Six Compliance Lessons for Non-Banks from Recent OFAC Enforcement Actions

April 20, 2020
By: Jack Walsh, Reporter, ACSS

Recently, the Office of Foreign Assets Control, or OFAC, has heightened its focus on industries outside the financial sector. The vast majority, over 70 percent of enforcement actions announced by OFAC in 2018 and 2019 targeted non-financial institutions. This trend continues into 2020 with the agency’s three enforcement actions to date targeting a lobbying firm, a maritime shipping company and a service provider for the civilian air transportation industry.

Of the 18 enforcement actions implicating non-financial institutions in 2019 and 2020, 13 were voluntarily disclosed and nearly a third constituted egregious violations of U.S. sanctions regulations.

In evaluating possible trends in case law, it is important to note that enforcement proceedings are often dragged out over the course of years, and thus recent settlements and penalties are not always the best indicators of current OFAC policies and objectives. In the Eagle Shipping case, for instance, the infractions in question occurred back in 2011, some of them in violation of a sanctions regime (Burma) that no longer exists.

Nonetheless, these actions carry six key compliance lessons for non-financial firms that are uncertain of how to navigate and implement OFAC requirements.

Lesson 1: Conduct Due Diligence on Customers and Counter-Parties

Although OFAC regulations or laws do not impose mandatory customer or counterparty due diligence requirements, recent enforcement actions indicate that corporations should be assuming greater responsibility for ensuring sanctions compliance in tangential commercial partnerships. Of the 18 cases involving non-financial institutions since the beginning of 2019, seven actions involved some form of a counterparty related oversight.

The 2019 General Electric case highlights the importance of sanctions compliance when engaging with third-party payers.

The General Electric Company (October 1, 2019)

Between 2010 and 2014, General Electric failed to flag payments from a Canadian customer that were conducted on behalf of a sanctioned Cuban entity, The Cobalt Refinery Company. This sanctions breach reportedly stemmed from insufficient diligence into the Canadian customer’s activities and commercial partnerships. GE’s missteps earned the conglomerate a $2.7 million penalty from OFAC.

This case demonstrates the sanctions risks associated with U.S. companies and their foreign subsidiaries accepting payments from third parties. It also underscores the need to conduct “appropriate due diligence on customers and other counterparties when initiating and renewing customer relationships,” according to OFAC.

Lesson 2: Contractual Clauses Won’t Protect You When OFAC Comes Knocking

Mere contractual commitments from a business partner may not represent a sufficient level of due diligence, especially if a company operates in a high-risk sector such as energy, aerospace, defense, or shipping.

The 2019 Apollo Aviation enforcement action underscores that aircraft lessors have a duty to require sanctions compliance by their lessees.

Apollo Aviation Group, LLC (November 7, 2019)

In 2015, the aviation service provider discovered that three aircraft engines it had leased to an Emirati entity had been subleased to Sudan Air, which was on OFAC’s “SDN List” at the time. Although Apollo’s original lease agreement contractually prohibited the subsequent sublease, the company failed to “ensure the aircraft engines were utilized in a manner that complied with OFAC’s regulations”, according to OFAC. The enforcement action also adds thatApollo failed to take meaningful steps to “otherwise verify its lessee’s and sublessee’s adherence to the lease provision requiring compliance with U.S. sanctions laws during the life of the lease”.

In this case, sanctions clauses in the lease agreement did not protect the lessor from strict liability when the lessees violated sanctions.

Lesson 3: OFAC Expects Full Spectrum Supply Chain Due Diligence When Sourcing Products in Risky Regions

Lackluster or nonexistent due diligence practices to ensure sanctions compliance throughout supply chains have landed firms from across a diverse range of sectors in trouble with OFAC regulators over the past 15 months.

In the two examples detailed below, a major issue identified by OFAC was a poor/reckless regard for the sanctions risks inherent to regions where the products were sourced.

e.l.f. Cosmetics, Inc. (January 31, 2019)

ELF, a California-based cosmetics company, agreed to a $996,080 settlement in January 2019 for apparent violations of the DPRK sanctions regime. According to the enforcement action, “ELF’s compliance program and its supplier audits failed to discover that approximately 80 percent of the false eyelash kits supplied by two of ELF’s China-based suppliers contained materials from the DPRK”.

Although the company was oblivious to the origin of these materials, OFAC determined that as “a large and commercially sophisticated company”, ELF should have exercised greater supply chain due diligence in sourcing products from China, a country that is known to import goods and raw materials from North Korea.

ZAG IP, LLC (February 21, 2019) 

Between July 2014 and January 2015, ZAG supplied a Tanzanian client with over 250,000 metric tons of cement clinker that was purchased from a company located in the United Arab Emirates, but had originated in Iran. This transaction, which led to a $500,000 settlement, occurred despite ZAG’s awareness that the clinker was produced by an Iranian manufacturer and shipped from an Iranian port. ZAG claimed that the Emirati intermediary provided misleading information about legality of the deal.

Despite engaging in a large volume of international trade, neither company had an adequate OFAC compliance program in place throughout the period in which their respective infractions occurred, according to the enforcement action. Nor did either company conduct regular or substantive supply chain audits prior to OFAC’s involvement.

These enforcement actions highlight the risks for companies that do not conduct full-spectrum supply chain due diligence when sourcing products from overseas, which encompasses the production process, raw materials, and end-products.

Lesson 4: Irregular Monitoring of Foreign Subsidiaries Can Spell Trouble

Another, though hardly new, compliance weak spot showcased by recent OFAC enforcement actions is the failure of U.S. corporates to ensure that foreign affiliates have an appropriate and up-to-date awareness of U.S. sanctions obligations.

Even if foreign employees do have a thorough grasp of U.S. sanctions requirements, they may not possess the resources or wherewithal to effectively report and communicate potential risks and concerns.

“This issue will often stem from de-centralized or inconsistent compliance controls and irregular monitoring,” says Erich Ferrari, attorney at Ferrari & Associates.

The following case shows how a German subsidiary of a U.S. car manufacturer failed to adequately flag prohibited transactions, which ultimately cost its parent company over $1.7 million.

PACCAR, Inc (August 6, 2019)

In the PACCAR enforcement action, a German subsidiary (DAF Germany) of the Bellevue, Washington-based truck manufacturer sold or supplied 63 trucks to European customers with knowledge or reason to believe that the vehicles were ultimately destined for purchasers in Iran. The largest Iran-related purchase order, for 51 trucks, was actually rejected initially by an employee of DAF Germany. However, neither the employee nor the subsidiary initiated an inquiry, and the intermediary buyer received approval upon submitting the same order a second time.

Lesson 5: Don’t Prematurely Stop Post-M&A Diligence

Although corporates are generally attentive to these risks prior to, and immediately after, a merger or acquisition, disregard for sanctions compliance protocols may persist after an M&A deal has taken place if a parent company prematurely ceases its post-merger/acquisition diligence.

This is underscored in contrasting ways by the Stanley Black & Decker and Kollmorgen cases.

Stanley Black & Decker (March 27, 2019)

In this action, which was determined to be an egregious case, a Chinese subsidiary, Jiangsu Guoqiang Tools Co. (GQ), exported or attempted to export 23 shipments of power tools and parts to Iran only a year after Stanley Black & Decker had acquired a 60 percent controlling stake in the firm. Employees reportedly fabricated fictitious bills of lading and ports of call and instructed customers to conceal any mention of Iran on business documents.

Following its acquisition of GQ, according to OFAC, “Stanley Black & Decker provided a series of trainings to GQ’s employees on the company’s business conduct guidelines, the Foreign Corrupt Practices Act, and sanctions.” However, Stanley Black & Decker ultimately neglected to implement “procedures to monitor or audit GQ’s operations to ensure that its Iran-related sales did not recur post-acquisition”. Had the firm exercised a greater degree of diligence in verifying its subsidiary’s activities and awareness of sanctions-related risks, it may have avoided this run-in with OFAC.

In juxtaposition to the Stanley Black & Decker case, the Kollmorgen action demonstrates that the implementation of comprehensive pre- and post-acquisition compliance precautions may very well be a company’s saving grace.

Kollmorgen Corporation (February 7, 2019) 

In 2013, Kollmorgen acquired a Turkish electronics manufacturer that proceeded to conduct substantial business with Iranian clients in egregious violation of U.S. sanctions laws, and fraudulently concealed its activities from Kollmorgen. Thanks to the range of robust due diligence procedures that Kollmorgen undertook in an attempt to reinforce its affiliate’s compliance controls, the parent company likely avoided a massive penalty from OFAC, and instead received only a token fine of $13,000.

Lesson 6: Higher Expectations for Maritime Shipping

U.S. Government expects the maritime industry to develop risk-based compliance programs designed to detect and mitigate risk of exposure to U.S.-sanctioned parties and jurisdictions.

In recent “OFAC Shipping Advisories”, OFAC has been explicit that a lengthy list of players in the shipping sector are vulnerable to enforcement. These include: ship owners, ship operators, shipping brokers, flag registries, oil companies, port operators, and commercial insurance companies. All of these industries are now expected to conduct heightened due diligence to ensure their operations are not part of or facilitating sanctionable conduct.

In the past year, OFAC demonstrated a willingness to follow-through on its repeated warnings for the maritime shipping sector, citing the “high risk” maritime shipping industry as an aggravating factor in the MID-SHIP action.

MID-SHIP (May 2, 2019)

In February and April 2010, MID-SHIP’s subsidiaries located in China and Turkey negotiated three charter party agreements between multiple third parties regarding the transportation of goods from foreign ports to other foreign ports. The parties nominated two IRISL vessels as the performing vessels for the respective charter party agreements. MID-SHIP was in possession of multiple documents identifying the vessels by their respective IMO numbers and connecting the vessels to Iran, and both vessels were publicly identified by name and IMO number on the SDN List by the time MID-SHIP processed the electronic funds transfers constituting the apparent violations.

This case demonstrates the need for vessel name and IMO screening not only at the moment the charter agreement is signed but also when payments are made.

Three other Developments to Keep an Eye On

Firstly, on March 9, 2020, a senior official of the U.S. State Department stated in an interview with the Foundation for Defense of Democracies that a “Global Maritime Shipping Advisory” will be issued imminently, in addition to Guidance on bunkering: providing storage for sanctioned Iranian oil.

This will elevate expectations for the maritime industry in its entirety to develop risk-based compliance programs designed to detect and mitigate risk of exposure to U.S.-sanctioned parties and jurisdictions.

Second, reflected by the uptick in enforcement actions, OFAC is continuing to adopt a more aggressive stance on the enforcement of export controls and sanctions regimes under the Trump administration.

At the same time, however, OFAC has sought greater private-sector cooperation as part of this overall strategy and has taken broad steps to encourage companies to be transparent and forthright about possible sanctions breaches and related concerns.

The first step it is taking is further incentivizing the voluntary self-disclosure of potential sanctions violations. This enforcement approach is consistent with the U.S. Department of Justice’s updated policy on voluntary self-disclosures, which was issued in December of 2019 and includes a presumption that companies that self-report “will receive a non-prosecution agreement and not have to pay a fine, absent aggravating factors”. Companies should carefully observe whether, and to what extent, penalties for non-disclosure will be augmented in parallel to the voluntary self-disclosure “carrot”.

Finally, OFAC rolled out a sanctions compliance framework in May of 2019 that provides prescriptive guidance to companies in all sectors. The Framework for OFAC Compliance Commitments, which can be read more about here, aims to clarify and express the office’s compliance expectations and to help businesses incorporate these expectations into their compliance programs.

The framework outlines five essential components that should be present in each organization’s sanctions compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Recent Articles