On August 10, 2017, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement agreement with IPSA International Services, Inc. (IPSA), a U.S. company, for apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. Part 560. OFAC alleged that IPSA had engaged in the prohibited import into the United States of Iranian-origin services on 44 separate occasions in violation of § 560.201, as well as in transactions or dealings related to Iranian-origin services by facilitating payments to providers of Iranian-origin services in violation of §§ 560.206 and 560.208. Due to its exposure to potential civil liability resulting from this conduct, IPSA agreed to settle the matter with OFAC for the sum of $259,200.

According to OFAC’s Notice, IPSA “is a global business investigative and regulatory risk mitigation firm that provides due diligence services for various countries and their citizenship by investment programs.” The conduct at issue involved two separate contracts: (1) a March 2012 contract with a third country with respect to its citizenship by investment program; and (2) an October 2012 contract between IPSA’s Canadian subsidiary and a separate third-country financial institution. Under both of the contracts, certain of the applicants for the citizenship by investment programs were Iranian nationals and – as such – required information regarding such applicants to be checked or verified inside Iran. As a result, IPSA Canada and IPSA’s Dubai-based foreign subsidiary hired subcontractors to conduct due diligence in Iran and those subcontractors appear to have hired third parties to validate information that could only be verified within Iran.

OFAC alleged that this conduct resulted in apparent violations of the ITSR. Specifically, while acknowledging that IPSA’s foreign subsidiaries “managed and performed both [contracts],” IPSA imported into the U.S. Iranian-origin services with regard to the first contract because IPSA’s foreign subsidiaries “conducted the due diligence in Iran on behalf of and for the benefit of IPSA.” Moreover, IPSA engaged in a transaction or dealing related to Iranian-origin services and facilitated its foreign subsidiaries’ engagement in such transactions or dealings by “review[ing], “approv[ing], and initiat[ing] the foreign subsidiaries’ payments to providers of the Iranian-origin services.”

This appears to be an appropriate application of the relevant law at the time of the conduct. What is less clear is why OFAC decided to impose civil liability on IPSA instead of resolving the matter in an alternate fashion, including via a cautionary letter. This is all the more the case considering the fact that IPSA is a “risk mitigation firm” engaged in the conduct of due diligence on behalf of third countries for their citizenship by investment programs. OFAC routinely notes the fact that a great majority of its investigations do not result in criminal or civil liabilities – those being reserved only for the most serious of cases. Yet, OFAC’s enforcement actions – including the one here targeted at a risk mitigation firm that was admittedly engaged in due diligence work involving Iran – betray this claim.

Most interesting, however, is OFAC’s note that “the conduct underlying the apparent violations is not eligible for OFAC authorization under existing licensing policy,” meaning, even if IPSA had requested specific license authorization to engage in the transactions discussed herein, OFAC would have denied such license request as being contrary to current U.S. licensing policy. In other words, OFAC views it as anathema to U.S. interests for U.S. companies to engage the services of third-parties to provide due diligence services in Iran – even if such services are being procured to ensure the legitimacy of Iranian counter-parties.

Such a licensing policy might have made sense at the time of the conduct, but OFAC’s Notice appears to make deliberate use of the present tense to underline the fact that its current licensing policies would prevent it from authorizing the conduct at issue. To maintain an OFAC licensing scheme under which applications for the procurement of due diligence services inside Iran to verify information regarding Iranian individuals or entities are presumptively denied makes much less sense at the present time when U.S. sanctions policy is geared towards limiting commercial interaction with certain Iranian parties – not any longer seeking to broadly fence Iran off from the world (as was true in the pre-JPOA world).

Consider, for example, the following circumstance: a U.S. company seeks to engage in lawful trade with Iran via the Personal Communications General License (GL D1) and contracts for the lawful export of certain tech goods to specific Iranian counterparties. Under current law, the U.S. company is required to take steps to ensure that it is not dealing with certain designated parties – including those that may be constructively blocked under OFAC’s 50 Percent Rule – but is limited in its ability to conduct due diligence due to the ITSR’s prohibition on the import into the United States of Iranian-origin services (i.e., the U.S. company is barred from hiring third-parties to conduct due diligence inside Iran to verify information, including information related to ownership and control of the Iranian entity). Given the available information, the U.S. company determines that the Iranian entity is not itself designated for sanctions and is not owned 50% or more by designated parties. However, unbeknownst to the U.S. company, proper due diligence inside Iran would have revealed that the Iranian entity was under the effective control of the IRGC (or, more likely, IRGC-related individuals and entities). Nothing under U.S. law may have barred the transaction, but the U.S. company nonetheless would have been unlikely to proceed with the export had it known the true identity of the Iranian entity. Doing so, moreover, would have served to the benefit of U.S. policy objectives in ensuring that the IRGC and IRGC-related individuals and entities are unable to commercially interact in a meaningful way with U.S. and foreign parties.

Yet, not only does the ITSR prohibit a U.S. company from engaging in such due diligence, OFAC’s current licensing policy would presumptively deny an application by U.S. companies to engage in such due diligence. In other words, OFAC is more comfortable with U.S. companies not having precise and accurate knowledge as to the ownership and control of a given Iranian counterparty in a lawful dealing than with U.S. companies engaging the services of third parties to confirm information regarding such Iranian counterparties inside of Iran. Frankly, that doesn’t make much sense to me, insofar as it appears to undermine U.S. policy objectives. Revisiting its current licensing policies may be a project in order.