OFAC Enforcement Indicates Sanctions List Screening Isn’t Enough

OFAC Sanctions Screening

Many businesses are of the impression that as long as their internal trade compliance controls include screening against the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) various sanctions lists—e.g., the Specially Designated Nationals and Blocked Persons (“SDN”) List—and prohibiting and interdicting any potential dealings with comprehensively embargoed jurisdictions (e.g., Iran, North Korea, Cuba, Syria, and certain regions of Ukraine), then their U.S. economic sanctions risks are adequately addressed. Unfortunately, as illustrated by two recent OFAC enforcement actions— published within a week of one another in March/April 2023—this is not necessarily the case because many OFAC administered sanctions programs also block and prohibit dealings with various individuals and entities (“persons”) without identifying them on any OFAC lists, and irrespective of their connection to a comprehensively embargoed jurisdiction. In this post we consider relevant portions of these enforcement actions, and relevant sanctions risks and  internal controls for compliance. 

In nearly all published OFAC civil enforcement actions—made publicly available since 2003—the violating party did so because it either failed to prevent dealings with a person that was actually identified on a corresponding OFAC sanctions list, and/or failed to prevent dealings involving a comprehensively embargoed country. Rarely (if at all to my memory), did the alleged violations purely stem from dealings involving a person that was subject to U.S. sanctions blocking requirements and/or prohibitions, but not otherwise identified on an OFAC sanctions list or connected to a comprehensively sanctioned country. OFAC’s enforcement actions against Uphold HQ Inc. (“Uphold”) and the Microsoft Corporation shed new light on such sanctions risks, but not so much on potentially applicable internal controls.

Persons Meeting the Definition of a Blocked Government (Uphold HQ Inc.)

Uphold—a California-based money services business—allegedly engaged in 152 total violations related to OFAC’s Iran, Cuba, and Venezuela sanctions programs. 58 of them were for transactions it processed on behalf of 2 customers who self-identified as being employees of the Government of Venezuela (“GoV”). Since its August 5, 2019 issuance, E.O. 13884 blocks, amongst other things, all property interests of the GoV that are or come within the possession or control of U.S. persons, and prohibits persons subject to U.S. jurisdiction from engaging in virtually any transactions with it. However, the Order also blocks and extends such prohibitions to any person meeting the very broad definition of the GoV, which includes: 

“…the state and Government of Venezuela, any political subdivision, agency, or instrumentality thereof, including the Central Bank of Venezuela and Petroleos de Venezuela, S.A. (PdVSA), and any person owned or controlled, directly or indirectly, by the foregoing, and any person who has acted or purported to act directly or indirectly for or on behalf of, any of the foregoing, including a member of the Maduro regime” In addition, “the term ‘Government of Venezuela’ shall not include any United States citizen, any permanent resident alien of the United States, any alien lawfully admitted to the United States, or any alien holding a valid United States visa.”

It is important to note that certain OFAC sanctions programs similarly block and broadly define other governments, with notable examples including Iran, Cuba, North Korea, and Syria. However, because these countries are also subject to comprehensive embargoes, businesses that impose blanket prohibitions and interdict potential dealings, are generally able to knock two birds with one stone for compliance purposes. This is not the case with Venezuela, which is not subject to a comprehensive embargo, meaning a lot of activity by persons subject to U.S. jurisdiction with the country are not subject to sanctions.

Where the 2 Uphold customers self-identified during its enhanced customer diligence as employees of GoV-owned PdVSA, OFAC deemed them to have satisfied E.O. 13884’s definition of GoV, and held that Uphold failed to use such information to ensure compliance with the E.O. Nevertheless, the names of these two PdVSA employees wouldn’t have appeared on any OFAC sanctions lists if Uphold had screened them. So, businesses with exposure in potentially dealing with persons that may satisfy the definition of Venezuela’s GoV should be asking themselves what relevant controls look like if simply screening relevant parties against OFAC’s sanctions lists isn’t sufficient. 

OFAC’s enforcement action doesn’t provide a clear answer, and only mentions with respect to Uphold’s Venezuela-related transactions how it has previously noted in FAQ 680 that it expects financial institutions to conduct due diligence on their own direct customers (including, for example, their ownership structure) to confirm that those customers are not persons whose property interests are blocked, such as employees of the GoV, including state-owned entities. 

OFAC’s 50 Percent Rule (Microsoft Corporation)

OFAC’s 50 Percent Rule, which is applicable to several key OFAC sanctions lists—including the SDN and Sectoral Sanctions Identifications (“SSI”) lists for example—extends relevant blocking requirements and/or prohibitions to numerous entities worldwide that aren’t themselves identified on any such lists. Under the 50 Percent Rule, any entity that is owned 50 percent or more, whether individually or in the aggregate, directly or indirectly, by any persons identified on such lists, is also blocked and/or prohibited to the same extent as the corresponding listed persons. 

In OFAC’s April 6, 2023 enforcement action against Microsoft—complemented by a separate U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) enforcement action for alleged export controls violations—certain apparently violative transactions of OFAC’s Cuba, Iran, Syria, and Ukraine-/Russia-Related sanctions programs related to various Microsoft foreign subsidiaries and their supply of services and software to sanctioned targets, included parties not specifically listed on the SDN List but that were otherwise subject to the 50 Percent Rule. In faulting Microsoft for this alleged violation, OFAC specifically noted that its “…screening against restricted-party lists did not identify parties not specifically listed on the SDN List, but owned 50 percent or more by SDNs…” So, what could Microsoft have done differently to identify parties subject to the 50 Percent Rule before doing business with them?

Again, OFAC’s enforcement action doesn’t provide a straight answer. The agency did credit Microsoft for numerous remedial measures it has undertaken to prevent related violations in the future, which included improving its research methods for potential sanctions matches by for example, deploying a multi-disciplinary internal investigative team to aid its contractors and full-time employees in reviewing and researching potential restricted-party hits. Collectively, the investigative team members are fluent or proficient in 16 foreign languages including Russian, Chinese, Farsi, and Arabic. The team researches corporate organizational documents, physical and email addresses, and various other open-source materials to identify SDNs or blocked persons, and has shared its findings with a provider of commercial restricted-party screening lists, helping to enhance the utility of those lists for other subscribers. 

Compliance Considerations

If you’re concerned about U.S. sanctions risks for inadvertent dealings with persons subject to OFAC’s 50 Percent Rule, or meeting the definition of a blocked government, then you’ve already taken your first step in the right direction. OFAC expects your business’s sanctions compliance program and its relevant policies, procedures, internal controls, and training to be risk-based. When conducting a sanctions risk assessment for your business, your overall objective should also include identifying potential areas in which your operations may directly or indirectly engage with blocked or sanctioned persons not identified on any OFAC sanctions lists or in comprehensively embargoed jurisdictions. A few examples of questions you could be asking include: 

  • What are your potential touchpoints with Venezuela generally? As well as with persons, wherever located but outside of the U.S., that may satisfy the E.O. 13884 definition of Venezuela’s GoV? This could depend on your own, your customers’, supply chain’s, intermediaries’, and counter-parties’ geographic locations, as well as the products and services you offer. For example, if you are a financial institution with a global customer base, or if you’re in the oil & gas industry (where Venezuela is a key global player), your risks are generally higher. 
  • What are your potential touchpoints with entities, wherever located, that may be owned by OFAC sanctioned parties and thereby subject to the 50 Percent Rule? For example, do you risk dealing with offshore shell company jurisdictions (e.g. British Virgin Islands, Cyprus), or countries like Russia which are subject to many U.S. sanctions authorities and where sanctioned parties are known to use corporate vehicles in obscuring otherwise sanctioned ownership interests? 

Where such risks are present, you’ll need to design and implement commensurate controls. While you don’t necessarily need to go as far as Microsoft did in deploying a multi-disciplinary internal investigative team—unless you have similar sophisticated technology operations and a global customer base as noted by OFAC—a few examples of internal controls for sanctions risks detailed in this article include: 

  • Imposing a company-wide stop-hold-review-release process for transactions involving any parties in Venezuela and/or any foreign government agencies, instrumentalities, or employees, to clear any potential U.S. sanctions risks prior to authorizing the transaction to move forward. 
  • Acquiring third-party screening tools/due diligence services that provide entity ownership information.
  • Requesting customer, vendor, or other pertinent third-party entity ultimate beneficial ownership details, and employer/government affiliations for individuals, for KYC purposes, including restricted party list screening.
  • Training employees and third-party agents on relevant red flags (e.g., refer to the recent Tri-Seal Compliance Note on Russia).

Ultimately, designing and implementing appropriate internal controls is not a straight forward process (arguably more creative in nature), and first depends on your business’s respective sanctions risks profile. The entire process should include relevant company stakeholders, as well as internal/external U.S. economic sanctions expertise.


The author of this blog post is Kian Meshkat, an attorney specializing in U.S. economic sanctions and export controls matters. If you have any questions please contact him at [email protected]. 

Sign up for blog updates

Please note that no such content constitutes legal advice, and the legal authorities discussed in this Blog are subject to change. By subscribing, you agree with our privacy policy and our terms of service.

More Posts

financial institutions

Banks are Busier than Ever Verifying Export Compliance

Exactly a year ago, I published an article on our blog titled Banks Are Busy Verifying Client BIS Export Licenses. With the U.S. Department of Commerce’s Bureau of Industry and Security’s (“BIS”) October 2024 issuance of Guidance for financial institutions (“FIs”) containing best practice recommendations for compliance with the Export Administration Regulations (“EAR”), 15 C.F.R. parts 730-774, it’s a good time to revisit this topic. BIS’s Guidance is effectively a warning shot to FIs that they must also take compliance with the EAR seriously—illustrating certain instances where they may be held liable for a violation—and to dispel any notions that compliance

Read More
OFAC Unblocking

Significant Changes to OFAC’s Unblocking Procedures

On October 7, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) confirmed some rather significant changes to its unblocking procedures for blocked property, which will have a notable impact on organizations’ sanctions compliance efforts. Most of these changes were initially announced in an interim final rule on May 10, 2024 and became effective as of August 8, 2024, with a fractional remainder to become effective on November 7, 2024. In this article I break down these regulatory and policy changes that are specific to the agency’s Procedures for unblocking property believed to have been blocked and

Read More

What Are OFAC’s “Secondary Sanctions” on Russia, Truly?

One concern I hear a lot from businesses outside the United States is regarding so-called  “secondary sanctions” of the United States (“U.S.”), especially since the rapid expansion of the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) Russia-related sanctions regime beginning in February 2022. For example, a typical inquiry will be something like : “Our dealings with a Russian entity do not involve the U.S. or any U.S. persons, but what about U.S. secondary sanctions?” Unfortunately for them (and myself as a sanctions attorney), OFAC has never officially defined the term “secondary sanctions” for any of its programs,

Read More

OFAC and the End of Chevron Deference: Does It Even Matter?

For better or worse, the U.S. Supreme Court has overruled Chevron v. Natural Resources Defense Council (“Chevron”), which for the last 40 years has provided many U.S. government agencies with significant leeway in interpreting the statutes they administer. One agency that perhaps didn’t bat an eye when the Court’s decision in Loper Bright Enterprises v. Raimondo (“Loper”) laid Chevron to rest, was the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), which administers U.S. economic sanctions laws and regulations. Historically, the agency has for the most part come out unscathed from a plethora of judicial disputes challenging OFAC’s agency actions on a range

Read More