Benchmarking OFAC Enforcement Actions for Sanctions Compliance

Benchmarking Sanctions Compliance

When creating or enhancing a U.S. economic sanctions compliance program, businesses will typically refer to certain published guidance from the U.S. Government that may include the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) A Framework for OFAC Compliance (“Compliance Framework”), the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs (Updated March 2023), and/or the U.S. Federal Sentencing Guidelines for Organizations’ section 8B2.1’s Effective Compliance and Ethics Programs. However, while these publications may serve as helpful high-level outlines to follow, they don’t provide specific guidance for businesses based on their respective size, industry, customer-base, supply chain, products/services, relevant geographical locations, and other operational idiosyncrasies.

With the countless varieties of potential sanctions risks businesses can face, the ever-changing laws and regulations, and the evolving nature of relevant internal compliance controls that can be implemented, it would be a monumental feat to create an “off the shelf” sanctions compliance program. The risk profiles of a cryptocurrency exchange, an international shipping and logistics company, and a U.S. lobbying firm are going to be very different from one another. As OFAC cautions in its Compliance Framework, there is indeed no “one-size-fits all” risk assessment. Once a business does undergo its own sanctions risk assessment, it must then also concern itself with tailoring and implementing internal controls specific to mitigating all its identified risks.

While customizing relevant sanctions compliance controls, one major difficulty faced by businesses is determining what specific control(s) to implement for each risk area. For example, questions that businesses’ compliance professionals may be asking themselves once they’ve conducted a risk assessment include: “how should we manage sanctions-related training?”; “how should we prevent the diversion of exported goods and services to prohibited end-users and destinations?”; “how should we calibrate our third-party screening tool?” Unfortunately, answering such questions can feel like a guessing game, as OFAC is unlikely to provide anyone with a specific answer (and who can blame them?).

As a result, compliance professionals attempt to benchmark for the right answer by: (1) relying on their own professional experiences in dealing with other businesses’ compliance programs; (2) conferring with other experienced compliance professionals in their network; and/or (3) retaining the services of external professionals who can provide insight based on their experiences in supporting other similar businesses’ compliance programs. However, OFAC’s published civil enforcement actions are another valuable resource often overlooked for benchmarking purposes.

OFAC has been publishing certain civil penalty enforcement information since 2003, when it amended its own regulations to do so (See, 31 C.F.R. § 501.805(d)). What started as periodically published spreadsheets with very limited amounts of information related to persons subject to civil enforcement actions, has since evolved into individualized enforcement action publications providing many useful compliance data points. Specifically, as of 2018 OFAC has regularly detailed the lessons to be learned from a respective enforcement action, while also including comprehensive details on the subject’s specific compliance failures and corresponding remedial measures implemented.

These additional data points can provide sanctions compliance professionals with more than 4 years of useful compliance information, which are readily available on OFAC’s Civil Penalties and Enforcement Information web-page. Here are three hypothetical scenarios to help illustrate the utility of these published enforcement actions for compliance benchmarking purposes, even across industries:

Example 1: Use of Geolocation Blocking Controls

Based on your most recent risk assessment you identify that your internet-based business operations are susceptible to the inadvertent supply of services to comprehensively U.S. sanctioned and embargoed countries/regions such as Iran, North Korea, Cuba, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine, even though your company prohibits dealings with these destinations as a matter of policy. Sifting through OFAC’s prior enforcement actions you will be able to identify similar compliance gaps that facilitated numerous apparent violations—with 4 such actions in 2022 alone—and how IP address screening and geolocation controls were implemented as a remediating measure to help identify and block sanctioned countries/regions moving forward. Several such actions involved digital currency and payment service providers (See e.g.Bittrex, Inc. (Oct. 11, 2022); Kraken Inc. (Nov. 28, 2022)), as well as businesses operating in various other industries (See e.g.Airbnb Payments (Jan. 3, 2022); Tango Card, Inc. (Sept. 30, 2022)).

Example 2: Anti-Diversion Controls

Your business engages in the leasing of aircraft engines, and is unclear what compliance measures it should put in place after the point-of-sale, if any. In OFAC’s enforcement action against Apollo Aviation Group, LLC (Nov. 7, 2019), the company was alleged to have violated the since rescinded Sudanese Sanctions Regulations when it initially leased certain aircraft engines to an U.A.E. entity that were then subleased to a Ukrainian airline, who later installed them on an aircraft it had wet leased to then sanctioned Sudan Airways. Although Apollo’s lease agreements with the U.A.E. entity included a U.S. sanctions compliance clause, OFAC reprimanded Apollo for not having obtained a U.S. law export compliance certificate from lessees and any sub-lessees during the lease term, and found that it had otherwise failed to monitor/verify adherence to the compliance clause. Nevertheless, OFAC noted that Apollo had remediated the underlying compliance issue, in part, by obtaining U.S. law export compliance certificates both from lessees and any sub-lessees moving forward.  

Example 3: U.S. Sanctions Risks for Foreign Entities

Your business is a Turkish entity with no connections to the United States, including no U.S. persons involved in its ownership or control structure, and having no U.S. person employees or third-party agents. Your business’s operations are limited to the sale and export of Turkish-origin agricultural commodities. Even though it appears there is no U.S.-nexus in your business’s overall operations, you are unclear if you still need to comply with OFAC administered sanctions programs. 

Looking at past OFAC enforcement actions, the agency has increasingly targeted non-U.S. businesses that have engaged with its sanctioned targets, which violated applicable regulations in the process by causing U.S. persons to engage in prohibited transactions. In short, this is because the statutory basis for most OFAC administered sanctions programs—the International Emergency Economic Powers Act (“IEEPA”)—makes it unlawful for any person (U.S. or not) to cause a violation to occur of any orders, regulations, or prohibitions issued pursuant to the statute’s otherwise broad authority. See50 U.S.C. § 1705(a). Accordingly, the agency has penalized non-U.S. businesses where the financial transactions underlying their commercial activity with an OFAC sanctioned target was indirectly processed through a U.S. financial institution or otherwise involved a foreign branch of a U.S. financial institution, violating applicable OFAC regulations by causing U.S. financial institutions to inadvertently export prohibited financial services to the sanctioned target. 

The remedial actions undertaken by the non-U.S. person businesses in these enforcement actions ranged from the implementation of their very first OFAC sanctions compliance program (See e.g.Godfrey Phillips India Limited (March 1, 2023)), to significant overhauls of their existing sanctions compliance programs (See e.g.Sojitz (Hong Kong) Limited (Jan. 11, 2022); Toll Holdings Limited (April 25, 2022), to adequately account for potential U.S. sanctions risks. For example, in Toll Holdings Ltd., OFAC acknowledged the company conducting a risk-mapping exercise to identify the root causes of the compliance lapses before instituting appropriate remedial measures and targeted controls detailed therein. 

There are countless other sanctions compliance risk and control parallels that can be drawn from OFAC’s published enforcement history. Although it may feel impossible to be able to identify the perfect controls and live in a risk free (sanctions) world, reference to such history in your compliance can be a very useful benchmarking tool.


The author of this blog post is Kian Meshkat, an attorney specializing in U.S. economic sanctions and export controls matters. If you have any questions please contact him at [email protected].

Sign up for blog updates

Please note that no such content constitutes legal advice, and the legal authorities discussed in this Blog are subject to change. By subscribing, you agree with our privacy policy and our terms of service.

More Posts

financial institutions

Banks are Busier than Ever Verifying Export Compliance

Exactly a year ago, I published an article on our blog titled Banks Are Busy Verifying Client BIS Export Licenses. With the U.S. Department of Commerce’s Bureau of Industry and Security’s (“BIS”) October 2024 issuance of Guidance for financial institutions (“FIs”) containing best practice recommendations for compliance with the Export Administration Regulations (“EAR”), 15 C.F.R. parts 730-774, it’s a good time to revisit this topic. BIS’s Guidance is effectively a warning shot to FIs that they must also take compliance with the EAR seriously—illustrating certain instances where they may be held liable for a violation—and to dispel any notions that compliance

Read More
OFAC Unblocking

Significant Changes to OFAC’s Unblocking Procedures

On October 7, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) confirmed some rather significant changes to its unblocking procedures for blocked property, which will have a notable impact on organizations’ sanctions compliance efforts. Most of these changes were initially announced in an interim final rule on May 10, 2024 and became effective as of August 8, 2024, with a fractional remainder to become effective on November 7, 2024. In this article I break down these regulatory and policy changes that are specific to the agency’s Procedures for unblocking property believed to have been blocked and

Read More

What Are OFAC’s “Secondary Sanctions” on Russia, Truly?

One concern I hear a lot from businesses outside the United States is regarding so-called  “secondary sanctions” of the United States (“U.S.”), especially since the rapid expansion of the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) Russia-related sanctions regime beginning in February 2022. For example, a typical inquiry will be something like : “Our dealings with a Russian entity do not involve the U.S. or any U.S. persons, but what about U.S. secondary sanctions?” Unfortunately for them (and myself as a sanctions attorney), OFAC has never officially defined the term “secondary sanctions” for any of its programs,

Read More

OFAC and the End of Chevron Deference: Does It Even Matter?

For better or worse, the U.S. Supreme Court has overruled Chevron v. Natural Resources Defense Council (“Chevron”), which for the last 40 years has provided many U.S. government agencies with significant leeway in interpreting the statutes they administer. One agency that perhaps didn’t bat an eye when the Court’s decision in Loper Bright Enterprises v. Raimondo (“Loper”) laid Chevron to rest, was the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), which administers U.S. economic sanctions laws and regulations. Historically, the agency has for the most part come out unscathed from a plethora of judicial disputes challenging OFAC’s agency actions on a range

Read More