- In the past year, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the U.S. Department of Commerce's Bureau of Industry and Security (BIS) and the U.S. Department of State's Directorate of Defense Trade Controls (DDTC) have prioritized the implementation of regulations and issuance of guidance in response to Russia's invasion of Ukraine and ongoing economic competition with China.
- The agencies have also been busy with enforcement actions, often underscoring policy priorities of the Biden Administration and offering the business community a roadmap for best practices.
- This Holland & Knight alert identifies 10 important lessons learned from OFAC, BIS and DDTC enforcement actions and policies announced in 2022.
In the past year, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the U.S. Department of Commerce's Bureau of Industry and Security (BIS) and the U.S. Department of State's Directorate of Defense Trade Controls (DDTC) (collectively, the Trade Agencies) have prioritized the implementation of regulations and issuance of guidance in response to Russia's invasion of Ukraine and ongoing economic competition with China.
At the same time, the Trade Agencies have been busy with enforcement actions, often underscoring policy priorities of the Biden Administration and offering the business community a roadmap for best practices. In 2022, the Trade Agencies took several notable actions against U.S. and foreign companies for violating U.S. export control and sanctions laws and regulations. These enforcement actions highlight the challenges companies face in managing risk associated with global operations, meeting U.S. legal requirements and implementing effective trade compliance programs.
With 2022 in the rearview mirror and as industry looks forward in 2023, businesses should take the opportunity to review existing trade compliance programs and determine whether new or different internal controls are warranted in light of the changing enforcement landscape. This Holland & Knight alert highlights 10 important lessons learned from OFAC, BIS and DDTC enforcement actions and policies publicized in 2022, which can help inform areas of risk for industry.
Lesson 1 – If You Outsource Due Diligence, Be Sure to Read the Fine Print: Companies Using Third-Party Sanctions Screening Tools Must Still Be Active Participants in Compliance
Over the course of 2022, major geopolitical developments like Russia's invasion of Ukraine have created heightened sanctions compliance risks for many businesses. In 2022 alone, OFAC designated thousands of individuals and entities to its Specially Designated Nationals (SDN) and Blocked Persons List, greatly expanding the compliance burden for companies conducting sanctions and prohibited parties screening, especially those doing so manually. As risk profiles evolve and U.S. sanctions programs become more extensive and complex, many companies may choose to utilize third-party vendors to complete their sanctions screening.
In enforcement actions in the past year, OFAC has recognized the value in engaging third parties for sanctions screening services but highlighted the need for companies to actively understand the scope and capacity of third-party sanctions screening tools and to ensure that those capabilities are commensurate to the company's specific risk profile. The use of third-party sanctions screening tools will look different depending on a company's size, geographic reach and customer base. For example, OFAC may expect banks and other financial institutions to complete real-time, daily screening of each processed transaction of their existing customer base to make sure screening procedures capture new additions to the SDN List. OFAC has made clear the need for comprehensive sanctions compliance programs that are not simply limited to the utilization of third-party services. Instead, OFAC expects – particularly for those companies with high-risk profiles – other internal controls, routine assessment of risk, periodic training and auditing, and a culture of compliance.
Lesson 2 – Mind Your Post-Closing Obligations: Sanctions Compliance Must Flow Down to Newly Acquired Subsidiaries
Companies that frequently engage in mergers and acquisitions (M&A) activities should pay close attention to the actions of their new subsidiaries. In April 2022, OFAC announced that New York-based business analytics and information company S&P Global Inc. agreed to pay $78,750 to settle its potential civil liability for apparent violations of the Ukraine-Related Sanctions Regulations. The violations occurred in 2016 and 2017 when a newly acquired U.S. subsidiary of S&P Global, Petroleum Industry Research Associates Inc. (PIRA), reissued and re-dated multiple invoices to continue to extend credit to JSC Rosneft (Rosneft), a state-owned Russian oil company, in violation of the debt and equity restrictions set forth under Executive Order 13662. After the acquisition, S&P Global (formerly PIRA) employees reissued and re-dated four invoices to extend the original payment dates. S&P Global ultimately accepted past-due payments totaling $82,500 from Rosneft, even after Rosneft informed PIRA that the rejected payments were "returned by the bank because of sanctions policy" and suggested that PIRA contact its U.S. financial institution.
Notably, the enforcement action involved a violation of OFAC's sectoral sanctions – only the second-ever enforcement action involving the Sectoral Sanctions Identifications List (SSI List) – and serves as a helpful warning in light of the expansion of the SSI List with Russia's invasion of Ukraine. Likewise, OFAC's enforcement action highlights the importance of U.S. companies conducting appropriate due diligence and actively extending trade (sanctions and otherwise) compliance programs, including training and monitoring to newly acquired international and domestic businesses. New employees should be trained in OFAC compliance procedures following an acquisition.
Lesson 3 – Know Thyself: Companies Should Tailor Their Sanctions Compliance Programs to Their Respective Risk Profiles
Trade compliance programs should be risk-based and commensurate with the size and scope of any particular company's operations. Two recent OFAC enforcement actions against two companies of significantly different size and scope are demonstrative of this principle. At bottom, OFAC had different expectations for the companies, even though each was subject to an enforcement action.
On April 21, 2022, OFAC announced that Chisu International Corporation (Chisu), a Florida-based corporation affiliated with a Suriname-based distributor of explosives, agreed to pay $45,908 to settle its potential civil liability for apparent violations of the Cuban Assets Control Regulations. In 2016 and 2017, Chisu purchased Cuban-origin explosives and explosive accessories from a third-party vendor for a mining project in Suriname, knowing the goods were of Cuban origin. Though Chisu failed to voluntarily self-disclose the violation and the transaction value was nearly $700,000, the monetary penalty was not even a quarter of the maximum amount. OFAC recognized that while Chisu failed to exercise a minimal degree of caution or care in procuring Cuban-origin goods and had no compliance program in place, the company is very small and run largely by a single individual. In this case, Chisu's small size and localized operations were viewed as a mitigating factor.
On the other hand, on April 25, 2022, OFAC announced that Toll Holdings Limited (Toll Holdings), an international freight forwarding and logistics company headquartered in Melbourne, Australia, agreed to pay $6,131,855 to settle its potential civil liability for 2,958 apparent violations of multiple OFAC sanctions programs. The widespread violations occurred when Toll Holdings originated or received payments through the U.S. financial system involving sanctioned jurisdictions and persons. These payments were in connection with sea, air and rail shipments conducted by Toll Holdings, its affiliates and suppliers to, from or through North Korea, Iran and Syria, or the property or interests in property of an entity on the SDN List. Unlike Chisu, Toll Holdings is a large company with thousands of employees and a substantial global footprint. Toll Holdings had a sanctions compliance program in place, but it failed to meet the burden created by the company's growing and complicated international business operations. Additionally, after learning of potential sanctions violations in May 2015, Toll Holdings did not take immediate steps to address its continuing risks of transactions with sanctioned entities. Despite voluntarily disclosing the violations to OFAC, Toll Holdings faced a significant penalty reflective of the imbalance between the company's high-risk profile and its comparatively weak compliance program.
Lesson 4 – Schematics and Sketches and CAD Files, Oh, My! The Export Administration Regulations and Related Licensing Requirements Apply to Technical Drawings and Blueprints
On June 7, 2022, BIS issued a temporary denial order (TDO) against three U.S. companies – Quicksilver Manufacturing Inc. (Quicksilver), Rapid Cut LLC (Rapid Cut) and US Prototype Inc. (US Prototype) – for violations of the Export Administration Regulations (EAR). The TDO, which suspends Quicksilver, Rapid Cut and US Prototypes' export privileges for 180 days, comes in response to the three companies' illegal export of technical drawings and 3-D graphic and computer-aided design (CAD) files. The files were controlled for export and either subject to the EAR with a presumption of denial licensing policy for China or listed on the U.S. Munitions List (USML). Quicksilver, Rapid Cut and US Prototype were involved in the provision of drawings and design files for satellite parts and rocket platform testing equipment to a Chinese entity for manufacturing. BIS renewed the TDO against Quicksilver, Rapid Cut and US Prototype on Dec. 5, 2022, finding that the export compliance failures are broader in scope than originally revealed at the time of the June 2022 TDO.
In this case, BIS makes clear its propensity to protect U.S. space and defense technologies in all stages of the development process – including the prototype phase – especially when Chinese end-users are involved. Businesses should remember that U.S. export control laws extend not only to the export of physical goods but also to the export and re-export (including deemed export) of software, technology and certain services. Through this enforcement action, BIS has demonstrated that technical drawings and blueprints are perfect examples of what must be carefully guarded.
Lesson 5 – Russia-Related Restrictions Go Global: BIS Is Targeting Non-U.S. Businesses Under U.S. Export Control Jurisdiction
BIS has prohibited the export to Russia of virtually all controlled goods subject to U.S. export jurisdiction, including civil aircraft and associated parts. Between March and December 2022, BIS began identifying aircraft operated by Russian airlines that have flown internationally in violation of the EAR and issued TDOs against 10 Russian and Belarusian airlines, placing them on the Denied Persons List. Such listing makes it harder for the entities to surreptitiously obtain civil aircraft parts to support the aircraft. The airlines in question operated passenger or cargo flights on aircraft subject to the EAR into and out of Russia. The issuance of a TDO is one of the most significant civil sanctions under the EAR and highlights BIS's heightened focus on enforcement against Russian and Belarusian airlines viewed as fueling Russian President Vladimir Putin's war effort. The agency continues to prioritize cutting off Russia's access to the goods, technologies and capital needed to wage its war.
BIS has identified Airbus aircraft as having operated in violation of the EAR pursuant to its de minimis rules (e.g., asserting jurisdiction over these foreign-manufactured aircraft because they contain more than 25 percent U.S.-controlled content by value, namely U.S.-origin engines or avionics). Generally, any foreign-produced item that incorporates more than 25 percent by value of controlled U.S.-origin content is subject to the EAR.1
Lesson 6 – Companies Exporting Defense Articles to Ukraine Should Prepare for Enhanced U.S. Government End-Use Monitoring Measures
Since Russia invaded Ukraine in February 2022, the U.S. government and its allies have accelerated security assistance to Ukraine at a historic pace to ensure Ukraine is able to defend its borders, both through the provision of conventional weapons and other defense articles. During the second half of 2022, the Biden Administration took steps to enhance oversight of defense articles transferred to Ukraine and limit the potential illicit diversion to Russia's forces, Russia's proxies and non-state actors.
On Oct. 27, 2022, the U.S. Department of State released the U.S. Plan to Counter Illicit Diversion of Certain Advanced Conventional Weapons in Eastern Europe. Through implementation of the plan, the State Department intends to safeguard and account for arms and munitions in Ukraine and neighboring countries when they are transferred, stored and deployed; enhance regional border management and security; and build the capacity of security forces, law enforcement and border control agencies in the region.
The State Department's approach includes regional border security information-sharing and collaboration related to sanctions and export control implementation; targeting and risk analysis; and observed tactics, techniques and procedures along key border areas. While this plan is focused predominantly on federal security assistance, the State Department has made clear that a near-term action in 2023 involves scrutinizing requests to transfer defense articles to Ukraine on a case-by-case basis to screen for parties that may pose an unacceptable risk of diversion. Accordingly, private companies exporting defense articles and other items subject to the International Traffic in Arms Regulations (ITAR) to Ukraine should be mindful of guidance from DDTC and other Trade Agencies and comprehensively review and update their end-use and end-user monitoring procedures.
Lesson 7 – Compliance Must Keep Pace with Technological Innovation: Companies Should Leverage Geographic Information to Identify Transactions Involving Sanctioned Jurisdictions
On Sept. 30, 2022, OFAC announced a $116,048.60 settlement with Tango Card Inc., a Seattle-based supplier and distributor of stored-valued cards used by businesses to support their customer loyalty and employee rewards programs. OFAC found that, though Tango Card used geolocation tools to identify transactions involving countries at high risk for suspected fraud and had OFAC screening and know-your-customer (KYC) mechanisms around its direct customers, it did not use those controls to identify whether recipients of rewards, as opposed to senders of rewards, might involve sanctioned jurisdictions. As a result of deficient geolocation identification processes, Tango Card transmitted at least 27,720 stored value products to individuals with Internet Protocol (IP) and email addresses associated with Cuba, Iran, Syria, North Korea and the Crimea region of Ukraine.
In this case, OFAC makes clear that geoblocking and other appropriate geolocation tools are only part of an effective, risk-based sanctions compliance program. Contractual obligations mandating customers to comply with sanctions regulations and other sanctions compliance controls can help companies, especially those that utilize novel payment technologies such as instant payment systems to mitigate evolving risk.
Lesson 8 – Enforcement Can Be Preventative in Nature
Though BIS often takes enforcement action against companies after alleged violations, TDOs can also be issued before a violation technically occurs. Specifically, BIS may issue an order temporarily denying a respondent's export privileges upon showing that the order is necessary in the public interest to prevent an "imminent violation" of the EAR. On Aug. 26, 2022, BIS requested the issuance of a TDO denying, for a period of 180 days, the export privileges under the EAR of Hans De Geetere of Belgium and his company Knokke-Heist Support Corporation Management, also known as Hasa-Invest (Knokke-Heist).
According to BIS, the Office of Export Enforcement's (OEE) request was based among other things, upon facts indicating that De Geetere engaged in conduct prohibited by the EAR by acquiring or attempting to acquire under false pretenses accelerometers, which are items subject to the EAR, from the United States on behalf of prohibited end-users or for prohibited end-uses in China, by falsely asserting to U.S. companies that the end-user was a Belgian government agency.
The use of accelerometers by the aerospace and defense industries, as well as false statements made by De Geetere and Knokke-Heist to U.S. companies to obtain the items, raised significant concerns of future violations absent the issuance of a TDO. The action comes as BIS and the Biden Administration have prioritized competition with China and instituted a number of policies aimed at preventing Chinese end-users from obtaining access to certain U.S.-origin technologies.
Lesson 9 – Crypto Cops: The Global Virtual Currency Sector Is a Priority for OFAC
On Oct. 11, 2022, OFAC and the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) announced parallel enforcement actions against virtual currency exchange Bittrex Inc.2 Bittrex, a Bellevue, Washington-based company that offers cryptocurrency exchange services, agreed to pay OFAC more than $24.28 million to settle its potential civil liability for 116,421 apparent violations of multiple sanctions programs. Bittrex also agreed to pay $29 million to FinCEN for violations of the Bank Secrecy Act. Bittrex's settlement marks OFAC's largest virtual currency enforcement action to date.
Despite offering services to a global network of customers, Bittrex operated without a sanctions compliance program between March 2014 and February 2016. Though Bittrex retained a third-party sanctions screening vendor in February 2016, the vendor only screened transactions through OFAC's SDN List, failing to consider any additional connections to jurisdictions subject to more comprehensive sanctions programs. OFAC determined that as a result of the deficiencies in Bittrex's sanctions compliance procedures, the company processed more than $263 million in virtual currency-related transactions involving persons apparently located in the Crimea region of Ukraine as well as Cuba, Iran, Sudan and Syria between March 2014 and December 2017.
OFAC's action against Bittrex sends a clear message to companies in the cryptocurrency sector that OFAC expects U.S. and non-U.S. companies that engage in U.S. nexus transactions to have robust sanctions screening procedures in place. Companies that utilize third-party software for sanctions screening should periodically review their systems to ensure that they are flagging customers or transactions in sanctioned jurisdictions, not merely screening against prohibited parties lists like the SDN List.
OFAC's focus on virtual currency-related enforcement did not end with Bittrex. On Nov. 28, 2022, OFAC announced a more than $362,000 settlement with Payward Inc. d/b/a Kraken (Kraken), a U.S.-based cryptocurrency exchange and bank.3 The settlement resolved 826 transactions with persons with internet protocol (IP) addresses in Iran.
As cryptocurrencies and other digital assets grow in popularity, businesses should expect continued scrutiny from OFAC and the wider Treasury Department. While virtual currencies present enormous opportunity for businesses, the U.S. government increasingly views such digital assets as high risk for sanctions evasion and expects sanctions compliance programs commensurate to this risk.
Lesson 10 – Implement an Iterative Approach to Trade Compliance: Internal Controls for Businesses Should Evolve to Mitigate New Risks
The actions discussed above make clear that the Trade Agencies' enforcement priorities are constantly shifting to meet the demands of new sanctions and export controls. Likewise, the Biden Administration continues to respond to evolving national security concerns, particularly regarding Russia's war in Ukraine, technological and economic competition with China and global human rights abuses. As such, OFAC, BIS and DDTC expect businesses to update their trade compliance programs to meet this new burden. U.S. and non-U.S. companies alike, regardless of their size and geographic footprint, should routinely evaluate the effectiveness of their compliance procedures and consider expanding internal controls. This could include the utilization of enhanced screening and due diligence procedures (to include tracing organizational structures to the ultimate beneficial owners), robust contractual provisions focused on trade compliance, deployment of technological solutions like geo-IP blocking and improved implementation of existing programs through training and auditing.