Would it not be super-nice if sanctions compliance came with a neat menu of do’s and don’ts? Well, it kind of does, but it involves participating in a scavenger hunt of sorts on the Office of Foreign Assets Control (OFAC) website.
When You Assume…
Before delving into specific pieces of online information that can illuminate regulatory expectations, a certain baseline about interpreting and utilizing the available information needs to be understood.
U.S. sanctions enforcement is an administrative regime, not a judicial system. One cannot avoid the consequences of one’s actions on the basis of a technicality. Therefore, one should assume that OFAC’s discretion is extremely broad in defining its jurisdiction. Similarly, OFAC should be expected to exercise wide latitude in defining the business dealings that constitute sanctions violations meriting punitive measures and/or public disclosure. This has been borne out in a number of enforcement actions over the last few years:
- B Whale Corporation, where jurisdiction on a Taiwanese firm hinged on the fact that, at the time of the violating transactions, the company was involved in bankruptcy proceedings in Texas
- CSE Global/CSE TransTel, where the use of a U.S.- dollar bank account held at a branch of a non-U.S. bank located outside the U.S. enabled OFAC to impose a penalty
- Exxon Mobil Corp., where the signing of contracts with a sanctioned party constituted violations, despite the lack of a transfer of any tangible assets
- State Street Bank and Trust, where pension payments to a U.S. citizen’s bank account in the U.S. were deemed to be violations because the account holder was a resident in Iran at the time of the payments
- e.l.f. Cosmetics, which was deemed to be in violation of North Korean sanctions because the distributor that provided certain health and beauty products to e.l.f. used a firm in North Korea to fulfill the overwhelming majority of e.l.f.’s false eyelash kit orders, even though the company was unaware of the distributor’s use of that supplier
At a more basic level, if an issue is the subject of a discussion on one of OFAC’s webpages, one should consider that such publication represents the setting or reinforcement of a regulatory expectation. This is also true of frequently asked questions (FAQ), guidance documents and enforcement action-related documents (e.g., settlement agreements and press releases, in addition to the enforcement information documents published on OFAC’s enforcement pages).
The Enforcement “Bible” and the New Testament
The OFAC Enforcement Guidelines document, which is an excerpt from the Federal Register available on OFAC’s enforcement pages, provides a detailed explanation of the enforcement process, the possible outcomes, the potential penalties (both monetary and incarceration) and how the resulting amount of monetary penalties are derived. The General Factors that the document lists are behaviors that cause the violations to be viewed in a worse light and other behaviors that may mitigate in one’s favor when all the accounting is done.
Earlier this year, OFAC further expanded on one of the General Factors listed in the Enforcement Guidelines to provide greater clarity on its expectations. A Framework for OFAC Compliance Commitments (“Framework document”) lays out the following five “essential components” of a sanctions compliance program:
- Management commitment (e.g., “tone at the top,” establishing a “culture of compliance”)
- Risk assessment (i.e., identification of customer segments, geographies, products and delivery channels, as well as an assessment of the relative regulatory risk associated with each)
- Internal controls (i.e., policies, procedures and systems)
- Testing and auditing
These directly parallel the current regulatory requirements and best practices for anti-money laundering programs. One should reasonably assume that this would be used as the yardstick for evaluating a violating party’s compliance program (one of the General Factors enumerated in the Enforcement Guidelines).
In addition, the Framework document lays out the following 10 general themes from enforcement actions that represent the underlying cause of sanctions compliance programs being found inadequate in design and/or execution:
- No OFAC sanctions compliance program
- Lack of understanding of OFAC regulations
- Facilitation of transactions by non-U.S. persons
- Exports/re-exports of U.S.-origin goods prohibited under U.S. sanctions regulations
- Using the U.S. financial system for transactions prohibited under U.S. sanctions regulations
- Failures of sanctions screening systems
- Inadequate due diligence
- Inconsistent sanctions compliance within a decentralized compliance function
- Use of non-standard payment or commercial practices
- Individual liability
These are factors OFAC will be even less forgiving of in the future, due to their delineation in the Framework document. As the bromide goes, forewarned is forearmed—these documents help draw a bright line between an occasional error that might result in a no-action letter and systematic inadequacies that are more likely to result in a civil monetary penalty (CMP).
Enforcement Cliffs Notes: Enforcement Information
The enforcement information documents detailing each OFAC investigation that resulted in public disclosure on OFAC’s website can actually be more illuminating than the Enforcement Guidelines or Framework document
They bring those “regulator-speak” documents to life by providing concrete realworld examples of their principles in practice. In each documented case, OFAC either levied CMPs (or settled with the violating firm in lieu of a CMP) or, in cases of less willful, reckless or negligent sets of circumstances, issued a Finding of Violation which, while a serious matter, does not result in a financial penalty.
The quality of these enforcement action documents has steadily improved over time. Prior to the publication of the Enforcement Guidelines, the documentation provided was a limited description of the violating conduct and had no insight as to why OFAC imposed the penalty. Now a good description of the violating transactions, as well as interactions between various involved parties in relation to the recognition of sanctions risks, is a regular portion of each enforcement action document (although, if available, the settlement document tends to provide even more detail).
The enforcement information documents detailing each OFAC investigation that resulted in public disclosure on OFAC’s website can actually be more illuminating than the Enforcement Guidelines or Framework document.
Just as the enforcement information documents provide real-world evidence of violating behavior and OFAC’s assessment thereof, the FAQ section of the website provides detailed responses to issues that OFAC recognizes require greater clarification.
OFAC also explains how the final penalty was derived, documenting the amount of the base penalty (and comparing it to the value of the underlying transactions, as well as the statutory maximum penalty), as well as the General Factors from the Enforcement Guidelines that influenced the calculation of the final amount of the settlement or CMP.
These portions of enforcement information documents can provide a diligent reader a road map to behaviors it should strive to identify in a company’s compliance and business operations. However, over the last few years OFAC has endeavored to not only provide more of such information, but to highlight it more obviously. Newer documents include, in much greater detail, the specific remediation actions performed by a firm in order to shore up its sanctions compliance program (older documents used to refer to “extensive remediation” or similar wording). Enforcement action documents now also include a paragraph or two that clearly describes the lessons that firms should learn based on the facts of the particular enforcement investigation.
One may consider the risk in one’s business to be significantly lower than that of the firm agreeing to a settlement, or the firm’s size and commercial sophistication (part of the Enforcement Guidelines’ individual characteristics General Factor) to be significantly lesser than that of the investigated firm. However, one would be ignoring the facts and lessons to be learned at their peril. One might reasonably assume that, at the time of the violation, the standard of care being discussed was not as relevant or applicable to one’s firm. But it should be expected that the regulatory expectation being documented will extend to larger and larger sets of parties over time—one cannot predict, with any certainty, when it will apply to their firm.
F is for Frequently
Just as the enforcement information documents provide real-world evidence of violating behavior and OFAC’s assessment thereof, the FAQ section of the website provides detailed responses to issues that OFAC recognizes require greater clarification. The FAQ pages are extensive and well-organized—they include sections addressing topics that are applicable regardless of the sanctions program involved, as well as those that address very targeted topics, such as subsections that relate to specific changes in legislation and regulation. For example, there is a separate subsection (under the Syria sanctions section) with multiple questions about Syria General License 11. Once addressed in an FAQ, one should expect that a regulatory expectation has been set—the Exxon Mobil enforcement action mentioned previously addresses the sections of the FAQ (which had been published prior to the firm’s violating behavior) relevant to the specifics of its investigation.
Another notable example of this relates to FAQ 409, which discusses rollovers of short-term credit issued to a party subject to the sectoral sanctions capital markets restrictions under the Ukraine/Russia-related sanctions program. Such further extensions of credit are only allowed if the prior borrowing is repaid in full first. The 2019 enforcement action against Haverly Systems—in which Haverly’s attempt to collect on credit that had been extended beyond the limits under OFAC’s sectoral sanctions directives resulted in a $75,375 settlement—is one that potentially could have been avoided with proper attention to this question.
Each OFAC sanctions program has its own dedicated webpage, including links to all documents containing regulatory information relevant to that program. In addition to cut-and-dried sets of regulatory requirements enshrined in associated legislation, regulation, executive orders and general licenses, these pages also link to guidance and advisory documents that add useful detail. For example, the Iran sanctions program page contains, as of early June 2019, links to the following documents and related webpages:
- A page containing FAQ on the Combating America’s Adversaries Through Sanctions Act and other information
- A list of medical devices that require authorization
- Advisories for the maritime industry (regarding the Islamic Republic of Iran Shipping Lines [IRISL]), fraudulent shipping documents and abuse of intermediates such as trading companies and exchange houses
- Graphic charts documenting various subsets of designated Iranian parties and any non-Iranian enablers and partners, and the relationships between them
- The list of related FAQ
- Links to the Foreign Sanctions Evaders List, the now-defunct Part 561 List and the Non-SDN Iranian Sanctions Act List
- Iran-specific guidance and statements of licensing policy (SLP) regarding sales of food, agricultural commodities, medicine and medical devices by non-U.S. persons; the Shah DenizBank Consortium; humanitarian assistance; “internet freedom” in Iran; donations of food and medicine; sponsorship of conferences by Iranian persons or the government of Iran; transshipments to Iran; “U-turn” payments; and the Comprehensive Iran Sanctions Accountability and Divestment Act
- A list of interpretive guidance documents issued by OFAC (including those issued in response to requests by the public) on a range of general and Iran-specific topics. The Iran-specific topics include internet-related issues, “substantive enhancement of information,” aircraft safety, surveys and interviews, travel exemptions and posting of information from Iran on websites
- Guidance documents related to OFAC licensing policy, including the OFAC 50 Percent Rule, legal fees and costs licenses, academic and cultural exchange programs, and activities which support human rights, humanitarian assistance and promotion of democracy
Understanding regulatory expectations is not the “art of the possible”; it is more like the “science of the required”
These documents (with the possible exception of the advisories) all combine to form a more complete picture of regulatory expectations regarding each specific program that OFAC administers. The advisory documents, while they detail the typologies of behavior used by targeted parties, do not provide specific guidance as to recommended (or even possible) countermeasures. While it is unclear as to what types and amount of action would be sufficient to demonstrate diligence in identifying and/or obstructing such behaviors, it would likely be prudent to assume that some amount of effort should be expended in the pursuit of these goals (at least if the advisory is targeted to one’s industry). It is also likely that, as effective detection methods are developed and proven, these advisories will be superseded by guidance and/or FAQ.
Gone, But Not Forgotten
Another source for gaining insight into regulatory details and expectations was the twice-yearly symposia that OFAC ran in Washington, D.C., for a number of years until 2017. Those forums provided a venue to hear from OFAC staff about the current state of a number of prominent sanctions programs, and its enforcement priorities, as well as ask them detailed questions. While the transcripts from these sessions were not published, meaning that one could not consider them official statements of policy and expectations, they did provide useful guidance on the likely interpretation of potential fact patterns under the then-current regulatory environment.
Assembling the OFAC Jigsaw Puzzle
While the above resources do not provide a neat checklist to follow in order to avoid OFAC’s investigative reach, they can be assembled into two neat piles of information. In a general sense, the Enforcement Guidelines, Framework document and enforcement action-related documents—along with the FAQ, guidance documents and licensing policy statements that are not program-specific—can be cobbled together to define how OFAC would evaluate one’s compliance operations. Using that as a baseline, the program-specific parts of those elements (FAQ, guidance and SLPs) which address the specific elevated risks in those programs, will further color OFAC’s judgment of how a firm manages the specifics of those risks.
No one said it would be easy—but it seems to be possible. And, to be honest, properly understanding regulatory expectations is not the “art of the possible”; it is more like the “science of the required.”
Eric A. Sohn, CAMS, global market strategist and product director, Dow Jones Risk & Compliance, New York, NY, USA, email@example.com