Recent enforcement actions against PayPal, Inc. ("PayPal") and Schlumberger Oilfield Holdings Ltd. ("Schlumberger Holdings") serve as a reminder to all companies subject to U.S. economic sanctions that no matter how robust corporate compliance policies may appear on paper, an ineffectively implemented compliance policy will not mitigate or insulate companies from substantial penalties. 

Paypal

On March 25, 2015, the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") announced that online financial services provider PayPal had entered into an agreement to settle allegations that it had committed numerous violations of U.S. sanctions regulations. Under the terms of the settlement agreement, PayPal will remit $7,658,300 to resolve potential civil liability arising from 486 transactions it processed in apparent violation of OFAC sanctions programs targeting Cuba, Iran, Sudan, the proliferation of weapons of mass destruction, and global terrorism. Although PayPal voluntarily disclosed the alleged violations, and the value of the transactions at issue totaled only $43,934, OFAC concluded that some of PayPal's compliance failures constituted egregious violations of U.S. sanctions regulations, and determined that the base penalty amount for all of these violations totaled $17,018,443.

Over approximately a four-year period from 2009 through 2013, "PayPal failed to employ adequate screening technology and procedures to identify the potential involvement of U.S. sanctions targets in transactions that PayPal processed."[1] According to the settlement agreement, beginning in approximately March 2006, PayPal identified OFAC compliance issues with respect to its payment systems and began taking steps to enhance and implement its OFAC compliance processes and procedures. Nevertheless, prior to July 2011, PayPal reportedly failed to interdict in-process transactions that contained references to sanctioned countries or persons. In July 2011, PayPal enacted a limited compliance procedure that permitted the company to screen transactions against OFAC's list of Specially Designated Nationals and Blocked Persons (the "SDN List") using sanctions-related keywords. PayPal did not begin screening live transactions against the SDN List in real time, and appropriately blocking or rejecting prohibited transactions before payment was complete, until April 2013. By the time PayPal had implemented these changes, it had processed hundreds of transactions involving sanctioned countries or parties.

Of particular concern to OFAC were 136 transactions totaling $7,091.77 that PayPal processed on behalf of Kursad Zafer Circe, an individual whose property and interests in property are blocked pursuant to U.S. sanctions targeting proliferators of weapons of mass destruction and their supporters. According to the settlement agreement, between October 2009 and February 2013, PayPal's software identified Circe's account as potentially associated with an individual on the SDN List and triggered an internal alert on six separate occasions. On each occasion, PayPal personnel mistakenly dismissed the alert. Notably, in February 2013—nearly four years after Circe was designated on the SDN List—a PayPal risk operations agent investigated the potential SDN List match and requested further information on the account. Despite receiving a copy of Circe's passport, which confirmed that his date and place of birth were identical to the information shown on the SDN List entry for Circe, PayPal allowed the transaction to proceed. PayPal only (and finally) appropriately blocked the account and reported it to OFAC on the seventh time Circe's account was flagged in April 2013. The total value of these transactions was $7,091.77, and OFAC determined that the total base penalty for these apparent violations was $17 million.[2] 

While OFAC found that many of the transactions processed in apparent violation of sanctions regulations constituted non-egregious violations, it found that the violations associated with the Circe account were egregious. OFAC based its findings on its conclusions that PayPal had demonstrated reckless disregard for U.S. economic sanctions requirements, that its agents had failed to adhere to PayPal's policies and procedures and had engaged in a pattern of misconduct by repeatedly ignoring warnings of potential matches to the SDN List, and that PayPal's actions had undermined the integrity of OFAC's nonproliferation sanctions regulations. Based upon the egregious nature of those apparent violations, the base penalty for those violations comprised virtually the entirety of the base penalty amount across all apparent violations.

Schlumberger

In late March 2015, the Department of Justice ("DOJ") announced that Schlumberger Holdings entered a plea agreement to resolve allegations that it had violated U.S. sanctions against trade with Iran and Sudan. Schlumberger Holdings is a British Virgin Islands registered subsidiary of Schlumberger Ltd., the world's largest oil-field services company. Under the plea agreement, Schlumberger Holdings will pay $232.7 million for willfully facilitating illegal transactions through its U.S. unit, the Drilling & Measurements business segment ("D&M"), and engaging in trade with Iran and Sudan.[3] Although other companies have entered into settlement agreements with much larger total penalties, this is the largest criminal fine ever imposed for violations of U.S. sanctions regulations promulgated under the International Emergency Economic Powers Act.

In the charging documents, the DOJ focused on coordination between Schlumberger Holdings and D&M, which, according to the DOJ, led to: (i) disguising the company's capital expenditure ("CAPEX") requests from Iran and Sudan and approving such requests in the United States; (ii) making and implementing business decisions specifically concerning Iran and Sudan through U.S. persons; and (iii) planning and supporting transactions involving Iran and Sudan with the assistance of U.S. persons. D&M management personnel were responsible for the supervision of the CAPEX process, "a forecasting mechanism enabling oilfield locations and manufacturing facilities to predict what tools and equipment would be needed in the future to meet anticipated demand for oilfield services."[4] As part of the CAPEX process, D&M managers around the world submitted requests seeking approval for the manufacture of new equipment or for the expenditure of funds for large-scale purchases. The requests typically were submitted electronically, and as a result of the approval process for CAPEX requests, D&M personnel in the United States reviewed and approved all CAPEX requests, including requests relating to Iran and Sudan. Even though the actual purchasing or other work was performed outside of the United States, approval for such transactions by U.S. persons was enough to bring it under the purview of the U.S. sanctions.

The DOJ further explained in detail that Schlumberger Holdings (including D&M) employees would seek to evade the sanctions in multiple ways, using internal company emails to support knowledge and intent. The plea documents identify a number of emails containing statements suggesting that D&M personnel were disguising the fact that certain transactions related to Iran or Sudan. For example, D&M personnel would refer to Iran as "Northern Gulf" and Sudan as "Southern Egypt" or "South Egypt." The documents also indicate that D&M personnel concealed the identity of sanctioned countries in the computer systems by entering codes for nonsanctioned countries or using codes for a facility located in the United Arab Emirates. Finally, according to the DOJ Statement of Offense, D&M held a financial planning meeting in Houston "to discuss global financial expectations for the upcoming year and to establish a plan to meet those expectations."[5] The minutes of the meeting showed that there was discussion that Iran was a market on which the company needed to focus. According to the government, these activities constituted business decisions relating to Iran made in the United States in violation of U.S. sanctions.

The DOJ noted that Schlumberger Holdings had policies and procedures in place "that were designed to assure that company personnel who were U.S. persons did not participate in business that related to U.S. sanctioned countries, including a Recusal Program whereby U.S. persons were required to recuse themselves from involvement in business related to Iran and Sudan."[6] The DOJ found, however, that Schlumberger Holdings did not effectively enforce its policies and procedures in relevant systems and practices related to D&M's operations in Iran and Sudan. Indeed, the DOJ noted that Schlumberger Holdings did not adequately supervise D&M personnel, including U.S. citizens and non-U.S. citizens, to ensure their activities complied with U.S. sanctions regulations and internal policies and procedures. Moreover, it found that Schlumberger Holdings did not adequately provide compliance training, and specifically noted that Schlumberger Holdings's non-U.S. employees were not properly trained regarding the applicability of the sanctions when they were in the United States.

Effectiveness and Implementation of Compliance Policies and Procedures

The PayPal and Schlumberger Holdings enforcement actions reflect familiar themes—continued scrutiny of all money and financial service providers, regardless of size or sophistication, and the provision of back-office services and other support by U.S. persons for foreign business activities in sanctioned countries. A common theme running through both enforcement actions is the substantial impact of ineffectively implemented internal compliance policies and procedures.

Neither OFAC nor any other U.S. sanctions enforcement agency explicitly requires any specific internal compliance or screening regime—or any internal compliance program at all.[7] Nevertheless, any company operating in the international market would be prudent to implement sanctions compliance policies and procedures that are appropriately tailored to the risk inherent in its operations. On its website, OFAC provides guidance materials, as well as Frequently Asked Questions, to assist companies such as importers, exporters, and money and financial service providers in understanding their compliance obligations. In addition, businesses that may be relatively unfamiliar with sanctions compliance issues, or that may wish to review and improve their compliance policies and procedures, should consider consulting legal and compliance experts in this field.

As these enforcement actions indicate, merely having sanctions compliance policies and procedures is not enough; companies must ensure that their policies and procedures are effectively implemented in daily operations and working to prevent violations. 

Companies should, therefore, invest as much effort, if not more, in implementing their policies, as was given to developing the policies. Companies can better protect themselves by providing thorough training to employees, installing a culture of compliance with the U.S. sanctions, and instituting strong checks to prevent violations. Companies should train their personnel to ensure they understand and properly employ internal compliance procedures. Personnel should receive regular mandatory training and, in many cases, certify their understanding of corporate policy. Management should also be involved at all levels to set a "tone from the top" that compliance is a priority, and to supervise operations to avoid violations. Finally, companies should effectively test their internal compliance procedures to ensure they are working properly. Periodic audits can be instrumental in mitigating corporate risk and, at a minimum, catching potential violations before they become systemic problems. Taking steps now to ensure that your business has proper and effective policies and procedures in place can help reduce the risk of a government enforcement action down the road.