Over the past several years, Office of Foreign Assets Control (“OFAC”) settlements in which non‑US financial institutions have paid hundreds of millions of dollars to settle allegations that they breached US sanctions obligations have grabbed headlines. But long before these mega cases, OFAC routinely brought enforcement actions against companies for relatively small violations. Recent OFAC actions—involving routine low-dollar-value transactions and/or connections with sanctioned individuals that would appear attenuated to the average observer—provide a valuable reminder that the programs OFAC administers employ a strict liability standard and that OFAC’s enforcement priorities are not limited to deliberate, egregious or high‑value violations. All US businesses, even those that deal in small-dollar-value transactions or have attenuated ties to international trade, need to be aware of OFAC’s expectation of a comprehensive compliance program and the lack of any sort of de minimis or inadvertence exceptions in US sanctions laws.
For example, in January 2017, OFAC entered into a settlement involving violations of US sanctions with respect to Cuba. In that case, an individual and a small affiliated charity were fined $10,000 for arranging two trips to Cuba for a total of 20 people in 2010 and 2011. OFAC imposed the fine even though OFAC expressly noted both that the violations caused minimal harm to the current objectives of US sanctions law and that the size of the fine was constrained by the individual’s modest financial means.
Another case demonstrates the truly strict liability of US economic sanctions. In September 2016, a US exporter was penalized for exporting seven shipments of orthodontic devices to Iran between 2008 and 2010. In the consent order, OFAC noted that it probably would have granted a special license to the exporter if the exporter had requested pre-authorization for the shipments. The fact that the shipments were medical devices, had occurred six years earlier, and could have been allowed under certain compliance procedures did not dissuade OFAC from imposing a $43,000 penalty for transactions that had an aggregate value of $60,000.
Another de minimis case includes two findings of violation that OFAC issued to US insurance companies in August 2016. The insurance companies had issued health insurance policies to three individuals in 1992 and then serviced the policies. The insured individuals were subsequently designated by OFAC in 2009. Between 2010 and 2011, the two insurance companies accepted a total of 34 premium payments with an aggregate value of $14,000 from the sanctioned individuals. While OFAC did not fine the companies for these violations, its findings of violation publicly named the companies and could serve as an aggravating factor in any future sanctions matters.
Lastly, in February 2016, OFAC fined a US oil services company $305,000 for allowing its Cayman Islands subsidiaries to provide services to an Angolan oil and gas consortium in which a Cuban government-owned company owned only a five‑percent interest. In the settlement agreement, OFAC indicated that it expected the US provider would have systems in place such that its Cayman subsidiaries would have conducted due diligence on who owned the consortium and identified the presence of a five‑percent Cuban-government-owned investor.
OFAC officials have publicly stated that they consider even a $1 violation to be important because it shows that a company’s compliance systems are not sufficient to prevent all prohibited transactions. This can be a difficult standard for many businesses, especially high-volume, low-dollar-value businesses, to address. By contrast, anti-money laundering requirements incorporate risk-based compliance measures rather than impose strict liability for violations. Similarly, US criminal laws typically require a wrongful state of mind as an element of any violation.
Does OFAC’s willingness to bring enforcement actions to address minor violations mean that companies should self-report to OFAC (through a voluntary self disclosure) whenever they identify an issue? Not necessarily. The right decision will vary depending on each company’s unique facts and circumstances.
Some companies have chosen to report minor violations. For example, in February 2017, a major US retailer revealed that it had voluntarily disclosed to OFAC that it had violated US economic sanctions with respect to Iran from 2012 until 2016. It appears that the aggregate amount of the prohibited transactions was $100,000, but what is particularly interesting was the size of individual prohibited transactions. The retailer disclosed that one prohibited transaction was a $50 order of consumer products that was sent to an Iranian embassy. Other transactions included a $1,300 order of consumer products by a person sanctioned under Executive Order 13224 and a $250 order of consumer products by a person who may have been acting for an entity sanctioned under Executive Order 13382. Each of these consumer transactions was minuscule in comparison to the retailer’s overall business and none appears to have involved the retailer knowingly doing business with a prohibited person (indeed, the retailer has completely automated order processing systems). Despite these mitigating circumstances, the retailer concluded that it should self‑report to OFAC.
The lesson to be learned from the self-report described above is not that every company should follow suit, but rather that each company needs to make its own, informed evaluation. Given OFAC’s focus on violations regardless of the dollar value of the transaction at issue, it is good practice for all companies—including those engaged in a large volume of low-dollar-value transactions—to dedicate compliance resources to identify and investigate potential violations of US sanctions.