Sanctions: The US Perspective

45.1 Overview of the US sanctions regime

The United States imposes economic and trade sanctions on individuals, entities and jurisdictions based on US foreign policy and national security goals. These measures are administered and enforced primarily by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), through a combination of statutes, regulations, executive orders and interpretive guidance. OFAC’s regulations are strict liability, meaning that OFAC does not need to prove fault or intent to enter an enforcement action and issue a civil penalty. Additionally, if a party wilfully violates US sanctions laws, the Department of Justice (DOJ) and the US Attorney may pursue criminal investigations and enforcement actions. Other regulators, such as the Financial Crimes Enforcement Network and the New York Department of Financial Services, may also play a role in enforcing US sanctions regulations, imposing additional penalties for failures to maintain specific controls to help ensure compliance with OFAC-administered regulations. Both federal and state regulators may pursue enforcement actions for the same conduct simultaneously, potentially leading to multiple related investigations by several entities.

The US maintains comprehensive sanctions programmes, also called embargoes, generally prohibiting activity involving Cuba, Iran, North Korea, Syria and the Crimea region of Ukraine. In addition to comprehensive sanctions, OFAC implements targeted sanctions on specific individuals and entities under one or more of its sanctions programmes targeting various activities, such as narcotics trafficking, terrorism, nuclear or other weapons of mass destruction proliferation activities, or human rights violations. Both direct and indirect activities involving governments, entities or individuals subject to targeted sanctions can give rise to violations of US sanctions laws.

45.1.1Statutes and official guidance

The US maintains several sanctions regimes, each with its own restrictions and regulations. In addition to the country-specific sanctions programmes, such as the Iranian Transactions and Sanctions Regulations (ITSR), which primarily govern US sanctions on Iran, OFAC can also sanction individuals under several targeted sanctions programmes, such as the Foreign Narcotics Kingpin Act or the Global Magnitsky Act. Pursuant to these sanctions regulations, individuals and entities designated by the State or Treasury Departments will be added to OFAC’s List of Specially Designated Nationals and Blocked Persons (the SDN List). US persons are generally prohibited from entering into transactions involving individuals or entities on OFAC’s SDN List as well as any entity of which 50 per cent or more is owned by a person on the SDN List, unless authorised by OFAC with a general or specific licence.

OFAC also imposes sectoral sanctions on entities in identified sectors of Russia’s economy that are listed in OFAC’s Sectoral Sanctions Identification List (SSI List). Listed entities operating in certain sectors of the Russian economy, such as financial services, energy and defence, will be added to the SSI List under one of the four Directives described in Executive Order 13662.[2] Each Directive places specific prohibitions, requirements and restrictions on transactions by US persons with those listed entities.

The Department of the Treasury maintains an updated list of US sanctions programmes and country information on its website.[3] Additionally, OFAC maintains a list of compiled frequently asked questions (FAQs) that provide a wide range of details and guidance on topics, including OFAC’s interpretation of newly issued sanctions regulations, enforcement practices specific to certain sanctions programmes, and the implementation of authorisations provided in general licences.[4] The FAQs are an extremely helpful resource and are updated frequently to reflect changes to OFAC’s sanctions regulations and evolving interpretations. OFAC also regularly releases separate guidance documents that advise companies of specific risk factors for certain industries and suggest best practices for designing an appropriate sanctions compliance programme.

OFAC’s enforcement authority and procedures are set forth in OFAC’s Economic Sanctions and Enforcement Guidelines at 31 CFR Part 501 Appendix A. The guidelines establish, among other things, the potential outcomes of an investigation or enforcement action and the method and relevant factors for calculating the base penalty amount of an apparent sanctions violation.

45.1.2Persons to whom sanctions apply

US economic sanctions generally restrict activities within the jurisdiction of the United States and by US persons, generally defined as any US citizen, permanent resident alien, entity organised under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States.[5] These restrictions also create potential liability for non-US persons causing a US person to violate US sanctions. For Iran and Cuba, the prohibitions also extend to any entity owned or controlled by a US person.

The US government may also impose sanctions against non-US persons for certain activity, even with no US nexus. ‘Secondary sanctions’ authorise OFAC or the State Department to impose sanctions against non-US persons for certain specified activity with Iran, Russia, North Korea and Syria. These sanctions are intended to discourage non-US persons from engaging in the specified activity and can result in the imposition of sanctions against the foreign company itself. For example, the United States reimposed secondary sanctions for certain activity involving specified sectors of the Iranian economy following its withdrawal from the Joint Comprehensive Plan of Action (JCPOA). This means that non-US persons may be subject to US sanctions for engaging in significant activity involving Iran’s automotive, shipping, shipbuilding and energy sectors, and in significant transactions involving Iranian SDNs.[6]


OFAC may issue a general licence or a specific licence to authorise certain activity that would otherwise be prohibited by an applicable sanctions programme.

A general licence is generally available to any person engaging in activity that fits the criteria set forth in the licence. Each general licence is specific to a particular sanctions programme and generally offers broad authorisations covering certain categories of transactions. For example, a general licence is typically available to authorise the export of food, medicine and medical devices to countries subject to a comprehensive embargo. In addition to the general licence for the export of food, medicine and medical devices, most sanctions programmes also include, among other authorisations, general licences permitting certain transactions with respect to official business of the US federal government or international organisations such as the United Nations, certain transactions related to the transmission of telecommunications and the services for personal communications, and the provision of legal services related to the requirements and compliance with US law.

It is important to analyse carefully the general licence specific to each country programme as the relevant requirements and restrictions may vary from programme to programme. For example, the general licence for the export of agricultural commodities, medicine and medical devices to Iran, set forth in the ITSR, includes authorisations only for certain ‘covered persons’ and excludes the export of some specified goods.[7] Furthermore, some sanctions programmes contain general licences authorising the export of certain goods or services that are highly tailored to a specific country and its respective sanctions programme and that do not appear in any form in other country sanctions programmes. For example, Cuba and Venezuela have highly individualised sets of general licences that change frequently and are specific to the unique sanctions programme for each country. Additional information on these country programmes is provided in detail below.

Specific licences are granted case by case under certain limited situations and conditions. Requests for specific licences may be submitted directly to OFAC. These licences will typically be granted only if the activity is in the interest of US foreign policy.

45.1.4Key jurisdictions

As noted above, the United States maintains comprehensive sanctions on Cuba, Iran, North Korea, Syria and the Crimea Region of Ukraine. Additionally, OFAC imposes significant sanctions on state-owned entities in Russia and the government of Venezuela. Cuba

The comprehensive sanctions on Cuba, governed by the Cuban Assets Control Regulations (CACR),[8] generally prohibit any transaction by a person subject to US jurisdiction, including foreign entities owned or controlled by a US person, in which Cuba or a Cuban national has an interest. This includes the export of goods and services, including financial services, to Cuba and the import of Cuban goods into the United States. US persons are also prohibited from approving, financing, facilitating or guaranteeing any transaction by a foreign person in which they would be prohibited from engaging themselves.

The CACR contains several general licences authorising activities supporting the Cuban people and private enterprise in Cuba.[9] Additionally, the CACR currently contains general licences regarding travel-related transactions for a variety of specified activities. All general licences should be checked frequently to confirm that relevant authorisations are still in effect and that additional restrictions or requirements have not been placed, limiting the scope of the general licences. Iran

OFAC’s sanctions programme on Iran is primarily governed by the ITSR.[10] The Regulations generally prohibit the export, re-export, sale or supply, directly or indirectly, from the United States or by a US person, wherever located, of any goods, technology or services to Iran and the facilitation by a US person of transactions by a foreign person in which they would otherwise be prohibited from engaging under the Regulations. The prohibitions in the ITSR also apply to foreign entities owned or controlled by a US person.

After the reimposition of sanctions on Iran following the United States’ withdrawal from the JCPOA on 8 May 2018, OFAC reimposed significant secondary sanctions that threaten sanctions on non-US persons for transactions involving Iranian SDNs and for specified activities in key sectors of the Iranian economy.[11] North Korea

The North Korean Sanctions Regulations[12] generally prohibit the export, re-export, sale or supply, directly or indirectly, from the United States or by a US person, wherever located, of any goods, technology or services to North Korea and the facilitation by a US person of transactions by a foreign person in which they would otherwise be prohibited from engaging under the Regulations.

In addition to the primary sanctions detailed above, a number of North Korea-related executive orders authorise the Secretary of the Treasury to impose secondary sanctions on persons determined by the Secretary of the Treasury to be engaging in certain specified commercial activities involving North Korea.[13] Syria

The Syrian Sanctions Regulations[14] generally prohibit, among other things: the export, re-export, sale or supply, directly or indirectly, from the United States or by a US person, wherever located, of any services to Syria; and the facilitation by a US person of transactions by a foreign person in which the US person would otherwise be prohibited from engaging under the Regulations.

Additionally, Section 7412 of the National Defense Authorization Act for Fiscal Year 2020 (also titled the Caesar Syria Civilian Protection Act of 2019) provided authorisation for the President to impose sanctions against any foreign person determined to knowingly provide significant financial, material or technological support to, or knowingly engage in a significant transaction with certain persons in Syria, primarily relating to the government of Syria and its military.[15] Crimea region of Ukraine

The Ukraine-Related Sanctions Regulations generally prohibit the export re-export, sale or supply, directly or indirectly, from the United States or by a US person, wherever located, of any goods, technology or services to Crimea and the facilitation by a US person of transactions by a foreign person in which they would otherwise be prohibited from engaging under the Ukraine-Related Sanctions.[16] Russia

Russia is not subject to a comprehensive embargo but rather significant targeted sectoral sanctions on individuals and entities in identified sectors of Russia’s economy. To begin, a number of Russian individuals and entities appear on OFAC’s SDN List. In addition, pursuant to Executive Order 13662,[17] OFAC issued Directives 1, 2, 3 and 4 imposing sectoral sanctions against entities identified on OFAC’s SSI List[18] operating in certain sectors of the Russian economy, such as financial services, energy and defence.[19]

  • Directives 1, 2 and 3 contain prohibitions on dealing in new debt with a maturity longer than that defined in the Directive or, for Directive 1, new equity on behalf of designated Russian entities operating in Russia’s financial, energy and defence sectors.
  • Directive 4 prohibits the export or re-export by a US person, directly or indirectly, of goods, services or technology in support of deep water, Arctic offshore or shale projects, including new projects outside Russia in which an entity subject to Directive 4 has an ownership interest of 33 per cent or more.

Companies engaging in transactions with SSI entities should ensure that they scrutinise payment terms to ensure that the terms do not violate the requirements of the applicable Directive.

The United States also maintains secondary sanctions on Russia. The Countering America’s Adversaries Through Sanctions Act (CAATSA) mandates the imposition of sanctions against persons that the President determines have knowingly facilitated a ‘significant transaction’[20] for or on behalf of any person subject to sanctions imposed by the United States with respect to the Russian Federation, including for or on behalf of a Russian person or entity on OFAC’s SDN List.[21] OFAC has effectively limited this threat of sanctions to transactions with any Russian person on its SDN list.[22]

CAATSA also mandates that the President impose sanctions on persons determined to have knowingly engaged in a significant transaction with a person involved in the intelligence or defence sectors of the Russian government. The Department of State published the List Regarding the Defense Sector of the Government of the Russian Federation[23] of persons determined to be part of, or operating for or on behalf of, the defence or intelligence sectors of the government of the Russian Federation.[24]

Finally, CAATSA also mandates that the President impose sanctions on persons determined to have made significant investments above a specified threshold that directly and significantly contribute to Russia’s ability to construct energy export pipeline projects initiated on or before 2 August 2017, or that provide significant goods, services, technology, information or support to directly and significantly facilitate the maintenance or expansion of the construction, modernisation or repair of energy export pipelines.[25] Venezuela

Executive Order 13884 blocks all property and interests in property of the government of Venezuela.[26] This means that US persons are generally prohibited from engaging in any transaction in which the government of Venezuela has an interest, including with entities of which 50 per cent or more is owned by the government of Venezuela.

Additionally, Executive Order 13850 blocks the property of additional persons who may be contributing to the situation in Venezuela, including those operating in specified sectors of the Venezuelan economy as determined by the Secretary of the Treasury.[27] Notably, OFAC designated the Venezuelan state oil company, Petróleos de Venezuela, SA, pursuant to this authority on 28 January 2019.

There are currently 26 active general licences authorising certain activities by US persons that would otherwise be prohibited by the Executive Orders in the Venezuela-related sanctions programme. A majority of these general licences change frequently and are very specific as to what actions they authorise and to whom they apply. As such, companies should ensure they scrutinise and carefully monitor any general licence relied on to conduct business otherwise prohibited by the Venezuela-related Executive Orders.

45.2 Offences and penalties

Generally, US primary sanctions prohibit transactions only by US persons or transactions subject to US jurisdiction. For Cuba and Iran, the restrictions also apply to foreign entities that are owned or controlled by a US person. ‘Owned or controlled’ is understood to encompass holding at least 50 per cent of the equity interest by vote or value, a majority of seats on the board of directors, or otherwise controlling actions, policies and personnel decisions of the foreign entity.[28] For example, in 2019, OFAC entered enforcement proceedings against General Electric regarding apparent violations by three of its non-US subsidiaries for accepting payments from a party owned by the Cuban government and on OFAC’s SDN List.[29]

Non-US companies face potential liability for exporting goods or services from the United States in violation of US sanctions or for ‘causing a violation’ by involving a US person in a transaction that would be prohibited for that US person.[30] A non-US person can cause a violation by a US person by transacting in US dollars. The use of US dollars generally requires clearance through a US correspondent bank and therefore involves the services of a US financial institution. For example, in 2019, UniCredit Bank AG, a financial institution headquartered in Germany, agreed to a settlement regarding violations of several sanctions regulations, including operating US dollar accounts on behalf of the Islamic Republic of Iran Shipping Lines (IRISL) and several companies owned by or affiliated with IRISL after it was added to OFAC’s SDN List in 2008.[31] Another example can be found in OFAC’s enforcement action against Standard Chartered Bank (SCB), a financial institution headquartered in the United Kingdom. In 2019, SCB entered into a global settlement with OFAC and other US federal agencies for processing transactions involving persons or countries subject to comprehensive sanctions. The majority of the transactions concerned Iran-related accounts maintained by SCB’s Dubai branches that processed US dollar transactions through SCB’s branch office in New York or other US financial institutions.[32]

As noted above, OFAC or the State Department may also impose secondary sanctions on non-US companies, even with no US nexus to the activity. Under secondary sanctions, access by a non-US company to US markets or the US financial system may be restricted, including by being added to the SDN List, if it engages in certain conduct relating to Iran, Russia or North Korea.

45.3 Commencement of sanctions investigations

The US government can learn of a potential sanctions violation in a number of ways, including through voluntary self-disclosure (VSD), a report of a blocked or rejected transaction, referral from another government agency, and even publicly available information, such as a media report.

If a company learns of a potential violation itself, it may submit a VSD to OFAC. Filing a VSD with OFAC has many benefits, including a significant reduction in the base penalty amount calculated for a potential enforcement action. However, parties should carefully consider whether to submit a VSD to OFAC based on the circumstances of and facts surrounding the potential violation and their history of engagement with OFAC. VSDs are discussed further below.

In addition to VSDs, the US government often learns of potential violations through blocked or rejected transaction reports filed by US persons, typically financial institutions, based on suspected sanctions violations. Beginning in June 2019, all US persons are required to submit blocking and reject reports to OFAC within 10 business days of the action to block or reject a transaction.[33] Prior to the new regulations, all parties already had an obligation to report trans­actions involving blocked property to OFAC, but only US financial institutions were obliged to report rejected transactions.[34]

OFAC also may learn of sanctions violations through anti-money laundering reports, primarily suspicious activity reports, or through criminal investigations conducted by the DOJ or other federal and state law enforcement agencies.

On learning of a potential violation, OFAC may send an initial request for information to the parties with an administrative subpoena or, depending on the nature of the violation, send an informal set of questions to the involved parties, including non-US persons.

45.4 Enforcement

45.4.1Factors to consider

It is important to note that the test in the United States for civil enforcement of sanctions is one of strict liability. This means that companies can be liable for sanctions violations without proof of either knowledge, fault or intent, highlighting the importance of sanctions compliance programmes. It is also important for parties to determine whether there was a wilful violation of US sanctions laws that could lead to a potential criminal investigation or enforcement action. Parties should balance the need to move quickly after identifying a potential violation with taking the time to understand the nature of the violation to determine whether a VSD is appropriate and to whom the parties should report.

45.4.2Compliance framework

In May 2019, OFAC issued its Framework for Compliance Commitments.[35] This guidance document encourages a risk-based approach, noting that no single compliance programme is suitable for every institution. However, the document provides five components that OFAC highlights as essential to any effective compliance programme: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Since publishing the Framework, OFAC has made a point of highlighting the importance of an effective risk-based compliance programme, and has reserved the final paragraph of published enforcement actions to discuss how the facts relate to the Framework and how both the party subject to the enforcement actions and other businesses in its industry can mitigate risks by using the Framework.[36] OFAC has indicated that the strength of a party’s compliance programme can also be a significant mitigating or aggravating factor that OFAC will take into consideration when calculating a penalty amount.[37]

To further mitigate sanctions risks, parties should also ensure that their compliance programme meets the criteria presented in the DOJ’s ‘Evaluation of Corporate Compliance Programs’.[38] As discussed in more detail below, the DOJ will evaluate a party’s compliance programme when determining whether to impose a monitor on the party once an enforcement action relating to an apparent violation of US sanctions laws is concluded.

45.4.3Best practices

Once an investigation has commenced, parties should proactively collaborate and co-operate with the agency conducting the investigation. OFAC enforcement actions and enforcement guidelines highlight co-operation as a mitigating factor to be taken into account in an enforcement action.[39] Furthermore, if the DOJ is conducting an investigation relating to a wilful violation of US sanctions, the party must fully co-operate with the DOJ to receive the benefits associated with submitting a VSD. Generally, full co-operation includes internal investigations to discover the root cause of an apparent violation, responding to regulators’ requests for additional information in a timely and complete manner, preserving all sensitive or relevant documents, and collaborating with regulators to develop and implement effective remedial measures.[40]

Once an investigation has commenced, under no circumstances should parties attempt to hide or destroy material information or evidence. Any indication that the parties have attempted to oppose an investigation is likely to lead federal and state investigators taking a more hostile approach. Self-reporting to OFAC

OFAC generally views VSDs favourably and a VSD to OFAC will reduce the base penalty amount of an apparent violation by up to 50 per cent. To be considered voluntary, a disclosure must be self-initiated and must be submitted to OFAC before OFAC or any other government agency or official discovers the apparent violation. One exception to this is that a VSD to another government agency may be considered a VSD to OFAC case by case. When making a VSD to OFAC, the VSD must include, or be followed by, a report containing sufficient details to provide a complete understanding of the circumstances of the apparent violation. In some instances, it may be beneficial to the party to make a preliminary disclosure to OFAC before knowing all the facts so as to make a timely disclosure and ensure the disclosure is considered voluntary. Parties should ensure that their VSD and follow-up report contain all the details known at the time they are made. Parties submitting VSDs should also be prepared to respond to any follow-up enquiries by OFAC.[41]

OFAC’s enforcement guidelines list several instances where notices to OFAC will not be considered a VSD, including licence applications, notifications from a third party of an apparent violation or substantially similar apparent violation because it blocked or rejected a transaction, or if the disclosure:

  • includes false or misleading information or is materially incomplete;
  • is not self-initiated;
  • is made without the authorisation of senior management; or
  • is in response to an administrative subpoena or other enquiry form.[42] Self-reporting to the DOJ

The DOJ’s updated VSD policy, published on 13 December 2019, states that all business organisations, including financial institutions, are eligible for all the benefits detailed by the policy.[43] Similar to other DOJ self-disclosure policies, companies are eligible for the benefits of the updated VSD policy when they (1) voluntarily self-disclose export control or sanctions violations to the National Security Division’s Counterintelligence and Export Control Section (CES), (2) fully co-operate with the investigation, and (3) remediate any violations appropriately and in a timely manner. The threshold for eligibility is self-disclosure of potential violations to CES. Unlike with OFAC, self-disclosing to any other regulatory agency is not considered an eligible VSD to the DOJ under its new policy.[44] Accordingly, to obtain the benefit of self-disclosure in a criminal investigation, parties must disclose to DOJ before OFAC.

For a party’s disclosure to be considered voluntary, it must be made before there is an imminent threat of disclosure or government investigation, and reasonably promptly after discovery of the offence. Further, the party must disclose all relevant facts known to it at the time of the disclosure.[45] To receive credit for full co-operation, parties are required to:

  • disclose all relevant facts in a timely manner;
  • co-operate proactively with the DOJ;
  • preserve, collect and disclose all relevant documents and information;
  • deconflict witness interviews when required; and
  • make officers and employees of the party available for interviews by the DOJ when so requested.[46]

Finally parties are required to demonstrate a thorough analysis of the causes of underlying conduct and, where appropriate, engage in remediation; implement an effective compliance programme; discipline employees identified by the party as responsible for the oversight; retain business records and prohibit the improper destruction of those records; and take any additional steps that demonstrate recognition of the seriousness of a party’s misconduct.[47]


Submitting a VSD to OFAC can have several benefits, the most significant of which is that it is considered a mitigating factor in the calculation of a potential penalty amount. In some cases, a VSD can allow a party to avoid an enforcement action altogether if OFAC determines the conduct does not constitute a violation or that it does not warrant a civil monetary penalty. However, there are general costs associated with making a VSD to either OFAC or the DOJ, including legal expenses, government investigation, additional scrutiny, reputational harm and, in some cases, large monetary penalties. There is also the potential for a government investigation to reveal unknown or undisclosed violations.

When submitting a VSD to OFAC in particular, parties should carefully consider the possibility that the conduct was wilful and that, as a result, OFAC may refer the case to the DOJ for criminal enforcement. As stated above, a VSD to OFAC or other regulatory agencies will not qualify as a VSD to the DOJ.

If a party submits a VSD to the DOJ that satisfies the requirements of its updated VSD policy, there is a presumption that the party will receive a non-prosecution agreement and will pay no fine, absent aggravating factors.[48] However, even if a party receives a non-prosecution agreement, at a minimum the party will not be permitted to retain any of the unlawfully obtained gain and will be required to pay all disgorgement, forfeiture or restitution resulting from the misconduct. [49] Even if there are aggravating circumstances, the DOJ will still recommend a fine of at least 50 per cent less for a qualifying party than would have been levied absent a VSD, and will not require the imposition of a monitor if the party has implemented an effective compliance programme at the time of resolution. [50] It should also be noted that by filing with the DOJ, a party may invite a criminal investigation in addition to heavy, continuing disclosure obligations.

Overall, effective use of OFAC and the DOJ’s VSD programmes rests in the strength of a party’s compliance programme, policy and procedures. Even if the policy and procedures fail to prevent an apparent violation, they can help parties quickly and more accurately determine the nature of the violation and whether a VSD to OFAC or the DOJ is necessary and beneficial.

Other government authorities

In addition to OFAC and the DOJ, parties should also consider notifying potential violations to relevant US and non-US regulators, shareholders, counterparties, insurers and other interested parties. Parties should also be aware that OFAC maintains memoranda of understanding with several state and federal banking regulatory agencies, which may impose penalties on financial institutions in connection with apparent violations of US sanctions laws.[51] As such, financial institutions should consider notifying their regulators of potential violations. Parties should also determine whether the potential violation of US sanctions laws also violates sanctions laws in foreign jurisdictions and whether it would be appropriate to make disclosures to the relevant regulatory bodies. All these considerations should be made while conscious of the requirements for VSD submissions to OFAC and the DOJ, namely, when a VSD is no longer considered eligible for the benefits. Settlement

OFAC enforcement actions often end in settlement. Settlement discussions may be initiated by either OFAC or the party committing the apparent violation at several points during the enforcement process. These settlements can also include multiple violations or be a part of a comprehensive settlement with other federal, state or local agencies that are also pursuing investigations or enforcement actions relating to the apparent violation. One example of this is UniCredit Bank AG agreeing to pay approximately US$611 million to OFAC as part of a US$1.3 billion settlement with federal and state government partners.[52]

45.5 Trends and key issues

45.5.1Recent enforcement activity

Since the release of its Framework for Compliance Commitments in May 2019, OFAC has been able to map compliance programmes against the Framework to determine whether a party’s compliance programme should be considered an aggravating or mitigating factor. For example, in an enforcement action against Eagle Shipping International, OFAC stated that:

[a]s noted in OFAC’s Framework for Compliance Commitments, this case demonstrates the importance for companies operating in high-risk industries (e.g., international shipping and trading) to implement risk-based compliance measures, especially when engaging in transactions involving exposure to jurisdictions or persons implicated by US sanctions.[53]

Recent enforcement activity has also shown that OFAC is willing to use a minimal or indirect nexus to the United States to proceed with an enforcement action against a non-US party.

An example of OFAC considering even tenuous and indirect contact with US financial institutions as grounds for an enforcement action can be found in the 2019 enforcement action against the British Arab Commercial Bank (BACB). OFAC found that BACB violated Sudanese sanctions stemming from the processing of 72 transactions despite the fact that the transactions at issue were not processed and did not go through US financial institutions. BACB operated a nostro account in a country that imports Sudanese-origin oil for the stated purpose of facilitating payments involving Sudan. The nostro account was funded by routing large, periodic US-dollar denominated wire transfers from banks in Europe, which in turn passed through US financial institutions. OFAC determined that this indirect link to US financial institutions was sufficient to enter an enforcement action.[54]

OFAC has also showed its willingness to expand its extraterritorial jurisdiction to penalise non-US companies for transactions that would not have been covered by OFAC’s jurisdiction if not for the use of servers located in the United States. In an enforcement action against Société Internationale de Télécommunications Aéronautiques SCRL (SITA), OFAC’s basis for jurisdiction over SITA, a global information technology services provider headquartered in Switzerland and serving commercial air transportation, was that the technology provided to sanctioned parties was hosted on, and incorporated functions that routed messages through, US servers and contained US-origin software.[55]

45.5.2Potential pitfalls

Companies should be wary of OFAC’s continued use of increasingly indirect and tenuous links to the US financial system to bring enforcement actions against foreign parties for ‘causing a violation’ by US banks. As such, non-US companies should scrutinise the structure of transactions to or with persons or countries subject to US sanctions to ensure that there are no potential direct or indirect links to the US financial system, including transactions that use US dollars. Additionally, given the emphasis OFAC places on its Framework for Compliance Commitments, companies should ensure that their compliance programmes are in line with the Framework.


[1] David Mortlock is a managing partner, and Nikki Cronin and Ahmad El-Gamal are associates, at Willkie Farr & Gallagher LLP.

[2] Exec. Order No. 13662, 79 Fed. Reg. 16169-71 (24 March 2014).

[4] The US Department of the Treasury’s Office of Foreign Assets Control [OFAC] FAQs are available at

[5] See OFAC FAQ #11.

[6] OFAC will consider the totality of the circumstances when determining whether a transaction is significant, using seven factors: (1) the size, number and frequency of the transaction(s); (2) the nature of the transaction(s); (3) the level of awareness of management and whether the transaction(s) are part of a pattern of conduct; (4) the nexus between the transaction(s) and a blocked person; (5) the impact of the transaction(s) on statutory objectives; (6) whether the transaction(s) involve deceptive practices; and (7) such other factors that the Secretary of the Treasury deems relevant case by case. OFAC FAQ #545.

[7] 31 CFR §§ 560.530 (3)(ii), 560.530 (4).

[8] 31 CFR Part 515.

[9] 31 CFR §§ 515.502 to 515.591.

[10] 31 CFR Part 560.

[11] Exec. Orders 13902 and 13871 authorise the imposition of secondary sanctions on specified transactions involving Iran’s iron, steel, aluminium copper, construction, mining, manufacturing and textile sectors. See Exec. Order No. 13902, 85 Fed. Reg. 2003 (10 January 2020); Exec. Order No. 13871, 84 Fed. Reg. 20761 (May 10, 2019).

[12] 31 CFR Part 510.

[13] Exec. Order No. 13810, 82 Fed. Reg. 44705 (20 September 2017).

[14] 31 CFR Part 542.

[15] Caesar Civilian Protection Act, Section 7412(2) of the National Defense Authorization Act for Fiscal Year 2020.

[16] 31 CFR Part 589.

[17] Exec. Order No. 13662, 79 Fed. Reg. 16169-71 (24 March 2014).

[19] Exec. Order No. 13662, 79 Fed. Reg. 16167 (20 March 2014).

[20] See discussion on ‘significant transactions’, supra note 6.

[21] See Countering America’s Adversaries Through Sanctions Act [CAATSA] § 228.

[22] OFAC FAQ #541.

[23] The US Department of State’s List Regarding the Defense Sector of the Government of the Russian Federation can be found at

[24] See CAATSA § 231.

[25] CAATSA § 232.

[26] Exec. Order No. 13884, 84 Fed. Reg. 38843 (6 August 2019).

[27] Exec. Order No. 13850, 83 Fed. Reg. 55243 (2 November 2018).

[28] 31 CFR §§ 515.329, 560.215.

[29] See ‘OFAC Enforcement Information for October 1, 2019’, The General Electric Company, available at

[30] 50 USC § 1705.

[31] See ‘OFAC Enforcement Information for April 15, 2019’, UniCredit Bank AG, available at

[32] See ‘OFAC Enforcement Information for April 9, 2019’, Standard Chartered Bank, available at

[33] See 31 CFR § 501.603.

[34] An example of OFAC learning of a potential violation through a blocked transaction report can be found in the enforcement action against Hotelbeds USA. OFAC was notified of the apparent violations through a blocked payment report filed by a US financial instructions relation to a Cuba-travel related transaction. See OFAC ‘Enforcement Information for June 13, 2019’, at

[35] ‘A Framework for OFAC Compliance Commitments’ is available at

[36] See ‘OFAC Enforcement Information for February 26, 2020’, Société International de Télécommunications Aéronautiques SCRL, available at (‘As noted in OFAC’s Framework for Compliance Commitments issued in May 2019, companies can mitigate sanctions risks by conducting risk assessments and exercising caution when engaging in business transactions with entities that are affiliated with, or known to transact with, OFAC-sanctioned persons or jurisdictions, or otherwise pose high risks due to their joint ventures, affiliates, subsidiaries, customers, suppliers, geographic location, or the products and services they offer’).

[37] In OFAC’s enforcement action against Haverly Systems for violations of the Ukraine Related Sanctions Regulations, OFAC considered the fact that Haverly did not have a formal OFAC sanctions compliance programme at the time the apparent violations occurred was an aggravating factor. See ‘OFAC Enforcement Information for April 25, 2019’, available at

[38] The DOJ’s ‘Evaluation of Corporate Compliance Programs’ is available at

[39] For example, in OFAC’s enforcement action against Stanley Black & Decker, Inc and its subsidiary, OFAC found that Stanley Black & Decker’s co-operation with OFAC, including an extensive internal investigation and meaningful responses to OFAC’s requests for additional information, was a mitigating factor when determining the penalty amount. See OFAC ‘Enforcement Information for March 27, 2019’, available at

[40] For guidance on co-operating with OFAC, see 31 CFR 501 Appendix A(III)(G). For guidance on the requirements necessary for credit for full co-operation with a DOJ sanctions-related investigation, see DOJ Export Control and Sanctions Enforcement Policy for Business Organizations, pp. 3 to 5.

[41] 31 CFR 501 Appendix A(I)(I).

[43] The DOJ’s ‘Export Control and Sanctions Enforcement Policy for Business Organizations’ is available at

[44] Id., at p. 3.

[46] Id., at pp. 3 to 5.

[47] Id., at pp. 5 to 6.

[48] Id., at pp. 2 to 3.

[51] The Department of the Treasury maintains a list of memoranda of understanding between OFAC and state and federal banking regulators at

[52] See, e.g., US Department of the Treasury press release, ‘U.S. Treasury Department Announces Settlement with UniCredit Group Banks’ (15 April 2019), available at

[53] See OFAC ‘Enforcement Information for January 27, 2020’, Eagle Shipping International, available at

[54] See OFAC ‘Enforcement Information for September 17, 2019’, British Arab Commercial Bank, available at

[55] See OFAC ‘Enforcement Information for February 26, 2020’, Société Internationale de Télécommunications Aéronautiques SCRL, available at

Unlock unlimited access to all Global Investigations Review content