US Sanctions Enforcement by OFAC and the DOJ

Introduction

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces most economic and trade sanctions. Specifically, OFAC is responsible for civil enforcement of US sanctions laws, and its regulations are enforced on a strict liability basis, meaning that OFAC does not need to prove fault or intent to enter an enforcement action and issue a civil penalty. In addition to OFAC, the US Department of Justice (DOJ) and the US Attorney may pursue criminal investigations and enforcement actions for wilful violations of US sanctions laws. Federal criminal prosecutions of sanctions violations are generally conducted on referral by OFAC, although the DOJ may choose to pursue some cases on its own initiative.^[2] Other regulators, such as the Financial Crimes Enforcement Network (FinCEN) and the New York State Department of Financial Services, may impose additional penalties for failure to maintain specific controls to help ensure compliance with OFAC-administered regulations.

Companies should also account for any complementary export control restrictions implemented by the Department of Commerce and enforced by the Bureau of Industry and Security (BIS), or the Department of State and the Directorate of Defense Trade Controls (DDTC) in the case of defence articles and defence services, which may be imposed with respect to exports involving sanctioned countries and regions or sanctioned persons. As evidenced by the significant export restrictions placed on Russia and Belarus following Russia’s invasion of Ukraine,^[3] the publication of significant new OFAC sanctions programmes or updates to existing programmes are often followed by a corresponding restriction on exports to the affected countries, regions or persons. Notably, OFAC, BIS and the DDTC may have different licence requirements to engage in certain activities. A failure to understand each respective set of licensing requirements and acquire all the necessary licences to engage in an otherwise prohibited activity could leave a company facing an enforcement action and potential penalties from one or more regulators.

Both federal and state regulators may pursue enforcement actions for the same conduct simultaneously, which could lead to multiple investigations by multiple entities. In 2019, OFAC Director Andrea Gacki made it clear that OFAC would no longer give credit for all types of fines paid to other agencies in global, multi-agency settlements.^[4] This change in how OFAC calculates fines could lead to increased penalties in global settlement agreements where OFAC would have taken into account the amount of fines and penalties being levied by other agencies when determining the final penalty amount. Currently, for a non-egregious violation, ignoring any adjustment of the penalty based on aggravating or mitigating factors, the base penalty amount would be approximately the value of the transaction, determined specifically by a schedule provided in OFAC’s enforcement guidelines, capped at US$330,947 per transaction.^[5] If a company voluntarily discloses an apparent violation to OFAC, the base amount of the proposed civil penalty is one-half of the transaction value capped at a maximum base amount of US$165,474 per violation.^[6]

During 2020, the number of enforcement actions closed and published by OFAC decreased significantly when compared to 2019, from 26 in 2019 to 16 in 2020. One potential cause of this decrease may be the disruption caused by the covid-19 pandemic throughout 2020 and early 2021, but it likely also represents a continuation of the typical year-to-year fluctuation in the amount of cases closed by OFAC. Indeed, the number of enforcement actions in 2021 increased to 20, with only a slight decrease in the total penalty amount from US$23 million in 2020 to US$20.8 million in 2021. OFAC has continued to pursue novel and more aggressive enforcement theories, including showing a willingness to pierce the corporate veil and pursue enforcement cases for even indirect contact with US financial institutions and expanding its jurisdiction in the wake of technological advancement. OFAC published its first enforcement action related to digital currency transactions on 30 December 2020, followed closely by a second enforcement action related to digital currency transactions in February 2021, indicating that the agency is ready to aggressively pursue enforcement actions against apparent violation involving transactions using digital currency transactions nearly two years after the publication of FAQs 559–563.^[7] Moreover, OFAC published its Sanctions Compliance Guidance for the Virtual Currency Industry in October 2021 as a resource to help members of the virtual currency industry understand and comply with their sanctions obligations.^[8]

Notably, there has been little judicial review or oversight of OFAC’s enforcement theories. Almost all cases that are not resolved by no-action or cautionary letters are settled, and very few are challenged in court. However, there are exceptions to this general trend, including Exxon Mobil Corporation’s challenge of a US$2 million civil penalty imposed by OFAC, which resulted in the penalty being vacated by a District Court in the Northern District of Texas on the grounds that OFAC failed to provide fair notice regarding the agency’s interpretation of the relevant sanctions regulations.^[9] Additionally, in enforcement actions concluded after the May 2019 release of OFAC’s ‘A Framework for Compliance Commitments’ (the Framework),^[10] OFAC has assessed parties’ compliance with the Framework as an aggravating or mitigating circumstance, tracking the parties’ violation against the Framework. The new trends in enforcement, highlighted by recent OFAC cases, show that a strong compliance programme in line with the Framework is a key factor for parties seeking to avoid OFAC enforcement actions moving forward.

Criminal enforcement

The DOJ enforces criminal sanctions violations. Criminal liability may be imposed against a person who wilfully commits, attempts to commit or conspires to commit, or aids or abets in the commission of, an unlawful act pursuant to the International Emergency Economic Powers Act (IEEPA), the Act pursuant to which most sanctions regulations are issued. Criminal liability pursuant to the IEEPA may include a fine of not more than US$1 million or, if a natural person, a prison term of not more than 20 years, or both.^[11]

Recent DOJ actions in the wake of the sanctions placed on Russia have pushed the Department to the forefront of sanctions enforcement along with OFAC. These include the creation of Task Force KleptoCapture on 2 March 2022, an inter-agency law enforcement task force led by the Justice Department and aimed at enforcing the sanctions, export restrictions and economic countermeasures placed on Russia.^[12] Since its creation, the task force has been involved in the seizure of assets and funds from Russian kleptocrats, including the seizure of a US$90 million yacht belonging to Viktor Vekselberg, a sanctioned Russian oligarch.^[13]

The DOJ has also continued to prosecute individuals that have violated US sanctions, including with recent announcements regarding cases against one US citizen and two European citizens for conspiring to assist North Korea in evading sanctions and the first criminal indictment for violations of US sanctions against Russia for its 2014 incursion into Ukraine. On 25 April 2022, the Southern District of New York unsealed an indictment against two European citizens who were charged with conspiring to violate US sanctions on North Korea by working with a US citizen to illegally provide cryptocurrency and blockchain technology services to North Korea. On 12 April 2022, the DOJ announced that the US citizen was sentenced to 62 months in prison after pleading guilty to conspiracy to violate the IEEPA by providing technical advice and instructions to North Korea on using blockchain and cryptocurrency technology to launder money and evade US sanctions and for pursuing plans to facilitate North Korea’s dealings in cryptocurrency.^[14]

In the actions targeting a Russian oligarch and his US associate, the DOJ charged a US citizen with violations of US sanctions for his dealings with Russian national Konstantin Malofeyev, who is also designated on OFAC’s List of Specially Designated Nationals and Blocked Persons. Malofeyev was also charged with conspiracy to violate US sanctions and violations of US sanctions for hiring a US citizen to work with him and conspiring to transfer US dollars from a US bank for the benefit of Malofeyev, a blocked person.^[15] The DOJ highlighted in its press release that OFAC designated Malofeyev in 2014 pursuant to Executive Order 13660 when OFAC determined that Malofeyev was one of the main sources of financing for Russians promoting separatism in Crimea, and materially assisted, sponsored and provided financial, material or technological support for, or goods and services to or in support of, the so-called ‘Donetsk People’s Republic’.^[16] The DOJ noted that this was the first ever criminal indictment for violations of the sanctions on Russia for its 2014 activity in Crimea.^[17]

Investigation

Commencement

The US government can learn of a potential sanctions violation in a number of ways, but the primary means of discovery are through voluntary self-disclosures (VSDs), reports of blocked and rejected transactions, referrals from other government agencies and even publicly available information, such as media reports.

If a company conducts an internal investigation or otherwise learns of a potential violation itself, it may submit a VSD to OFAC. A VSD has many benefits, described further below, including a significant reduction in the base penalty calculation for any potential enforcement action. Depending on the particular circumstances of a violation, the submission of a VSD and subsequent cooperation with OFAC should be carefully considered.

Learning of apparent violations through blocked or rejected transaction reports and other means^[18]

A VSD is not the only means by which the government learns of potential violations. The government frequently learns of violations through reports generated by US persons, primarily banks, that have blocked or rejected a transaction based on a suspected sanctions violation. US persons are required under the sanctions regulations to submit blocking and reject reports to OFAC within 10 business days of the action to block or reject a transaction. Beginning in June 2019, new regulations require that all US persons report rejected transactions to OFAC within 10 days.^[19] Previously, all parties already had an obligation to report transactions involving blocked property to OFAC, but only US financial institutions had the obligation to report rejected transactions. OFAC may also learn of sanctions violations through anti-money laundering reports, primarily suspicious activity reports (SARs), which are also typically submitted by banks and other financial institutions.

OFAC may also learn of potential violations through other government agencies, including foreign governments. Criminal investigations conducted by the DOJ and other federal and state law enforcement can lead to the discovery of sanctions violations.

Notification

Once OFAC learns of a potential violation and decides to launch an investigation, it may make an initial request for information with an administrative subpoena or, depending on the nature of the violation, direct a more informal set of questions to the involved parties, including non-US persons.

Notably, a 2019 DC Circuit Court decision – which required three Chinese banks, two of which have US branches, to comply with the government’s grand jury subpoenas and document production orders in connection with the violation of the US sanctions on North Korea – expanded the ability of US federal prosecutors to subpoena the financial records of foreign financial institutions during an investigation.^[20] The Court held that in instances where a foreign bank has a US branch, it consents to federal court jurisdiction on matters overseen by the Federal Reserve including money laundering and sanctions violations.^[21] The Court also held that the Attorney General’s power under the Bank Secrecy Act (BSA) to compel a foreign bank to produce documents is not limited to transactions that pass directly through a foreign bank’s US foreign account, but also any foreign records with a connection to the bank’s US correspondent account.^[22]

The DOJ’s authority to issue subpoenas to foreign financial institutions was expanded under the Anti-Money Laundering Act of 2020 (AMLA). In addition to having the authority to issue subpoenas to foreign financial institutions that maintain a correspondent account in the United States for records related to the correspondent account, the AMLA expanded the DOJ’s subpoena power to cover ‘any account at the foreign bank, including records maintained outside of the United States’ if those records are the subject of a broad list of enforcement actions, including criminal prosecutions or violations of the BSA.^[23]

Competent authorities

The authorities responsible for enforcing US sanctions are primarily OFAC (responsible for civil enforcement) and the DOJ (responsible for criminal enforcement). Furthermore, financial regulators, including the New York State Department of Financial Services and the Federal Reserve Board, may impose fines and other penalties for compliance failures associated with insufficient sanctions compliance programmes.

Substantive offences

Each sanctions programme administered by OFAC is different depending on the aims of the government. OFAC sanctions programmes generally prohibit US persons from engaging in transactions, directly or indirectly, involving designated individuals or entities (persons). Other sanctions programmes, such as those against Cuba and Iran, are comprehensive in nature, generally prohibiting exports of goods or services by US persons or from the United States to those territories. Regardless, there are common elements for a finding of an apparent violation, generally a breach of regulations for an embargo or transaction involving specially designated nationals and blocked persons or entities subject to sectoral sanctions. OFAC regulations are civil in nature, meaning they generally do not require mens rea, intent or knowledge for an apparent violation to be found and a penalty to be assessed. However, if the apparent violation included a wilful attempt at evading, avoiding, attempting or conspiring to evade or avoid, or facilitating a prohibited transaction, it could expose the party to criminal liability and prosecution by the DOJ.

OFAC’s enforcement authority and procedures are further defined by its general enforcement guidelines at 31 CFR 501 Appendix A. These enforcement guidelines establish the factors for calculating the base penalty amounts, based on a number of specific factors including whether the violation is egregious or non-egregious and whether the violations were voluntarily disclosed to OFAC.

Recent trends in enforcement actions

The following trends have been prevalent in recent civil enforcement actions issued by OFAC.

Piercing the corporate veil^[24]

Indirect contact with US financial institutions^[25]

Expanded jurisdiction^[26]

Enforcement tracked to OFAC’s Framework for Compliance Commitments^[27]

Scrutiny of the cryptocurrency industry^[28]

Conducting transactions indirectly that would otherwise be considered a violation^[29]

Mitigating and aggravating factors

OFAC regulations outline the general factors that it will consider when determining the appropriate enforcement response to an apparent violation of its regulations.

Factors that OFAC will consider to be aggravating or mitigating include:

• wilful or reckless violation of law, including factors such as concealment, a pattern of conduct and management involvement;^[30]
• awareness of the conduct at issue;^[31]
• harm to sanctions programme objectives, including factors such as economic benefit to the sanctioned country and whether the conduct was likely to have been eligible for an OFAC licence;^[32]
• individual characteristics of the party in question, such as commercial sophistication and whether the party has received a penalty notice or a finding of violation from OFAC in the five years preceding the date of the transaction giving rise to the violation;^[33]
• the existence, nature and adequacy of a compliance programme in place at the time of the violation;^[34]
• the remedial response that the party took upon learning of the violation;^[35] and
• cooperation with OFAC, through a VSD or subsequent cooperation during the investigation (or both).^[36]

A key factor, as evidenced by recent OFAC decisions, is the existence and maintenance of an adequate compliance programme in line with OFAC’s Framework for Compliance Commitments. Since 2020, each of the decisions published by OFAC has included a paragraph referencing the Framework.^[37]

As with OFAC, the DOJ generally views voluntary disclosure, full cooperation and timely and effective remedial measures as mitigating factors. The guidelines from the DOJ’s updated VSD policy,^[38] discussed in further detail below, break down full cooperation as:

• timely disclosure of all facts;
• proactive cooperation;
• preservation, collection and disclosure of relevant documents (Guidelines list examples);
• deconfliction of witness interviews;
• retention of business records and prohibition of the improper destruction or deletion of those records; and
• any additional steps that demonstrate recognition of the seriousness of misconduct, acceptance of responsibility and implementation of measures to reduce risk of a repetition of the misconduct.

The updated policy also lays out what the DOJ considers as aggravating factors during an investigation for criminal sanctions violations, which include:^[39]

• exports of items controlled for nuclear non-proliferation or missile technology reasons to a proliferator country;
• exports of items known to be used in the construction of weapons of mass destruction;
• exports to a foreign terrorist organisation or specially designated global terrorist;
• exports of military items to a hostile foreign power;
• repeated violations, including similar administrative or criminal violations in the past; and
• knowing involvement of upper management in the criminal conduct.

The DOJ released an update to its ‘Evaluation of Corporate Compliance Programs’^[40] guidance document, on 1 June 2020. The ‘Principles of Federal Prosecution of Business Organizations’ include several factors that prosecutors should consider when conducting an investigation of a corporation, including the adequacy and effectiveness of a corporation’s compliance programme at the time of an offence. Maintaining an effective compliance programme may be considered an additional mitigating factor.

When determining whether a corporation has an effective compliance programme, the DOJ considers three main questions:

• Is the corporation’s compliance programme well designed?
• Is the compliance programme being applied earnestly and in good faith?
• Does the corporation’s compliance programme work in practice?

Best practice for corporations in an investigation

If an investigation has commenced, it is generally in parties’ best interests to endeavour to proactively collaborate with the agency conducting the investigation. OFAC enforcement actions have shown that it considers cooperation to be a mitigating factor in an enforcement case and the DOJ has stated that for a party to receive the benefits of a VSD, it must fully cooperate with the DOJ. Generally, full cooperation includes but is not limited to internal investigations to discover the root cause of an apparent violation, responding to regulators’ requests for additional information in a timely and complete manner, preserving all sensitive or relevant documents, collaborating with regulators to develop and implement effective remedial measures, and, in the case of a DOJ investigation, deconflicting and making available any potential witnesses. Under no circumstances should parties attempt to hide or destroy evidence of an apparent violation once an investigation has commenced. Any indication of actions opposing an investigation is likely to lead to investigators taking a more hostile approach and may also constitute an offence of obstructing proceedings before departments, agencies and committees pursuant to 18 USC 1505 or conspiracy to obstruct justice under 18 USC 371. Parties should also consider notifying relevant non-US regulators,^[41] shareholders, counterparties, insurers and other interested parties.

Self-reporting

Reporting to OFAC

As mentioned above, OFAC views the self-disclosure of apparent violations favourably. The self-disclosure of a violation can significantly reduce a potential civil penalty amount. To be considered voluntary, a disclosure must be self-initiated and made to OFAC before either OFAC or any government agency or official discovers the apparent violation. Notification of an apparent violation to another government agency, which is considered a VSD by that agency, may be considered a VSD to OFAC on a case-by-case basis. When making a VSD to OFAC, the VSD must include or be followed by a report containing sufficient details to provide a complete understanding of the circumstances of the apparent violation. In some instances, it may be beneficial to the party to make a preliminary disclosure to OFAC before knowing all the facts so as to make a timely disclosure yet ensure that the disclosure is voluntary. Parties should also ensure that their VSD and follow-up report contain all the details known at the time they are submitted. Parties submitting VSDs should also be prepared to respond to any follow-up enquiries by OFAC.^[42]

However, not all notifications to OFAC of an apparent violation will be considered a VSD. Specifically, a notification will not be considered a VSD if a third party notifies OFAC of the apparent violation or substantially similar apparent violation because it blocked or rejected a transaction, or if the disclosure:

• includes false or misleading information or is materially incomplete;
• is not self-initiated;
• is made without the authorisation of senior management; or
• is in response to an administrative subpoena or other enquiry form.^[43]

Filing a licence application with OFAC is also not considered a VSD.^[44]

Reports to OFAC in certain instances are required by OFAC regulations. Specifically, US persons are required to submit reports of rejected and blocked transactions to OFAC within 10 business days of the action.^[45] These reports are typically made by financial institutions and must include details of the rejected or blocked transactions, such as the parties, accounts involved and date and amount of payment. Additionally, annual reports on blocked property must be filed with OFAC by 30 September of each year.^[46] It is important to note that these reports will not be considered a VSD to OFAC and the disclosure of violations that OFAC has already been made aware of by a reject or blocking report submitted by another party will not receive the benefits of a VSD.

Reporting to the DOJ

On 13 December 2019, the DOJ released an updated VSD policy.^[47] Under the new policy, all business organisations, including financial institutions, are eligible for the full range of benefits of the DOJ’s self-disclosure programme. Although there is no requirement to self-report to the DOJ, owing to the timeliness requirements discussed below, a VSD must be made early in the investigation process if it is to receive credit from the DOJ.

Mirroring other DOJ self-disclosure policies, companies are now eligible for credit when they (1) voluntarily self-disclose export control or sanctions violations to the National Security Division’s Counterintelligence and Export Control Section (CES), (2) fully cooperate with the investigation, and (3) remediate any violations appropriately and in a timely manner. The threshold for eligibility is self-disclosure of potential violations to CES; self-disclosing to any other regulatory agency does not qualify a party as a self-discloser under the new DOJ policy.

For the purposes of the DOJ’s VSD policy, for a party’s disclosure to be considered voluntary it must be made prior to an imminent threat of disclosure or government investigation, and within a reasonably prompt time after discovery of the offence, and the party must disclose all relevant facts known to it at the time of the disclosure. The DOJ recognises that parties may not know all relevant facts at the time of disclosure, especially if the parties submit a VSD based on a preliminary investigation. The policy states that if that is the case, a party should make clear that it is making its disclosure based on a preliminary investigation or assessment of information while still providing all available information.

To receive credit for full cooperation, parties are required to disclose all relevant facts in a timely manner; to cooperate proactively with the DOJ; to preserve, collect and disclose all relevant documents and information; to deconflict witness interviews when required; and to make officers and employees of the party available for interviews by the DOJ when so requested. The policy notes that eligibility for cooperation credit does not depend on the waiver of the attorney–client privilege or the work-product protection, although experience suggests that the DOJ typically initiates a discussion on privilege at some point during corporate investigations.

Finally, parties are required to demonstrate a thorough analysis of the causes of underlying conduct and, where appropriate, engage in remediation; implement an effective compliance programme; discipline employees identified by the party as responsible for the oversight; retain business records and prohibit the improper destruction of those records; and take any additional steps that demonstrate recognition of the seriousness of a party’s misconduct.

Considerations before self-reporting

In general, costs associated with making a VSD to either OFAC or the DOJ include legal expenses, government scrutiny, reputational harm and, potentially, large monetary penalties. Tied to the additional scrutiny and investigation by government agencies, apparent violations of US sanctions laws other than those disclosed in the VSD may be discovered during the course of an investigation. When parties are deciding whether or not to submit a VSD, they must weigh these negative factors against the likelihood that a government agency independently discovers or is notified by a third party of the apparent violation and the nature and value of the apparent violation.

A VSD submitted to either OFAC or the DOJ will only be accepted if it is made before there was a significant likelihood that the government would be notified of the apparent violation or otherwise discover it on its own. Additionally, by not making a VSD, parties are forfeiting a valuable opportunity to frame the issue and present any mitigating factors before a government investigation commences.

Prior to proceeding with a VSD, parties should also consider the date a potential violation occurred. The statute of limitations for sanctions violations is generally five years from the date of the apparent violation. However, as part of the settlement process parties may enter into tolling agreements with OFAC, which is considered a mitigating factor, to extend the statute of limitations if it is at risk of expiring during the course of the investigation and settlement process. Parties should also be aware that while the statute of limitation for sanctions violations is generally five years, a criminal investigation conducted by the DOJ may uncover violations of other statutes with significantly longer statutes of limitations.^[48] Depending on the situation, a party may be safe in limiting its investigations and the submission of VSDs to conduct within the past five years; however, parties should be aware that there are instances where the statute of limitations is greater than five years.

Considerations before submitting a VSD to OFAC

The submission of a VSD to OFAC can have several benefits, including as a mitigating factor when calculating a penalty or, in some cases, allowing a party to avoid an enforcement action. OFAC may decline to take action if it determines that the conduct does not constitute a violation, or it may decide that the conduct does not warrant a civil monetary penalty and issue a cautionary letter instead.^[49] However, the main benefit of a VSD is that, if accepted, the VSD will reduce the base amount of the penalty by approximately 50 per cent in both egregious and non-egregious cases.^[50] VSDs are not the only mitigating factors that OFAC takes into account when determining the amount of a penalty. Parties should immediately take any reasonable remedial measures after discovering the apparent violation and discuss those measures in their submission. Additionally, parties should maintain a compliance programme in line with OFAC’s Framework for Compliance Commitments and, to the extent possible, map the apparent violation against their compliance programme and how the party has remedied, or intends to remedy, any deficiencies in its programme.

Further, when submitting a VSD to OFAC, a party must consider the chance that OFAC may launch a broader investigation and uncover additional, undisclosed violations under one of its many sanctions programmes or violations that cause OFAC to notify other government agencies, including a potential referral to the DOJ for criminal enforcement. While notifications made to other government agencies may be considered a VSD for OFAC enforcement purposes, a VSD to OFAC will not qualify as a VSD made to the DOJ. Therefore, parties should carefully consider if there was an element of wilfulness in the apparent violations or other activity that would be considered criminal in nature and would cause OFAC to refer the case to the DOJ. If a party believes that the case may be referred to the DOJ, it should consider submitting a VSD to the DOJ either prior to, or simultaneously with, submitting its VSD to OFAC to benefit from the DOJ’s VSD policy.

Considerations before submitting a VSD to the DOJ

If the party satisfies the three requirements of the DOJ’s VSD policy – voluntarily self-disclosing a violation; fully cooperating with the investigation; and remediating any violations appropriately and in a timely manner – there is a presumption that the party will receive a non-prosecution agreement (NPA) and will pay no fine, absent aggravating factors. However, even if a party receives an NPA, at a minimum the party will not be permitted to retain any of the unlawfully obtained gain and will be required to pay all disgorgement, forfeiture or restitution resulting from the misconduct.

Additionally, even if aggravating circumstances exist, the DOJ will still recommend a fine of at least 50 per cent less for a qualifying party than otherwise would have been levied, and will not require the imposition of a monitor if the party has implemented an effective compliance programme at the time of resolution. In addition to maintaining compliance programmes in line with OFAC’s Framework, parties should ensure their programmes meet the criteria laid out in the DOJ’s updated ‘Evaluation of Corporate Compliance Programs’ guidance document.

While the new VSD policy certainly has issues that businesses must consider before self-reporting, for businesses and the newly included financial institutions, the revised policy is also a potential lifeline to protect them from large financial penalties and potential criminal prosecution as seen in recent DOJ cases regarding UniCredit,^[51] Société Générale^[52] and Halkbank.^[53] Despite this, there are still issues with the policy that may deter business organisations from submitting VSDs to the DOJ.

One factor to take into consideration under the new policy is that it makes clear that a VSD to a regulatory agency will not be enough to qualify for the benefits of the DOJ policy. This is in contrast with OFAC’s position that notification of an apparent violation to another government agency that is considered a VSD by that agency may be considered a VSD by OFAC based on a case-by-case assessment. This, coupled with the requirement that a VSD be made before any imminent threat of disclosure or government investigation, means that parties must decide early in their investigation of a potential violation of sanctions or export laws if they need to file with both regulatory agencies and the DOJ. Investigations can take unexpected turns, however, transforming an ostensible civil issue into a potential criminal matter if evidence of wilfulness is discovered. However, by filing with the DOJ, a party could expose itself to a potential criminal investigation and heavy, continuing disclosure obligations.

Moreover, the policy applies only to the DOJ and does not bind other regulators, including state banking regulators such as the New York State Department of Financial Services or the Federal Reserve. Those other enforcement authorities have their own programmatic mandates, which may be inconsistent with the outcomes available under the new policy. Put differently, self-reporting to the DOJ may earn you the carrot from the DOJ, but you may still face the stick from other regulators.

The key to effectively utilising this policy rests in the foundation of a party’s compliance policies and procedures. Even if the policies and procedures fail to prevent a violation from occurring, they can assist a party in quickly determining the nature and degree of the violation. This should help parties recognise earlier in their investigation of a potential violation whether they need to issue a VSD to the DOJ.

Other notification requirements

During the past few years, the US Securities and Exchange Commission (SEC) has taken a more active role in reviewing economic sanctions compliance. The SEC appears to have taken an interest because of the risks associated with a violation of US sanctions laws. The SEC has increasingly used comment letters^[54] to request additional information from parties regarding the financial and reputational risks from costly regulatory action that may be associated with their disclosures to OFAC and their business activities in sanctioned countries.^[55] Despite this, the SEC has not traditionally acted as an enforcement agency in the mould of OFAC or the DOJ, only seeking disclosure and reporting of sanctions-related risks.^[56] While parties should consider notifying the SEC of apparent violations, this should be done while keeping in mind the requirements for VSD submissions to OFAC and the DOJ. In addition to the SEC, parties should be aware that OFAC maintains memoranda of understanding with several state and federal banking regulatory agencies outlining how they will share information.^[57] Banking regulators, such as the Federal Reserve, may impose penalties on the financial institutions they oversee in connection with apparent violations of US sanctions laws. Accordingly, financial institutions should consider notifying their banking regulators of apparent violations if they plan to submit a VSD to OFAC. However, this should be done while conscious of the requirements for VSD submissions to OFAC and the DOJ.

Parties should also assess whether the apparent violation of US sanctions laws also violates the sanctions laws of other jurisdictions. For example, if a party operates in both the United States and the United Kingdom and commits an apparent violation that would be in breach of sanctions law in both countries, the party should consider making a disclosure to both OFAC and the UK’s Office of Financial Sanctions Implementation. Foreign regulatory agencies may share information regarding apparent violations directly or learn of an apparent violation if it is published by a foreign regulator. Therefore, a party should ensure that it considers whether its actions violate non-US sanctions laws and whether the party would be subject to the jurisdiction of non-US regulators.

Additionally, parties should be aware of how public perception and negative press relating to the discovery of an apparent violation can materially affect a party’s reputation. A VSD and a detailed plan to implement remediation measures targeting the root cause of the apparent violations may mitigate some of the associated reputational damage. However, regardless of how the apparent violation was reported or discovered, public scrutiny still represents a risk factor for future business partners and investors. As a result, reputational damage could lead to lost opportunities and burdensome due diligence requirements imposed by potential business partners.

Anti-money laundering

Suspicious activity reports

Anti-money laundering investigations can overlap with investigations of apparent sanctions violations. Additionally, disclosures to one regulatory authority can notify other authorities of potential violations leading to overlapping investigations for different violations caused by the same action. A financial institution that intentionally attempts to deceive US regulatory authorities or cover up an apparent violation of US sanctions laws, for example, is likely to simultaneously engage in violations of anti-money laundering laws.^[58]

Under the BSA, financial institutions^[59] are required to report ‘any suspicious transaction relevant to a possible violation of law or regulation’. FinCEN has issued regulations implementing the BSA requiring certain financial institutions, including banks, securities broker-dealers, introducing brokers, casinos, futures commission merchants and money services businesses, to report any suspicious activity above a certain dollar threshold in a SAR. Each industry has its own form and, generally, the report must be submitted within 30 days of the detection of the suspicious activity.

OFAC requires financial institutions to submit reports regarding any transactions that were rejected or blocked as a result of the involvement of a person on OFAC’s list of specially designated nationals and blocked persons. These transactions would be considered suspicious activity under the BSA due to the possibility that they violate US sanctions regulations, and financial institutions would be required to submit a SAR to FinCEN. FinCEN’s requirements will be satisfied by filing a rejection or blocking report to OFAC, which will then pass the information to FinCEN.^[60] However, FinCEN notes that any information related to the activity that was not disclosed or included in the blocking report should be included in a separate SAR filed with FinCEN.^[61]

As discussed above, a notice of an apparent violation through a third-party rejection or blocking report will negate any benefit that a party may have received from submitting a VSD. Additionally, because the information filed in a rejection or blocking report will be passed to FinCEN and made available to law enforcement, it could trigger additional investigations relating to money laundering or other civil and criminal offences. Parties should be aware of how regulators share information and how a third-party report may trigger multiple investigations from several government agencies, negating any benefit the party would receive from self-reporting the apparent violation.

In understanding and examining the risks associated with third-party reports, parties should also be aware of the AMLA, ultimately passed on 1 January 2021. The AMLA expands the BSA to include measures to strengthen FinCEN and inter-agency coordination and enforcement, among other provisions such as enhanced regulatory coverage of non-traditional exchanges of value and new beneficial ownership reporting requirements. The AMLA requires the creation of a three-year pilot programme allowing financial institutions to share SARs information with the institution’s foreign branches, subsidiaries and affiliates for the purpose of combating illicit finance risks.^[62] Additionally, the AMLA also requested the establishment of an exchange designed to facilitate information sharing between financial institutions, law enforcement agencies, national security agencies and FinCEN.^[63]

As these programmes continue to develop, the enhanced information-sharing mechanisms and procedures could lead to faster detection by or notification of a potential violation to OFAC, negating any benefits that would be received by self-reporting as the report would no longer be considered voluntary by OFAC. The implementation and effect of these information-sharing programmes should be monitored by parties, and their potential impact on the time it takes for OFAC to independently discover or be notified of an apparent violation considered when deciding if and when to file a VSD.

Resolution of investigations

OFAC has a variety of enforcement options available to it upon learning of a potential violation of US sanctions. If OFAC determines that there is insufficient evidence that a violation has occurred or concludes that the conduct does not warrant an administrative response, then no action will be taken.^[64] In cases where OFAC is aware that the subject of the investigation knows of OFAC’s investigation, it will generally issue a no-action letter. If OFAC determines that there is insufficient evidence of a violation but that the activity in question could lead to a violation or that there is a lack of due diligence in assuring compliance with US sanctions laws, it may issue a cautionary letter.^[65] A cautionary letter will generally lay out OFAC’s concerns about the underlying conduct or concerns regarding the compliance policies, practices and procedures that led to the apparent violation. If OFAC determines that a violation has occurred but that a civil monetary penalty is not appropriate, it may issue a finding of violation.^[66] Although there is no monetary penalty involved, OFAC announces findings of violations in press releases and publishes a notice containing the description of the violations and its analysis, which can cause reputational damage to a party.

Cautionary letter^[67]

OFAC may also impose a civil monetary penalty upon determining that a violation has occurred.^[68] These penalties will be determined in line with OFAC guidelines and subject to the mitigating and aggravating factors described above. Parties may also decide to enter into a settlement with OFAC to reduce their maximum exposure to penalties.^[69] Settlement discussions may be initiated by OFAC or the party that committed the apparent violation. Settlements can be made before or after the issuance of a pre-penalty notice and may also include multiple apparent violations, even if they are covered under separate pre-penalty notices. Notably, OFAC settlements may be a part of a comprehensive settlement with other federal, state or local agencies.

Global settlement^[70]

Finally, OFAC may refer a case to appropriate law enforcement if it determines that the activity warrants a criminal investigation or prosecution (or both).^[71]

Similar to the multiple options available to, and utilised by, OFAC, the DOJ has a variety of enforcement options available to it when closing a case. First, it may choose to resolve a case using a deferred prosecution agreement (DPA) or an NPA. Under a DPA, the DOJ will bring charges against the party committing the violation but agrees not to proceed with those charges so long as the party follows a negotiated set of requirements or conditions. Under an NPA, the DOJ will not file charges against the party and will generally require the party to comply with certain conditions or pay a fine. Additionally, DPAs and NPAs may impose a corporate monitor on the party to the agreement. The party bears the costs of the corporate monitor, and the scope of the monitor’s oversight responsibilities are negotiated by the party and the DOJ. The DOJ may also seek the forfeiture of assets relating to the apparent violation as part of the penalties assessed against the party.

If the DOJ initiates an investigation either through a referral by another government agency or independent discovery of an apparent violation, the offending party may be charged under numerous criminal statutes, depending on the nature of the violation. For example, a single party may be charged for a wilful violation of the IEEPA while simultaneously being charged for fraud, criminal money laundering and other offences committed in coordination with the apparent violation.^[72] These could lead to significant monetary penalties and potential imprisonment for individuals involved in the apparent violation.

Looking ahead to the future of enforcement

Russia’s ongoing invasion of Ukraine is likely to turn the spotlight on sanctions enforcement. The recent criminal indictments related to violations of the 2014 sanctions on Russia are the start of a likely trend towards an enforcement focus on violations of Russia-related sanctions and efforts to evade such sanctions.

Recent OFAC and DOJ actions also suggest that enforcement bodies will focus enforcement of violations by persons outside of the traditional banking sector, historically the target of OFAC’s largest penalties, towards new high-risk sectors such as financial technology businesses and those involved in cryptocurrency trading.

As companies look to strengthen their compliance programmes in an effort to mitigate the risk of violations and subsequent enforcement, OFAC’s Framework will continue to be a valuable guide to what it will look for in a risk-based compliance programme and the key factors it will assess as aggravating and mitigating factors in the event of an enforcement action.

Footnotes