The second half of 2023 saw eight enforcement actions from the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”).  These actions reflect a range of penalties, industries, sanctions programs, conduct, and lessons learned.  Below are some highlights from OFAC’s enforcement releases and settlement agreements.

Penalties

OFAC imposed a total of $984,851,289.90 in penalties during the second half of the year, ranging from $31,867.90 against New York-based Emigrant Bank (“Emigrant”) to $968,618,825 against Binance Holdings, Ltd. (“Binance”), a Cayman Islands virtual currency exchange with affiliates around the world.  In one settlement, for $1,207,830 with CoinList Markets LLC (“CLM”), a California-based virtual currency exchange, OFAC suspended $300,000 of the settlement amount considering “the individual facts of this case, including CLM’s financial circumstances.”  This amount is suspended pending satisfactory completion of CLM’s compliance commitments as agreed to in the settlement.  Additionally, as partial satisfaction of the settlement amount, CLM agreed to invest $300,000 in additional sanctions compliance controls.

OFAC determined that three of the eight cases involved egregious conduct. Five of the eight cases involved voluntarily self-disclosed conduct.  Each of the penalties imposed fell below the applicable base civil monetary penalty amount.  Notable mitigating factors include:

  • “Negligible harm” to the U.S. sanctions policy objectives:  One of the General Factors in OFAC’s Economic Sanctions Enforcement Guidelines is “the actual or potential harm to sanctions program objectives caused by the conduct giving rise to the apparent violation.”[1]  In the settlement with Emigrant, which involved bank accounts for two Iranian residents, the relevant transactions were sent to the account holders’ son and daughter-in law, residents of the United States.  OFAC concluded that “[t]hese payments resulted in negligible harm to U.S. sanctions policy objectives.”  In another settlement, involving financial services corporation Nasdaq, Inc. (“Nasdaq”), OFAC found that the “true magnitude of the sanctions harm of the Apparent Violations was significantly less than the face value of the underlying credit resource and foreign exchange transactions.”
  • Proportionate response: OFAC’s Enforcement Guidelines also permit it to consider “other relevant factors on a case-by-case basis,” including “totality of the circumstances to ensure that its enforcement response is proportionate to the nature of the violation.”  In the Binance settlement, OFAC included this as a mitigating factor, referencing the volume of violative conduct compared to the institution’s overall activity, and “its relative revenues and profits with respect to the trades underlying the Apparent Violations.”

Sanctions Programs at Issue

Six of the eight enforcement actions involved apparent violations of Iranian sanctions.  Two of these six actions also involved apparent violations of additional sanctions programs, including apparent violations of Cuban, Ukrainian/Russian, Syrian, and North Korean sanctions.  The other two enforcement actions, against CLM and insurance organization Privilege Underwriters Reciprocal Exchange (PURE), involved apparent violations of OFAC’s Ukraine/Russia sanctions.

Industries and Conduct Involved

Six of the eight enforcement actions involved either a financial institution or a financial services company.  In terms of the activity involved, relevant conduct by these entities included:

  • Maintaining a Certificate of Deposit (CD) account on behalf of two individuals ordinarily resident and located in Iran.
  • Enabling reward cards to be redeemed from persons apparently resident in sanctioned jurisdictions.
  • Encouraging the use of virtual private networks (“VPNs”) to circumvent geofencing controls.
  • Failing to identify users who represented themselves as resident of a non-embargoed country but who nevertheless provided an address within Crimea.
  • Engaging in transactions related to four insurance policies involving a blocked Panama-based company owned by a Specially Designated National (“SDN”).

Two other enforcement actions involved a global manufacturing company and a specialized building materials company, and relevant conduct included:

  • Importing materials to the UAE from the United States, and then knowingly re-exporting the materials to Iran after removing Iran as the final destination of the U.S.-origin goods and the United States as the country of origin from all relevant documentation.
  • Selling materials via a German reseller to an entity controlled by Iran’s Law Enforcement Forces.

Lessons Learned

OFAC has continued to provide “compliance considerations” at the conclusion of each enforcement release.  The eight recent enforcement actions have helpful takeaways that companies should consider when designing and reviewing their sanctions compliance programs.  For example:

  • Parent companies should routinely audit their overseas subsidiaries, particularly those that pose sanctions risks or are located in high-risk jurisdictions.
  • Entities should consider having in place confidential reporting mechanisms.  In one enforcement release, OFAC noted that “[w]histleblowers play a vital role in identifying prohibited conduct and promoting compliance, and responsible companies should have channels in place for employees to raise concerns without fear of retaliation.”[2]
  • OFAC views training as one of five “essential” components of a sanctions compliance program.[3] In one enforcement release, OFAC noted that training is particularly critical for those in a trade compliance function.  Such training should include “understanding how to evaluate all proposed business and entities involved for sanctions concerns.”
  • Financial institutions should pay close attention to the scope of general licenses to identify those instances when seemingly applicable general licenses might not apply.
  • Entities providing services through online platforms should understand “the importance of obtaining and using all available information to verify a customer’s identity or residency, including by using location-related data, such as IP address and top-level domains.”
  • Commitment to compliance should be top-down, led by empowered compliance personnel who receive “the backing and authority necessary to effectively fulfill their function” and foster a “culture of compliance.”
  • The 50 Percent Rule is still giving some companies trouble.  Companies should ensure that they conduct sufficient due diligence to identify any ownership issues.

[1] 31 C.F.R. part 501, app. A.

[2] Related, some of OFAC’s recent enforcement releases reference a whistleblower program maintained by the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”).   Details on this program are available here.

[3] U.S. Department of Treasury, Office of Foreign Assets Control, “A Framework for OFAC Compliance Commitments” (May 2, 2019), https://ofac.treasury.gov/media/16331/download?inline