With U.S. sanctions compliance fines at a decade high, organizations should be taking note of how to address emerging areas of sanctions risk. BDO’s Steven Kuzma and Christian Cooper offer takeaways from OFAC’s new sanctions compliance framework.
As former U.S. Deputy Attorney General Paul McNulty once warned: “If you think compliance is expensive, try noncompliance.”
The failure to implement and maintain an effective sanctions compliance program (SCP) represents a grave threat, and developments in 2019 highlighted this. The Treasury Department’s Office of Foreign Assets Control (OFAC) published its first guidance document on compliance, and it substantially increased enforcement activity compared to previous years. To maintain an SCP that safeguards against risk and can adjust to the changing sanctions landscape, organizations must establish a thorough understanding of the latest OFAC framework, in addition to examining recent enforcement activity and the aggravating factors that affect fines.
Historically, OFAC sanctions primarily stemmed from major investigations of financial services organizations, because OFAC targeted the financial services industry both to combat money laundering and for the likelihood of substantial monetary recovery. Know your customer (KYC) cases have also been a focus area, and technology companies have come under increasing scrutiny as well. The new guidance document and recent enforcement trends could signal a broader scope of enforcement for OFAC, so industries other than financial services must ensure they have an effective SCP in place.
New Compliance Framework
In May 2019, OFAC published a guidance document, “A Framework for OFAC Compliance Commitments,” that encouraged companies to “develop, implement and routinely update” a risk-based SCP. It identified five “essential components”: management commitment, risk assessment, internal controls, testing and audit, and training. This framework provides clarity for companies on how to strengthen compliance practices, which should include clear policies, comprehensive procedures and thorough due diligence practices.
The framework also acknowledges that an SCP should be tailored to each organization’s specific needs in order to develop and implement an effective program. Factors to consider include an organization’s “size and sophistication, products and services, customers and counterparties and geographic locations.” This explicitly includes “foreign entities that conduct business in or with” the U.S. as well.
While the framework’s content was similar to other guidance documents previously published by the Securities and Exchange Commission (SEC) and Department of Justice (DOJ), it was the first comprehensive guidance document on compliance from OFAC. The framework is a helpful resource for companies, and it increases the transparency of how compliance penalties are decided. It also collates guidance in one place rather than forcing companies to review various prior settlements and public statements.
A lack of explicit guidance has previously impacted OFAC’s enforcement actions, as seen in the case of Exxon Mobil Corp. v. Mnuchin. In an unusual move, Exxon Mobil sued OFAC over a $2 million 2017 penalty related to a violation of sanctions against Russia. Exxon argued that OFAC’s guidance was not clear and did not apply to its activities with the company Rosneft. The chief executive of Rosneft, Igor Sechin, was on the Specially Designated Nationals and Blocked Persons List (SDN), but Rosneft was not on the U.S. sanctions list. In December 2019, a Texas district court granted the motion for summary judgment and vacated the fine.
The Exxon case demonstrates the importance of explicit guidance on compliance, both so companies can implement an effective SCP and so OFAC can prevent pushback on penalties. The framework document provides more clarity on compliance, and it explicitly states that “a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC,” including updates to the SDN list.
OFAC Penalties in Context
OFAC had a very busy 2019, doling out penalties and settlements that reached the highest amount of the decade. However, OFAC’s annual penalties have tended to be top-heavy, with one or a few sizeable fines and many smaller ones. This uneven distribution can give a distorted view of how OFAC applies its enforcement actions.
In 2019, 26 penalties and settlements against 22 companies totaled $1.29 billion, but more than 98 percent of that ($1.27 billion) was against two companies. The average enforcement action was $49.6 million, but the median was only $454,000. This large gap between the average and median occurred throughout the decade.
2019 also brought a significant increase from recent years, as 2016 to 2018 saw just over $200 million in penalties from 32 enforcement actions. The decreased enforcement activity in those years was likely a result of the DOJ’s 2016 introduction of a pilot program that encouraged self-reporting under the Foreign Corrupt Practices Act (FCPA). The program was extended in 2017 and made permanent in 2018, so the failure to self-report violations going forward can expose companies to higher penalties for noncompliance.
From 2010 to 2019, OFAC issued 186 penalties or settlements totaling nearly $4.9 billion, but most fines were less than $1 million, and more than one-quarter were less than $100,000. Just 16 of those penalties and settlements exceeded $20 million, and four exceeded $600 million, including two in 2019 against U.K.-based Standard Chartered Bank and Italy’s UniCredit.
Often, multiple agencies are involved in significant enforcement actions, including the SEC, DOJ and Department of Commerce, so OFAC’s activities are not the full measure of sanctions compliance enforcement. However, multimillion-dollar enforcement actions only make up a small percentage of OFAC’s activities, and most penalties and settlements are comparatively low.
Determining Factors for Penalties
Considering the wide variation in the size of OFAC fines, it’s essential to understand the factors OFAC considers in enforcement. The best way to mitigate risk and avoid significant penalties is to implement an effective SCP and regularly update it. While there is no one-size-fits-all approach to this, OFAC looks favorably on good faith efforts by organizations to be compliant.
The failure to self-report a known sanctions violation can be an aggravating factor that may increase a fine, but two factors result in the harshest penalties: actively concealing a violation and breaking the terms of a previous agreement. These misdeeds led directly to the spike in OFAC penalties in 2019.
In the case of UniCredit, the total settlement across regulatory agencies came to $1.3 billion, including $611 million for OFAC. The Italian bank’s subsidiaries in Germany and Austria processed billions of dollars of transactions through the U.S. financial system for clients in Iran, Libya, Sudan, Cuba and elsewhere between 2002 and 2011. The banks attempted to conceal these sanctions violations by removing certain identifying words from payment messages.
As for Standard Chartered Bank, it was fined $1.1 billion, including $657 million by OFAC, primarily because it broke the terms of a previous deferred prosecution agreement with the DOJ. The bank had reached a $667 million settlement in 2012 for violating sanctions against Iran between 2001 and 2007. However, it continued processing transactions for Iranian clients both during and after the period covered by the two-year deferred prosecution agreement.
The removal of sanctions also does not mean that a company is in the clear for previous misconduct. In January 2020, Eagle Shipping International agreed to a $1.1 million settlement for violating sanctions against Myanmar between 2011 and 2014. The U.S. lifted those sanctions in 2016, but the company was still held responsible for the violations. The Connecticut-based company filed for bankruptcy in 2014 and reorganized with a new management team, which reviewed the company’s previous sanctions compliance and reported the violations. Had it not self-reported, the company could have faced an even higher fine.
OFAC’s recent compliance framework provides more clarity, but each organization must examine the unique risks it faces and ensure its specific SCP can address them. Certain technology solutions can help, such as blockchain to improve KYC records and machine learning to analyze data for indications of bribery or corruption, but these must be calibrated and tested routinely.
Maintaining an effective SCP demands the continual assessment of risk, as well as ongoing testing of internal controls and training for compliance best practices. This requires investment, but it’s well worth it. According to the 2020 BDO Middle Market CFO Outlook Survey, 63 percent of CFOs say they plan to increase spending on risk management and compliance this year. As McNulty notes, noncompliance is even more expensive.