The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) has significantly expanded the number of entities and individuals subject to Russia sanctions and separately censured U.S. insurance and financial institution entities for failing to keep current with OFAC’s sanctions list to prevent transactions with sanctioned parties. Economic sanctions continue to evolve as political situations change in the comprehensively sanctioned jurisdictions of Cuba, Crimea, Iran, North Korea, Sudan and Syria, as well as in countries targeted by more limited but often more complicated sanctions such as those relating to Russia, Burma/Myanmar and many other countries. The recent actions by OFAC highlight the need for continuous, active monitoring for compliance with U.S. sanctions developments by U.S. companies and non-U.S. companies with a U.S. nexus (e.g., co-investors, management, partnerships, shareholders, suppliers or service providers).
Russia Sanctions Expanded, Ivory Coast Sanctions Program Ended
Tensions between the United States and Russia remain high, and on September 1, 2016, OFAC announced expanded Russia sanctions targeting entities with a connection to existing sanctions — including entities that provided material assistance to or are owned by designated parties and 18 construction, transportation and defense entities that operate in Crimea. The European Union also announced recently the extension of Russia sanctions.
Since December 2014, OFAC has prohibited most transactions by U.S. persons and with a U.S. nexus involving Crimea following Russia’s annexation of this territory from Ukraine. A Russian shipping and logistics company, Sovfracht-Sovmortrans Group, was included in the recent designations. U.S. person dealings directly or indirectly with designated parties in general are prohibited. Affiliates of the Bank of Moscow and Gazprombank were explicitly named under more limited sectoral sanctions.
In addition, effective September 7, 2016, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) placed 86 new entries on its Entity List pursuant to U.S. sanctions on persons contributing to the situation in Crimea. Notably, several of the entities identified on the Entity List are located outside Russia or Crimea, in destinations such as Hong Kong and India. Strict export control policies are applicable to persons on the entity list, and BIS severely limits exports from the United States or from third countries of U.S. goods, data or technology to such persons.
Sanctions programs do periodically come to an end, when the political situations that prompted the sanctions are resolved or substantially subside. On September 14, 2016, U.S. sanctions targeting Côte d’Ivoire, in place since 2006, were terminated by Executive Order. Companies will want to update compliance sanctions screening and other measures to reflect that this is no longer a high-risk jurisdiction for U.S. sanctions.
Pitfalls of Failing to Update Customer Diligence
On August 2, 2016, OFAC announced its findings of U.S. economic sanctions violations for two major insurance companies. Specifically, OFAC found that these companies violated the Foreign Narcotics Kingpin Sanctions Regulations (“Kingpin Regulations”) by providing, receiving premiums and servicing health insurance policies for three individuals sanctioned under the regulations. The Kingpin Regulations target foreign narcotics traffickers and their organizations throughout the world.
One insurance company provided health insurance policies to three individuals beginning in 1992, and another company’s subsidiary served as the Third Party Administrator (“TPA”) for the individuals’ policies. Seventeen years later, in 2009, OFAC added these three individuals to the list of Specially Designated Nationals and Blocked Persons List (the “SDN List”) under the authority of the Kingpin Regulations. According to OFAC, the insurance companies were unaware of their policyholders’ designation on the SDN List because the companies “failed to implement controls and measures to ensure [they] could identify, block and report insurance policies, premiums, or claims payments in which an OFAC sanctioned person had an interest.” After the policyholders were placed on the SDN List, the companies processed and received 34 premium payments from them. The violations were only discovered when a third health insurance company began providing TPA services for the policies in question and screened for restricted parties. At that point, the two insurance companies that originally issued and serviced the policies voluntarily disclosed the violations and fully cooperated with OFAC’s investigation.
Given the companies’ valid voluntary disclosure, the relatively low value of the transactions (below $15,000), and the fact that neither company had any history of sanctions violations, OFAC’s enforcement action did not impose financial penalties. Nonetheless, the companies incurred substantial costs. Internal investigations, disclosure and remediation of these types of OFAC issues typically are costly and moreover the companies’ violations have been publicly announced.
Significantly, in its notice of findings, OFAC pointed out that the TPA had responsibility for screening the names of policyholders for sanctions compliance even though the company had not assumed financial responsibility for the policies. OFAC’s enforcement action demonstrates its expectation that companies will be thorough in developing and implementing their screening and sanctions compliance policies and practices, even if they are not the primary party in transactions with foreign persons.
On July 27, 2016, OFAC announced its finding that a bank branch office in Texas violated the Kingpin Regulations by maintaining bank accounts for two individuals placed on the SDN List. The bank accounts pre-dated the imposition of sanctions on the account holders. Nevertheless, OFAC found that the bank violated sanctions because it had not identified and blocked the accounts in question once sanctions were imposed. OFAC observed that the bank’s failure to comply with the Kingpin Regulations resulted from “a misconfiguration in the bank’s screening software . . . that prevented it from reviewing dormant or inactive accounts against additions or changes to the SDN List.” OFAC also found that bank personnel became aware of the account holders’ placement on the SDN List through a negative news report, but that the bank failed to take immediate steps to remedy the violation. In short, the bank’s compliance policies were not adequate to prevent the violation of economic sanctions.
OFAC did not impose a financial penalty on the bank because management-level employees had no knowledge of the violation, the SDN account holders did not receive any economic benefit, and the company promptly remedied the gaps in its compliance program. However, as already noted above, the process leading to a violation finding by OFAC and having the violation made public have significant costs for a company.
Take-Away Compliance Guidance
These companies’ sanctions violations provide useful guidance for practically any U.S. business:
- Compliance with OFAC sanctions is subject to strict liability, so that violations occur even where a company inadvertently engages in prohibited activity.
- It is not sufficient to screen only a subset of counterparties such as new customers. The SDN List is constantly updated and may be revised to include a company’s existing vendors, customers, or partners. Companies should regularly screen existing, as well as new, customers and other counterparties against the SDN List.
- A company cannot rely on other parties to a transaction to verify compliance with sanctions. A company that knew or should have known of a potential violation can be held liable under sanctions laws. U.S. companies should implement their own policies for screening against restricted parties.
- A business model focused on the U.S. market does not eliminate the need for active, robust sanctions compliance policy and practices. Transactions in the United States involving non-U.S. persons can result in the application of U.S. economic sanctions to business dealings.
- Periodic internal audits of compliance practices can help avoid more serious liability under U.S. sanctions laws, as well as any reputational damage. Detecting and reporting potential violations as early as possible significantly reduces exposure to U.S. economic sanctions. Reviewing compliance practices on a regular basis can prevent ongoing or repetitive sanctions violations that can result in higher penalties.
- Voluntarily disclosing violations to OFAC and fully cooperating with any follow-on investigation can greatly mitigate penalties assessed by the agency. OFAC’s guidelines specifically contemplate reduced liability for parties that self-report potential violations and assist the agency in its investigation.
This post comes to us from Kirkland & Ellis LLP. It is based on the firm’s client update, “Russia Sanctions Developments Highlight Need for Active Compliance Efforts,” dated September 15, 2016, and available here.