Checking OFAC Lists Is Not Processing of Criminal Data
Checking OFAC Lists Is Not Processing of Criminal Data
EU companies should be able to use sanctions lists compiled by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and other governments’ agencies to screen for illicit activity that could cause them harm. Some EU companies, however, have been afraid to use those lists because they believe, inaccurately, that sanctions list screening may constitute the processing of criminal data. This is not correct, and EU companies should feel free to continue accessing this type of public information to help them thwart financial system abuses and for other purposes.
EU companies clearly must comply with sanctions programs adopted by the European Union and any Member States in which they operate. This includes obligations to screen against EU and Member State sanctions lists. One concern expressed by certain EU companies, however, has been that they may face legal risks in using various economic sanctions lists—such as the Specially Designated Nationals List (“SDN List”) released by OFAC—to screen for illicit activity and thereby prevent reputational, legal, and business risks.
Because the General Data Protection Regulation (GDPR) delegates the rules for the processing of “personal data relating to criminal convictions and offences” to Member State control, compliance officials have expressed concerns that banks and other companies may be barred from using publicly available, government-issued lists that provide critical information to help them avoid doing business with terrorist financiers, weapons of mass destruction (WMD) proliferators, money launderers, and other illicit actors because checking the OFAC list will be deemed processing of criminal data.
This characterization is incorrect for a simple reason—individuals and entities are not placed on OFAC lists because they are accused or convicted of a crime. They are put on the lists because they have violated a civil norm. Thus, checking the OFAC lists is not processing of criminal data.
To be added to the OFAC list, SDNs need not be convicted of any crime; in most cases, no criminal charges are ever even sought by prosecutors in the United States or other jurisdictions.
Instead, as OFAC notes on its website, “SDNs are individuals and entities located throughout the world that are blocked pursuant to the various sanctions programs administered by OFAC. SDNs can be front companies, parastatal entities, or individuals determined to be owned or controlled by, or acting for or on behalf of, targeted countries or groups.”
It is true that some of the actions which cause an individual or entity to be added to a U.S., EU, or United Nations sanctions list—such as support for terrorism and WMD proliferation—can also serve as the basis for separate criminal charges. The purposes underlying U.S., EU, and UN sanctions, however, are preventative. They are not punitive, as they would be in the criminal context.
The sanctions lists are intended to deter continuing bad behavior and prevent abuse of the U.S. and international financial systems according to international obligations such as those contained in the Recommendations of the Financial Action Task Force endorsed by more than 180 countries, as well as the EU’s Anti-Money Laundering and Terrorist Financing Regulation (AMLR) – 2024/1624/EU, which calls for “the use of evidence-based decision-making in order to target more effectively the risks of money laundering and terrorist financing facing the Union and those operating within it.”
There is ample reason to utilize separate criminal and administrative actions to target similar behavior.
U.S. and European prosecutors may elect not to waste their limited resources bringing criminal charges against every terrorist financier who hides behind the protection of powerful home country officials, or every kleptocrat stealing a developing nation’s wealth but whose lack of local ties may not allow another country’s criminal authorities to make a case.
Western prosecutors may also elect not to attempt to jump through the necessary hoops to use classified evidence to indict every Iranian, North Korean, or Russian cyber actor whose manipulative keystrokes wreak havoc on Western public and private sector entities, especially when those actors will never set foot outside their home countries.
But sanctions lists can protect organizations from facilitating, or succumbing to, such abuses of the international financial system, even when criminal prosecution is not readily available or practicable.
The consequences of being added to the OFAC or other sanctions lists fall far short of those that result from a criminal conviction. No jail time is threatened or even possible from an SDN listing, unless U.S. or foreign prosecutors initiate separate criminal charges based upon their own criminal cases.
The only legal consequences that flow from listings as SDNs are, first, any property subject to U.S. jurisdiction must be frozen—or “blocked,” to use sanctions terminology—and, second, Americans are prohibited from dealing with SDNs, unless authorized by OFAC. These consequences, while severe, do not rise to any legal or common-sense interpretation of “criminal convictions.”
The “freezing” of assets required by an SDN listing also differs substantially from the “seizing” of assets that may result from a criminal conviction. When assets are frozen, title remains with the SDN, interest continues to accrue, and, barring a separate criminal or civil action, the funds are generally returned to the SDNs upon their removal from the list. When assets are seized pursuant to a criminal proceeding, title transfers to the government and they are not returned.
Indeed, the legal standard by which OFAC acts is far less than the “beyond a reasonable doubt” standard for criminal cases and even the “preponderance of the evidence” standard for civil cases. As the U.S. federal courts have repeatedly emphasized, OFAC’s SDN listings are held to the lower, “reasonable basis” legal standard applicable to federal agency action.
There are ample objectives underpinning the GDPR’s restriction on the use of criminal data. Preventing banks and other companies from utilizing publicly available information—unrelated to a criminal offense but compiled to protect the international financial system from abuse—is not one of them.