On February 26, 2020, the Office of Foreign Assets Control (OFAC) announced a $7,829,640 settlement with Switzerland-based Société Internationale de Télécommunications Aéronautiques (SITA) for 9,256 violations of the Global Terrorism Sanctions Regulations (GTSR). The settlement, which concerns SITA’s provision of computer services and software subject to U.S. jurisdiction for the benefit of sanctioned airlines, is the latest OFAC enforcement action to highlight the importance of sanctions compliance for software and digital service providers inside and outside the United States.

The takeaway: Non-U.S. providers of software and digital services should avoid the provision of U.S.-origin products or the involvement of U.S.-based infrastructure or subsidiaries in activities with U.S.-sanctioned customers and territories, unless licensed under, or exempted from, OFAC regulations.

High-Risk Customers

SITA provides telecommunications and IT services to civilian airlines, including reservation, flight operations, baggage and cargo handling, and messaging services, among others. According to the OFAC settlement notice, some of SITA’s services “are provided from or supported in the United States,” including servers operated by SITA’s U.S.-based subsidiary.

From April 2013 to February 2018, SITA operated three services that “benefited the . . . airlines, directly or indirectly” and which relied on data processing or servers located in the United States or U.S.-origin software. Prior to the initiation of OFAC’s investigation, SITA took steps to reduce its exposure to the SDGT airlines, including by reviewing contracts and terminating some services other than the three services at issue in the settlement.

Digital Jurisdiction

In its settlement notice, OFAC explained its enforcement jurisdiction as follows: “These services and software were subject to U.S. jurisdiction because they were provided from, or transited through, the United States or involved the provision of U.S.-origin software with knowledge that customers designated as SDGTs would benefit from the use of that software.” (Emphasis added.)

Rather than giving SITA credit for having reduced its exposure to the SDGT airlines, OFAC appears to have taken the opposite position —that these moves showed that the company had “actual knowledge” that they were providing the remaining services and software directly or indirectly for the benefit of the SDGTs. In other words, the SITA settlement does not appear to be a case in which sanctioned persons accessed online services unbeknownst to the provider.

While the basis for OFAC’s jurisdiction over U.S.-origin software is not fully elaborated, the settlement appears to reflect a view that dealings in US-origin software outside the United States may be viewed as involving US persons for the purposes of the GTSR.

Although not directly at issue in the case, the settlement may also raise questions about the limits of OFAC’s so-called “inventory exception” under the Iranian Transactions and Sanctions Regulations (ITSR), which, in summary, permits non-U.S. distributors to provide some U.S.-origin products and services to sanctioned persons or territories, where the U.S.-origin goods or services were not obtained specifically or predominantly for that purpose. As shown in other cases, such as OFAC’s settlement with California-based Epsilon Electronics, OFAC may view the inventory exception as not applying where an enforcement target knew or should have known of the involvement of sanctioned customers or territories when engaging in exports from the United States.

Compliance and Technology

Like non-U.S. financial institutions, software and digital service providers can face considerable OFAC risks owing to the complexity of data networks with a potential nexus to the United States and the difficulty of identifying particular parties or other details of high frequency of online transactions for the purpose of sanctions compliance screening.

For example, in November 2015, a California-based company paid $38,930 to settle violations involving web-based software sold by a UK subsidiary to customers in Iran, Sudan, and Syria. In January 2017, a Canadian financial institution received a finding of violation of OFAC’s Iran and Cuba sanctions regulations in relation to online services provided through a Luxembourg-based subsidiary. In November 2019, a U.S.-based technology company paid $466,912 to settle violations of the Foreign Narcotics Kingpin Sanctions Regulations for providing online services to a Specially Designated National (SDN) based in Slovenia.

U.S. technology companies and non-U.S. companies that rely on U.S.-origin software or digital infrastructure in the United States are advised to implement risk-based sanctions compliance programs incorporating, at a minimum, name screening controls to identify sanctioned customers (including any ultimate or beneficial owners) and, to the extent possible, geographical (e.g., country code top-level domain or IP address) screening to identify users located in or otherwise affiliated with territories subject to U.S. comprehensive sanctions (i.e., Crimea, Cuba, Iran, North Korea, and Syria).

The statutory maximum civil monetary penalty applicable in SITA’s case was approximately $2.45 billion. The final penalty reflects OFAC’s determination that the case was “non-egregious” and the agency’s assessment of various mitigating factors, including SITA’s “extensive remedial efforts and enhancements to its compliance program,” and that SITA terminated its relationships with the SDGT airlines.