How to Deal with Increasingly Complex Sanctions Compliance

Office of Foreign Assets Control (OFAC) sanctions regulations and other regulatory regimes that impose restrictions on international trade have always been important tools to protect US foreign policy and national security interests. The use of sanctions has aggressively expanded in recent years, and the continuing inclusion of organizations’ and individuals’ names on OFAC and Bureau of Industry and Security lists is in the middle of escalating tensions with China, Russia, Venezuela, and other countries. Meanwhile, the Committee on Foreign Investment in the United States (CFIUS), a previously little-known inter-agency committee of the US government, has been at the center of several scuttled mergers and acquisitions as the US seeks to protect national security interests from all angles.

Sanctions and export controls compliance has always been challenging, but it seems to be verging on impossible. With the Department of Justice pursuing criminal actions for sanctions-related cases involving North Korea, Iran, and other sanctions programs, the stakes are much higher than simple civil or administrative penalties.

In a recent episode of our Fraud Eats Strategy podcast series, I spoke with sanctions and export controls experts Baruch Weiss, a partner with Arnold & Porter, and FTI’s own Eric Rudolph, who each offer practical advice on how to handle the increasingly complex area of OFAC and sanctions compliance.

In 2019, the U.S. Department of the Treasury published the Framework for OFAC Compliance Commitments, which sets forth five essential components of a sanctions compliance program and 10 root causes of sanctions compliance breakdowns. Companies are well-advised to align themselves with this OFAC framework that was published roughly one year ago. The framework details what a compliance program should include and how organizations should administer it. An important point in this guidance is that the program shouldn’t mirror the framework exactly. Instead, the framework sets forth clear expectations that each program should be developed after the company has performed a meaningful risk assessment.

Some companies are at much greater risk of encountering OFAC sanctions problems than others. Into which category an organization falls depends on the composition of its customer base, geographic location of those customers, the goods or services offered and other variables that together form the organization’s unique risk profile. The compliance program should be influenced by the Framework, other authoritative guidance and the risk assessment itself.  It is the risk assessment that provides the information needed to make the program risk-based and tailored to the organization’s risk profile.

Organizations that have OFAC risk should be using the OFAC Framework to guide the design and implementation of their compliance programs. A company that fails to factor OFAC risk into its compliance program runs the risk of incurring sanctions that are both severe and costly. With the release of this document, OFAC is delineating what they expect to see in a sanctions compliance program. OFAC looks at a program through a critical lens, examines the adequacy of that program against the Framework and then weighs what actions to take against the company.

If your organizational leadership remains unconvinced of the need for a good compliance program, consider this. If your company ends up violating OFAC and you have a good program that aligns with the OFAC Framework, OFAC will likely go lightly on you in terms of fines and penalties, because even with the best of programs in place, OFAC violations can still occur, and the agency understands and expects that to happen on occasion. On the other hand, there are recent instances in which there were sanctions violations and OFAC concluded that the violations were caused by failures or inadequacies in the compliance program. That could lead to two results. First, OFAC may mandate improvements of the compliance program, and second, it may and likely will result in a higher financial penalty than if you had implemented a robust compliance program before running afoul of OFAC.

A critical part of complying with these various frameworks is doing comparative analysis against large lists of sanctioned and debarred individuals, entities, vessels and countries. This leaves global companies wondering if they can operate within the law without having to screen every transaction, vendor, customer and payment.

Organizations do have to know every customer. If they don’t know them, they need to screen them. There is software that allows for screening against OFAC and various other sanctions, debarment and restrictive trading lists issued by governments, the EU, the UN and multilateral banks. It is not hard to get software that will screen against whichever lists you deem relevant, and you do not have to screen every counterparty and every transaction. If your company sells to domestic rather than foreign customers, you may not need to do it at all. Even if you do sell to foreign customers, if the products you manufacture go exclusively to five customers that you’ve dealt with for years, you also don’t need to screen every transaction.

This is another area that should be informed by the performance of a risk assessment. A risk assessment should consider customers, their geographies, and direct and indirect sales to customers. If you sell to a lot of first-time customers in regions of the world like the UAE, there’s a risk of your products being diverted to customers in Iran, so you would be well-served to conduct a more thorough review of your customer in the UAE than you would have to do if you’re selling to a customer in Canada who you’ve sold to for many years.

Another important consideration is that the status of vendors or customers can change. You don’t want to be in a situation in which you’ve done business with a vendor or a customer for years and you don’t realize that someone involved in those businesses has been added to a list but you haven’t rescreened or updated your screening. And that has certainly happened. There’s no way to know or be certain that you aren’t doing business with a sanctioned party if you don’t screen. There have been several enforcement cases that highlight this issue including some very prominent companies such as Apple.

You want to have good screening software tools, training and communications around recognizing and responding to sanctions risk. Your compliance program needs to stand up to outside scrutiny and meet the government’s definition of “effective”.  The OFAC Framework includes 10 categories of mistakes or problems that have led to the imposition of penalties and some of them are embarrassing.  One is the fact that a lot of companies don’t yet have a sanctions compliance program. When there’s no mechanism to catch these things, that’s glaringly obvious and completely avoidable. Some problems are more subtle but we now have the advantage that OFAC has identified them in their Framework so they aren’t subtle or inconceivable any longer. They are there and are components that you should factor into your compliance.

Another important point that not everyone appreciates is that these lists, the public record and the risk profile of a counterparty are all dynamic and can change very quickly.  Baked into any compliance program needs to be some element of dynamism as well in which background investigations are refreshed and sanctions screening is repeated at scheduled intervals.

In 2019, the U.S. Government Accountability Office issued a report that acknowledged that US government agencies themselves were struggling to understand the opaque ownership structures of some of their contractors. Also in 2019, Apple was fined $466,000 by OFAC for failing to identify an OFAC specially designated national who was an owner of an Apple counterparty. In this instance, the commercial partner had taken several steps to try to obscure the ownership and conceal the connection with this prohibited person. This would seem to represent a ratcheting up of regulatory expectations in terms of counterparty due diligence. In light of these seemingly increased expectations, there are several steps organizations should take to avoid OFAC liability when the counterparties are deliberately obscuring their true ownership. It’s complicated by what is called in the OFAC world the 50% rule. If you have somebody who is an OFAC SDN and that person or entity owns more than 50% of another company or a subsidiary, then that second company is also deemed to be on the list and transactions involving that company must be blocked.

The 50% rule makes OFAC compliance infinitely more complex than simply running the names of your customers and vendors through your software. It doesn’t mean that you must investigate every client or every customer, but you do need to consider asking certain questions and, in some unusual situations, undertaking some type of enhanced due diligence to make sure that the entity that you’re dealing with is not obscuring its ownership.

One last complicating factor is that OFAC works on a strict liability basis. This means even if you’re not at fault, if you deal with an entity that you’re not supposed to deal with, irrespective of your intent and the fact that you may have screened, performed due diligence and found nothing, OFAC still reserves the right to impose penalties. OFAC law does not require that you act willfully. When you combine strict liability with the 50% rule and you have an SDN who’s deliberately trying to obscure their ownership, you have a situation where you can inadvertently do business with somebody that you’re not supposed to. And you could find yourself in a situation where OFAC is contemplating imposing penalties as a result.

While OFAC certainly seems to command the lion’s share of attention, there are several sanctions and export control lists and obligations that companies have to incorporate into their sanctions and trade compliance programs. Companies must take steps to harmonize their various sanctions and export controls obligations into a single cohesive program. The good news here is that although there are multiple export control and sanctions programs, as a general matter, the compliance programs that you need for all of these are similar but not identical. They’re similar enough that you can use the same software to screen for debarred and restricted parties for all of them. You have one chief compliance officer who will handle all of these, and the training is much the same. There are some differences. The Department of Commerce’s Bureau of Industry and Security, for example, is concerned with the nature of the goods being exported and how they have been classified under Commerce’s Export Administration Regulations. If your organization manufactures technological goods, you need to master the Export Administration Regulations and understand which devices are restricted, how they are classified and your compliance obligations for each.

The Committee for Foreign Investment in the United States (CFIUS) has figured prominently in the scuttling of some major acquisitions in the past few years. Until recently, dealing with CFIUS was a voluntary process. What that meant was that if a US company was going to be acquired by a foreign company and there was a concern the transaction may pose a national security concern, the US company could voluntarily ask for CFIUS’s input. If CFIUS approved, the company could go forward with the transaction, confident that it would not be undone.

A couple of years ago, Congress passed legislation that made it mandatory for certain classes of acquisitions to be submitted to CFIUS for review. The regulations were modified in October, tying CFIUS to the manufacture and export of goods governed by the Commerce BIS lists and bringing those companies into the mandatory jurisdiction of CFIUS. Even if you don’t fall within the mandatory category, it’s still advantageous in many instances to consult CFIUS about a proposed sale to a foreign buyer. If you’re not in the mandatory category, it’s likely you’ll get a yes. By doing so, you don’t have to live with the concern that maybe there’s something about the transaction that CFIUS considers a national security concern.

Global organizations must understand who their customers and third-party distributors and resellers are and confirm that none are debarred by OFAC, BIS, or other U.S. restrictive trading lists, or risk incurring strict liability fines and penalties, some of which can include criminal liability. If any of the products they manufacture have potential national security implications, they must ensure that they are classified as such and that any buyers have been screened to ensure none are restricted parties. And lastly, companies considering a sale to a foreign buyer need to understand whether such a sale has the potential to have national security implications, and if there is any doubt, they should consider conferring with CFIUS before moving forward or risk having to unwind the transaction after the fact.

To hear the full Fraud Eats Strategy podcast episode with Baruch Weiss and Eric Rudolph, click here.  

Note: The postings on this site are my own and do not necessarily represent FTI Consulting’s positions, strategies or opinions
