Back in July, we took a look at the enforcement actions for the first half of 2021 issued by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC). Today's post – the second half of our OFAC 2021 Year in Review – updates our July summary and provides what we believe are the top dozen (with a lucky thirteenth added for good measure) lessons that industry should glean from these enforcement cases.

By year-end, OFAC announced 20 public enforcement actions across 13 different sanctions regimes for a total of over $20.8 million in penalties/settlements. OFAC exceeded last year's total of 17 public actions, but fell short of the more than $23.6 million in civil monetary fines imposed in 2020. Settlement amounts in 2021 were lower, on average, than in 2020 and far smaller than in previous decades when OFAC's wire stripping cases against major financial institutions frequently resulted in settlements in the hundreds of millions of dollars. Given these recent lower settlement amounts, OFAC started off 2021 with a bang, publishing its 2020 settlement with Union de Banques Arabes et Françaises in the amount of $8.57 million. The next largest penalty announced last year was against Bank of China (UK) Limited for $2.32 million.

Although OFAC continued to bring traditional enforcement actions for prohibited dealings with sanctioned jurisdictions, 2021 saw a rise in enforcement actions against providers of virtual goods and services. These included a cloud-based software services provider, a virtual currency processor, and an online money transmitter. A major issue for many of these companies was not knowing that their customers or ultimate end users resided in or operated from sanctioned jurisdictions, and these companies quickly learned that ignorance is no defense when it comes to sanctions compliance, as OFAC sanctions are a strict liability regime.

Below we highlight significant lessons learned from OFAC's 2021 enforcement actions that we believe the private sector should heed.

1. Comply with U.S. sanctions for all U.S.-cleared transactions.

OFAC's 2021 actions continued to highlight that clearing through or otherwise touching the United States creates a U.S. nexus for any transaction, including transfers involving U.S. dollar accounts and parties outside of the United States, foreign exchange transactions, and exchanges of digital currency.

  • U.S. dollar accounts. Use of U.S. dollars/dollar accounts outside of the United States is a key compliance concern because virtually all U.S. dollar payments clear through the United States. This pulls the transaction into U.S. jurisdiction, even when the originator and receiver are located abroad. OFAC's PT Bukit Muria Jaya (BMJ) $1.02 million settlement in January 2021 is the latest in a long line of similar enforcement cases. Indonesia-based BMJ violated the North Korea Sanctions Regulations by directing payments for exports of cigarette paper to North Korea to its U.S. dollar account at a non-U.S. bank. Even though the payments originated from and were directed to foreign banks, they cleared through U.S. banks, resulting in violations of the North Korea Sanctions Regulations.
  • Foreign exchange. Attempting to avoid U.S. jurisdiction does not necessarily shield companies from complying with OFAC regulations, particularly when U.S. dollar accounts located abroad are involved, because any resulting foreign exchange (FX) transactions that clear through the United States fall within U.S. jurisdiction. In OFAC's $8.57 million settlement with Union de Banques Arabes et Françaises (UBAF) in January 2021, the France-based bank operated U.S. dollar accounts on behalf of sanctioned Syrian financial institutions, processed internal FX transfers on its books for the benefit of the Syrian entities, and then later settled its own FX accounts through U.S.-cleared FX transactions with third-party banks. Because the dates and amounts of the internal book FX transactions "correlated closely" to the subsequent purchase of U.S. dollars in a U.S. transaction, OFAC determined that they were violations of Syria-related U.S. sanctions.
  • Digital currency. Sanctions compliance obligations apply equally to U.S.-cleared virtual currency transactions. BitPay, Inc.'s (BitPay) fine of $507,375 in February 2021 showcases OFAC's jurisdiction over uses of digital currencies that touch the United States. BitPay is an Atlanta-based payment processing provider that allows merchants to accept digital currencies for goods and services. OFAC pursued enforcement for BitPay's processing of 2,102 transactions for people who – based on IP addresses and location information provided in invoices – were located within sanctioned jurisdictions, including Crimea, Cuba, Iran, North Korea, Sudan, and Syria. OFAC signaled its enforcement interest in these types of services by noting that BitPay did not voluntarily disclose its conduct. As noted in OFAC's October 2021 guidance for sanctions compliance in the virtual currency industry, "[m]embers of the virtual currency industry are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions."

2. Monitor geolocation and other location data to screen sanctioned parties.

OFAC's 2021 enforcement actions highlighted its expectation that companies with a U.S. nexus will use technological controls to prevent access from sanctioned jurisdictions. Continuing related enforcement from 2020, seen in OFAC's public actions against BitGo, Inc. and Amazon, OFAC settled with Payoneer, a New York-based online money transmitter, in July 2021, in the amount of $1.38 million for processing 2,220 transactions for parties in sanctioned jurisdictions. Of the various compliance control breakdowns, OFAC cited as an aggravating factor that Payoneer had reason to know the locations of its users based on common indicators of location like billing, shipping, and IP addresses. In the BitPay case noted above, BitPay processed transactions on behalf of customers likely located within sanctioned jurisdictions that could have been identified and stopped by IP address screening. OFAC also noted this deficiency in its case against SAP SE, discussed below.

3. Ensure that digital services with U.S. links comply with sanctions.

OFAC's enforcement case against SAP SE (SAP) emphasizes that U.S.-origin services – such as software and cloud-based services – cannot be accessed remotely from outside the United States to benefit parties in sanctioned jurisdictions like Iran. In the April 2021 settlement, totaling $2.13 million, OFAC found SAP liable for the prohibited export of software and related services to Iranian end-users. SAP, a software company headquartered in Germany, relied on third-party resellers to deliver a portion of its products and services to end-users. Several of these resellers then provided SAP's U.S.-origin services to users in Iran. This case provides a warning to third-country companies to avoid using U.S.-based software or cloud services when doing business in sanctioned jurisdictions. In addition to its settlement with OFAC, SAP also entered into the first non-prosecution agreement with the U.S. Department of Justice under the Department's new export control and sanctions voluntary self-disclosure policy, as well as a settlement with the U.S. Department of Commerce's Bureau of Industry and Security, resulting in combined penalties of more than $8 million.

4. Know your customers (and employees) and their nationalities.

In the first of two matters OFAC settled simultaneously in December 2021, for a total of $115,005 with TD Bank, N.A. (TD Bank), OFAC found that TD Bank opened nine accounts and processed 1,479 transactions for five employees of the North Korean mission to the United Nations, despite all presenting North Korean passports. Because TD Bank relied heavily on a vendor-supplied screening list that focused on politically exposed persons, the North Korean passports did not trigger an alert during customer screening. Afterwards, TD Bank employees misidentified North Korea as Korea or South Korea or left the citizenship field blank in the customer profiles, preventing TD Bank's screening from flagging these accounts. This matter highlights the importance of all companies both collecting basic information such as nationality regarding their customers, employees, and other third-party relationships and screening that information to ensure that these persons are not citizens of, do not reside in, and do not work from comprehensively sanctioned jurisdictions (e.g., Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine/Russia).

5. Incorporate Ukraine/Russian-related sectoral sanctions into compliance controls.

For many (perhaps most) companies, sanctions compliance tends to focus on ensuring no activity involving (1) comprehensively sanctioned jurisdictions; or (2) sanctioned parties (including those owned 50 percent or more by other sanctioned parties). Particularly since the 2014 invasion of Ukraine by Russia, and the subsequent introduction of sectoral sanctions by the United States (and the European Union), sanctions compliance programs also need to focus on compliance with sectoral sanctions on Russia (and Venezuela), particularly OFAC's Directives 1 to 4 issued pursuant to Executive Order 13662 (and the still relatively new Directive 1 issued pursuant to Executive Order 14024). Cameron International Corporation (Cameron), a Texas-based supplier of goods and services for the oil and gas industries, discovered this requirement the hard way when it settled with OFAC for $1.42 million in September 2021, for violations of Directive 4. OFAC found that Cameron's U.S. person senior managers approved contracts for its Romanian subsidiary to supply goods to the Russian energy firm Gazprom-Neft Shelf, which is subject to Directive 4 restrictions, for an Arctic offshore oil project.

6. Ensure sanctions compliance for all companies – large or small, domestic or foreign.

OFAC expects all companies to maintain a compliance program commensurate with size and sophistication. Although large multinational companies and financial institutions face heightened scrutiny, OFAC expects even companies operating predominantly within the United States and/or working on U.S. government contracts to implement compliance procedures. It is also important to remember that, although not common, sanctioned individuals named on OFAC's List of Specially Designated Nationals and Blocked Persons (SDN List) live in the United States, within federal prisons and elsewhere. Companies should screen even domestic transactions where appropriate, particularly when dealing with high-risk populations.

  • Predominantly domestic companies. Small U.S. companies with limited international touchpoints must still conduct sanctions compliance due diligence. Oklahoma City-based Alliance Steel, Inc. (Alliance), a company specializing in designing and manufacturing prefabricated steel structures, sells only to domestic consumers and does not export or market itself outside of the United States. However, Alliance violated U.S. sanctions by outsourcing its engineering work to an Iranian engineering company owned by the brother of the company's chief engineer. OFAC did not consider the company's small size or limited international dealings to be mitigating factors, emphasizing that all companies conducting international business should have sanctions compliance programs. Alliance settled with OFAC in April 2021 for $435,003.
  • Government contracts. Even when providing U.S.-based services under U.S. government contracts, companies must maintain strong compliance programs as illustrated in OFAC's MoneyGram Payment Systems, Inc. (MoneyGram) fine of $34,328 in April 2021. Under a federal contract, MoneyGram provided money transfer services to federal inmates, including around 40 on the SDN List. MoneyGram incorrectly assumed sanctions screening was not expected under this contract.

7. Monitor foreign subsidiaries.

As economies and supply chains become increasingly globalized, U.S. companies must ensure they have sufficient controls over non-U.S. subsidiaries. One area of risk – seen in the Cameron matter detailed above – is where U.S.-based personnel are involved in facilitating activities that their non-U.S. subsidiaries legally can do, but that the U.S. parent or other U.S. persons cannot. Another area of risk is that many U.S. parent entities and their non-U.S. subsidiaries often forget that for U.S. sanctions on Cuba and Iran (and North Korea for financial institutions), the non-U.S. subsidiary must comply with those prohibitions even when acting without any other U.S. nexus. Last August, OFAC settled for $862,318 with First Bank SA (First Bank) located in Romania, and its U.S. parent company, JC Flowers & Co., for First Bank's processing of euro-denominated payments for persons located in Iran, which, as a subsidiary of a U.S. company, First Bank was forbidden to do. First Bank was also penalized for processing U.S. Dollar payments through the U.S. financial system for persons located in Iran and Syria.

8. Conduct diligence reviews on your trading partners and follow up on red flags.

Each company within a supply chain must properly conduct diligence on trading partners, regardless of role. OFAC expects companies to: (1) vet trading partners, (2) verify their compliance when able, and (3) respond appropriately to red flags.

  • Vet trading partners. Proper vetting of trading partners is a cornerstone of a strong compliance program. Failure to conduct sufficient due diligence on the activities of trading partners can result in substantial penalties, as seen in OFAC's settlement with SAP. As discussed above, SAP's resellers sold U.S.-origin services to end-users in Iran. OFAC noted that proper due diligence – including review of the resellers' public websites – would have revealed that many of SAP's trading partners publicized their business ties with Iranian companies. OFAC also found that SAP acquired several subsidiaries with minimal export controls and – despite awareness of these issues from pre- and post-acquisition due diligence – failed to incorporate the subsidiaries into SAP's compliance program.
  • Verify compliance and end-users, where possible. The BitPay case also demonstrates the importance of leveraging all available data to ensure compliance with OFAC regulations. Although BitPay screened its direct clients against the SDN List, it did not screen end-users, resulting in apparent violations of several sanctions regimes. OFAC noted that the company collected invoices with IP addresses, phone numbers, and other identifying information that could have been used to identify blocked parties. Failing to screen end-users led to over $500,000 in penalties.
  • Address red flags. OFAC views ignoring warning signs as reckless behavior that opens up companies to increased liability. A single red flag should warrant increased scrutiny from compliance programs, and OFAC considers a failure to address multiple warning signs to be an aggravating factor in determining penalties. Several companies settled with OFAC in 2021 after ignoring indications that goods were to be reexported to Iran:
    • Alfa Laval Tank, Inc. (AL Tank) is a U.S. company that referred an Iran-related business opportunity to a foreign affiliate. An Iranian oil products distributor reached out to the storage tank cleaning equipment manufacturer and inquired about some potential purchases. Because AL Tank knew it could not sell U.S.-made equipment to an Iran-related business, it referred the request to its foreign affiliate in Dubai, Alfa Laval Middle East Ltd. (AL Middle East). That led to a conspiracy among foreign affiliates and the Iran business to actively mislead AL Tank and reexport goods to Iran. AL Middle East settled with OFAC for over $415,000 in April 2021. OFAC also settled with AL Tank for $16,875 that same month, finding that it had failed to heed numerous warning signs that the actual end-user of its products was in Iran.
    • Cleveland-based UniControl, Inc. (UniControl), an instrument manufacturer, exported air pressure switches to two European counterparties that in turn reexported the goods to Iran. According to OFAC, UniControl ignored several red flags, including a customer's expressed interest in shipping goods to Iran, obfuscated end-user requests, and requests to remove "made in USA" labels from UniControl's products. UniControl's failure to heed warning signs resulted in over $200,000 in penalties in March 2021. Separately, one of UniControl's European trade partners, Nordgas S.r.l. (Nordgas), an Italy-based gas boiler producer, also settled with OFAC that same month for its role in deceiving UniControl and exporting goods to Iran. OFAC determined that Nordgas obfuscated its intent to reexport U.S.-origin products to Iran by misrepresenting end-users and using code words in correspondence with UniControl. Given its role in causing the violations, OFAC found that Nordgas's violations were egregious and imposed $950,000 in penalties and an agreement for enhanced monitoring for five years.

9. Demand and audit compliance commitments from trading partners, where necessary to mitigate risk.

Given the strict liability nature of U.S. sanctions where parties can be held liable for trading partners' noncompliance with sanctions, it may frequently be prudent to enter into compliance commitments with trading partners. OFAC views efforts to request and audit these types of commitments favorably and highlighted the following examples as mitigating factors in recent enforcement actions: (1) requiring all intermediaries to sign anti-diversion agreements with specific OFAC sanctions compliance commitments (BMJ), (2) requiring intermediary and final customers to sign end-user certificates (UniControl), and (3) implementing risk assessments and third-party audits for reseller relationships (SAP).

10. Ensure compliance programs are evolving and effective.

U.S. sanctions are constantly evolving and OFAC expects companies to update their sanctions compliance programs accordingly. Key areas to consider include: (1) updating screening procedures; (2) addressing compliance gaps as they appear; (3) implementing compliance programs correctly; and (4) severing high-risk business ties, where appropriate.

  • Improve screening. OFAC makes frequent changes to sanctions lists and provides new identifiers on its various sanctions lists. Recent additions include Cyrillic, Chinese, and Arabic name spellings, digital currency addresses, and additional country-specific identifiers. These identifiers, as well as other publicly available information, should be incorporated into existing compliance programs. In the case of Payoneer discussed above, weak algorithms allowed close matches to SDN List entries not to be flagged by the company's filter; the company also failed to screen for Business Identifier Codes (BICs) even when the SDN List entries contained them. UBAF, too, failed to adequately incorporate expanded Syria-related sanctions into its compliance program in a timely manner. Effective compliance requires that companies leverage all available data and adapt quickly to changing regulations.
  • Address compliance gaps. OFAC expects companies to resolve gaps in their compliance programs in a timely manner, and the speed at which a company takes remedial action may weigh on the likelihood and magnitude of any assessed penalty. For example, in its SAP case, OFAC found that the company failed to remediate issues discovered in multiple internal audits, did not sufficiently investigate whistleblower complaints, and left new acquisitions out of the company's existing compliance measures. OFAC identified these deficiencies as aggravating factors in its final assessment of more than $2.1 million in penalties against the company. Conversely, OFAC has noted remedial actions as mitigating factors. For example, NewTek, Inc. (NewTek), a developer and supplier of 3D animation systems, incorrectly believed that exporting goods and services to third-country distributors that it knew would provide them to an Iranian reseller complied with U.S. sanctions. OFAC viewed NewTek's remediation as a mitigating factor and noted that NewTek subsequently established an export controls and sanctions compliance program with employee training, implementation of bulk name screening and geo-IP blocking measures, and the hiring of a director of compliance. NewTek paid $189,483 in September 2021 to settle with OFAC.
  • Implement compliance controls and programs correctly. Even if a company has adequate processes for flagging potentially risky transactions, personnel have to conduct appropriate follow through. In the second of two matters settled simultaneously last year with TD Bank, a reviewer dismissed a sanctions screening alert on new accounts because there was "no match on full name, DOB, and geographic location." However, the only item missing was a middle name that was not in TD Bank's systems. Over the next four years, four additional high-confidence sanctions screening alerts were generated. Only the last alert was determined by a reviewer to be a true hit, triggering the blocking of the accounts and a disclosure to OFAC. The incorrect dispositioning of these alerts also contravened bank procedures to escalate alerts where matches occur on the first and last name and any additional field.
  • Sever high-risk business ties, where appropriate. Ending high-risk business relationships can both decrease enforcement penalties and increase compliance program effectiveness in the future. Over the past year, several OFAC enforcement targets cut ties with high-risk business partners as part of remediation. For example, OFAC viewed UniControl's decision to sever ties with its trade partners involved in reexporting U.S.-origin goods to Iran and forfeit related payments as mitigating factors.

11. Terminate employees who flout sanctions rules.

Several 2021 cases involve companies terminating employees involved in the potential violations.

In the Alliance case discussed above – where its chief engineer outsourced labor to an Iranian engineering company – the remedial actions included both ending dealings with the Iranian company and terminating the chief engineer. Similarly, SAP fired five employees who were either involved or complicit in facilitating trade to Iran through third-party resellers. OFAC also looked favorably on Schlumberger Rod Lift, Inc. (SRL), removing personnel who – having been informed that Sudan was at the time under comprehensive U.S. sanctions – were involved in routing field equipment from a Canadian subsidiary through a Chinese joint venture for eventual delivery in Sudan. OFAC considers such proactive behavior to be a mitigating factor in assessing penalties against the company, and emphasizes the importance of individual employees taking appropriate steps to ensure sanctions compliance. OFAC's September 2021 settlement amount for SRL came to $160,000.

12. Be aware that individuals are not immune from enforcement.

Not only may individuals face termination or reprimands for actions on the job involving apparent violations of sanctions, but they may also – in exceedingly rare cases – find themselves personally on the hook for a penalty. In a December 2021 case referenced only by OFAC as against "An Individual," OFAC settled with a U.S. person for $133,860 for accepting into his personal bank account payments on behalf of an Iranian cement company. The individual coordinated with a family member who worked at the Iranian company on the sale of Iranian-origin cement clinker to a third-country company; he also had previously sought an OFAC license for other transactions involving Iran, which had been denied. OFAC mitigated the penalty because the individual received minimal, if any, economic benefit from the transaction and had financial difficulties affecting his ability to pay.

13. Know that even repealed sanctions regimes can land you in hot water.

In 2021, OFAC entered into four settlements – Schlumberger Rod Lift, Bank of China (UK) Limited, Payoneer, and BitPay – for apparent violations and issued one finding of violation (for Mashreqbank) related to the now-repealed Sudan sanctions program. In October 2017, then President Obama repealed Sudan-specific sanctions based on that government's positive actions, including improvement of humanitarian access and cooperation with the United States on addressing regional conflicts. However, even though OFAC removed the Sudanese Sanctions Regulations (SSR) from the Code of Federal Regulations, the agency still may investigate and bring enforcement actions for violations that occurred before the October 2017 repeal.

For example, OFAC entered into a $2.32 million settlement in August 2021 with Bank of China (UK) Limited (BOC UK) for processing 111 commercial transactions in violation of the SSR from September 2014 to February 2016. The settlement was the second largest of the year. BOC UK discovered the violations after conducting an internal investigation triggered by a Sudanese customer's request to process a payment. BOC UK's internal customer database did not include references to Sudan in the name or address fields of two Sudan-linked customers. Failure to appropriately evaluate and flag these transactions resulted in BOC UK processing 111 payments through U.S. correspondent banks for the two Sudan-linked customers.

Compliance programs conducting internal audits should be mindful of both active sanctions programs and inactive programs effective during the audited timeframe.

Conclusion

OFAC's enforcement actions over the past year reinforce the importance of rigorous sanctions compliance for all companies, from the largest corporations operating globally to U.S. companies focused on the U.S. market to non-U.S. companies with only limited exposure to U.S. markets. Strong compliance programs emphasizing management commitment, risk assessments, internal controls, testing and auditing, and training can reduce risk and mitigate penalties. Morrison & Foerster's National Security Practice Group continues to stand ready to offer counsel on the scope and sufficiency of corporate sanctions compliance programs and, where compliance efforts may have failed, guidance on resolving potential enforcement matters.
