Rooting for OFAC: A Sanctions Compliance To-Don’t List

In guidance published earlier this year (“Framework document”), the US Treasury Department’s Office of Foreign Assets Control (OFAC) lists 10 “root causes” of inadequate sanctions compliance programs (SCPs) derived from historical enforcement actions it has taken:

1. Lack of a formal OFAC SCP
2. Misinterpreting, or failing to understand the applicability of, OFAC’s regulations
3. Facilitating transactions by non-U.S. persons, including through or by overseas subsidiaries or affiliates
4. Exporting or re-exporting U.S.-origin goods, technology or services to OFAC-sanctioned persons or countries
5. Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries
6. Sanctions screening software or filter faults
7. Improper due diligence on customers/clients (e.g., ownership, business dealings, etc.)
8. Decentralized compliance functions and inconsistent application of an SCP
9. Utilizing non-standard payment or commercial practices
10. Individual liability

Let’s look back at OFAC’s 2019 enforcement actions and see how they correspond to each of these program faults, based on the behaviors related to each penalty, and OFAC’s assessment of those behaviors. That will give us some sense of how frequently each of these occurs. With regard to the individual liability factor, it will only be listed when individuals are acting with the intent to circumvent sanctions regulations, as opposed to less willful conduct.

Also note that the August 8^th, 2019 Finding of Violation against Southern Cross Aviation LLC is not listed below, as there were no documented violations of any sanctions regulations other than that of the Reporting, Procedures and Penalties Regulations, or RPPR.

DNI Express Shipping Company: August 8, 2019

This Finding of Violation, while centered on the company’s lack of cooperation, as well as its attempts to obstruct OFAC’s investigation (which are RPPR violations), concerns facilitation of shipment of farm equipment to Sudan, and financing those shipments. Due to the lack of detail, it is unclear whether the source of the goods was within the U.S., although a reasonable assumption, based on the lack of an action against the manufacturer, would be that it was not.

Relevant root causes: 3

PACCAR, Inc: August 6, 2019

In this case, PACCAR’s Netherlands-based DAF Trucks N.V. (“DAF”) subsidiary, and other subsidiaries of the company, sold trucks that ended up in the hands of Iranian clients. In two of the three instances mentioned, employees had access to information that either clearly demonstrated or strongly suggested that the goods were destined for Iran, but they did not do the due diligence necessary to notice the red flags. In the third case, the Iranian buyer was introduced to the dealership by a DAF company employee. 

Relevant root causes: 7, 10

An individual and Cubasphere, Inc: June 13, 2019

In this case, in which the parties aggressively obscured their provision of travel services to Cuba for third parties, OFAC specifically noted that the unnamed individual facilitated the sanctions violations of others. Both parties were aware, through communication with OFAC, that the conduct violated the Cuban Assets Control Regulations, or CACR. The entities also utilized non-standard practices of evading sanctions, such as encouraging travelers to discard travel schedules and receipts from their trip.

Relevant root causes: 2, 3, 9, 10

Expedia Group, Inc: June 13, 2019

Expedia did a poor job in establishing a consistent sanctions posture in some of its foreign subsidiaries and did not produce the needed understanding of regulatory obligations in those offices, according to OFAC. In one instance, a subsidiary was not notified for about 15 months after its acquisition about the U.S. legal jurisdiction over its activities. While not specifically noted in the description of Expedia’s actions, the enforcement information does highlight the need for due diligence with regards to sanctions compliance, both prior to and after mergers or acquisitions. Given the context, one could reasonably assert that Expedia’s inconsistent sanctions compliance was due, in part, to its failures to conduct proper due diligence.

Relevant root causes: 2, 8

Hotelbeds USA, Inc: June 13, 2019

Hotelbeds was noted to have only an informal sanctions compliance program, which probably explained its misunderstanding of Cuban sanctions regulations, as referenced in the enforcement action. Based on that misunderstanding, Hotelbeds thought that Cuba-related travel transactions for non-US persons were fine if they were paid for through bank accounts maintained outside of the United States. It would also explain why Hotelbeds staff ignored such red flags as OFAC denying a specific license application, and the blocking of a payment by a US bank.

Relevant root causes: 1, 2

Western Union Financial Services, Inc: June 7, 2019

Western Union had a substantial screening program for its agents, but did not similarly scrutinize discrete locations of those agents. In the case which was the focus of the enforcement, a sub-agent was mischaracterized as a location of one of Western Union’s agents and was therefore not identified as an Specially Designated National (SDN) for a substantial amount of time. It is likely best to describe this as a due diligence inadequacy, since proper categorization of the SDN would have flagged the compliance issue during its onboarding. However, since the locations should also have been screened (e.g., to expose a location in a comprehensively sanctioned country or region), this action should also be considered as a failure to understand OFAC’s regulations properly.

Relevant root causes: 2, 7

State Street Bank and Trust Co: May 28, 2019

State Street utilized a separate screening system, and used personnel other than those in the firm’s central sanctions compliance unit to review matches, for its Retiree Services unit. Although the system did produce alerts for 45 payments linked to a US citizen resident in Iran, all the items were ultimately approved by compliance personnel who were not sanctions specialists. While there may have been concerns with using the alternative screening system, the clear focus of the enforcement action was in the inconsistent nature of sanctions processing for the Retiree Services unit, as well as the misinterpretation of the OFAC regulations by the compliance staff who reviewed the payments.

Relevant root causes: 2, 8 

MID-SHIP Group: May 2, 2019

Two of MID-SHIP’s foreign subsidiaries chartered two blacklisted Iranian cargo vessels well over a year after they had been added to the SDN List, and despite having documents which identified the vessels by the name and IMO number in their SDN List citations. MID-SHIP received payments for these charters despite MID-SHIP managers having known that financial institutions had held up multiple payments for “compliance”, “administrative” or “security” issues. OFAC denotes this as a deficient “culture of compliance,” as opposed to a specific shortcoming of the subsidiaries.

Relevant root causes: 5, 10

Haverly Systems: April 25, 2019

Haverly, which did not have a sanctions compliance program at the time, was unaware that it could not collect on an debt owed it by Rosneft. Due to administrative delays on Haverly’s part, the debt was sustained longer than permitted under the Ukraine/Russia-related sectoral sanctions for energy companies subject to Executive Order 13662 Directive 2. Additionally, when it had difficulty receiving payment on its second invoice, Haverly changed the date of the invoice at the suggestion of Rosneft.

Relevant root causes: 1, 2, 9

UniCredit Bank: April 15, 2019

UniCredit’s German, Austrian (as Bank Austria) and Italian operations all used non-transparent payment structures, including use of SWIFT cover payments, to process funds related to parties blacklisted under multiple OFAC sanctions programs. There is also evidence that at least some transactions processed by the Austrian and Italian operations were altered after being rejected by US financial institutions so that they would be processed without incident. Additionally, the German offices also made reimbursements under a letter of credit with the apparent knowledge that the goods being shipped would be re-exported to Iran. 

Relevant root causes: 5, 9

Acteon Group and KKR & Co. Inc: April 11, 2019

In the first of two settlements on this date, Acteon’s Malaysian subsidiaries, with the approval and/or guidance of senior management at an American-owned subsidiary, were willfully involved in oil exploration projects in Cuban territorial waters. The finance director at the parent company also recommended steps to limit access to reports being generated as part of one of the projects. Additionally, company personnel obscured the location of the Cuban work in expense reports and other company records. In the second case, a US-organized subsidiary shipped equipment, and provided services, to projects in Cuban territorial waters. Additionally, the subsidiary’s U.A.E. branch provided equipment to vessels that operated in Iranian waters. KKR was fined for its majority ownership of Acteon at the time of the second set of violations.

Relevant root causes: 3, 4, 9, 10

Standard Chartered Bank: April 9, 2019

Standard Chartered (SCB) had two separate settlements on this date. In the first case, due to an inadequate set of controls that included insufficient due diligence, SCB’s Dubai branch processed a large number of financial transactions that violated sanctions against Iran, Sudan and Syria. The global settlement also includes evidence of a relationship manager coaching an Iranian person on how to process their transactions, presumably to avoid OFAC penalties.

In the second case, SCB’s Zimbabwe affiliate processed financial transactions through its New York branch for parties on the SDN List, as well as those implicated by the 50 Percent Rule.

Root causes referenced: 5, 7, 10

Stanley Black and Decker: March 27, 2019

Stanley Black and Decker’s 60 percent-owned Chinese subsidiary continued business dealings with Iran despite the fact that terminating its Iranian ties had been a condition of its acquisition. The subsidiary’s senior management and board members were knowing participants in these dealings, which included falsification of shipping documents, and usage of multiple intermediary trading companies to obscure the true end-user of the shipped goods.

Root causes referenced: 8, 9, 10

ZAG IP: February 21, 2019

The company, when faced with a supplier unable to properly fulfill an order for raw materials and a purchaser unwilling to delay delivery, bought Iranian-origin goods from a U.A.E.-based supplier to fulfill the order. ZAG IP relied on the assurances of the alternate supplier that using the goods did not violation U.S. sanctions, rather than performing its own due diligence or review of sanctions regulations and guidance. The enforcement information notes that the firm’s compliance program was ineffective.

Root causes referenced: 2, 7

AppliChem GmbH: February 14, 2019

AppliChem received a Civil Monetary Penalty (CMP) because, despite being directed by Illinois Tool Works (ITW, its parent company) to cease business in violation of the Cuban Assets Control Regulations (CACR), it continued to do so. It created standardized procedures for concealing the details of its Cuban business from ITW. Senior management conducted training sessions for company staff in these “Caribbean Procedures,” which dictated that internal documents and correspondence refer to Cuba as “Caribbean.” Additionally, the firm used external agents to prepare documents that required references to Cuba, such as hazardous materials and shipping documents, so that AppliChem could plausibly deny knowledge of Cuban involvement. Finally, when an ITW division manager located in Spain was notified of continued AppliChem Cuba business, the manager did not investigate further (although local employees were reminded of its sanctions compliance requirements, and efforts were made to ensure that an upcoming shipment would not be diverted to Cuba).

Root causes referenced: 8, 9, 10

Kollmorgen Corporation: February 7, 2019

The case of Kollmorgen Corporation is similar to that of Stanley Black and Decker and AppliChem GmbH. In this case, a Turkish subsidiary continued to do business with Iranian clients, despite extensive pre-acquisition steps taken by Kollmorgen. The subsidiary’s manager not only continued the business through intimidation of staff, but also directed the falsification of business records and deletion of emails. As part of this action, the subsidiary manager was added to OFAC’s Foreign Sanctions Evaders (FSE) List.

Root causes referenced: 8, 9, 10

e.l.f. Cosmetics: January 31, 2019

The company, which had either no OFAC compliance program or an inadequate one, violated the North Korea Sanctions Regulations when it was unaware that 80 percent of the false eyelash kits it received from its Chinese distributors were produced in North Korea.

Root causes referenced: 1, 7

Cobham Holdings, Inc: November 27, 2018

Cobham Holdings, as noted in a 2018 enforcement action, failed to identify that a party to which its Aeroflex/Metelics subsidiary shipped U.S.-goods was the subsidiary of a company on the SDN List under the Ukraine Related Sanctions Regulations, and which had a name similar to the parent company. The enforcement information focuses on the fact that the matching software was deficient in not matching the similar company names. However, had the company had data for compliance with OFAC’s 50 Percent Rule, they may have been able to discover the subsidiary and its sanctions implications when it screened the order information. OFAC’s action does not note that fixing the apparent software bug is not a cure-all; many companies implicated by the 50 Percent Rule, including West Indies Alumina (owned by United Company Rusal when it was on the SDN List) and DenizBank (owned by Sberbank), and the overwhelming majority of companies owned by sanctioned individuals, do not have names similar to their sanctioned owners.

Root causes referenced: 2, 4, 6

OFAC’s To-Don’t List

Clearly, the 10 root causes listed by OFAC occur at different frequencies and in different circumstances. As an example of the first, the Cobham Holdings action listed above is the only one in recent memory that blamed malfunctioning software – although there are a number which concern the improper use of technology. In the second instance, the export of U.S.-origin goods and the lack of a formal SCP causes are ones that rarely occur, if at all, for financial services firms, while prohibited use of the U.S. financial services predominantly applies to financial firms.

The root causes listed could potentially be improved by broadening the definitions a bit such that more facts of the existing enforcement actions could be mapped to them. However, even as written, the root causes lists provides a quick “to-don’t” list that firms can use to check their own sanctions compliance programs and business operations. In conjunction with the first part of the Framework document, OFAC has produced a fairly comprehensive road map to regulatory expectations for sanctions compliance (as of May 2019). The document will benefit firms that don’t have extensive experience and/or expertise in this area, as well as those who have already invested much time and money to identify, assess and manage their sanctions compliance risks.

Eric A. Sohn, CAMS, global market strategist and product director, Dow Jones Risk & Compliance, New York, NY, USA, eric.sohn@dowjones.com