U.S. Sanctions Enforcement: 2023 Trends and Lessons Learned
Today’s alert—the second in our Sanctions 2023 Year in Review Series—provides an overview of U.S. sanctions enforcement in 2023, including the key lessons learned from the public enforcement actions issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
It was a record year for U.S. sanctions enforcement, with OFAC assessing over $1.5 billion in penalties across 17 resolutions, dwarfing the total penalty amounts assessed in recent years and representing the highest volume of penalties ever assessed by OFAC in a single calendar year. This unprecedented penalty total was largely driven by OFAC’s record settlements with Binance Holdings, Ltd. (“Binance”) and British American Tobacco (BAT), OFAC’s highest-ever resolution and highest-ever resolution with a non-financial institution, respectively. Overall, in 2023, OFAC issued 17 public enforcement actions involving violations of seven different OFAC sanctions programs, with the overwhelming majority of these actions involving violations of Russia- or Iran-related sanctions.
Last year also saw increased levels of cooperation between OFAC and other federal agencies, with four OFAC actions that were part of parallel resolutions with the Department of Justice (DOJ) and/or other regulators. These actions suggest increased focus on criminal sanctions enforcement and are consistent with recent statements from the DOJ and other government officials that pursuing sanctions evasion and export control violations are top priorities. This is further evidenced by the first-ever Tri-Seal Compliance Notes issued by OFAC, the Department of Commerce’s Bureau of Industry and Security (BIS), and the DOJ, relating to third-party intermediary risks and Russia-related sanctions and export controls evasion and voluntary self-disclosures.
In addition, OFAC underwent core organizational changes in early 2023, consolidating all investigations and enforcement of potential violations of OFAC’s regulations under the Enforcement Division. Previously the Office of Sanctions Compliance and Evaluation handled investigations and enforcement with respect to the financial services and insurance industries, and the Enforcement Division covered all other investigatory and enforcement matters. This consolidation is expected to streamline the voluntary self-disclosure process, allow OFAC to track and explore cross-industry leads of potential violations, and ensure OFAC’s General Factors from its Economic Sanctions Enforcement Guidelines are enforced equally across industries and economic sectors, although financial institutions remain concerned that the deep understanding of, and sensitivity to, unique financial sector concerns from OFAC’s enforcement arm may be lost in the process. We believe this change signals OFAC’s increased appetite to enforce U.S. sanctions violations broadly, which will likely result in more public enforcement actions and steeper penalties, as evidenced by the record-breaking fines assessed by OFAC in 2023.
Part One of our Sanctions 2023 Year in Review Series summarized OFAC’s major activities and programmatic updates from 2023. This second installment looks to the recent U.S. sanctions enforcement past to offer sanctions compliance lessons for the future. In the coming days we will also be issuing separate alerts covering the most notable sanctions developments from 2023 in a number of key jurisdictions around the globe.
Russia’s war in Ukraine has motivated unprecedented enforcement coordination among U.S. regulators and between the United States and its allies. The “whole of government” approach to combating Russia sanctions evasion has spurred a shift in how OFAC and DOJ coordinate with each other and with their counterparts abroad—particularly the United Kingdom and European Union—that has created infrastructure around cooperation (e.g., weekly phone calls and cross-jurisdictional secondments) that we expect to outlive the current focus on Russia and extend to other shared national security priorities.
The U.S. government is also seeking to explain existing incentives and create new ones for individuals and companies to report sanctions-related violations. In addition to the Tri-Seal guidance flagged above, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), as directed by Congress, is currently updating and expanding its whistleblower program. FinCEN is preparing to issue rulemaking to implement that mandate, which will award whistleblowers 10 to 30 percent of any penalties and fines resulting from the government’s investigation of a tip. In the interim, FinCEN has already received over 100 tips, which have been referred both within FinCEN as well as to OFAC and DOJ and are reportedly mostly sanctions-related (with about 25 percent Russia-related). Companies should account for this new reality in considering their own whistleblower programs and practices around voluntarily disclosing potential violations to OFAC and other regulators.
Over 40 percent of OFAC’s 2023 public enforcement actions involved, at least in part, violations of Russia-related sanctions. These actions involved the provision of goods and services to the comprehensively sanctioned Crimea region of Ukraine, as well as to Specially Designated Nationals (SDNs) designated under OFAC’s Ukraine/Russia-related Sanctions Regulations, and were taken against U.S. and non-U.S. entities operating in the financial services (Binance, CoinList Markets LLC, daVinci Payments, Poloniex, LLC, and Swedbank Latvia AS), insurance (Privilege Underwriters Reciprocal Exchange), and technology sectors (Microsoft Corporation). Two of these settlements involved parallel resolutions: Binance reached a global resolution with OFAC, DOJ, FinCEN, and the Commodity Futures Trading Commission (CFTC), and Microsoft reached a joint resolution with OFAC and BIS.
Although OFAC has yet to bring a public enforcement action under the new sanctions authorities imposed in response to Russia’s 2022 invasion of Ukraine, as discussed above, we continue to see significant cross-agency and cross-border cooperation focused on combating sanctions evasion, such that the lack of public enforcement actions in this space is almost certainly a factor of the time it takes OFAC and other enforcement agencies to complete their enforcement investigations, rather than a lack of prioritization. The numerous joint guidance documents and advisories issued by OFAC and other agencies illustrate U.S. government expectations regarding the role of the private sector as the “first line of defense” and the need for robust implementation of risk-based sanctions compliance programs to counter Russia sanctions evasion; in fact, OFAC has started citing to such guidance in public web posts detailing Russia-related enforcement actions (see “OFAC Settles with Poloniex, LLC for $7,591,630 Related to Apparent Violations of Multiple Sanctions Programs” and “OFAC Settles with Swedbank Latvia for $3,430,900 Related to Apparent Violations of Sanctions on Crimea”). Companies will be expected by OFAC and other regulators and enforcement agencies to assess their ongoing Russia-related exposure and the applicability to their operations of relevant U.S. government guidance in order to ensure that their compliance programs are appropriately calibrated to mitigate those risks. In this environment, ongoing and robust risk assessments, and testing and auditing of compliance controls to ensure they are working as designed, become even more critical.
Four enforcement actions in 2023 were aimed at virtual currency companies, with one of these actions resulting in the largest settlement in OFAC history. OFAC cautioned that it expects, from “day one,” that entities operating in the virtual currency industry will demonstrate their management’s commitment to sanctions compliance, even as such entities are developing their technologies and offerings. Such a commitment must also be backed, as OFAC has routinely stated in the traditional finance space, by sufficient compliance resources to adequately account for a virtual currency company’s sanctions risks. And notably for companies operating in the financial technology (“fintech”) industry, OFAC warned that “it is no defense that an algorithm or other ‘autonomous’ system or formula serves as the mechanism for the underlying transactions or activities that violate sanctions; companies are responsible for the operation and consequences of the technologies they employ and will be held accountable where their technologies result in violations.”
In November 2023, Binance—a non-U.S. entity that operates as the world’s largest virtual currency exchange—settled with OFAC as part of a global resolution with DOJ, FinCEN, and the CFTC in relation to its “exportation or other supply of goods and services from the United States, or by U.S. persons, to sanctioned jurisdictions” and “caus[ing of] U.S. persons to engage, directly or indirectly, in transactions with users in sanctioned jurisdictions and [SDNs].” OFAC determined that the company and its senior management acted willfully to allow such transactions, encouraged its users to circumvent company controls, and misled third parties about such controls. OFAC also credited Binance for its “significant remedial measures,” including revamping and expanding its sanctions and know your customer (KYC) compliance frameworks and agreeing to retain a compliance monitor for a five-year period. This monitorship is the first ever imposed by FinCEN; its remit will include sanctions compliance.
Three other virtual currency companies—CoinList Markets, Poloniex, and Uphold HQ Inc.—entered into settlement agreements with OFAC in 2023 because they processed transactions for customers located in comprehensively sanctioned jurisdictions and/or that meet OFAC’s definition of the Government of Venezuela (and are therefore subject to U.S. blocking sanctions). These actions demonstrate the need for virtual currency companies (and others operating in the financial and technology sectors) to integrate all available information regarding their customers (e.g., KYC and other onboarding data, and geolocational data) into their screening processes and broader compliance functions.
In 2023, OFAC continued to highlight its expectation that U.S. companies will conduct sanctions-related due diligence in connection with acquisitions of both U.S. and non-U.S. entities and take active steps to extend their compliance programs—including risk assessment, training, and monitoring—to newly acquired or incorporated businesses and employees. Non-U.S. companies acquiring U.S. entities should also take steps to assess how such acquisitions may shift their own sanctions risk exposure. Post-transaction, companies should continue to proactively monitor new business elements to identify any sanctions-related issues. Companies should also consider enhanced oversight over their subsidiaries or business lines that operate in high-risk jurisdictions or engage in high-risk activities. Furthermore, subsidiaries should ensure the timely implementation of their parent companies’ global sanctions compliance policies.
The Murad, LLC and Wells Fargo Bank, N.A. settlements are examples of scenarios where U.S. companies acquired other U.S. entities and failed to detect through diligence those entities’ ongoing dealings with sanctioned persons or jurisdictions. In the case of Murad, after the U.S. parent discovered Murad’s Iran-related business, the U.S. parent instructed Murad to cease exports to Iran, but failed to independently verify the shipments actually ceased. In the case of Wells Fargo, it was a “mid-level manager” of a legacy business unit of another U.S. bank acquired by Wells Fargo that was largely responsible for the violative conduct, but OFAC determined that Wells Fargo failed to identify that conduct for years after the acquisition. Similarly, OFAC determined that Nasdaq, Inc. failed to screen 35 member financial institutions of a newly acquired Armenian subsidiary, screening which OFAC determined would have revealed the membership of an Iran-based sanctioned bank.
OFAC also pursued several enforcement actions involving insufficient oversight over non-U.S. subsidiaries. In its nearly $10 million settlement with 3M Company, OFAC determined that two non-U.S. 3M subsidiaries engaged in sales of reflective license plate sheeting which 3M knew or should have known would be resold to Iranian law enforcement (and therefore fell outside the scope of then-operative General License H). OFAC stated that “parent companies are expected to oversee compliance with applicable U.S. sanctions laws within their subsidiaries, and to empower employees to alert headquarters trade compliance when business dealings need further review,” and that such efforts are more likely to succeed at companies with a strong culture of compliance. With respect to subsidiary operations in high-risk jurisdictions, OFAC determined that Construction Specialties Inc.’s UAE subsidiary imported U.S.-origin building materials and knowingly reexported them to Iran under falsified trade documents, in violation of the U.S.-headquartered company’s compliance policy. The company discovered its subsidiary’s conduct when a U.S. person employee of the subsidiary was terminated for raising compliance concerns and subsequently traveled to the U.S. entity to report their suspicions. OFAC flagged this case as an example of the challenges faced by global companies pursuing business opportunities in high-risk jurisdictions and advised that companies should consider the need to implement risk-based, tailored controls at a local level, including routine audits or other appropriate oversight over subsidiaries that pose particular sanctions risks.
OFAC continued in 2023 to pursue enforcement actions against non-U.S. financial institutions and other companies that conduct business with U.S. persons or within the United States that causes U.S. persons to violate U.S. sanctions or results in the exportation, reexportation, sale, or supply, directly or indirectly, of goods, services, or technology from the United States to sanctioned jurisdictions or SDNs. Entities that engage in such conduct not only expose themselves to significant civil monetary penalties, but may also face criminal liability, as was the case last year for Binance (discussed above) and BAT. Non-U.S. companies should not avail themselves of U.S. customers, goods, technology, and services (including financial services), without instituting controls to maintain adherence to U.S. economic sanctions and other U.S. laws.
OFAC and DOJ determined that London-headquartered BAT, one of the world’s largest tobacco manufacturers, willfully conspired to run U.S. dollar payments for tobacco sold to North Korean entities through a third-party company to which BAT had previously spun off its North Korean sales for $1 in parallel with announcing it was exiting the North Korean market. To make these payments, North Korean purchasers used front companies so that U.S. banks involved in the transactions would not detect the connection to North Korea. OFAC and DOJ determined BAT caused U.S. financial institutions to process transactions that should have been blocked under U.S. sanctions. BAT agreed to settle with OFAC for $508 million (the statutory maximum and OFAC’s largest-ever penalty against a non-financial institution), $503 million of which was satisfied by its $629 million resolution with DOJ (the largest criminal North Korean sanctions penalty ever imposed by DOJ). In announcing the settlement, Treasury Under Secretary Brian Nelson stated that “[c]ompanies that seek to profit from circumventing sanctions by obscuring their involvement will be discovered and will pay a price. . . . Firms that deal with blocked persons, even indirectly, will be penalized when their schemes implicate the U.S. financial system.” The BAT actions may foreshadow what we can expect to see from the U.S. government in terms of enforcement of Russia-related sanctions evasion.
Similarly, Godfrey Phillips India Limited (GPI), another tobacco manufacturer, settled with OFAC for its use of the U.S. financial system to receive payments for tobacco it indirectly exported to North Korea, relying on several third-country intermediary parties to receive payments and obscuring the North Korean nexus from U.S. financial institutions. And in Swedbank Latvia, the bank allowed a customer to use its e-banking platform from an internet protocol (IP) address in Crimea to send payments to persons in Crimea through U.S. correspondent banks. Notably, the U.S. financial institutions that processed the violative BAT, GPI, and Swedbank transactions did not face public enforcement action, presumably because OFAC did not find that the U.S. banks knew or should have known about the underlying conduct.
In order for a U.S. sanctions violation to occur, there must be a U.S. nexus, i.e., the involvement of U.S. persons (including non-U.S. branches of U.S. companies and, in certain cases, non-U.S. subsidiaries of U.S. companies), U.S.-origin goods or services, or other activity within the United States. In addition to the financial services actions described above, OFAC’s 2023 enforcement actions highlight some of the different ways that a U.S. nexus can be triggered, such as (i) a non-U.S. subsidiary causing a U.S. affiliate to enter into or sell software licensing agreements and/or provide related services to persons located in sanctioned jurisdictions and sanctioned persons, (ii) use of servers based in the United States and/or systems managed by U.S. persons, either within the United States or at non-U.S. branches of U.S. persons, and (iii) involvement of U.S. person employees or affiliates in prohibited conduct.
In the Wells Fargo settlement, OFAC (and in a related action, the Federal Reserve) determined that another U.S. bank acquired by Wells Fargo had specially designed a customized software program for a European Bank with knowledge that such program would be used for the European Bank’s dealings with sanctioned jurisdictions and persons, and that although the European Bank continued to rely on technology infrastructure hosted by Wells Fargo, Wells Fargo had no “regular or systematic process in place . . . to periodically . . . confirm [the European Bank] was appropriately screening . . . for OFAC compliance.” In the 3M settlement, which involved a non-U.S. subsidiary engaged in Iran-related business during the pendency of General License H (which before revocation had authorized certain activities by non-U.S. subsidiaries of U.S. companies with Iran), OFAC cautioned that, for companies with U.S. person employees pursuing business activities that some of their employees may be prohibited from participating in (including, in the case of 3M, a U.S. citizen employee of the non-U.S. subsidiary), it is essential to implement an effective recusal policy.
OFAC’s 2023 actions reiterate that companies that fail to leverage information in their possession regarding their customers’ and other counterparties’ locations—including IP addresses—to comply with U.S. sanctions throughout the course of the counterparty relationship will face enforcement risk.
OFAC continues to pursue enforcement actions highlighting its position that the use of geolocation tools, including IP blocking, to identify and prevent users with a nexus to sanctioned jurisdictions from engaging in prohibited activities is a core element of an effective, risk-based sanctions compliance program. In addition to the Swedbank resolution referenced above, OFAC’s settlements with Poloniex and daVinci Payments also involved apparent violations attributable, in part, to the companies’ failures to implement IP blocking.
While IP blocking is a fundamental internal control, OFAC expects companies to utilize all available data for sanctions compliance purposes. For example, OFAC determined that Uphold HQ Inc. (“Uphold”), a California-based global digital trading platform, failed to screen and identify customers who self-identified their location in Iran or Cuba during the account onboarding process. Additionally, Uphold processed transactions on behalf of customers who self-identified as employees of the Government of Venezuela (and were therefore subject to OFAC blocking sanctions). Similarly, OFAC determined that U.S. Emigrant Bank had actual knowledge that it was maintaining an account for two customers ordinarily resident and located in Iran through multiple documents (including tax forms) showing the customers’ Iranian addresses. And OFAC penalized CoinList Markets for processing transactions with Crimea, where the company had instituted both IP blocking and a KYC process to reject potential customers that provided an ID card or physical address in a sanctioned jurisdiction, but did not catch customers that provided Crimean addresses but said they were located in “Russia.”
OFAC also penalized the failure to aggregate information across databases or systems for sanctions screening purposes. OFAC determined that, in some instances, Microsoft’s restricted-party software did not account for the universe of information known to the company to identify blocked persons. In other instances, the company did not identify blocked persons that were owned 50 percent or more by SDNs, or SDNs with Cyrillic or Chinese names, even though many customers provided information in their native scripts. These failures caused OFAC to observe that companies with sophisticated technological operations should ensure that their sanctions compliance controls remain commensurate with their risks and leverage appropriate technological compliance solutions.
Even the most robust compliance measures are only effective when applied to new and pre-existing customers. For example, when Poloniex implemented a sanctions compliance program, which provided for a sanctions-focused review of KYC information for new customers, existing customers were not retroactively screened and, as a result, the company continued to provide services to customers located in sanctioned jurisdictions. OFAC cautioned that companies implementing new compliance controls should ensure that they apply those controls not only to new customers, but to existing ones as well.
Relatedly, companies should ensure they are incorporating new sanctions into their compliance controls. In its settlement with Microsoft, OFAC determined that the company failed to timely screen pre-existing customers following changes to the SDN list and noted that because OFAC sanctions are dynamic, companies should evaluate new sanctions against their pre-existing relationships to avoid dealing with sanctioned parties.
Not only may individuals face termination or reprimands for actions on the job involving apparent violations of sanctions, but they may also—in rare cases—find themselves personally on the hook for a penalty. One of OFAC’s 2023 actions was brought against a former senior executive of Murad who OFAC determined knowingly signed distribution agreements with Iranian and UAE distributors that facilitated the export of over $11 million worth of goods to Iran over eight years. OFAC considered aggravating factors to include the individual’s awareness of the exports to Iran, seniority, export oversight responsibilities, and knowledge that the sales to Iran were prohibited. OFAC cautioned that senior executives with managerial responsibilities should refrain from committing potential violations and take steps to prevent potential violations by promoting a culture of compliance and raising awareness of applicable prohibitions.
OFAC’s enforcement actions over the past year affirm the importance of implementing and maintaining strict compliance controls for all companies operating internationally. Companies should tailor their compliance mechanisms to ensure that they are commensurate with the sanctions risk posed by their business activities and proactively resolve sanctions compliance-related concerns. Robust compliance programs emphasizing management commitment, risk assessments, internal controls, testing and auditing, and employee training can reduce risk and mitigate penalties.
Morrison Foerster’s National Security Group is ready to offer counsel on the scope and sufficiency of corporate sanctions compliance programs and, where compliance efforts may have failed, guidance on resolving potential enforcement matters.