Two recent developments illustrate the importance of adaptable and decisive OFAC compliance programs.  The first development was President Obama's August 17, 2011 Executive Order 13582, which considerably tightened U.S. sanctions against Syria.  And on August 25, 2011, OFAC announced an $88.3 million settlement with JPMorgan Chase Bank, arising from alleged violations of several OFAC-administered regulations.  The new Syrian sanctions and the JPMC settlement highlight two different facets of OFAC compliance:  predictive risk analysis on the one hand, and crisis response on the other.  

Syrian Sanctions

President Obama signed Executive Order 13582, Blocking Property of the Government of Syria and Prohibiting Certain Transactions With Respect to Syria, on August 17, 2011.  The Executive Order tightened sanctions through blocking of all Syrian government property subject to U.S. jurisdiction.  Additionally, Executive Order 13582 announced several additional measures, including prohibitions on new investment in Syria; a prohibition on export or re-export of services to Syria; and provisions specifically targeting the Syrian petroleum industry.  The Executive Order also included a "facilitation" provision, which reaches U.S. involvement in foreign transactions, similar to the Iranian Transactions Regulations.[1] 

The new Executive Order is the third in a series of orders that have increasingly restricted dealings with Syria.  The first, Executive Order 13572, of April 20, 2011, directed blocking the property of persons associated with human rights abuses, but did not specifically target Syrian President Bashar Al-Assad or the Syrian government.  The second, Executive Order 13573, of May 18, 2011, extended blocking sanctions to President Assad and his government.  Recently-issued Executive Order 13582 is the third step in evolving U.S. sanctions against Syria.  Rather than blocking specific persons and entities, President Obama's new Executive Order more closely approaches an embargo on dealings with Syria, with narrow carve-outs granted under OFAC General Licenses 1 through 6, which were issued on August 18, 2011.[2]  

Developments in Syrian sanctions over 2011 not only reinforces the requirement to be prepared to react to change, but the Syrian example also offers an opportunity to consider how compliance programs might use risk assessment to predict next steps.  For example, after Syria failed to respond to earlier sanctions, the most recent sanctions might be seen as a likely possible outcome.  Although the exact contours of the unfolding "Arab Spring" could not be predicted in advance, businesses that deal in Syrian accounts, or that provide services to Syria, might have developed "what-if" scenarios, and worked through them within their compliance departments, and with counsel, if required.  Prior consideration permits better opportunity to execute a well-thought out response plan, rather than merely to react when sanctions change. 

JPMorgan Chase Bank, N.A. Settlement

JPMC agreed to settle potential civil liability for alleged violations of numerous OFAC sanctions programs, agreeing to a civil penalty of $88.3 million.[3]

Egregious Conduct:  OFAC cited "egregious" conduct regarding alleged violations of the Cuban Assets Control Regulations,[4] Weapons of Mass Destruction Proliferators Sanctions Regulations,[5] and OFAC's Reporting, Procedures, and Penalties Regulations[6]

Cuba:  JPMC processed over 1,700 wire transfers totaling approximately $178.5 million involving Cuban persons, in alleged violation of the CACR.  According to OFAC, the transactions occurred after another U.S. financial institution alerted JPMC that JPMC might be processing Cuban-related transactions through one of its correspondent accounts.  Although JPMC's internal investigation, reported to managers, confirmed the performance of Cuban-related transactions, OFAC stated that JPMC did not voluntarily self-disclose the prior transactions, nor take steps to prevent recurrence of similar transactions.  According to OFAC, the transfers conveyed considerable economic benefit to sanctioned persons.  The base penalty for this set of alleged violations was $111,215,000.

WMD Sanctions:  OFAC's Civil Penalties Information release stated that JPMC recognized a potential violation almost immediately after the bank made a trade loan for approximately $2.9 million in December 2009.  OFAC stated, however, that JPMC did not mail its voluntary self-disclosure until March 2010, three days prior to the date on which JPMC received repayment for the loan.  OFAC also stated that JPMC also failed to respond promptly and completely to an OFAC administrative subpoena seeking information regarding the trade loan.  Even with the delay and alleged lack of responsiveness, however, OFAC did determine that JPMC made a voluntary self-disclosure of this alleged violation, with a base penalty of $2,941,838.

Reporting Provisions:  OFAC issued JPMC an administrative subpoena, pursuant to section 501.602 of the RPPR, directing JPMC to provide certain specified documents related to a specific wire transfer referencing "Khartoum."  The Civil Penalties Information notice related that JPMC compliance management failed to produce several responsive documents in JPMC's possession.  OFAC also stated that it ultimately provided JPMC with a list of multiple responsive documents that OFAC had reason to believe were in JPMC's possession, based on communications with a third-party financial institution.  JPMC subsequently produced more than 20 responsive documents, and corrected prior statements that the bank possessed no additional responsive documents.  OFAC concluded that JPMC did not voluntarily self-disclose the alleged violation of the RPPT, and set a base penalty of $250,000.

Summary Regarding Egregious Conduct:  In reaching its determination that the above-mentioned alleged violations were egregious due to reckless acts or omissions, OFAC cited JPMC's size and sophistication.  OFAC also noted that JPMC managers and supervisors acted with knowledge of the conduct constituting the alleged violations, and recklessly failed to exercise a minimal degree of caution or care with respect to JPMC's U.S. sanctions obligations.

Mitigation:

OFAC mitigated the total potential penalty based on JPMC's substantial cooperation, including conducting an historical transaction review at OFAC's request and entering into tolling agreements with OFAC, and the fact that OFAC had not issued a Penalty Notice or Finding of Violation against JPMC in the five years preceding the transactions at issue.  JPMC's agreement to settle the alleged violations was also a mitigating factor.

Summary: 

Properly considered, compliance programs are risk-analysis tools that permit businesses to maximize value within legal boundaries.  Timeliness in both disclosing alleged violations and in implementing internal corrective measures are both relevant in characterizing whether OFAC will consider alleged violations to be egregious.  Gibson Dunn attorneys Judith Lee and James Doody discuss the usefulness of pre-planned responses in risk-based compliance program in their recent article in The Review of Banking & Financial Services, "OFAC:  The Little Agency with a Big Bite."  The article, which also reviews severity and mitigation in OFAC enforcement over the past few years, is available here

The new Syrian sanctions evolved as the U.S. administration added torque to tighten the screws on the Bashar al Assad regime.  Although not completely predictable, the recent sanctions would have been a reasonably probable outcome of a forward-looking decision tree.  Forward-looking assessment permits businesses to plan their response strategies.  An agile, risk-based compliance program might also yield insight regarding future opportunities.  For example, recent events in Libya that signal the possible end of the Qaddhafi regime may portend future changes in U.S. sanctions programs.  While "crisis management" is never completely avoidable, planning minimizes the likelihood of error.  Planning may also create business value, by reducing the pressure to choose an unnecessarily conservative business decision, made without the benefit of analysis, in a short-notice situation.  Finally, a risk-based approach also permits business leaders to develop response strategies to be employed when alleged violations occur. 

The JPMC matter shows the value of developing response strategies in advance.  OFAC's statement regarding JPMC is helpful to illustrate the factors that OFAC evaluates when determining what conduct amplifies or mitigates the impact of alleged violations.  Businesses, especially large entities with extensive customer networks and numerous points of contact to the global financial system, will likely come upon alleged violations sometime in a long series of transactions.  Advance planning allows responses that minimize both business disruption and financial penalty (to include the legal fees that accompany drawn out investigations).