The U.S. government is using economic and trade sanctions more expansively and aggressively than ever before. The government increasingly looks to sanctions as a primary tool of foreign policy and national security, as demonstrated by its actions over the past several years relating to Iran and, beginning in March 2014, to Russia’s activities in Ukraine. The government is also pursuing sanctions violations more aggressively than ever, bringing civil monetary penalty actions—and, in some cases, parallel criminal cases—against companies that do business with sanctioned persons and entities.
Over the past few years the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has brought some of the largest enforcement actions in the agency’s history against a wide variety of businesses for violating a broad range of sanctions programs. Between 2012 and 2014, OFAC resolutions of enforcement cases included settlements of $91 million with Weatherford International, a U.S. oilfield manufacturing and services company; $51 million with Fokker Services B.V., a Dutch aerospace services company; and $5.2 million with American Express Travel Related Services Company.
There have also been a number of large settlements with U.S. and foreign banks, including $963 million (BNP Paribas), $619 million (ING Bank), $375 million (HSBC Holdings), $152 million (Clearstream Banking), $33 million (Royal Bank of Scotland), and $16.5 million (Bank of America).1 Sanctions violators also suffer serious reputational harm, over and above their monetary losses. And, in addition to the United States, many other countries are increasingly implementing sanctions as well, as are the United Nations and the European Union, adding to the complexity of the challenges facing companies that operate internationally.
Sanctions are intended to inflict economic pain on designated persons and entities by cutting them off from the U.S. financial system and markets, and by causing the blocking (or freezing) of their assets that are, or that come within, the possession or control of U.S. persons.2 Sanctions can succeed only if the private sector complies with them by refusing to deal with designated targets. When U.S. persons engage in prohibited dealings with sanctioned parties, the coercive effect of the sanctions is lost, undermining U.S. policies.
The government has therefore implemented broad enforcement authority to bring punitive actions, both civil and criminal, against U.S. persons who engage in prohibited dealings with designated targets. OFAC has the authority to bring civil monetary penalty actions against sanctions violators.3 There is strict liability for sanctions violations; that is, prohibited dealings constitute violations without regard to whether the violator acted intentionally, recklessly, or negligently, or even where the violation results from a mere mistake.
Some violations are, however, willful, meaning the violator knows that it is committing a violation and intentionally does so anyway. When this is the case, the U.S. Department of Justice (DOJ) can also bring a criminal action for the same acts, parallel to and in coordination with OFAC’s civil action.4 Moreover, in recent years state and local authorities have brought actions when violations of federal sanctions regulations also implicated their own authorities. Examples include the New York State Department of Financial Services and the Manhattan District Attorney’s Office, both of which in recent years have brought actions under New York State law against financial institutions for violating OFAC sanctions requirements.5 And the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce, which implements and enforces export controls, often joins OFAC in parallel enforcement actions where their authorities overlap.6
Because sanctions are a tool of foreign policy and national security, they change often, adding to the compliance challenges that companies face. The government chooses its targets, and the timing of imposition of the sanctions, to suit its policy goals, without regard to the impact of the sanctions on the private sector. Targets are selected through nonpublic government deliberations, and sanctions are then imposed with no prior notice or warning. Once a person or entity is designated, it is added to OFAC’s public Specially Designated Nationals and Blocked Persons (SDN) list,7 putting the public on notice that all business dealings with the particular person or entity are prohibited unless licensed by OFAC.
The prohibition takes effect immediately upon designation; there is no grace period or wind-down period, unless OFAC expressly provides one. Even accepting past-due payments under a contract with a payor who is subsequently designated and added to OFAC’s list would, for example, be prohibited, unless first licensed. And the SDN list changes on at least a weekly basis, with parties added to or removed from the list.8
An important example of the changing nature of OFAC sanctions is the implementation of Ukraine-related sanctions. In response to Russia’s actions in Ukraine, President Obama issued a series of executive orders (EOs) authorizing sanctions against persons and entities responsible for those actions. In one of those EOs he took unprecedented action. Departing significantly from decades of practice, he authorized, pursuant to EO 13662, a new type of sanction, called sectoral sanctions. These new sanctions did not apply across Russia’s economy but were limited to certain specific sectors (financial services, energy, and defense). And the new sanctions did not prohibit all business dealings with sanctioned parties; rather, OFAC issued two directives (a new tool) that imposed specific and limited prohibitions on U.S. persons.9
In July 2014, OFAC imposed the first round of sectoral sanctions. It created a new list, called the Sectoral Sanctions Identifications (SSI) List,10 to distinguish parties subject to the new sanctions from parties on its more familiar SDN list. Later, OFAC took further action to refine the sectoral sanctions, issuing amended versions of the two directives and two other directives that imposed new prohibitions with respect to the energy and defense sectors. OFAC also continued to add new names to both the SSI list and the SDN list.
Another example of the dynamic nature of sanctions can be seen with regard to trade with Iran. For years, Iran had been subject to comprehensive sanctions by the United States. In November 2013, the “P5+1,” made up of China, France, Germany, Russia, the United Kingdom, and the United States, reached an agreement with Iran, called the Joint Plan of Action (JPOA), under which Iran agreed to limit its nuclear program in certain respects. In return for Iran’s commitments, the P5+1 agreed to provide Iran with limited, temporary, and targeted sanctions relief11 for a period of six months, starting on January 20, 2014, and concluding on July 20, 2014 (the JPOA period). As of February 2015, the JPOA period had been extended twice, to June 30, 2015, to give the parties time to continue negotiations.
OFAC’s creation of the sectoral sanctions, and the changes arising from the JPOA efforts, illustrate the unpredictability and complexity of sanctions. This presents significant compliance challenges for companies that need to stay alert to sanctions developments as they unfold, and to be able effectively to account for the changes in the design and execution of their compliance programs. In particular, companies engaged in international business need to screen current and prospective business partners (buyers, suppliers, vendors, joint venture partners, and so on) against the SDN list and, if appropriate in light of their risk profile, the SSI list as well.12 How frequently a company should screen will depend on its particular risk profile, but all companies should screen frequently enough to avoid violations.
Moreover, sanctions prohibitions tend to be very broad, applying to all types of business activity and all sectors. Sanctions issues can therefore arise suddenly, in a wide variety of contexts that often overlap with other regulations, such as anti–money laundering (AML) rules. Indeed, federal regulators examine financial institutions for both AML and sanctions compliance; sanctions examination provisions are included in the Federal Financial Institutions Examination Council’s (FFIEC’s) Bank Secrecy Act/AML Examination Manual.
Similarly, sanctions issues can overlap with anti-bribery and corruption (ABC) issues, when U.S. companies’ business dealings involve foreign parties who are both corrupt government officials and on the SDN list. A recent example of this involved multiple U.S. government enforcement actions against Weatherford International in late 2013. The government brought civil and criminal actions against Weatherford for violations of both the Foreign Corrupt Practices Act (FCPA) and sanctions prohibitions. The actions included a $91 million settlement with OFAC for the violation of sanctions related to Iran, Sudan, and Cuba.13
In light of this overlap between the very broad sanctions rules and other civil regulatory and criminal prohibitions, companies would be wise to integrate sanctions principles into their broader compliance programs. This chapter discusses sanctions implementation and enforcement in the United States. It begins with the history of sanctions in the United States. It then moves to a discussion of how a company can prevent violations and position itself to promptly detect violations. It then addresses how a company should respond in the event that violations occur. It concludes with some perspectives on what the future holds for sanctions, in both the short term and the longer term.
In the United States, economic sanctions have been used since the early years of the nineteenth century.14 In the period leading up to the War of 1812, the United States imposed sanctions on Great Britain for harassment of American ships. In the Civil War, the Union imposed sanctions on the Confederacy and authorized the forfeiture of goods involved in any prohibited transactions. The Civil War sanctions also created a licensing regime that permitted otherwise prohibited dealings under certain circumstances when approved by the Treasury Department.
After Germany invaded Norway in 1940, the Treasury Department formed the Office of Foreign Funds Control (FFC). The FFC’s mission was to prevent the Nazis’ use of the occupied countries’ holdings of foreign exchange and other assets. The program was subsequently extended to cover other invaded countries. After the United States entered World War II in December 1941, the FFC played a leading role in economic warfare against the Axis powers through the imposition of sanctions, prohibiting trade and financial transactions and blocking assets in the possession or custody of U.S. persons.
OFAC, the successor to the FFC, was created in December 1950, after China entered the Korean War. President Truman declared a national emergency and blocked all Chinese and North Korean assets subject to U.S. jurisdiction. Since then, OFAC has been the principal agency in the U.S. government with authority and responsibility for implementing, administering, and enforcing sanctions.
In 2004 there was an important development in the evolution of the use of sanctions when the Treasury Department created the Office of Terrorism and Financial Intelligence (TFI). TFI was formed to consolidate, under an under secretary of the Treasury, the department’s financial enforcement and intelligence functions, with the “twin aims of safeguarding the financial system against illicit use and combating rogue nations, terrorist facilitators, weapons of mass destruction (WMD) proliferators, money launderers, drug kingpins, and other national security threats.”15
OFAC, the Financial Crimes Enforcement Network (the department’s agency engaged in AML and countering the financing of terrorism), and the Treasury Executive Office of Asset Forfeiture (TEOAF) were moved into TFI.16 In addition, the department created two new entities to enhance TFI’s ability to execute its mission. The Office of Terrorist Financing and Financial Crime (TFFC) is “the policy and outreach apparatus for TFI.” The Office of Intelligence and Analysis (OIA) executes TFI’s intelligence functions. It is a member of the U.S. intelligence community and provides analysis services to TFI and Treasury Department leaders and to the community.17 TFFC and OIA are headed by assistant secretaries who, like the under secretary, are appointed by the president and confirmed by the Senate.
With the creation of TFI, the Treasury Department now plans and executes its national security functions in a more disciplined, extensive, and effective manner than before. All of the department’s national security functions now fall within a unified chain of command dedicated exclusively to bringing Treasury’s tools to bear in support of the government’s efforts against terrorist financing, WMD proliferation, money laundering and other financial crimes, and other threats to U.S. foreign policy and national security policy.
OFAC’s sanctions are, in many ways, the principal weapon in TFI’s arsenal. TFI made some fundamental changes in the way in which sanctions are implemented and executed, which has contributed to the increasing visibility, role, and impact of the tool.18 In particular, TFI began to focus sanctions more on bad conduct by targets (e.g., providing support to terrorists, WMD proliferation, and drug trafficking) as opposed to relying solely on country-based programs. Among other things, the Treasury found it easier to build multilateral coalitions around such sanctions than around country-based programs, which sometimes tend to be viewed as more politically motivated.
TFI also increased the focus on private sector entities as sanctions targets, as opposed to focusing exclusively or predominantly on government entities as targets. TFI found this to be effective because private sector actors tend to be sensitive to the need to follow rules and regulations, and are also highly motivated to avoid reputational harm. The idea is that they will therefore be quicker to change their behavior in order to avoid being sanctioned, or to obtain their deletion from the SDN list. And with the creation of OIA, Treasury significantly increased the use of intelligence information in sanctions programs. This enhanced the Department’s targeting abilities by providing a broader base of data and information with which to identify potential targets and to confirm that the targets are, in fact, engaging in sanctionable behavior.
Implementation and enforcement of economic sanctions, at least in the United States, have a number of particular characteristics of which companies should be aware, in order to avoid violations and to put themselves in the best compliance posture. One critically important aspect of U.S. economic sanctions is that violations are assessed on a strict liability standard. Unlike other enforcement regimes (civil and criminal), all that is necessary for an OFAC (civil) sanctions violation is that the prohibited transaction or dealing occurred. It will be a violation whether the violator acted intentionally, recklessly, negligently, or through a good-faith mistake. (OFAC will generally treat an intentional or reckless violation more harshly than a negligent or good-faith violation, but they are all violations, nonetheless.) This creates a higher level of risk for violations than companies face in many other regulatory spheres.
OFAC’s 50 percent rule, first announced in 2008, is another example of a particular nuance of sanctions authorities that poses unusual challenges to companies. Under this rule, if a blocked party owns, directly or indirectly, 50 percent or more of another entity, then that other entity is also blocked by operation of law, even if it does not itself appear on OFAC’s list. Any dealings with that entity are therefore prohibited in the same manner and to the same extent as if that party were on the list itself.
To further complicate matters, in August 2014 OFAC issued “revised” guidance on the 50 percent rule.19 The revised guidance stated that ownership, for purposes of the rule, includes aggregate ownership. In other words, ownership interests held by blocked parties will be aggregated (whether or not the blocked parties are business partners, or know of each other’s interests) for purposes of the rule. Thus, if two blocked persons each own 26 percent of Company A, or if three blocked persons each own 17 percent of Company A, then Company A is also blocked as a matter of law, even if Company A does not appear on OFAC’s list. So, while screening prospective business partners against OFAC’s lists is necessary, it will not always be sufficient; in some circumstances, companies will need to do further third-party due diligence, in order to account for, and mitigate, their level of risk for sanctions violations.
Another unusual aspect of OFAC’s authorities is their sheer breadth. OFAC’s blocking sanctions generally prohibit having any kind of business dealing, directly or indirectly, with sanctioned parties. Even entering into preliminary contract negotiations, and making business referrals to persons or companies in other countries, can constitute violations. Some of these scenarios can be counter-intuitive, and companies may often be surprised to learn that what seems like an innocuous, de minimis, or trivial interaction can in fact constitute a violation, with a significant and, in some cases, very harsh penalty.
These unusual characteristics of U.S. sanctions, together with the government’s increasing use of them as a foreign policy tool, have given sanctions an increasingly prominent role in international commerce. This enhanced role is likely to remain the norm for the foreseeable future.
Policies and Procedures. Sanctions compliance programs should have effective procedures in place for prompt escalation of possible violations, especially where there is any uncertainty as to whether or not there is a hit against the SDN list, or that a violation has been discovered. In criminal matters, the government bears the burden of proving its allegations beyond a reasonable doubt. In certain civil contexts, the government must prove its allegations by a preponderance of the evidence, or by clear and convincing evidence. But not OFAC; its regulations impose strict liability.
This makes it important to act promptly. If a company engages in a regular, high volume of a particular type of transaction—a bank processing wire transfers, for example, or a company selling and servicing oil drilling parts and equipment—and takes too long to explore a possible violation, then it may end up committing tens, dozens, or even hundreds more violations before it realizes it has committed any. Given the severity of OFAC’s maximum monetary penalties,20 companies cannot afford to take the risk. Compliance policies should therefore include provisions and mechanisms to ensure prompt identification, escalation, and resolution of possible violations. Among other things, there should be clear escalation policies and practices for employees to follow, to make sure that apparent hits quickly come to the attention of all appropriate personnel for follow-up. The company should not proceed with any dealings with the prospective partner until it is satisfied, after sufficient due diligence, that the party is not, in fact, blocked.
Due Diligence. Ongoing third-party due diligence is particularly important in the sanctions arena because the OFAC list is updated frequently. Companies with substantial international business should consider not only screening of prospective business partners at the initiation of the relationship, but also ongoing screening of existing partners. The frequency of the screening should be risk-based—the higher the risk level for sanctions violations, based on the company’s areas of operation, customer base, types of products and/or services, and so on, the more frequently the company should screen. This will increase the company’s chances of learning as early as possible if important circumstances have changed. For example, if a current business partner has been added to OFAC’s list, this immediately makes it unlawful to do business with that entity. A similar situation arises if a company is contemplating moving into a new geographic region or expanding its product or service offerings.
The best way to prevent violations is to have a well-conceived, risk-based, effective compliance program in place. Economic sanctions are more about “who” than “what.” Sanctions focus principally on the parties with whom you do business, rather than on the type of business you do, the types of products you export, and so on. OFAC’s enforcers certainly take the type of business into account (prohibited exports of oil-drilling equipment and dual-use items will likely be treated more harshly, for example, than will prohibited exports of medical products or cosmetics), but the key question is “who”—if you engage in any dealings with a sanctioned party, then you are violating the sanctions, no matter the nature of those dealings. Since the purpose of sanctions is to cut the designated party off from U.S. markets entirely, sanctions prohibit all transactions and dealings with listed parties, unless the dealings are licensed by OFAC.
Therefore, the most important component of an OFAC compliance program is proper screening. Companies should screen all prospective business partners—suppliers, vendors, customers, joint venture partners, and so on—against OFAC’s SDN and SSI lists. In order to prevent violations, the screening must be conducted prior to any transactions or dealings. And because the list changes frequently, companies must screen frequently. The decision on how often to screen should be risk-based—a company should screen frequently enough to reasonably head off the possibility of violations, in light of the company’s geographic regions of operation, customer base, and so on. If a prospective partner seems to be on the list, the company should assess it thoroughly before engaging in dealings with the party.
It is necessary, but not always sufficient, to screen against the OFAC list. As noted above, OFAC’s 50 percent rule means that companies must also be concerned about doing business with entities that have certain relationships with listed entities, even if the former are not themselves named on the list. It is easy to see how this rule presents considerable challenges to U.S. companies engaged in international commerce and puts a premium on thorough third-party due diligence. As a threshold matter it is necessary to screen customers, vendors, distributors, contractors, and other prospective business partners against OFAC’s SDN list. But in light of the 50 percent rule, and depending on its risk profile, a company may also need to do further third-party due diligence in order to effectively address its level of sanctions risk.
It should obtain and review data from multiple sources to assess the possibility that a prospective partner, while not itself on OFAC’s list, may be owned 50 percent or more, individually or in the aggregate, directly or indirectly, by blocked parties that are on the list. The risk that this might be the case will be greater in some geographic regions and industries than in others; these are among the considerations companies need to take into account in making risk-based judgments about how much due diligence to undertake beyond merely screening against the SDN list.
While the 50 percent rule is triggered only by ownership, OFAC’s revised guidance further states: “U.S. persons are advised to act with caution when considering a transaction with a non-blocked entity in which one or more blocked persons has a significant ownership interest that is less than 50 percent or which one or more blocked persons may control by means other than a majority ownership interest. Such entities may be the subject of future designation or enforcement action by OFAC.” So while ownership is the most important element that companies should explore, they should also be alert and sensitive to issues of control, for example, membership on the board of directors, or senior management positions. Such relationships will not automatically trigger blocking under the 50 percent rule, but they carry risk nonetheless.
Communications and Training. Proper and effective training is a key component of any regulatory compliance program. Sanctions training programs should include all of the elements and meet the standards of compliance programs generally, as discussed elsewhere in this book. But they should also be tailored to address the matters and issues particular to OFAC’s authorities, especially where those authorities might be counterintuitive. For example, it is important for employees to understand the broad scope and strict liability nature of OFAC’s regulations. The regulations do not merely prohibit exports of goods or processing of financial transactions; they are much broader, and training programs must make that concept clear.
Training must also thoroughly cover the critical concept of facilitation. OFAC’s regulations prohibit not only direct dealings with blocked parties, but also any acts by U.S. persons that facilitate dealings by non-U.S. persons that would be prohibited if engaged in directly by a U.S. person. The term is not formally defined in OFAC’s regulations, but the agency has provided some guidance as to what it means. The Iranian Transactions and Sanctions Regulations, for example, include an interpretative provision that gives examples of conduct that would constitute prohibited facilitation, including altering operating policies or procedures to remove requirements for U.S. person approval of transactions (when done to facilitate prohibited transactions), or referring to a non-U.S. person a business opportunity to which a U.S. person could not directly respond.21
The Sudanese Sanctions Regulations contain a similar interpretation provision that states more generally that facilitation includes any act that “assists or supports” trading activity with Sudan by any person.22 Companies would do well to assume that whatever “facilitation” means, it means the same thing when used in any of OFAC’s regulations. It should not be difficult to see how counterintuitive OFAC’s application of this concept might be; therefore, training programs should make employees sufficiently familiar with the concept that they are able, at a minimum, to quickly spot and escalate possible instances of prohibited facilitation.
Training programs present an important opportunity to enable early detection. Employees should be educated to be alert to indicators of possible violations. For example, employees should be aware that if they see terms in documents that refer to persons, companies, places, addresses, and so on in countries that are subject to sanctions (e.g., Iran, Sudan, Cuba), the document may reflect a possible violation. Employees should therefore also be made aware of company policies and procedures for initial response and assessment, and the proper protocols for escalating possible matches with the OFAC list, to ensure prompt attention by the appropriate personnel.
Even after good-faith efforts to prevent violations, companies sometimes end up running afoul of the regulations by dealing with blocked parties. The extensive scope and rapid pace of modern international commerce and the complex nature and structure of transactions and corporate relationships can make it very difficult to avoid violations completely, even for companies with well-conceived and mature compliance programs.
Given all that, and in light of OFAC’s strict liability standard and heavy penalties for violations, it is important for companies to be positioned to detect violations right away, as soon as possible after the violations occur. A large company with extensive international operations, engaged in large numbers of recurring transactions with overseas partners, can commit several, or dozens, or even a few hundred violations before it learns it has committed any. This can mean big trouble. For example, the maximum penalty for 10 violations under the International Emergency Economic Powers Act (IEEPA) is at least $2.5 million, and for 100 violations, it is at least $25 million.23 A company positioned to detect violations quickly will be better able to respond quickly, thereby reducing the possible exposure and putting itself in a much better compliance posture.
Data analytics can not only assist in the prevention of violations, but also help detect violations. Properly planned and executed analytics can uncover indicators of possible sanctions violations. This enables early discovery of violations, which puts the company in the best position to halt the violative conduct and to remediate deficiencies in the compliance program. It also puts the company in the best possible light in the event that OFAC decides to take enforcement action. For example, data analytics can help the company determine which of its business activities carry the highest sanctions risk, based on its customer and business partner profiles, types of products and/or services, geographic areas of operation, and so on.
By identifying areas of particularly high risk, the company can deploy its limited resources more efficiently and maximize its chances of uncovering unacceptably risky activities, or even violations. Analytics can also enable a company to determine if controls have been overridden, which can be an indicator of intentional attempts to commit or conceal prohibited conduct. In short, data analytics can be a cost-efficient way of detecting violations early on and therefore of preventing future violations by exposing specific vulnerabilities in compliance mechanisms.
It is always important to periodically test and assess compliance programs. It is particularly important to do so with respect to sanctions compliance programs, in light of both the changing nature of the government’s implementation of sanctions and the fact that OFAC changes its list so frequently. Proper periodic assessments of, and enhancements to, the sanctions compliance program can help a company maximize its chances of prevention and early detection.
Suppose a company discovers there is an apparent sanctions violation. What should it do? If the apparent violations arise from ongoing business activity, it is important to consider suspending that activity until such time as the company can determine whether or not violations are, in fact, occurring. This can be challenging and costly, especially if the activity is central to the company’s business (e.g., delivering products or fulfilling service contracts to a high-volume customer, or a bank processing financial transactions). But the costs of continuing the activity can be painfully high. OFAC may eventually conclude not only that further violations occurred, but that the company showed reckless disregard for sanctions requirements by proceeding with business as usual in the face of known apparent violations.
This may be OFAC’s view even if the company begins considering, or even taking, remedial measures right away, while the business activity is continuing. A recklessness finding will almost certainly lead to a significantly higher penalty than OFAC would otherwise impose. So the decision whether to suspend the activity, like most decisions relating to regulatory compliance, should be risk-based—the more likely it appears that violations have in fact occurred and the greater the possible penalty exposure, the more the company should err on the side of suspending the activity.
Whether or not the company decides to suspend the activity, it should promptly undertake an internal investigation, for which the scope is determined in proportion to the risk and possible penalty exposure, to evaluate as quickly as possible whether there are, in fact, violations.
The investigation should gather and assess all relevant facts with reference to OFAC’s Enforcement Guidelines and, in particular, the 11 General Factors Affecting Administrative Action (the General Factors).24 OFAC considers the General Factors in determining whether to impose a monetary penalty and, where a penalty is imposed, in determining the appropriate amount of any such penalty. The General Factors address, for example, whether the violations were the result of willfulness or recklessness, as opposed to a good-faith mistake; who within an organization was aware of the conduct constituting the violations, and what were their roles and levels of seniority; the nature and severity of harm to sanctions program objectives resulting from the violations; the individual characteristics of the violator (e.g., size, commercial sophistication, and so on); the existence, nature, and adequacy of any compliance program in place at the time of the violations; the violator’s remedial response, if any, to the violations; and any cooperation the violator provided to OFAC’s investigation.
The scope, nature, and details of the investigation, as is the case with internal investigations generally, should be commensurate with the nature and apparent severity of the possible violations and the enforcement consequences that are likely to follow. In any case, however, the investigation should be geared toward: (1) identifying all apparent violations; (2) determining the monetary value to be assigned to each violation; and (3) identifying all facts relevant to the nature and commission of the violations, and to application of the General Factors. This is the information that OFAC will use to decide on its enforcement response and on the amount of the penalty, if it chooses to impose one. Of course, the company should also be promptly responsive to any questions or guidance OFAC might give during the course of the investigation, to ensure that the final investigative report is sufficiently thorough and addresses any issues or questions that OFAC has raised or might raise.
Understanding how OFAC decides whether to impose a monetary penalty and what the amount of any such penalty should be will help companies to design and execute effective investigative plans when they discover that there have been violations. OFAC’s methodology is laid out in its Economic Sanctions Enforcement Guidelines (the Enforcement Guidelines).25 These make clear that OFAC employs a thorough, fact-intensive process to assess the nature and severity of apparent violations. It first gathers as much information as it can about the violations, including not only transactional data, but also internal company e-mails, memos, and other communications that can shed light on who within the company knew about, or participated in, the violations. It then analyzes the facts against the General Factors and other criteria set forth in the Enforcement Guidelines.
If OFAC determines that the violations merit a penalty, it then makes two threshold determinations: (1) whether the violator made a “voluntary self-disclosure” of the violations to OFAC and (2) whether the violations were “egregious.” “Voluntary self-disclosure” and “egregiousness” are terms of art, defined in the Enforcement Guidelines.26 The yes or no answers to those two questions place the case in one of four boxes in the Base Penalty Matrix (Figure 5.1); each box will have a specific dollar amount, with reference to the statutory maximum penalty for the violations, the monetary amount of the transactions constituting the violations, and/or a schedule of dollar amounts set forth in the Enforcement Guidelines. The difference in amounts between the four boxes can vary greatly, and the penalties for egregious cases can be very large.
Figure 5.1. Base Penalty Matrix
Source: http://www.treasury.gov/resource-center/sanctions/Documents/fr74_57593.pdf
Here is a simple example that illustrates how OFAC determines the base penalty, with reference to the Base Penalty Matrix. Assume a hypothetical case involving a single violation, for example, a prohibited export of an item, valued at $6,000, to a sanctioned party in Iran. The base penalty in Box 1 will be one-half of the transaction value, or $3,000. The number for Box 2 is determined by reference to the schedule on the first page of OFAC’s Enforcement Guidelines. For a violation valued at $3,000, the schedule yields a Box 2 base penalty of $10,000. The base penalty for Box 3 is one-half of the statutory maximum penalty for the violation; for Box 4, the base penalty is the full statutory maximum. For violations involving Iran, the statutory maximum is the greater of (1) twice the value of the violation or (2) $250,000. So in this case, the base penalty will be $125,000 for Box 3 and $250,000 for Box 4. Note the wide disparity between these four figures.
If the violator voluntarily self-disclosed to OFAC and the violation was not egregious, then Box 1 applies and the base penalty will be $3,000. If, however, there was no voluntary self-disclosure and the violation was egregious, then Box 4 applies, and the base penalty will be $250,000. Or, the base penalty could end up being the Box 2 ($10,000) or Box 3 ($125,000) penalty, depending on the answers to the two threshold questions. It is easy to see how the base penalty will vary significantly, depending on which of the four boxes applies, and how quickly the base penalty can grow to a large number.
Once OFAC has determined the base penalty, it applies the 11 General Factors set forth in the Guidelines27 to the facts of the case and determines whether the base penalty amount should be mitigated, aggravated, or left unchanged on the basis of each General Factor. The cumulative results of this analysis yield the final penalty amount. So, when a company discovers violations, it should tailor its investigation to these General Factors and OFAC’s definition of egregiousness. This will enable the company to get an idea of the likelihood that OFAC will decide to pursue a penalty and the likely amount of the penalty. It will also help to inform the company’s decision on whether or not to self-disclose the violation to OFAC.
Here again, a company can benefit from using data analytics, particularly in large-scale matters involving, for example, large numbers of transactions or where company personnel are dispersed across a number of geographic locations. Effective use of data analytics will enable the company to more quickly retrieve data about the transactions constituting the possible violations; among other things, this will enable the company to identify and determine the monetary value of the violations, which will in turn enable the company to begin to assess the amount of the penalty it may be facing. In addition, the company will be able to gather and assess other data relevant to OFAC’s enforcement decisions and penalty calculations—for example, internal e-mails and other communications among company personnel, and between company personnel and outsiders.
This type of data can be critical evidence in an OFAC enforcement action, as it can form part of the basis for OFAC’s determinations on how to apply the General Factors. For example, OFAC will look to see if the evidence shows that the violations were intentional and willful, or the result of recklessness, or the result of program failure. Such data can also show at what level within an organization there was knowledge of the acts constituting the violations—did senior officials and managers know of the conduct, or was knowledge limited, instead, to mid- and low-level personnel? In short, effective use of data analytics will enable a company to put itself in the best possible enforcement posture by quickly gathering, analyzing, and interpreting all relevant information.
If the company develops facts that make it reasonably likely that there has, in fact, been a violation, then it immediately faces another important decision—whether or not to self-disclose the possible violation to OFAC. There is no legal duty to self-disclose, but there are considerable benefits to doing so. OFAC encourages the practice and substantially rewards self-disclosures, both in deciding whether to take an enforcement action in response to the violations and in determining the amount of the penalty it will impose when it does decide to take action. For example, in cases involving egregious violations, where the violator self-discloses, OFAC cuts the base penalty in half in recognition of the self-disclosure. This is before it applies the General Factors to adjust the base penalty, where further reduction through mitigation is possible.
For OFAC’s purposes, voluntary self-disclosure (VSD) is a term of art, defined in OFAC’s Enforcement Guidelines.28 To qualify as a VSD, the disclosure to OFAC must, among other things, be made “prior to, or at the same time that, OFAC, or any other federal, state, or local government agency or official, discovers the apparent violation or another substantially similar apparent violation.” So there is a premium on disclosing promptly, as soon as the company has reasonable indications that violations have occurred.
If OFAC receives information about the apparent violations from any source other than the company (e.g., notice from a bank of the blocking or rejection of a transaction relating to the violations, a tip from a whistleblower, notice from another government agency, and so on), then the company cannot receive the benefits of submitting a VSD. For the same reason, a company that is required to, or is otherwise going to, make a disclosure of sanctions violations to another regulator (e.g., a bank making a disclosure to its prudential regulator) should make the same disclosure to OFAC at the same time.
In non-regulated or lightly regulated sectors, whether or not to self-disclose to OFAC can be a more difficult decision. This is because OFAC has traditionally taken a long time to resolve enforcement matters. OFAC is a single, small agency, unlike the DOJ, which has several thousand prosecutors in 93 U.S. Attorney’s Offices across the country and in the department’s headquarters in Washington. A review of the web posts announcing OFAC’s enforcement actions will show how common it has been for resolutions to be announced at least a few years after the most recent violations were committed.29
The same web posts show how frequently OFAC seeks agreements to toll the five-year statute of limitations. In fact, OFAC expressly includes a target’s entering into a statute of limitations tolling agreement as a mitigating factor under the guidelines it uses to calculate penalties for violations. In short, if a company self-discloses and OFAC opens an investigation, the company can safely assume that it will probably take at least a few years until the matter is resolved. This can disrupt business and generate increased legal and other costs.
Therefore, an alternative to self-disclosure in such a situation might be (1) to not self-disclose and hope that OFAC does not learn of the violation some other way, and instead (2) to promptly investigate the apparent violations, and then (3) fix the problem by enhancing the compliance program as necessary and taking other appropriate remedial actions. Then, if OFAC does learn of the violations, the company will be able to show that it recognized and proactively fixed the problem. And even though the company will not be able to reap the benefits of a VSD, it will have the opportunity to gain substantial mitigation of the penalty by cooperating with OFAC in its investigation.30
If the company decides to disclose a matter to OFAC, it should also prepare an effective presentation to advocate for the best possible resolution under the facts and circumstances of the particular matter. It is important to keep in mind that OFAC is different in this respect from criminal enforcers and even most other civil enforcers. In the criminal context and many civil contexts, the government must present evidence to a neutral third party—a judge and jury, or an administrative law judge (ALJ), for example—and bears the burden of proving that there is a sufficient factual and legal basis for its action. OFAC is different. With the exception of the Cuba program, OFAC does not, in the first instance, have to go through any judicial or other third-party process to bring an enforcement action.31 Instead, it has authority unilaterally to issue a self-executing Penalty Notice when it decides that violations have been committed and that a particular penalty is the appropriate response. Under OFAC’s regulations, imposition of a Penalty Notice creates a debt due the U.S. government; if the violator does not pay, then OFAC refers the matter to the Treasury Department’s Financial Management Division, which will take action to collect the penalty. Such action may include referral to the DOJ for appropriate action to collect the penalty.
Violators, therefore, have less leverage with OFAC than they do with most other enforcers, making it difficult in most cases to negotiate in the ordinary fashion. Many of the most persuasive arguments for government concessions that a violator can make to other criminal and civil enforcers are inapplicable to OFAC. If the violator rejects OFAC’s terms, then OFAC can simply issue a Penalty Notice and move on to its next case. Companies should keep these dynamics in mind if and when they reach the advocacy stage.
The trend toward the more expansive and aggressive use of economic and trade sanctions, particularly by the U.S. government, appears to be with us for the foreseeable future. Events over the past several years relating to Iran, Sudan, and Russia and Ukraine, among others, clearly demonstrate that governments have growing confidence in sanctions as a means to advance their policy goals. The U.S. Treasury Department’s strategies of using “secondary” sanctions against private-sector entities as a means to pressure and isolate targeted governments and bad actors (e.g., terrorist financiers and drug traffickers), and of bringing aggressive enforcement actions against violators, likewise appear to have become fixtures in the landscape of international business. Companies can assume that sanctions will remain dynamic, with new programs and individual designations arising frequently and without prior notice. And sanctions issues and risks often overlap with other risk areas such as AML and ABC.
Those engaged in cross-border business therefore need to include economic sanctions in their business plans and overall compliance efforts. Whatever changes arise with respect to particular sanctions and prohibitions, a strong compliance program will always be the best way to prevent and detect violations. And, since sanctions are more about “who” than “what,” effective screening and other third-party due diligence efforts will remain particularly important elements of sanctions compliance programs.
Companies also need to be able to promptly detect violations and then to respond quickly and effectively. Strong training programs and effective use of data analytics will enable companies to quickly identify, gather, analyze, and interpret information relating to violations. This will in turn allow the company both to terminate the violative conduct and to promptly begin to develop its response. This will require a thorough, risk-based internal investigation, tied to OFAC’s 11 General Factors. The investigation will point the company toward whatever remedial steps it needs to take to shore up its compliance program, and will also equip it to make its presentation to OFAC and/or other relevant government agencies, if necessary, and to advocate effectively for the best possible outcome under the particular facts and circumstances of the matter.
________________
Mr. Steele, a former managing director at KPMG, is now of counsel at Davis Polk & Wardwell LLP.