Recent enforcement actions against companies violating sanction regulations underscores the challenge of complying with these regulations across vast corporate supply chains.
Two weeks ago, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced that Apple would pay a fine of $467,000 for violating sanctions regulations. The company’s App Store had, for two years, inadvertently hosted software from SIS, a Slovenian company identified as a significant narcotics trafficker on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN).
A few weeks before that, OFAC assessed a $210,000 civil penalty against Apollo Aviation Group for violating the Sudanese Sanctions Regulations; and in October, General Electric was fined $2.7 million for 289 alleged violations of the Cuban Assets Control Regulations.
The challenge of complying with sanctions regulations across vast corporate supply chains is clearly seen in OFAC’s description of Apollo Aviation’s violation: “Specifically, Apollo appears to have violated (the regulations) when it leased three aircraft engines to an entity incorporated in the United Arab Emirates, which then subleased the engines to a Ukrainian airline, which then installed the engines on an aircraft wet-leased to Sudan Airways (Sudan Air). At the time of the transactions, Sudan Air was identified on OFAC’s List of Specially Designated Nationals and Blocked Persons as meeting the definition of ‘Government of Sudan.’”
“The OFAC regulations are complex,” notes a new report from Thomson Reuters, Maintaining Sanctions Compliance in a Rapidly Changing Regulatory Environment, “and the data you need to ensure compliance is extremely difficult to obtain.”
The report calls OFAC’s “50% Rule” particularly problematic. This rule makes it unlawful to have dealings with companies that are at least half-owned by people or organizations on the SDN or Sectoral Sanctions Identifications (SSI) lists — even if the company itself is not listed. “There is no published list of companies and entities that fit the 50% Rule,” the report states. “The SDN and SSI lists, both of which identify entities you can’t deal with, are published. There is also a published list of sanctioned countries. However, the regulations say that you also can’t deal with any entity that is controlled or owned — 50% or more — by one of the companies on the SDN or SSI list, or by one of the sanctioned countries. Those relationships are not listed anywhere, and they change often.”
You can download the new report from Thomson Reuters, Maintaining Sanctions Compliance in a Rapidly Changing Regulatory Environment, here.
For companies navigating this challenging terrain, OFAC recently described common reasons for violations in its publication A Framework for OFAC Compliance Commitments. Here’s a summary:
Failure to implement a corporate sanctions compliance program (SCP) — OFAC has assessed “numerous civil monetary penalties… in which the subject’s lack of an SCP was one of the root causes of the sanctions violations identified during the course of the investigation.”
Misinterpreting or disregarding the regulations — Several companies have committed violations by failing to consider — or actively disregarding — the fact that OFAC sanctions applied to them. “With respect to this specific root cause, OFAC’s administrative actions have typically identified additional aggravating factors such as reckless conduct, numerous warning signs that the activity was likely prohibited, and awareness by management of the conduct at issue.
Ignoring the rules — Some companies repeatedly do business with sanctioned entities, OFAC says, despite warning signs that this activity is unlawful. “OFAC’s public enforcement actions… have generally been focused on companies that are large or sophisticated, engaged in a pattern or practice that lasted multiple years, ignored or failed to respond to numerous warning signs, utilized non-routine business practices, and — in several instances — concealed their activity in a willful or reckless manner.”
Processing payments through U.S. financial institutions — This is a violation even when the underlying transaction may not be — such as the shipment of goods from a third-country to an OFAC-sanctioned country.
Sanctions screening software failures — Many organizations screen their customers, supply chain, intermediaries, counter-parties, commercial and financial documents, and transactions to identify OFAC-prohibited locations, parties, or dealings. Sometimes, however, their screening tools use outdated SDN and SSI lists, fail to account for alternative spellings, or fail to include identifiers that find sanctioned financial institutions.
Inadequate due diligence — Some violations result from companies failing to determine who owned their customers or intermediaries, where they were located, or whether they were aware of OFAC requirements.
De-centralized compliance functions — “Several organizations… have committed apparent violations due to a de-centralized SCP, often with personnel and decision-makers scattered in various offices or business units,” OFAC notes. “Violations have resulted… due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk or potential OFAC customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.”
The Thomson Reuters report emphasizes the importance of leveraging partners and technology designed to mitigate these risks. “It would be very challenging as an individual company to conduct your own research all over the globe,” the report observes. “Such an effort would require a dedicated team and a substantial investment of time and resources. Even then, you still might not get it right because of the complexity in the relationships, the speed at which those relationships change, and the volume of the data.”