 2019’, at

15 See OFAC ‘Enforcement Information for February 26, 2020’, at

16 See OFAC ‘Enforcement Information for January 27, 2020’, at

17 See OFAC ‘Enforcement Information for December 30, 2020’, at; see OFAC ‘Enforcement Information for February 18, 2021’, at

18 See OFAC ‘Enforcement Information for October 1, 2020’, at

19 50 USC 1705(c).

20 See OFAC ‘Enforcement Information for April 15, 2019’, at

21 See OFAC ‘Enforcement Information for April 9, 2019’, at

22 See OFAC ‘Enforcement Information for March 27, 2019’, at

23 See OFAC ‘Enforcement Information for June 13, 2019’, at; and OFAC ‘Enforcement Information for November 7, 2019’, at

24 See ‘OFAC Enforcement Information for April 25, 2019’, at

25 See ‘OFAC Enforcement Information for August 6, 2019’, at

26 See ‘OFAC Enforcement Information for March 27, 2019’, at

27 See, for example, ‘OFAC Enforcement Information for December 30, 2020’, BitGo, Inc., at (‘On May 2, 2019, OFAC published A Framework for OFAC Compliance Commitments in order to provide organizations subject to US jurisdiction, as well as foreign entities that conduct business in or with the United States or US persons, or that use US-origin goods or services, with OFAC’s perspective on the essential components of a sanctions compliance program. The Framework also outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements. The Framework includes an appendix that offers a brief analysis of some of the root causes of apparent violations of US economic and trade sanctions programs OFAC has identified during its investigative process.’).

28 US Department of Justice [DOJ], National Security Division, ‘Export Control and Sanctions Enforcement Policy for Business Organizations’ (13 December 2019), at

29 id.

30 DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated June 2020), at

31 31 CFR 501 Appendix A (I)(I).

32 id.

33 id.

34 31 CFR 501.603 and 501.604.

35 id.

36 DOJ, National Security Division, ‘Export Control and Sanctions Enforcement Policy for Business Organizations’ (13 December 2019), at

37 See 18 USC 1344.

38 31 CFR 501 Appendix A (II)(C).

39 31 CFR 501 Appendix A (V)(B)(a).

43 SEC ‘comment letters’ refer to either letters submitted in response to requests for public comment, or, in this instance, to correspondence between SEC staff and SEC filers. The SEC may use comment letters to request that a party provide additional supplemental information, revise disclosure in a document on file with the SEC, provide additional disclosure in a document on file with the SEC, or provide additional or different disclosure in a future filing with the SEC. There may be several rounds of letters as the SEC’s staff and the filer work to resolve a particular issue.

44 Menghi Sun and Mark Maurer, ‘SEC Questions More Companies About Sanctions Disclosures’, Wall Street Journal (28 August 2019) (citing Audit Analytics), at

45 See Securities and Exchange Commission press release of 26 September 2019, at

46 See DOJ Response Letter, Re: Quad/Graphics Inc, at

47 The US Department of the Treasury maintains a list of memoranda of understanding between OFAC and state and federal banking regulators at

48 See, for example, ‘Board of Governors of the Federal Reserve System, Order to Cease and Desist and Order of Assessment of Civil Money Penalty Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as Amended, In the Matter of Standard Chartered PLC’ (8 April 2019) available at (Stating that Standard Chartered PLC and Standard Chartered Bank were fined for unsafe and unsound practices relating to inadequate sanctions controls and failure to disclose sanctions risks to the Federal Reserve.)

49 An example of simultaneous sanctions and anti-money laundering enforcement can be found in the ongoing case of Halkbank. The Turkish state-owned bank allegedly participated in a multibillion-dollar scheme to evade US sanctions on Iran, including facilitating fraudulent transactions designed to appear to be purchases of food and medicine. The DOJ referenced the knowing involvement of senior officers at the bank and discussions on how best to structure transactions to evade scrutiny by US regulators. As is often the case with schemes to avoid sanctions, Halkbank violated anti-money laundering laws by using fraudulent pretences and representations to defraud financial institutions. See United States v. Halkbank, Superseding Indictment S6 15 Cr. 867 (RMB), at

50 The Bank Secrecy Act defines ‘financial institutions’ at 31 USC 5312. This list at 31 USC 5312(a)(2) includes, but is not limited to, insured banks, commercial banks or trust companies, private bankers, brokers and dealers in securities or commodities, investment bankers or companies, insurance companies, certain casinos and any businesses or agencies that engage in any activity which the Secretary of the Treasury determines, by regulation, to be an activity that is similar to, related to, or a substitute for any activity in which any business described in 31 USC 5312(a)(2) is authorised to engage.

51 See FinCEN Interpretive Guidance ‘Interpretation of Suspicious Activity Reporting Requirements to Permit the Unitary Filing of Suspicious Activity and Blocking Reports’, December 2004, available at

52 id.

53 31 USC § 5318(g)(8) as amended by the Anti-Money Laundering Act, 2020.

54 31 USC § 310(d) as amended by the Anti-Money Laundering Act, 2020.

55 31 CFR 501 Appendix A (II)(A).

56 31 CFR 501 Appendix A (II)(B).

57 See US Department of the Treasury, ‘Enforcement Release April 30, 2020: OFAC Issues a Finding of Violation to American Express Travel Related Services Company for Violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations’, at

58 See ‘OFAC Enforcement Information for February 14, 2019’, at

59 31 CFR 501 Appendix A (II)(E).

60 31 CFR 501 Appendix A (V)(C).

61 See, e.g., US Department of the Treasury press release, ‘U.S. Treasury Department Announces Settlement with UniCredit Group Banks’ (15 April 2019), at

62 31 CFR 501 Appendix A (II)(F).

63 See DOJ press release of 15 October 2019, at (‘[Halkbank] was charged today in a six-count indictment with fraud, money laundering, and sanctions offenses related to the bank’s participation in a multibillion-dollar scheme to evade U.S. sanctions on Iran.’).
