Internet businesses are easily able to reach customers around the world. That worldwide reach, however, only increases a company’s risk of violating U.S. economic sanctions that the company might not even have realized applied. Imagine receiving a subpoena asking about customer accounts originating from Cuba that you did not even know existed on your platform. Accounts like these, sales or technology transfers to sanctioned locations, or any number of other seemingly innocuous transactions can lead to costly and unexpected violations and penalties. Many online companies are not aware that although they physically operate wholly within one country, their international online presence necessitates policies and procedures to ensure global sanctions compliance to avoid civil and criminal penalties. And in the sanctions world, a lack of knowledge is not an excuse for noncompliance.
WHAT IS OFAC? An agency of the U.S. Department of the Treasury, the Office of Foreign Assets Control (OFAC) administers and enforces a variety of economic sanctions programs to further U.S. foreign policy and national security objectives. Sanctions programs target:
- Foreign governments (e.g., Cuba, Iran, North Korea)
- Individuals (e.g., terrorists, narcotics traffickers)
- Groups (e.g., drug cartels, organizations supporting terrorist activities)
- Practices (e.g., cybercrime, rough diamond trade, proliferation of weapons of mass destruction)
Generally, these sanctions programs prohibit business transactions associated with the above targets. Engaging in these transactions can lead to major fines and penalties, even when the transactions themselves are small. This is because OFAC is trying to change the behavior of bad actors and protect U.S. national security concerns by denying those actors such resources as money, currency transfers, assets, technology, the ability to conduct business, and the physical products they need. To further these goals, OFAC applies sanctions that are broad and tend to prohibit export of all goods, technology, and services from U.S. people/businesses to certain designated people or entities, places, or sectors/activities. Many online businesses are providing these types of products or services and could mistakenly make them available to restricted parties or locations.
OFAC JURISDICTION: OFAC exercises wide-ranging jurisdiction to enforce these laws:
- OFAC has jurisdiction over U.S. citizens and lawful permanent residents, regardless of their physical location, as well as any individuals physically located in the United States.
- OFAC also has jurisdiction over U.S. companies, including foreign branches; companies physically located in the United States; and, in some cases, foreign entities owned or controlled by persons subject to U.S. jurisdiction.
- OFAC also maintains jurisdiction over transactions by foreign persons to the extent they involve the United States or have a U.S. nexus, such as using U.S. dollars or products with U.S.-origin technology.
SANCTIONS CHALLENGES: Online businesses face significant challenges in complying with OFAC’s sanctions regimes, and right now OFAC is devoting its financial resources to finding sanctions violators online. The global reach afforded by the internet also increases the risk of inadvertent country-based sanctions violations. Additionally, the lack of in-person contacts and the near-immediate nature of online transactions make it difficult to identify customers in order to avoid transactions with restricted individuals and entities.
To comply with OFAC sanctions, online businesses need to adopt procedures that can mitigate risk of violations while minimizing restrictions on their operations. Many online businesses rely on third-party payment-processing businesses to assume the compliance risk, reasoning that the payment would not go through if it were illegal. But the government holds service providers responsible for complying with the sanctions laws for their sales and services, and even for nonpaying customers who access an internet website. Luckily, there are various methods to prevent sales to restricted parties or embargoed countries, including:
- Internet protocol (IP) address blocks based on geographic location
- Reliance on credit card authentication to confirm identity
- Removal of embargoed countries from drop-down menus indicating shipping destination or payment currency
OFAC supports these efforts but finds them insufficient alone to fully address compliance risks. It recommends that e-commerce businesses do their best to know their customers directly, including gathering authentic information to verify identities and to ensure that the business is not transacting with sanctioned entities. OFAC further advises companies to gather purpose-of-payment information on each transaction processed.
AGGRESSIVE ENFORCEMENT: OFAC aggressively investigates suspected violations of its sanctions programs. As an example, the web performance and security company Cloudflare voluntarily disclosed to OFAC in May 2019 that it had provided services to sanctioned entities and individuals. OFAC’s investigation has been ongoing for over a year, and the company continued to respond to investigators’ questions as recently as July 2020.
In addition to the time and expense involved in cooperating with an OFAC investigation, businesses should consider that OFAC can impose significant financial and criminal penalties after it determines a company has violated sanctions programs. A recent settlement agreement with a Swiss company, the Société Internationale de Télécommunications Aéronautiques SCRL (SITA), which provides telecommunications services to the airline industry, illustrates the risks of failing to ensure online services comply with sanctions. While not strictly an online business, SITA provided electronic messaging services and software applications globally to airline customers that included airlines identified by OFAC as Specially Designated Global Terrorists, pursuant to the Global Terrorism Sanctions Regulations.
Those services and applications were either U.S.-origin technology or routed through the United States, allowing OFAC to assert jurisdiction over the company. OFAC determined that the base penalty amounted to around $13,384,000, with a maximum applicable penalty available of nearly $2.5 billion. After taking into account aggravating and mitigating factors, OFAC negotiated a settlement in which SITA agreed to pay around $7,830,000. Thus, companies providing global, internet-based services or technology need to know their customers and take appropriate steps to ensure that they avoid dealing with embargoed countries or restricted parties.
BUSINESS CONSEQUENCES OF SANCTIONS RISKS: In addition to severe legal penalties for sanctions violations, companies also are finding that not having a compliance program can affect the company’s ability to secure future investment and acquisition prospects. As OFAC scrutiny and investigations have increased, investors are wary of investing funds in companies carrying enforcement risks. Consequently, investors now are conducting more extensive due diligence regarding sanctions and other trade controls to ensure that their investment or purchase does not bring with it liability for sanctions violations. That due diligence can include extensive employee, partner, customer, and co-investor screenings, as well as audits of company records for documentary evidence of compliance controls, policies, and procedures. Companies with an existing screening process and other sanctions controls already in place can quickly address these concerns and provide investors or buyers with confidence that the company is in compliance. More and more, we are finding that investors (and third-party insurers) have an expectation that at least some OFAC sanctions compliance procedures are in place when they are looking to invest in or purchase a business.
The bottom line is that any company subject to OFAC requirements needs to review its risk profile. Companies should implement and employ compliance tools that are commensurate with the speed and scale of their business operations. There are many compliance steps that can be taken to minimize risk and reduce violations, including putting in place a policy, verifying information technology configurations, and assessing the cost of restricted-party screenings. Understand that reliance on automated screenings requires companies to take reasonable action to ensure those processes are configured to screen relevant customer information, including spelling variations. Creative counsel can find cost-effective ways to develop a compliance system that protects your company and your investors without hindering your business operations. It all starts with understanding your obligations and your online risk exposure.