This article originally appeared in the May/June 2017 issue of the American Bankers Association's ABA Bank Compliance.

In January 2017, the U.S. Treasury Department, Office of Foreign Assets Control (OFAC) announced a settlement with a large Canadian bank for approximately 170 alleged violations of U.S. sanctions against Iran and Cuba. The bank agreed to pay OFAC more than $500,000 in monetary penalties.

On the same day, OFAC announced its determination that two of the bank's European subsidiaries had committed nearly 3,500 U.S. sanctions violations. Yet OFAC imposed no penalty on the subsidiaries.

This is not the only example of OFAC imposing different penalties against entities apparently involved in similar conduct. In September 2016, OFAC announced penalties against two U.S. companies alleged to have violated U.S. sanctions on Iran. The number of violations that each company allegedly committed was similar; the penalty was not, as one company paid 1/100th of what the other company paid.

Unfortunately, OFAC's reasoning in concluding enforcement actions is not always clear. While the agency publishes details of settlements on its website, the information provided is typically minimal. There will be a brief description of the parties involved and the alleged violations, and a list of the factors, both aggravating and mitigating, that OFAC considered in deciding what penalty to impose.

Nonetheless, these settlement announcements provide useful insight into strategies to mitigate violations that do occur. This article attempts to outline some of those strategies, both for purposes of protecting against violations and to remediate them when they do occur.

Background

OFAC currently administers approximately 25 different sanctions programs against designated countries, governments and other entities, individuals, and even vessels. As a general matter, U.S. persons (including U.S. companies and all persons in the United States) cannot do any business with a sanctioned party.

Banks and other financial institutions are on the front lines of U.S. sanctions compliance, as they process millions of transactions on a daily basis and across international boundaries. And it's not just U.S. banks that are in the cross hairs: as demonstrated in its enforcement action against the Canadian bank, OFAC views its jurisdiction to extend to any party that transacts in or through the United States. (See also the penalties imposed against Standard Chartered, HSBC, and, most significantly, BNP Paribas for further evidence of the long arm of OFAC jurisdiction.)

To be clear, OFAC is unlikely to attempt to exercise jurisdiction over a non-U.S. entity operating entirely outside the United States. But it is also clear that OFAC may try to exercise jurisdiction over any transaction that involves U.S. dollars, and which therefore needs to pass through the United States at least electronically at some point.

Canadian Bank Violations

The January 2017 enforcement action against the Canadian bank is instructive as to how OFAC pursues enforcement actions. In the action, OFAC asserted that the bank was involved in trade finance transactions, from approximately 2003 through 2011, in violation of U.S. sanctions on Cuba and Iran. (Note that, as is frequently the case with OFAC enforcement actions, the violations occurred many years before the agency actually settled the matter, i.e., these matters often take a long time to conclude.)

According to OFAC, the bank maintained accounts with one Canadian company that was owned by a Cuban entity, and another Canadian company that was an agent for an Iranian entity designated on OFAC's List of Specially Designated Nationals and Blocked Persons. The bank also apparently maintained accounts on behalf of numerous Cuban nationals residing in Canada.

OFAC determined that the bank conducted dozens of transactions through the U.S. financial system on behalf of these parties; by OFAC's calculations, the unauthorized transactions totaled over $2 million. The transactions reportedly involved non-U.S. bank personnel who, according to OFAC, knew or should have known of the customers' connections to sanctioned nations and entities. OFAC asserted that the shortcomings of these personnel were largely the result of ineffective compliance policies and procedures. (More on avoiding that later.) According to OFAC, the bank, a large sophisticated financial institution with a global presence, should have had more effective compliance controls in place.

But OFAC also decided to reduce the penalty as a result of several factors. In particular, OFAC noted the bank's substantial cooperation during the investigation, including its voluntary self-disclosure, provision of detailed and well-organized information in response to OFAC requests, and signing and extension of a tolling agreement. And OFAC highlighted the bank's "robust remedial response, including by changing its policies and procedures as well as its compliance structure ..."

OFAC's separate action for violations committed by the bank's subsidiaries highlights the long arm of sanctions enforcement, as both subsidiaries operate primarily in Europe. According to OFAC, in an annual Anti-Money Laundering Risk Assessment, the Canadian bank discovered that the subsidiaries lacked adequate compliance programs. In part for that reason presumably, the subsidiaries processed nearly 3,500 transactions with persons residing or located in Iran or Cuba. These transactions totaled $92,868,862 between 2008 and 2013.

Yet no penalty was imposed against the subsidiaries. OFAC explained that the violations were not the result of intentional misconduct but rather inadequate compliance and a lack of understanding about the scope of U.S. sanctions jurisdiction. OFAC also emphasized remedial measures were taken, including compliance improvements.

In any event, the penalties imposed (and not imposed) by OFAC demonstrate that OFAC generally expects greater accountability from larger businesses, and that large global entities are expected to understand the complexities of U.S. sanctions laws and to have in place the compliance infrastructure to prevent, detect, and, when deemed appropriate, self-report violations.

To be clear, OFAC is not giving small organizations a free pass; far from it. But OFAC also seems to recognize that the compliance infrastructure in a smaller organization should be commensurate with the organization's size and risk profile. In other words, OFAC seems to appreciate that compliance programs should be risk-based. And this is a lesson from which every company can benefit.

Remediation

So how does a company, either before it is under investigation or once already in the government's sights, try to control the damage? As demonstrated in the Canadian bank case, cooperation with the government is typically a good strategy. But it is important to note that there is rarely an affirmative obligation to disclose a violation of U.S. sanctions; in many cases a company can reasonably decide not to self-disclose.

Even in such a case, however, there are certain steps that are essential to remediate violations that have occurred. Based on past OFAC enforcement actions, and our own experiences, we think the following steps are critical:

Careful investigation. If a violation or potential violation is identified, the company must conduct an appropriate investigation. The scope of the investigation should be based on the nature of the actual/potential violation, but an investigation must take place. Otherwise problematic conduct may continue, and if it does, and the government subsequently learns of it, the penalties are likely to be much more severe. The government really does not like it when companies duck their head in the sand and hope a problem goes away; the government's expectation is that problematic conduct will be investigated, root causes identified, and specific remedial measures will be taken to protect against similar problems in the future.

Compliance enhancements. Enhancements can take many forms: improved policies and procedures, enhanced training, more robust auditing, and other steps may all be warranted depending on the circumstances. Regardless of which measures are taken, those that are implemented should be specifically directed to address violations / compliance shortcomings that have been identified. For example, if a company's screening processes are not extended to its non-U.S. operations, and violations occurred because non-U.S. operations were conducting business with prohibited parties, those operations should be instructed to adopt specific screening mechanisms. If a U.S. company's personnel are processing transactions with Iran under the false impression that the U.S. embargo on Iran has been lifted, those personnel (and probably all relevant personnel of the company) should be trained on the scope of U.S. sanctions on Iran.

Compliance enhancements also serve the purpose of demonstrating that the company has a tone from the top that emphasizes the importance of compliance. In our experience, nothing is more important than a culture of compliance. The only way such a culture can be meaningfully introduced and maintained is through committed leadership.

Monitoring. Even the best compliance program will be unable to prevent all violations. It is thus necessary to have a monitoring mechanism so that weaknesses, even if they don't turn into violations, can be identified and remedied. Compliance reviews should be conducted on a regular basis and with reference to what makes most sense commercially. Spending an exorbitant amount of money to audit a low-risk jurisdiction may not be needed; likewise, spending a paltry sum to review the operations in a high-risk jurisdiction may be asking for trouble.

Recordkeeping. In each area of compliance, keeping good records is vital: it is those records that will often be the most useful evidence that your enterprise did its best to comply with the law, even if there was a misstep. Results of monitoring, including who has responsibility for managing corrective actions recommended due to the monitoring, should be kept in compliance files. Copies of training materials should be maintained, and of course policies and procedures should be memorialized so they are readily accessible to personnel.

Conclusion

There is no indication that OFAC is slowing down its enforcement activities; now as always, financial institutions will often make a compelling target for the agency. All risk cannot be eliminated, but it can definitely be mitigated through the steps listed above.