OFAC Sanctions: Avoiding Unintentional Violations

Are you a US-headquartered company with international business operations? How confident are you that your company and its agents, employees, affiliates, or subsidiaries are not dealing with foreign countries, geographic regions, entities, or individuals that are the subject of economic sanctions?

The US and other international actors most recently deployed economic sanctions in response to Russia’s invasion of Ukraine. And the spotlight became a bit brighter when US Deputy Attorney General Lisa Monaco called sanctions “the new FCPA.” As we previously discussed, the Foreign Corrupt Practices Act (FCPA) generally prohibits companies and their employees and representatives from the payment of bribes to foreign officials to assist in obtaining or retaining business.

Monaco further said:

The growth of sanctions enforcement follows the path that the FCPA traveled before it. Both FCPA and sanctions enforcement are relevant to an expanding number of industries. They have extended beyond just U.S. actions to an increasingly multilateral enforcement regime. And they both reward companies that develop the capacity to identify misconduct within the organization, and then come forward and voluntarily disclose that misconduct to the department.

This article provides a brief overview of the US economic sanctions regime, how it is enforced, and ways that companies can strengthen their sanctions compliance programs to mitigate the risk of violations.

Background on OFAC

In the US, the Office of Foreign Assets Control (OFAC) within the Department of the Treasury administers and enforces economic sanctions. OFAC was formally created in December 1950 in reaction to the entry of China into the Korean War. At the time, President Truman declared a national emergency and blocked all Chinese and North Korean assets subject to US jurisdiction. Since its formation, US sanctions have been used as a tool against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to national security, foreign policy, or the economy of the US.

As of this writing, OFAC administers 38 different sanctions programs. The programs apply to all "US persons," which generally include:

• all US citizens and permanent resident aliens, regardless of where they are located,
• all persons and entities within the US, and
• all US persons working for US-incorporated entities and their foreign branches.

In the case of certain programs, foreign subsidiaries owned or controlled by US companies also must comply.

Sanctions can be either comprehensive or selective. In the case of comprehensive sanctions, US persons are prohibited from participating in most transactions, collaborations, and activities with certain countries. For example, think of US trade embargoes concerning Cuba, Iran, North Korea, and Syria.

Selective sanctions are targeted at specific individuals or entities. OFAC maintains the Specially Designated Nationals and Blocked Persons List (SDN List), which has approximately 6,300 names connected with sanctions targets. Examples include international narcotics traffickers and Russian oligarchs. US persons are prohibited from dealing with SDNs regardless of location, and all SDN assets are blocked. In addition, entities that an SDN owns (defined as a direct or indirect ownership interest of 50% or more) are also blocked, regardless of whether that entity is separately named on the SDN List.

Enforcement and Penalties

Enforcement actions for violations of economic sanctions may be brought by OFAC and the Department of Justice. If OFAC believes that a US person is in violation of economic sanctions, it often triggers an investigation.

Based on the outcome of that investigation, OFAC may decide to, among things:

• conclude that there was no violation,
• find that there was a violation,
• find that there was a violation and attach a civil monetary penalty, and/or
• refer the matter to the Department of Justice (DOJ) for criminal investigation/enforcement.

OFAC Enforcement

Violations of economic sanctions are strict liability offenses. OFAC only needs to prove failure by a company to adhere to sanctions programs; it does not need to establish that there was intent or fault by the company. This can catch some companies off guard, especially when they rely on third-party software to screen for potential violations and those systems fail. Inadvertent violations are still violations that are grounds for OFAC to initiate an investigation and ultimately issue a civil penalty.

Civil penalties can vary significantly and depend in large part on the relevant statutory authority, as well as OFAC’s evaluation of the circumstances. There are examples where the applicable statutory maximum civil monetary penalty has amounted to several million dollars, and OFAC has chosen to ratchet down those penalties to a few hundred thousand dollars based on mitigating circumstances.

NewTek Inc. is one such company. The statutory maximum civil penalty associated with its violations came in at just over $15 million. The final settlement amount in that case of $189,483 reflects OFAC’s consideration of certain mitigating factors including self-disclosure, lack of violations in the last five years, compliance program reforms, and cooperation during the investigation.

DOJ Enforcement

The DOJ oversees criminal sanctions violations. Successful prosecutions can result in:

• asset seizures,
• fines of not more than $1 million, and
• a prison term of not more than 20 years.

It’s worth noting that alleged sanctions violations that attract the attention of the DOJ typically involve sanctions evasion and money laundering schemes. For example, the DOJ announced this year that a US citizen who conspired to provide services to the North Korean government, including technical advice on using cryptocurrency and blockchain technology to evade US sanctions, was sentenced to 63 months in prison. In another case, an Italian national was sentenced to 28 months in prison for conspiring to obtain industrial equipment from the US on behalf of a Russian energy company in violation of US sanctions. For the vast majority reading this article, I expect any potential sanctions violations would be of the inadvertent type and none that would involve taking actions to benefit the North Korean or Russian government.

A Tale of Two Sanctions Compliance Programs

As noted earlier, sanctions violations are enforced on a strict liability basis. So even if you have a “best in class” sanctions compliance program, you may still find yourself subject to an OFAC enforcement action if you are found to have violated sanctions. 

As an example, there was a recent OFAC enforcement involving a bank that processed payments on behalf of two individuals who were added to the SDN List. The bank processed these payments for only 14 days after the individuals were added to the SDN List. The bank used a vendor to screen new names added to the SDN List against the bank’s existing customer base. The bank mistakenly believed that the vendor’s daily screenings would screen the entire customer base against additions and changes to the SDN List. Unfortunately, the reality was that the vendor only screened the bank’s entire existing customer base once a month. In this case, the customers matching two of the individuals that were added to the SDN List in late September 2020 were not discovered until the vendor generated its monthly report in early October 2020. The bank became aware of this and reported the processed payments to OFAC. OFAC issued a Finding of Violation instead of a civil monetary penalty.

On the opposite end of the spectrum are those companies that effectively operate without a sanctions compliance program. OFAC announced one such case in October 2022. It involved a cryptocurrency platform that was not screening customer information for terms associated with sanctioned jurisdictions. As a result, individuals located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria were able to use the cryptocurrency platform in violation of US sanctions. The company settled with OFAC for over $24 million.

In addition, the Treasury’s Financial Crimes Enforcement Network (FinCEN) conducted a civil enforcement investigation of the company. FinCEN found that the company failed to develop, implement, and maintain an effective anti-money laundering program. In the end, the company settled with FinCEN for an additional $29 million.

Developing and Enhancing Your Sanctions Compliance Program

What makes for a good sanctions compliance program? OFAC has published guidance that companies should review in advance of developing their sanctions compliance programs. It also makes sense to revisit any updated guidance from time to time to help ensure that their compliance programs reflect sanctions risks associated with their business operations. In 2019, OFAC published “A Framework for OFAC Compliance Commitments” and in 2021, it published “Sanctions Compliance Guidance for the Virtual Currency Industry.” The latter leverages elements from the 2019 publication.

While OFAC concedes that no single compliance program or solution is suitable to every circumstance or business, it does lay out five essential components of an effective sanctions compliance program.

1. Management Commitment: OFAC views senior management’s commitment to a company’s sanctions compliance program as one of the most important factors in determining the program’s success. Effective commitment includes providing adequate resources to the company’s sanctions compliance program, as well as ensuring that compliance is fully integrated into the company’s daily operations. OFAC’s general view is that “senior management” typically includes senior leadership, executives, and/or the board of directors. This is yet another instance where tone at the top matters.

2. Risk Assessment: As discussed earlier, penalties associated with sanctions violations can be high, which may negatively impact a company’s balance sheet, as well as a company’s reputation. In some cases, sanctions violations can harm US foreign policy and national security interests. Along those lines, OFAC recommends that companies take a risk-based approach when designing or updating their sanctions compliance programs. This will generally involve conducting routine, and if appropriate, ongoing risk assessments to identify potential OFAC issues they are likely to encounter. This will help in developing policies, procedures, internal controls, and training to mitigate such risks.

3. Internal Controls: OFAC views an effective sanctions compliance program as including policies and procedures designed to address the risks identified in the company’s risk assessment. These internal controls should clearly outline the company’s expectations, procedures, and processes related to sanctions compliance (including reporting and escalation chains) and minimize sanctions-related risks. To that end, companies should ensure their policies and procedures are enforced. To the extent that any weaknesses are identified, they should be remediated promptly.

4. Testing/Auditing: To ensure a company’s sanctions compliance program is performing effectively, OFAC recommends the program be the subject of comprehensive, independent, and objective testing or auditing. This will help the company identify program weaknesses and deficiencies. The company can use the results of this testing/auditing to enhance and/or remediate its program, including improving software, systems, and training.

5. Training: Finally, companies must ensure their employees are adequately trained on sanctions risk and compliance. OFAC notes that an effective training program must be tailored to a company’s risk profile and that the training should be provided to all appropriate employees (e.g., management, compliance, and customer service). OFAC recommends that training should be conducted periodically, but annually at a minimum.

The training should generally accomplish the following:

• provide job-specific knowledge based on need,
• communicate the sanctions compliance responsibilities for each employee, and
• hold employees accountable for sanctions compliance training through assessments.

Parting Thoughts

As the lines dividing the global economy become more blurred, even the most well-intentioned companies with the most robust sanctions compliance programs may find themselves in the sanctions hot seat. You want your company’s sanctions compliance program to identify and avoid any sanctions risks before they materialize. If your program still falls short, you may receive lesser penalties if your program has integrated OFAC’s five essential components of an effective sanctions compliance program.