Iran: Still a sanctions minefield for non-U.S. companies

Date: August 15, 2016
By: Ed Krauland and Peter Jeydel*

Iran may appear to be opening up for investment from outside, but there are a host of U.S. sanctions-related hurdles in the way, particularly for non-U.S. subsidiaries of U.S. companies. Ed Krauland and Peter Jeydel look at the risk points non-U.S. Persons will need to address before going into Iran.

Those who got swept up in the expectation that the Iran nuclear deal would allow non-U.S. companies, particularly subsidiaries of U.S. companies, to re-enter the Iran market worry-free have probably already begun to realise that was not on the cards. While non-sanctions related obstacles – such as those directly associated with money laundering control vulnerabilities in the financial system, perceptions of corruption, the state of regulatory or commercial frameworks, and possible uncertainty concerning Iran’s domestic and regional political future – present significant risks to business, as does the ‘de-risking’ approach banks and other financial service providers have adopted understandably), there are also significant legal complexities and risks that remain in place, even for non-U.S. companies. The true picture is sobering once it comes into focus. Following the Joint Comprehensive Plan of Action (‘JCPOA’), the U.S. government did lift or suspend most, though not all, of the sanctions aimed specifically at non- U.S. persons and entities (so-called ‘secondary sanctions’). It has also authorised a wide spectrum of activities that were previously prohibited for non-U.S. subsidiaries of U.S. companies under the Iranian Transactions and Sanctions Regulations (‘ITSR’). However, many of the core U.S. sanctions risks have not materially changed, certainly not for U.S. companies, and significant risks remain for non-U.S. companies as well, given the potentially long supply and sales chains that reach back into the United States. Furthermore, the relief that has been offered under the ITSR for non-U.S. subsidiaries of U.S. companies is more complicated than many may have expected. Added to this is the fact that the U.S. government, as well as other national, EU or UN authorities, can impose new sanctions on Iran – for example, relating to ballistic missiles, human rights, terrorism or WMDs. And the risk of ‘snapback’ of the nuclear-related sanctions, should the JCPOA fail, would lead to a return of the status quo ante.

This article provides an overview of the U.S. sanctions measures that will continue to complicate any sanctioned country business that has a U.S. nexus, particularly for non-U.S. subsidiaries of U.S. companies, while also explaining the important changes brought about under the JCPOA.

Enduring U.S. extraterritorial sanctions risk under the JCPOA

The baseline point to understand is that the ITSR, which are administered by the U.S. Treasury Department’s Office of Foreign Assets Control (‘OFAC’),  generally apply only to ‘U.S. Persons’, which does not include companies organised under the laws of a non-U.S. jurisdiction. The definition of ‘U.S. Persons’ under OFAC’s ITSR covers U.S. citizens or lawful permanent residents, wherever located; entities organised under the laws of a U.S. jurisdiction, including their foreign branch offices; and any person or entity located in the United States. So a non-U.S. company’s facility in the United States would be treated as a U.S. Person, as would a U.S. company’s unincorporated facility abroad. Entities based and located outside the United States, however, are not U.S. Persons under the ITSR, even if 100% owned and fully controlled by a U.S. Person. Thus, prior to the end of 2012, the general rule was that non- U.S. subsidiaries of U.S. companies were not directly subject to the ITSR or most OFAC sanctions (with OFAC’s Cuba sanctions, issued under the Trading With The Enemy Act, being an exception).

However, in 2012, the U.S. Congress required OFAC to extend the ITSR to transactions conducted ‘knowingly’ by entities ‘owned or controlled’ by U.S. Persons. So even though non-U.S. subsidiaries were (and are) not ‘U.S. Persons’, as of 26 December 2012, such entities were made subject to the ITSR, essentially as if they were ‘U.S. Persons’. The JCPOA then required the United States to undo this expansion of the ITSR’s jurisdictional reach, at least in part. To satisfy the U.S. obligation under the JCPOA, on 16 January 2016, the U.S. government took two major steps: (1) ‘secondary sanctions’ directed at non-U.S. Persons that are not affiliated with U.S. Persons were largely (but notably, not fully) suspended, and (2) OFAC published General License H, authorising non-U.S. entities ‘owned or controlled’ by U.S. Persons to engage in transactions with Iran and the government of Iran that were prohibited under the ITSR, provided that certain limitations are observed. So while non-U.S. subsidiaries remain subject to the ITSR under the 2012 expansion, General License H provides an authorisation that overrides the prohibitions in many instances. The following discussion focuses on the risk points non-U.S. Persons must address before going into Iran – those arising from the JCPOA changes as well as those that have persisted since 1995.

First, when non-U.S. Persons – whether or not subsidiaries of U.S. companies – plan to do business involving Iran, no ‘U.S. Persons’ can ‘facilitate’, ‘approve’ or ‘guarantee’ that non-U.S. Person activity if the ITSR would otherwise prohibit a U.S. Person from engaging in that same activity. There are some narrow exceptions, such as OFAC allowing U.S. Persons to conduct legal compliance reviews of the proposed business (e.g., of a non-U.S. subsidiary) or providing ‘informational-materials’ in support of the transaction. And OFAC’s view of what is improper ‘facilitation’ or ‘approval’ is quite broad, undefined, and subject to the discretion of the agency – not very comforting from a business planning perspective.

This restriction on facilitation or approval applies to U.S. Person expatriate officers, directors or employees, as well as many other structural business links to the United States. It applies even if the non-U.S. Person’s business might be otherwise totally lawful for the non-U.S. Person to pursue. In other words, U.S. Persons essentially cannot be involved in any activity that is prohibited under the ITSR, even if the primary actor is not subject to the ITSR or is otherwise authorised under General License H.

U.S. Person involvement

What are the risks if a non-U.S. Person were either deliberately or even accidentally to involve a U.S. Person? Well, the U.S. Person could be subject to civil or criminal penalties. The non- U.S. Person could be charged with aiding or abetting a violation, conspiring to commit a violation, ‘causing’ (under a 2007 amendment to the International Emergency Economic Powers Act) a violation of U.S. law, or indeed with exporting U.S.-origin ‘services’ (in the form of the U.S. Person’s involvement) to Iran. Non- U.S. banks that involved U.S. banks in funds transfers originating from Iran (and other U.S.-sanctioned countries) found themselves on the other end of civil and criminal penalties, some as large as billions of dollars, over the past eight years – apparently on one or more of these theories of liability.

It is clear that linkages with U.S. Person individuals or U.S. goods or service suppliers can present risks to non-U.S. Persons who do business with Iran. Such linkages need to be assessed in advance of actual business by non- U.S. companies (even including entering into contracts) to  determine if the enforcement risks noted above are acute, non-existent, or manageable.

Sourcing risks

Another risk under the ITSR for non- U.S. Persons, including non-U.S. subsidiaries of U.S.  companies, is sourcing goods, services, software or technology (collectively, ‘items’) from the United States for purposes of conducting business with Iran. Since the U.S. government has largely maintained the ITSR sanctions ‘as is’, despite the JCPOA, one specific provision of those primary sanctions does directly apply to non-U.S. Persons, including non-U.S. subsidiaries. Section 560.205 explicitly prohibits non-U.S. Persons from engaging in trade or other business transactions with Iran, if that activity would involve the export or supply of items ‘subject to’ U.S. export control jurisdiction – which includes U.S. origin items as well as non-U.S. origin items that contain more than 10% U.S. controlled content or are produced from certain U.S. technology. Items of U.S. origin create a potentially enduring link to U.S. regulatory and enforcement jurisdiction under the ITSR, as well as under U.S. export control regulations. This is true even when U.S. Persons may not be the actual suppliers of the item subject to U.S. jurisdiction. U.S. origin items may already be abroad when they are acquired by a non-U.S. Person for sale to Iran, but their U.S. origin can still give rise to U.S. jurisdiction. Of course, there are situations in which U.S. sourcing may be proper, but any U.S. supply chain linkage creates risks that need to be evaluated. This includes what might be called services that relate to the commercial feasibility of any transaction, such as banks, insurers, carriers, freight forwarders, and other logistics providers.

In addition, non-U.S. companies should be aware that OFAC can add them to its list of Specially Designated Nationals and Blocked Persons (‘SDNs’) for providing material support to other SDNs, among other possible triggers. While the general provision for material support designations for Iran (Executive Order 13645) has been repealed as part of the JCPOA, providing material support to SDNs may still be sanctionable under other executive orders – this has been a common source of confusion. SDN designation risk is complex and has been further complicated under the JCPOA; while it is not the focus of this article, it is something to remain aware of.

Finally, non-U.S. Persons are still at risk of certain secondary sanctions, even without a U.S. nexus, if they engage in certain trade, investment, financial, or other business activity involving Iran. For example, if a non- U.S. Person were to engage in a significant transaction (not clearly defined) with a specified list of SDNs, the Iranian Revolutionary Guard Corps or its agents or affiliates, or those engaged in certain illicit behaviour (such as terrorism, WMD activity, human rights abuses, or destabilizing conduct in Syria or Yemen), that non- U.S. Person can suffer market access limitations, such as being cut off from the U.S. financial system, blacklisted from doing business with  U.S. Persons, cut off from U.S.-licensed export transactions, Ex-Im Bank financing, and so on.

In the sections that follow, we discuss three of the practical challenges that continuing U.S. sanctions on Iran present for non-U.S. companies: (1) how to handle U.S. expatriate personnel; (2) how much support a U.S. parent company or other U.S. entities can offer; and (3) U.S. supply chain risks.

U.S. expatriates

U.S. citizens and permanent resident aliens (so-called ‘green card’ holders) are widely present throughout the international business community, but it is not commonly understood that these individuals are themselves subject to U.S. sanctions jurisdiction. Moreover, a non-U.S. company may even be held vicariously liable for the acts of its U.S. Person employees acting within the scope of their duties, although the precise scope of that potential jurisdiction is not clear when the non-U.S. company itself would not be subject to U.S. jurisdiction for the same activity. For example, if a U.S. Person working for a French company is involved in unlawfully exporting a U.S. origin item to Iran, both the U.S. Person individual and the non-U.S. company could be held liable. If the involvement of the U.S. Person pertains to a non-U.S. Person’s offshore transaction that does not otherwise involve the U.S. economy, the U.S. Person can still be held liable, and the non-U.S. Person company should be concerned if there is evidence of conduct that ‘caused’ the U.S. Person expat to violate the law. A U.S. Person, who is a member of the board of directors, senior officer, controlling shareholder, key employee, or long term contractor, is subject to OFAC’s jurisdiction anywhere in the world and can be liable for facilitation. These risks have not gone away under the JCPOA, and remain highly relevant for any non- U.S. company considering entering (or re-entering) the Iran market.

Recusal of U.S. Persons from sanctioned country activity can reduce U.S. legal risk, but a U.S. Person’s self recusal can itself be treated as a prohibited act of facilitation, or ‘evasion’, particularly if it allows sanctioned country business to move forward, such as in a board vote. Recusal can be complex to implement safely. There are other ways in which U.S. Persons can get themselves and their companies into trouble, even when trying to be compliant. For example, a U.S. Person cannot simply delegate his or her responsibility for sanctioned country business: OFAC may consider that to be a prohibited referral of business to the delegatee and treat it as unlawful facilitation or evasion. The bottom line is that companies dealing in sanctioned countries with any involvement by U.S. Persons are subject to a high level of risk. There may be solutions, but even the solutions can be minefields. This is an area that should be approached with great caution.

Support from U.S. Parents or other U.S. entities

This is one area in which the JCPOA does offer some relief. OFAC’s General License H, issued pursuant to the JCPOA, sets out two narrow exceptions to the facilitation prohibition discussed above by authorising U.S. Persons to engage in the following activities that would otherwise be prohibited: ‘(1) activities related to the establishment or alteration of operating policies and procedures of a United States entity or a U.S.-owned or -controlled foreign entity, to the extent necessary to allow a U.S.-owned or – controlled foreign entity to engage in transactions [in Iran]; and (2) activities to make available to those foreign entities that the U.S. Person owns or controls any automated [i.e. operating “passively and without human intervention” – or at least without human intervention in the United States] and globally integrated [i.e. “available to, and in general use by,” the “global organization”] computer, accounting, email, telecommunications, or other business support system, platform, database, application, or server necessary to store, collect, transmit, generate, or otherwise process documents or information related to transactions [with Iran].’

As those two exceptions in General License H are still quite new, their precise contours are still being defined, and companies would be well-advised to act cautiously in light of the broad underlying prohibition on facilitation that remains in effect. Typically, OFAC construes general licences cautiously, although this is a unique situation in which the United States is subject to a treaty obligation in the JCPOA to ‘license non-U.S. entities that are owned or controlled by a U.S. Person to engage in activities with Iran that are consistent with this JCPOA’. The U.S. government has an obligation to implement that commitment in a good faith manner, and without being unduly restrictive. Even so, OFAC is likely to adhere closely to the text and underlying purpose of the two exceptions in General License H.

OFAC’s Frequently Asked Questions make clear that General License H does not authorise U.S. Persons to become involved in ‘ongoing’ or ‘day-to-day’ Iran-related operations or decision making, including by approving, financing, facilitating, or guaranteeing any Iran- related transaction by a non- U.S. entity. U.S. Persons can only get involved in the ‘initial determination’ to engage in the limited set of activities in Iran not excluded by General License H and the ‘establishment or alteration of the  necessary policies and procedures’, along with providing training on these policies and procedures. U.S. Person facilitation activity that may exceed these parameters presents risk that needs to be assessed – which raises the question: What does the facilitation provision generally require in order to remain within the law when a subsidiary is operating in a sanctioned country?

As a best practice to avoid being charged with facilitation, U.S. parent companies must ensure that their foreign subsidiaries or affiliates act independently of any U.S. Person when engaged in specific sanctioned country activity, including in areas such as business and legal planning; decision making; designing, ordering or transporting goods; and financial, insurance, and other aspects of the specific business opportunity with Iran.

In addition, U.S. Persons can be charged with unlawful facilitation for referring business opportunities with sanctioned countries or entities to non- U.S. Persons. Other than the special circumstances of the Iran programme and General License H specifically, OFAC still prohibits U.S. companies from changing their own policies or operating procedures, or those of their subsidiaries, in order to ‘enable’ a subsidiary to enter into a transaction that would be prohibited for a U.S. Person.

While this paints a broad picture of the facilitation prohibition, there are certain types of support to foreign subsidiaries engaged in sanctioned country business that may not be prohibited. For example, OFAC’s Sudanese Sanctions Regulations specify that facilitation does not include ‘[a]ctivity of a purely clerical or reporting nature that does not further’ prohibited transactions, such as ‘reporting on the results of a subsidiary’s trade’ with a sanctioned country or person.2 On the other hand, financing or insuring that trade, or warranting the quality of goods, would constitute prohibited facilitation. There is much that falls between these two bookends – activity ‘of a purely clerical or reporting nature’ and things like financing – but a potential rule of thumb is that U.S. parent companies will typically not be prohibited from providing generic administrative support to their subsidiaries that is not specific to sanctioned country activity, does not ‘further’ or ‘enable’ that activity in and of itself, and does not compromise the ‘independence’ of the subsidiary with respect to that activity. So, for example, if a foreign subsidiary of a U.S. company uses the U.S.-based email server to correspond with Iranian customers, that would not seem to be the type of U.S. Person facilitation OFAC had in mind, as long as the email server function is generally the same for all activities of the foreign subsidiaries, and no U.S. Persons are pulled into those specific email communications to assist in the transaction or marketing effort of the foreign subsidiary. But, given the inherent ambiguity of the sanctions regulations, and the underlying objective to forbid U.S. Person involvement, each situation, even when relating only to generic, administrative support, warrants careful consideration.

Certain corporate structures present particularly complex risk in this area, such as companies that largely operate overseas, but that have management, legal, commercial or other kinds of support provided from the United States. Two recent criminal cases illustrate this type of structural risk. The first involved Switzerland-based Weatherford International Ltd., which was charged for, among other things, concealing transactions with Iran conducted through a Dubai subsidiary by referring to Iran as ‘Dubai across the waters’, and in other instances concealing the U.S. origin of the items it was selling.3 Weatherford had issued policies prohibiting sanctioned country business, but its U.S.-based executives in practice allegedly supported and directed this business by the foreign subsidiaries. So even though Weatherford was based in Switzerland, its U.S.-based executives brought its activities under U.S. jurisdiction.

In the second case, Schlumberger Oilfield Holdings Ltd. (‘SOHL’) pled guilty to a conspiracy charge for transactions with Iran and Sudan.4 SOHL was a non-U.S. subsidiary of Schlumberger Ltd., a Curaçao (Netherlands) entity with headquarters in the United States, the Netherlands and France. In other words, the charges were against a non-U.S. subsidiary of a non-U.S. company that based some of its management and support personnel in the United States (some of whom were not even U.S. citizens or permanent residents). It was the actions of those U.S.-based personnel that triggered U.S. jurisdiction and the charges against SOHL for ‘conspiring’ with them to conduct trade with Iran and Sudan. Like Weatherford, Schlumberger had sanctions compliance policies in place, but they were found to be ineffective in some circumstances, and a limited number of individuals at the company developed concealment schemes like calling Iran the ‘Northern Gulf’.

What may be most remarkable about the Weatherford and Schlumberger cases is that they do not appear to turn on the fact that the U.S.- based personnel supporting the sanctioned country business were part of the company. A conspiracy with a U.S. Person could therefore potentially involve an unaffiliated service provider in the United States, or possibly even things like technical support (the Schlumberger case involved technical support as well as U.S.-based management). These cases could be said to set out the broad legal principle that non-U.S. companies operating outside the United States can be held liable under U.S. law for business with sanctioned countries or persons whenever that activity involves a U.S. Person, wherever located, or any person or entity located in the United States, acting on behalf of the company and within the scope of their duties. The U.S. Person can be charged with facilitation, among other things, and the non-U.S. company can be charged with conspiracy, causing a violation, or aiding and abetting, among a litany of other possible charges.

U.S. supply chain risks

Dealing with U.S.-origin items can often be the most challenging risk for non-U.S. companies to manage, as U.S. jurisdiction can follow those items and all of the individuals and companies that deal with them, anywhere in the world. The trickiest part is that it is not just completed end-items that trigger U.S. jurisdiction, but even fairly minor components, software and underlying technologies can have that effect. U.S. law broadly prohibits exports of goods, services, software, or technology from the United States or by U.S. Persons, directly or indirectly, to Cuba, Iran, Sudan, Crimea, North Korea and Syria. The U.S. also generally prohibits re- exports (i.e., shipments from a third country) to these sanctioned destinations of items that are of U.S. origin or contain more than a de minimis amount (10% for most sanctioned countries) of U.S.-origin controlled content. This area is complex, with some of the sanctions programmes applying somewhat different rules, and also requiring an analysis of U.S. export control regulations.

For Iran, OFAC prohibits: (1) imports of most Iranian goods or services; (2) exports and re-exports to Iran of most goods, technology or services from the United States or by a U.S. Person anywhere in the world; and (3) exports or re-exports to a third country with reason to know that the items are intended specifically for Iran. For non-U.S. persons, trade with third countries intended specifically for Iran is only prohibited when the items were exported from the United States and controlled under U.S. export control regulations.

These prohibitions largely remain in place under the JCPOA, with a limited new (in fact, restored) authorisation for imports of Iranian-origin carpets and foodstuffs, and a newly enacted policy (or significant expansion of the preexisting policy, which only related to aircraft safety) allowing companies to seek case-by-case approval for exports and re-exports of commercial passenger aircraft and related parts and services. There are also preexisting authorisations allowing exports or re-exports to Iran of certain types of food, agricultural commodities, medicine and medical supplies, as well as informational materials, certain services and software related to Internet-based communications, certain services, software, and hardware incident to personal communications, and certain other goods and services.

As OFAC prohibits most trade with Iran that has a U.S. nexus, non-U.S. companies, whether or not affiliated with a U.S. owner, should try to understand the myriad ways they can find themselves caught up in these rules: they may export from the United States; they may deal in goods that have more than 10% U.S.-origin controlled content or that are the ‘direct product’ of certain U.S. technologies; or they may have facilities in the United States for which they import Iranian-origin goods or use Iranian services, among other risks. For most international companies, it is not practical to try to remain in a position involving no U.S. jurisdiction at all, given how farreaching it can be. And this risk is not merely theoretical – both OFAC and the U.S. Commerce Department’s Bureau of Industry and Security (‘BIS’) are active in pursuing enforcement actions against both U.S. and non-U.S. companies.

Most of OFAC’s enforcement actions in the supply chain area have involved indirect exports from the United States through third countries. This may be explained in part by the fact that many of OFAC’s trade-based cases start with seizures or tips by U.S. Customs and Border Protection (‘CBP’). But OFAC and BIS have clear authority to bring other types of cases as well, such as direct re-exports of U.S.-origin items from third countries to Iran. Enforcement, in practice, can stem from a variety of risk areas, including, for example, return of goods to the United States for repair or replacement, which appears to have been how Sweden-based KMT Group AB came under investigation in 2013.5

Another good example is U.S.-based Thermon Manufacturing Co., which settled charges by OFAC, along with BIS charges against several of its non- U.S. subsidiaries, for shipping goods to sanctioned countries.6  This case is a cautionary tale for U.S.-based companies that do not conduct enough oversight and due diligence to prevent subsidiaries from concealing unlawful transactions. BIS charged Thermon U.K., for example, with causing and aiding and abetting violations by its U.S. parent for, among other things, placing orders with the parent for items shipped through the U.K., without informing the parent that the items were destined for Iran. The U.S. parent company had issued instructions to its subsidiaries prohibiting them from selling to sanctioned countries, but those instructions were not effective, and no fault is required in these strict liability regulatory regimes.


The takeaway from all of this is that non-U.S. companies will continue to face risks in dealing with Iran, even under the JCPOA, when they are U.S.- owned or controlled, have U.S. expatriate personnel, use an international supply chain, have U.S.- based managers or obtain other significant support from the United States. From a big picture perspective, the nuclear deal with Iran has not eliminated these risks, and non-U.S. companies would be well served by exercising great caution as they decide to re-enter the Iran market.

*This article was published in WorldECR, ISSUE 52, JULY/AUGUST 2016. Reprinted with permission. Ed Krauland is Partner at Steptoe & Johnson LLP. Peter Jeydel is Counsel at Steptoe & Johnson LLP and a member of Advisory Board.


1   Some refer to these as ‘extraterritorial’ measures, because they often have the effect of extending OFAC’s sanctions to non-U.S. Persons acting outside the United States. Others disagree with the use of that term, because these measures are still so-called ‘primary’ sanctions, in that they are prohibitions enforceable against the target itself, as opposed to ‘secondary’ sanctions, which are enforceable against U.S. Persons that the target may deal with.

2   The description of the facilitation prohibition in this paragraph and the next is based on OFAC’s Sudanese Sanctions Regulations, 31 C.F.R. § 538.407. Many practitioners agree that OFAC tends to apply concepts such as this across its sanctions programmes, so this Sudan provision is relevant to the scope of the facilitation prohibition for Iran. Some of OFAC’s regulations, like Cuba for example, do not even mention facilitation. But it is clear that, in practice, OFAC has applied that prohibition in its Cuba regime. The Iran regulations also elaborate on the facilitation provision, but not to the same extent as the Sudan regulations. C.f. 31 C.F.R. § 560.417.

3   See, e.g., In the Matter of Weatherford International Ltd. Et al., , U.S. Dep’t Of Commerce, Bureau Of Industry And Security, (Dec. 23, 2013) man/doc_download/921-e2353-r?ltemid=.

4   See, e.g., Plea Agreement United States v. Schlumberger Oilfield Holdings, Ltd., U.S. Department of Justice (March 24, 2015), ss-releases/attachments/2015/03/25/ schlumberger_plea_agreement.pdf.

5   KMT Group AB Settles Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations, U.S. Dep’t of The Treasury, Office Of Foreign Assets Control (25 October 2013), https:// sanctions/CivPen/ Documents/20131025_kmt.pdf (stating that CBP seized the items upon redelivery from Europe to theUnited States).

6   Thermon Manufacturing Company Settles Sudanese Sanctions Violation Allegations, U.S. Dep’t Of The Treasury, Office of Foreign Assets Control (31 August 2009), sanctions/OFAC-Enforcement/ Documents/ 09012009.pdf; In the Matter of Thermon (U.K.) Ltd., U.S. Dep’t Of Commerce, Bureau of Industry And Security (Sept. 11, 2009), man/doc_view/523-e2131?ltemid=

Recent Articles