In this exclusive Of Counsel piece, Katherine Toomey, Partner at Lewis Baach PLLC outlines the recent OFAC actions against ordinary (non-bank) companies and discusses how companies should approach the development of a compliance culture.

The U.S. Office of Foreign Asset Control (OFAC) enforces U.S. economic sanctions programs, which are generally applicable to “U.S. persons,” that is, U.S. citizens and permanent residents (wherever located), U.S. corporations (including foreign branches), and any person or entity physically located in the United States (including branches of foreign corporations).  A review of OFAC’s enforcement actions for the year to date reveals an interesting development – enforcement actions against companies other than banks outnumber enforcement actions against financial institutions.  In 2016, OFAC has issued enforcement actions and assessed civil penalties against two insurance companies, two medical supply companies, a French geoscience service company, and subsidiaries of the energy giant Halliburton.[1]  None of these companies is a bank.  Thus, if there were any lingering view that OFAC compliance is “really just an issue for banks” OFAC has emphatically put the lie to that myth.

The OFAC enforcement actions this year involve a number of different sanctions programs and varied factual scenarios.  Both Alcon Laboratories and Hyperbranch Medical Technology were sanctioned for violation of the Iranian program by exporting medical supplies to Iran.  Alcon and its affiliates were shipping end-use surgical and pharmaceutical products to both Iran and Sudan in violation of U.S. sanctions laws.  Hyperbranch and its affiliates illegally transshipped dural and spinal sealant products to Iran through a distributor in the United Arab Emirates.  The two insurance companies – AXA Equitable Life and Humana Inc. – violated the Drug Kingpin Sanctions program by providing life insurance to a designated drug kingpin and members of his family.  The Halliburton entities violated the Cuba sanctions by selling oil and gas related products and services to a consortium operating in Angola that included a minority Cuban investor.  CGG Services SA and its affiliates violated the Cuba sanctions by exporting U.S. origin goods to several sea-going vessels that were operating in Cuba’s territorial waters and by engaging in other transactions involving Cuba.  As reflected in OFAC’s published summaries of its enforcement actions, each violation involved different circumstances in terms of knowledge, intent, and voluntary self-disclosure.  These factors resulted in a wide range of penalties assessed against the violators.

Yet there is a common theme.  In virtually all of the cases, OFAC considered whether the company had an effective compliance program in arriving at the appropriate penalty.  Thus, for example, in the enforcement proceedings against the two insurance companies, OFAC noted that each was a “large and commercially sophisticated company” which had failed to “implement controls and measures to ensure that it could identify, block and report insurance policies, premiums, or claims payments” related to blocked persons or in which blocked persons had an interest.  In its enforcement proceeding against Alcon, OFAC went further, identifying as an aggravating factor that Alcon had “demonstrated a reckless disregard for U.S. sanctions requirements by having virtually no compliance program” (emphasis supplied) despite the extent of its business with Sudan and Iran and its extensive experience in international trade. OFAC deemed Halliburton’s compliance program simply “inadequate.”

These enforcement actions counsel strongly that a company with any measure of international business should implement a comprehensive sanctions compliance policy.

Designing a Program.  The program should be written and should specify who in the organization is responsible for its implementation. The first step is a risk assessment.  Unless a company identifies and understands its risk, it is virtually impossible to design a program tailored to mitigate that risk.  For example, if the company does a lot of business in the Middle East, it should make certain that it closely monitors any transactions with the potential to violate the Iran sanctions.  But as the enforcement proceedings against AXA and Humana demonstrate, geography is not the only risk factor.  It is important that companies know whom they are dealing with, and screen the names against OFAC’S list of “Specially Designated Nationals” (SDNs) – individuals with whom U.S. persons are prohibited from doing business.  Thus, companies should consider a compliance program that includes screening of customers, clients, and counterparties against both the SDN list and against a list of countries targeted by OFAC sanctions programs.

Training.  The company needs to provide specific training to its employees regarding the goals, policies and implementation of the program.  An employee who could bind the company to a contract involving Iran, for example, should not be able to say that she never heard of OFAC.  The company also needs to emphasize the consequences – to the company and to the employee – of a failure to comply with the program.  The company should consider targeted training for those employees whose responsibilities place them closer to the issues, i.e., sales officers, representatives, and agents who may go out into the field.

Independent Review.  An independent review can have a number of benefits.  First, an independent review assures that the program is being followed, that employees are properly trained, and that all potential violations have been identified, and if necessary, self-reporting has been considered.  Second and perhaps just as important, an independent review permits the program to be evaluated as a company’s business changes to make certain that the compliance program continues to meet the company’s needs and address its risks.  Businesses change over time – new product lines are introduced, new customers are recruited, and business is expanded in new geographical areas.  A compliance program should be periodically adjusted to meet these new challenges. An outdated program will neither protect the business from potential OFAC violations, nor will it be viewed favorably by OFAC should a violation occur.

Implementation.  Most importantly, a compliance program needs to be followed.  A written program that is ignored or bypassed may invite greater penalties because it can indicate that the company is aware of what should be done, but has chosen not to do it.

OFAC’s concentration of enforcement in the non-banking sector, while not new, may indicate that companies have failed to recognize their own sanctions risk.  A good compliance program is not only likely to prevent a sanctions violation, it will also identify any violation that does occur in time to permit the company to determine whether to self-report to OFAC.  OFAC’s voluntary self-disclosure program can reduce by one-half the applicable penalty for any violation.  In addition, and as reflected in OFAC’s enforcement proceedings this year, the existence of a robust compliance program is a factor that OFAC will take into account in mitigation of any penalty.

[1] In each case, the violators reached a settlement agreement with OFAC whereby a civil penalty was assessed by OFAC for the sanction violations.