When creating or enhancing a U.S. economic sanctions compliance program, businesses will typically refer to certain published guidance from the U.S. Government that may include the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) A Framework for OFAC Compliance (“Compliance Framework”), the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs (Updated March 2023), and/or the U.S. Federal Sentencing Guidelines for Organizations’ section 8B2.1’s Effective Compliance and Ethics Programs. However, while these publications may serve as helpful high-level outlines to follow, they don’t provide specific guidance for businesses based on their respective size, industry, customer-base, supply chain, products/services, relevant geographical locations, and other operational idiosyncrasies.

With the countless varieties of potential sanctions risks businesses can face, the ever-changing laws and regulations, and the evolving nature of relevant internal compliance controls that can be implemented, it would be a monumental feat to create an “off the shelf” sanctions compliance program. The risk profiles of a cryptocurrency exchange, an international shipping and logistics company, and a U.S. lobbying firm are going to be very different from one another. As OFAC cautions in its Compliance Framework, there is indeed no “one-size-fits all” risk assessment. Once a business does undergo its own sanctions risk assessment, it must then also concern itself with tailoring and implementing internal controls specific to mitigating all its identified risks.

While customizing relevant sanctions compliance controls, one major difficulty faced by businesses is determining what specific control(s) to implement for each risk area. For example, questions that businesses’ compliance professionals may be asking themselves once they’ve conducted a risk assessment include: “how should we manage sanctions-related training?”; “how should we prevent the diversion of exported goods and services to prohibited end-users and destinations?”; “how should we calibrate our third-party screening tool?” Unfortunately, answering such questions can feel like a guessing game, as OFAC is unlikely to provide anyone with a specific answer (and who can blame them?).

As a result, compliance professionals attempt to benchmark for the right answer by: (1) relying on their own professional experiences in dealing with other businesses’ compliance programs; (2) conferring with other experienced compliance professionals in their network; and/or (3) retaining the services of external professionals who can provide insight based on their experiences in supporting other similar businesses’ compliance programs. However, OFAC’s published civil enforcement actions are another valuable resource often overlooked for benchmarking purposes.

OFAC has been publishing certain civil penalty enforcement information since 2003, when it amended its own regulations to do so (See, 31 C.F.R. § 501.805(d)). What started as periodically published spreadsheets with very limited amounts of information related to persons subject to civil enforcement actions, has since evolved into individualized enforcement action publications providing many useful compliance data points. Specifically, as of 2018 OFAC has regularly detailed the lessons to be learned from a respective enforcement action, while also including comprehensive details on the subject’s specific compliance failures and corresponding remedial measures implemented.

These additional data points can provide sanctions compliance professionals with more than 4 years of useful compliance information, which are readily available on OFAC’s Civil Penalties and Enforcement Information web-page. Here are three hypothetical scenarios to help illustrate the utility of these published enforcement actions for compliance benchmarking purposes, even across industries:

Example 1: Use of Geolocation Blocking Controls

Based on your most recent risk assessment you identify that your internet-based business operations are susceptible to the inadvertent supply of services to comprehensively U.S. sanctioned and embargoed countries/regions such as Iran, North Korea, Cuba, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine, even though your company prohibits dealings with these destinations as a matter of policy. Sifting through OFAC’s prior enforcement actions you will be able to identify similar compliance gaps that facilitated numerous apparent violations—with 4 such actions in 2022 alone—and how IP address screening and geolocation controls were implemented as a remediating measure to help identify and block sanctioned countries/regions moving forward. Several such actions involved digital currency and payment service providers (See e.g., Bittrex, Inc. (Oct. 11, 2022); Kraken Inc. (Nov. 28, 2022)), as well as businesses operating in various other industries (See e.g., Airbnb Payments (Jan. 3, 2022); Tango Card, Inc. (Sept. 30, 2022)).

Example 2: Anti-Diversion Controls

Your business engages in the leasing of aircraft engines, and is unclear what compliance measures it should put in place after the point-of-sale, if any. In OFAC’s enforcement action against Apollo Aviation Group, LLC (Nov. 7, 2019), the company was alleged to have violated the since rescinded Sudanese Sanctions Regulations when it initially leased certain aircraft engines to an U.A.E. entity that were then subleased to a Ukrainian airline, who later installed them on an aircraft it had wet leased to then sanctioned Sudan Airways. Although Apollo’s lease agreements with the U.A.E. entity included a U.S. sanctions compliance clause, OFAC reprimanded Apollo for not having obtained a U.S. law export compliance certificate from lessees and any sub-lessees during the lease term, and found that it had otherwise failed to monitor/verify adherence to the compliance clause. Nevertheless, OFAC noted that Apollo had remediated the underlying compliance issue, in part, by obtaining U.S. law export compliance certificates both from lessees and any sub-lessees moving forward.  

Example 3: U.S. Sanctions Risks for Foreign Entities

Your business is a Turkish entity with no connections to the United States, including no U.S. persons involved in its ownership or control structure, and having no U.S. person employees or third-party agents. Your business’s operations are limited to the sale and export of Turkish-origin agricultural commodities. Even though it appears there is no U.S.-nexus in your business’s overall operations, you are unclear if you still need to comply with OFAC administered sanctions programs. 

Looking at past OFAC enforcement actions, the agency has increasingly targeted non-U.S. businesses that have engaged with its sanctioned targets, which violated applicable regulations in the process by causing U.S. persons to engage in prohibited transactions. In short, this is because the statutory basis for most OFAC administered sanctions programs—the International Emergency Economic Powers Act (“IEEPA”)—makes it unlawful for any person (U.S. or not) to cause a violation to occur of any orders, regulations, or prohibitions issued pursuant to the statute’s otherwise broad authority. See, 50 U.S.C. § 1705(a). Accordingly, the agency has penalized non-U.S. businesses where the financial transactions underlying their commercial activity with an OFAC sanctioned target was indirectly processed through a U.S. financial institution or otherwise involved a foreign branch of a U.S. financial institution, violating applicable OFAC regulations by causing U.S. financial institutions to inadvertently export prohibited financial services to the sanctioned target. 

The remedial actions undertaken by the non-U.S. person businesses in these enforcement actions ranged from the implementation of their very first OFAC sanctions compliance program (See e.g., Godfrey Phillips India Limited (March 1, 2023)), to significant overhauls of their existing sanctions compliance programs (See e.g., Sojitz (Hong Kong) Limited (Jan. 11, 2022); Toll Holdings Limited (April 25, 2022), to adequately account for potential U.S. sanctions risks. For example, in Toll Holdings Ltd., OFAC acknowledged the company conducting a risk-mapping exercise to identify the root causes of the compliance lapses before instituting appropriate remedial measures and targeted controls detailed therein. 

There are countless other sanctions compliance risk and control parallels that can be drawn from OFAC’s published enforcement history. Although it may feel impossible to be able to identify the perfect controls and live in a risk free (sanctions) world, reference to such history in your compliance can be a very useful benchmarking tool.

The author of this blog post is Kian Meshkat, an attorney specializing in U.S. economic sanctions and export controls matters. If you have any questions please contact him at [email protected].