In connection with a settlement with a Swiss company, the Office of Foreign Assets Control (OFAC) has extended its reach in an important development for foreign businesses which may utilize software or hardware originating from the United States.

What happened

On February 26, 2020, OFAC announced that it had reached an agreement with a Swiss-based airline reservation services company to pay over $7 million to settle its potential civil liability for 9,256 apparent violations of the Global Terrorism Sanctions Regulations, 31 C.F.R. Part 594 (GTSRs).1

Specifically, Société Internationale de Télécommunications Aéronautiques SCRL (SITA) was alleged to have violated the GTSRs between April 2013 and February 2018 when it provided commercial services and software benefiting certain Iranian, Syrian and Iraqi airline customers that were also specially designated global terrorist organizations (SDGTs). What is noteworthy about this OFAC enforcement action is that OFAC applied its primary sanctions enforcement authority to a non-U.S. entity whose nexus with the United States was the use of U.S.-origin software, technology and telecommunications hardware located in the United States—not the processing of funds for the SDGTs through the U.S. financial system. This is significant because SITA—a Swiss-based entity organized under Belgian law—is not a U.S. Person and therefore is not expected to comply with primary U.S. sanctions laws and regulations.

SITA provided three different types of commercial services and software to the SDGTs which implicated U.S. jurisdiction: (i) a messaging service that enabled users to communicate with others in the industry (for example, for purposes of ordering aircraft maintenance, refueling, flight planning), which was routed through switching equipment located in Atlanta, Georgia; (ii) a U.S.-origin software application that allowed shared users of a common terminal to manage processes such as check-in and baggage management; and (iii) a lost-baggage tracing and matching system hosted on SITA’s servers in the United States, which were maintained by a U.S. subsidiary. OFAC determined that these services and software caused SITA to become subject to U.S. jurisdiction for primary sanctions compliance obligations (as to which U.S. persons are subject) because “they were provided from, or transited through, the United States or involved in the provision of U.S.-origin software with knowledge that customers designated as SDGTs would benefit from the use of that software.”

OFAC also cited SITA for having an inadequate, “primarily reactive” sanctions compliance program that failed to comprehensively address in detail issues regarding compliance with U.S. sanctions laws and regulations. For example, OFAC noted that although SITA had terminated its ticketing, e-commerce and other contract services with one of the SDGTs—an Iranian airline—immediately following OFAC’s designation of that entity as an SDGT, SITA continued to provide the aforementioned U.S.-origin software and technical services, implicating U.S. jurisdiction.

SITA also failed to voluntarily self-disclose to OFAC the existence of the alleged apparent violations of the GTSRs prior to OFAC’s investigation. Consequently, SITA was unable to take advantage of the OFAC regulation cutting in half its base civil monetary penalty, prior to adjustments for mitigating and aggravating factors.

Why it matters

Many non-U.S. businesses have structured their U.S. sanctions compliance programs based upon the assumption that they are not obligated to comply with primary (as opposed to secondary) U.S. sanctions laws and regulations so long as funds are not being cleared through the U.S. financial system, transactions are with other non-U.S. persons, and they have no physical presence in the United States. The increasing scope and reach of U.S. sanctions authority, however, warrants reconsideration of such assumptions based upon a comprehensive risk assessment of operational nexus with the United States extending to the company’s use of technical services routed through the U.S. and U.S.-origin software provided for the benefit of the customer. Foreign companies operating in industry sectors targeted by U.S. sanctions (such as the airline, metals and financial services industries) should take particular note of these developments, swiftly implement a review of existing risk assessments, and make appropriate adjustments to their sanctions compliance programs to avoid unintended violations of U.S. sanctions laws and regulations. Additionally, all persons, including non-U.S. businesses, should engage legal counsel promptly upon discovery of an apparent U.S. sanctions violation in order to assess the propriety of making a voluntary self-disclosure to OFAC to take advantage of significant, early mitigation of a potential civil monetary penalty.