Low Penalty for Sanctions Violations Shows Importance of Self-Disclosure
Voluntary self-disclosure of sanctions violations, along with significant remedial measures after those violations were discovered, were key factors in a recent Office of Foreign Assets Controls decision to impose a minor penalty for those violations. Kristine Pirnia, export controls and sanctions practice leader for Sandler, Travis & Rosenberg, said this case offers clear evidence of the value of self-disclosing such violations.
According to an OFAC notice, a major U.S. company has agreed to pay $134,523 to settle its potential civil liability for apparent violations of multiple OFAC sanctions programs. Specifically, the company provided goods and services to persons sanctioned by OFAC, persons located in sanctioned regions and countries, and individuals located in or employed by the foreign missions of sanctioned countries. The company also failed to timely report several hundred transactions conducted pursuant to a general license issued by OFAC that included a mandatory reporting requirement, thereby nullifying that authorization with respect to those transactions.
OFAC states that these violations occurred primarily because the company’s automated sanctions screening processes failed to fully analyze all transaction and customer data relevant to sanctions compliance. In some instances, customer orders specifically referenced a sanctioned jurisdiction, a city within a sanctioned jurisdiction, or a common alternative spelling of a sanctioned jurisdiction, but the company’s screening processes did not flag the transactions for review. In several hundred other instances, these processes failed to flag the correctly spelled names and addresses of persons on OFAC’s Specially Designated Nationals List.
Penalty and Mitigation
The statutory maximum civil monetary penalty amount for the violations was more than $1 billion. However, OFAC determined that the company voluntarily self-disclosed the violations and that they constitute a non-egregious case. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines the base civil monetary penalty amount for the violations equals the sum of half the transaction value for each violation, which in this case is $134,523.
OFAC considered the following to be aggravating factors: (1) the company failed to exercise due caution or care when it implemented sanctions screening processes that failed to properly flag transactions involving blocked persons and sanctioned jurisdictions, (2) while the violations primarily involved low-value retail and consumer goods and services, some related to orders for personal security products on behalf of persons at the Iranian embassies in Tokyo and Brussels, and (3) the company processes billions of global transactions annually and is one of the largest and most commercially sophisticated companies in the world.
On the other hand, mitigating factors included that the company (1) voluntarily self-disclosed the violations and cooperated with OFAC’s investigation by providing data analysis and submitting detailed information in a well-organized manner, (2) conducted an internal investigation without receiving an administrative subpoena and identified and disclosed the circumstances of the transactions that led to the violations, (3) undertook significant remedial measures to address its sanctions screening deficiencies, and (4) agreed to undertake various additional sanctions compliance commitments, including (a) investing substantial resources to improve its overall sanctions compliance program, (b) employing internal and third-party sources to conduct a thorough review of its sanctions compliance program and automated screening systems, (c) developing custom internal screening lists, (d) bolstering its compliance training programs, and (e) expanding the use of specific export control and sanctions provisions and the language of those provisions in its agreements.
OFAC states that this case demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls, including sanctions screening measures appropriate for e-commerce and other Internet-based businesses that operate on a global scale.
In particular, global companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues such as common misspellings. Routine testing of these processes to ensure effectiveness and identify deficiencies may also be appropriate. Moreover, companies that learn of a weakness in their internal compliance controls may benefit by taking immediate and effective action to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.