Applying Lessons Learned from Recent US Sanctions Enforcement Cases

In summary

A review of the US Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent public enforcement actions reveal several primary themes that organisations should be mindful of when reviewing and updating their compliance programmes. First, organisations should ensure that they understand and address the circumstances in which their activities will be subject to US jurisdiction. Organisations should also consider and implement measures to account for risks specific to their industry. Finally, an effective compliance programme should be subject to periodic reviews and involve audits, training and other activities designed to foster a culture of compliance.

Discussion points

• OFAC’s enforcement actions underscore the importance that organisations understand the extent to which their activities are subject to US jurisdiction
• Organisations should ensure that they address risks specific to their industry and incorporate OFAC’s industry guidance into their compliance programmes
• Even where OFAC guidance related to an industry is specific, organisations should apply that guidance to its activities more broadly
• Training, auditing, and other activities to foster a culture of compliance are viewed by OFAC as critical to an effective compliance programme
• Organisations should also ensure they proactively monitor and audit their activities and respond to reports of potential noncompliance

Referenced in this article

• US Department of the Treasury, Office of Foreign Assets Control
• US Department of the Treasury, A Framework for OFAC Compliance Commitments, 2 May 2019

Among the materials published by the US Treasury Department’s Office of Foreign Assets Control (OFAC) to its website is information regarding the agency’s public enforcement actions.^[1] Agency personnel have frequently referred practitioners and compliance personnel to this information when discussing the agency’s approach to compliance and it has served as a source of insight into industries and activities of interest to the agency, as well as the expectations of the agency. These enforcement actions have clarified the agency’s position on what constitutes a violation and what factors the agency considers when determining whether to impose a monetary penalty and what penalty to impose in connection with violations. In years past, such enforcement actions often included a discussion of the relevant facts, a description of the violation and a recitation of aggravating and mitigating factors that OFAC considered when reaching its enforcement determination. Following OFAC’s May 2019 publication of ‘A Framework for OFAC Compliance Commitments’ (the Framework),^[2] OFAC began to include additional relevant information in its enforcement actions. This information now specifically identifies for organisations the compliance considerations that OFAC has identified as most important in connection with the enforcement action.

OFAC public enforcement actions: the past 18 months

There were 43 total public enforcement actions between 1 January 2018 and 30 June 2020. Enforcement actions in 2019 included four findings of violation and 26 settlements, with a total value of settlements of approximately US$1.2 billion. Enforcement actions from 1 January 2020 through 30 June 2020 included one finding of violation and four settlements, with a total value of settlements of approximately US$9.2 million.

Approximately a third of the 43 enforcement actions between 1 January 2018 and 30 June 2020 were against non-US entities; these included both activities of non-US entities owned or controlled by US persons, as well as non-US entities, in which the relevant activities had some other US jurisdictional nexus. Of the enforcement actions against US companies, approximately 30 per cent of those cases involved actions by non-US subsidiaries of US companies.

The most prevalent industry covered by enforcement actions during this time period was the financial services industry, representatives of which were the target of approximately a third of total public enforcement actions, followed by the logistics and shipping industry, which was the subject of approximately 25 per cent of total public enforcement actions.

Lessons learned: key considerations for organisations based on recent enforcement actions

OFAC has published information regarding its enforcement actions for a number of years. The information in these enforcement actions provides important context regarding the facts and issues most important to OFAC in reaching its enforcement decisions. OFAC summarised some of the themes from historic enforcement actions in its annex to the Framework, in which it set out root causes of compliance failures leading to OFAC enforcement actions. Following the publication of the Framework, OFAC began identifying in its public enforcement information the compliance considerations highlighted by the particular enforcement action, which calls readers’ attention to the compliance considerations that OFAC deems to be the most important. In reviewing recent public enforcement actions, several primary themes arise, including:

• the importance that organisations understand and address all potential touch points to US jurisdiction in their activities;
• the need for organisations to consider and implement compliance measures that account for risks based on their industry; and
• the expectation that organisations will conduct periodic reviews of their compliance programmes and undertake audits, trainings and other actions that will foster a culture of compliance.

This chapter will address each of these themes in the context of OFAC’s recent public enforcement actions.

Understanding and addressing touchpoints to US jurisdiction

One of the primary themes emerging from OFAC’s recent public enforcement actions is the importance that organisations assess and understand their touchpoints to US jurisdiction and ensure all such touchpoints are addressed in the organisation’s compliance programme. OFAC has long stated that it expects organisations to undertake a risk-based approach to compliance. In its Framework, OFAC calls for organisations to conduct:

a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world . . . [in order] to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries or regions. ^[3]

OFAC views this review to identify and address an organisation’s risks as a necessary first step to implementing an effective risk-based approach to compliance.

For US entities, this includes reviewing customers, suppliers and vendors to ensure that all such persons and entities are screened and conducting diligence to ensure that transactions otherwise do not involve sanctioned persons or destinations. It also includes identifying circumstances or activities that could give rise to risks under the prohibitions against engaging in activities that facilitate, evade or cause a violation of US sanctions.

For non-US entities, this assessment is particularly important. That approximately a third of OFAC’s public enforcement actions over the past two years were against a non-US entity only further supports this point. Among the topic areas that non-US organisations should include when conducting an assessment of their touchpoints with US jurisdiction are the following.

• Does the entity have locations (eg, branches) in the United States? Do any employees of the entity work in the United States? Will any such entities or employees be involved in activities that could involve a sanctioned party or destination?
• Is the entity a subsidiary (directly or indirectly) of a US entity or is it owned or controlled by US persons?
• Are any employees, regardless of their location, US citizens or legal permanent residents?
• Do any activities take place in the United States? Will there be any provision of goods, software or services from the United States?
• Does the entity source goods, software or technology from the United States?
• Does the entity process funds through any US financial institutions?
• Does the entity conduct business in US dollars?

Each of the above questions is relevant to an organisation’s understanding of the circumstances in which its activities are subject to US jurisdiction; a lack of understanding in this regard has been identified by OFAC as a root cause of sanctions violations. Organisations should ensure that they evaluate and address their touchpoints to US jurisdiction, both when new business opportunities arise and periodically to ensure that any changes to the business (including its activities, locations and personnel) are taken into account.

There are two aspects in which having an understanding of your organisation’s potential touchpoints to US jurisdiction is important. First, these potential touchpoints should inform your compliance programme as a general matter – each of these touchpoints should be considered when designing or updating compliance measures in place generally throughout the organisation. Second, these touchpoints to US jurisdiction should also be considered when evaluating specific transactions that have been identified as potentially involving a sanctioned person or destination. Hence, organisations should ensure that they consider US jurisdictional questions with respect to their activities generally and when evaluating specific transactions that may give rise to sanctions risks.

For entities with a complex organisational structure, having a complete understanding of that structure is important, particularly when it comes to assessing the applicability of prohibitions under the US sanctions regimes against Cuba and Iran. Under the Cuba and Iran sanctions programmes, the prohibitions applicable to US persons apply in full to entities owned or controlled by US persons or entities. Hence, a UK entity that is owned 50 per cent or more by a US citizen is subject to all of the prohibitions under the Iran and Cuba sanctions programmes that are applicable to US persons. The same analysis applies in cases where a US company acts as an intermediary company in an ownership chain. Any subsidiaries that are owned or controlled by that US company are subject to the prohibitions applicable to US entities under the US sanctions against Iran and Cuba. Hence, it is important that global organisations (particularly those with organisational structures that include holding companies or intermediary companies organised in a variety of jurisdictions) identify any entities in their organisational structure that will be subject to US jurisdiction and ensure that the compliance programme for such entities addresses US sanctions risks.

Further, to the extent that any such entities are located in Canada, the European Union or certain other jurisdictions, organisations may also need to consider the effect under local law of blocking statutes, which prohibit companies from refusing to engage in activities with certain destinations (ie, Cuba and Iran) when such refusal results from US sanctions. Because OFAC expects persons to comply with US sanctions in all cases in which the United States asserts jurisdiction over a transaction and does not excuse persons from their obligations to comply with US sanctions based on other local law requirements, organisations will need to ensure that they address such considerations when developing their compliance programmes. For example, in 2019 OFAC imposed liability on a Swiss company based on the actions of its UK entity that, through a series of intermediate corporate entities, was a subsidiary of a US company and, as such, was a person subject to US jurisdiction for purposes of the Cuban Assets Control Regulations.^[4] In that action, OFAC discussed the importance of including exclusionary clauses in contract documents and specifically referenced the EU blocking regulation as not preventing enforcement of US sanctions, instead considering as an aggravating factor in the enforcement action business leaders’ and legal and compliance personnel’s reliance on their conclusions that the EU blocking regulation would prevent enforcement of the US sanctions regulations against Cuba.

The above is not the only case in 2019 in which OFAC imposed liability on an entity based on its US-person ownership. In AppliChem GmbH, OFAC imposed liability on a German company when that company continued to do business with Cuban nationals following its acquisition by a US company, despite several warnings by the US parent company that dealings with Cuba must cease.^[5] In the case of Acteon Group Ltd, liability was imposed in connection with activities undertaken by UK, Malaysian, and Singaporean affiliates based on the ownership by a US investor-parent of a majority stake in the parent company.^[6] Each of these examples demonstrates the importance of non-US companies having a complete understanding of their organisational structure and the associated effect of that structure on their compliance obligations vis-à-vis US sanctions.

Beyond understanding any sanctions impacts resulting from an entity’s organisation and ownership, non-US entities must also assess all other potential touchpoints to US sanctions jurisdiction, including, but not limited to, whether they:

• have US operations;
• employ US persons (regardless of where such employees are located);
• resell US-origin items; or
• process funds through US banks (or their foreign branches).

This assessment should also take into consideration activities that could give rise to risks under the prohibitions for evading, avoiding or causing a violation of US sanctions.

Identifying and addressing risks related to industry

While having a complete understanding of the possible US jurisdictional touchpoints associated with an organisation’s activities is a necessary first step toward ensuring compliance, organisations must then ensure that they address sanctions risks associated with their business activities. OFAC has indicated that a risk-based approach to sanctions compliance should include more than identifying and addressing risks associated with an entity’s particular customers, suppliers or other activities, it should address risks specific to an organisation’s industry as well.

OFAC has issued guidance related to sanctions considerations for a number of industries, including shipping, aviation, financial services and insurance.^[7] In more than one recent enforcement action, OFAC specifically cited its industry guidance as placing entities on notice regarding compliance considerations applicable to that industry. Even where OFAC’s guidance is issued pursuant to a specific sanctions regime, OFAC has made clear in recent public enforcement actions that it expects that industry participants will apply its guidance to their activities more broadly. Specifically, in both Apollo Aviation Group, LLC and Société Internationale de Télécommunications Aéronautiques SCRL, OFAC cited to its ‘Iran-Related Civil Aviation Advisory’ and stated that those in the civil aviation industry should be aware that others outside Iran may engage in practices similar to those warned of in the guidance.^[8] These enforcement actions make clear that OFAC views such guidance, even when country-specific, to put industry participants on notice of potential compliance considerations associated with activities in the relevant industries, which OFAC expects those in the industry to take into account beyond the specific country for which the guidance was issued. Hence, organisations should take steps to implement recommendations set out in OFAC’s guidance broadly to their activities as a whole.

Organisations in other industries OFAC has identified as high risk (eg, travel, shipping, finance and insurance) should also ensure that they review and incorporate OFAC’s guidance materials corresponding to those industries into their compliance processes. This should include information supplied in OFAC’s Frequently Asked Questions as well as in its more formal sanctions advisories or similar guidance documents.

In particular, organisations should use the guidance materials to assist them in identifying and addressing specific risks particular to their industry and business activities. In an enforcement action against a US-headquartered shipping company OFAC made clear:

the importance for companies operating in high-risk industries (e.g., international shipping and trading) to implement risk-based compliance measures, especially when engaging in transactions involving exposure to jurisdictions or persons implicated by U.S. sanctions. It is essential that companies engaging in international transactions consider and respond to sanctions-related warning signs, such as information that goods originated from or were supplied by a person or entity subject to U.S. economic and trade sanctions. ^[9]

OFAC’s guidance documents operate to make members of industry aware of common risks, thereby putting members of the industry on notice of such risks so that those risks may be addressed in risk assessments, training or specific compliance measures. Some examples of questions that organisations should consider when incorporating risks from OFAC’s guidance documents into their compliance programmes are the following.

• Financial services
  • In what circumstances does the entity rely on US banks (or their foreign branches) or the US financial system?
  • If the entity relies on complex payment structures, what are those structures? Do they involve or rely on US banks or the US financial system?
  • Is all available information being screened? Is the screening provider using ‘fuzzy’ logic and are full names and common abbreviations being screened?
  • With what frequency is periodic rescreening being conducted and what information is being rescreened?
  • What procedures are used when there are red flags or potential hits?
• Travel
  • Are any persons providing services subject to US jurisdiction?
  • Who are the recipients of the services?
  • What authorisations are required in connection with the activities? Have all such authorisations been obtained and have all conditions and requirements under those authorisations been complied with?
• Civil aviation
  • For non-US entities engaging in dealings involving foreign-made aircraft (including aged aircraft), does that aircraft contain more than de minimis US-origin controlled content by value such that it is subject to US jurisdiction?
  • Has diligence been conducted on all parties involved in transactions to address risks that they are front companies or pass-through entities designed to conceal Iranian or other sanctioned beneficiaries of a transaction?
  • Are there any indications that items are destined for parties or destinations other than from those ordering the items or that items are otherwise being procured for the benefit of sanctioned persons or destinations?
  • Does the entity have information regarding all possible users of the aircraft (including through indirect leasing arrangements)?
  • If authorisations are required for a transaction, have copies of those authorisations been provided?
  • Do lease documents include provisions to guard against subleases of aircraft to airlines or persons that are targets of sanctions (eg, Iranian airlines)?
  • Will any financing involve US dollars or US financial institutions?
  • For providers of aviation-related services, to whom will such services be provided (either directly or indirectly)?
• Shipping
  • Are there any indications that entities are engaging in deceptive practices (eg, disabling or manipulating automatic identification systems (AIS) on vessels; physically altering vessel identification; falsifying cargo and vessel documents; conducting ship-to-ship transfers; using indirect routing, unscheduled detours, or transit or transhipment of cargo through third countries; continuing to use a country’s flag after it has been de-registered or changing flags frequently)?
  • Are the parties with which the entity is dealing part of a complex ownership structure such that it is difficult or impossible to identify the real parties interested in a transaction?
  • Is diligence conducted and are counterparties to transactions otherwise required to have adequate and appropriate compliance policies?

Organisations should ensure that they consider all relevant risk factors associated with their business and industry. To the extent that an organisation does not believe that a risk identified by OFAC is relevant to their activities, organisations may wish to ensure that their internal records reflect the analysis that they conducted in coming to that conclusion.

Training, auditing and fostering a culture of compliance

In addition to identifying and addressing risks specific to industry, OFAC’s recent public enforcement actions also emphasise the importance that entities engage in regular training, auditing and other activities to foster a culture of compliance within their organisations. This includes conducting periodic assessments of the organisation’s business activities and related risks, updating the organisation’s compliance programme to reflect those risks, training personnel regarding their compliance obligations and verifying that compliance policies and procedures are being followed.

OFAC views this as particularly important in the context of mergers and acquisitions. In its Framework, OFAC described its expectations in this regard, stating as follows:

One of the multitude of areas organizations should include in their risk assessments –which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions – are mergers and acquisitions. Compliance functions should also be integrated into the merger, acquisition, and integration process. Whether in an advisory capacity or as a participant, the organization engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization’s risk assessment process. After an M&A transaction is completed, the organization’s Audit and Testing function will be critical to identifying any additional sanctions-related issues. ^[10]

In addition, in several recent enforcement actions, OFAC has made clear that organisations must go beyond notifying their foreign entities that become subject to US jurisdiction following an acquisition that they are subject to US jurisdiction and the related requirements under US sanctions, but must also proactively monitor and audit the activities of such foreign entities to ensure that they do not engage in prohibited activities. In AppliChem GmbH, OFAC stated that this should include:

(i) implementing risk-based controls, such as regular audits, to ensure subsidiaries are complying with their obligations under OFAC’s sanctions regulations, (ii) performing follow-up due diligence on acquisitions of foreign persons known to engage in historical transactions with sanctioned persons and jurisdictions, and (iii) appropriately responding to derogatory information regarding the sanctions compliance efforts of foreign persons subject to the jurisdiction of the United States. ^[11]

Similarly, in Stanley Black & Decker, OFAC recommended that organisations:

conduct sanctions-related due diligence both prior and subsequent to mergers and acquisitions, and [. . .]take appropriate steps to audit, monitor, and verify newly acquired subsidiaries and affiliates for OFAC compliance. U.S.-owned or -controlled foreign subsidiaries are subject to the ITSR and U.S. person parent companies may face potential exposure to civil monetary penalties vis-à-vis the actions of their foreign subsidiaries. Foreign acquisitions can pose unique risks that U.S. person parent companies need to address fully at all stages of its relationship with the subsidiary. U.S. parent companies are encouraged to take steps to mitigate risk to sanctions exposure, including by addressing known deficiencies like unconventional record-keeping practices, and any hindrances to monitoring, auditing, or investigating the foreign subsidiary’s operations. Testing of compliance procedures and timely auditing of subsidiaries can mitigate the risk of exposure to U.S. economic sanctions violations. ^[12]

While these statements from OFAC are specifically targeted to auditing and verification activities post-acquisition, the concepts should also be applied to activities outside of the merger and acquisition context. Several other recent OFAC enforcement actions have reflected OFAC’s expectations that organisations be proactive in reviewing their business activities and their compliance programmes to ensure that risks are being addressed and processes are being followed throughout the organisation.

For example, several enforcement actions addressed gaps related to the restricted party screening process, including the types of information being screened and the process for reviewing and clearing hits. Organisations should consider their processes related to restricted party screening as part of their periodic risk assessment and compliance program review activities. This review should ensure that all information related to customers, vendors, suppliers and other counterparties is being captured and screened, that any screening services use ‘fuzzy’ logic to capture alternative spellings or capitalisations and screen full names in addition to known abbreviations, and that any potential flags are escalated for review by personnel with sanctions expertise.

Organisations should ensure that their reviews extend beyond screening to include other risks associated with their particular business activities. In addition to this evaluation, organisations should also conduct training for all relevant personnel. A number of OFAC’s enforcement actions specifically identified training as an important part of ensuring a culture of compliance exists within an organisation.

These statements make plain OFAC’s expectation that organisations periodically evaluate their compliance programmes in light of risks arising out of their activities and update these programmes based on changes to those risks, whether such changes occur in connection with changes to the organisation’s activities or changes to the applicable laws or regulations.

Conclusion

While recent public enforcement actions do not prescribe specific measures that an organisation must take for purposes of sanctions compliance, they are a useful guidepost regarding OFAC’s expectations. Based on the number of enforcement actions in 2019 and the first half of 2020, as well as statements from the agency, OFAC does not intend to cease its enforcement efforts. Hence, organisations would be wise to apply lessons learned from those enforcement actions when reviewing and updating their compliance programmes.

The author would like to thank colleagues Susan Kovarovics and Carrie Miller for their assistance in the preparation of this article.

Notes