Part II: Sanctions Enforcement Actions

Multinational Firm’s Ineffective Compliance Program Led to Sanctions Violations, OFAC Says

Danfoss committed 225 sanctions violations when it caused the U.S. bank to “facilitate prohibited financial transactions and export financial services to sanctioned jurisdictions,” OFAC said, adding that the violations in part stemmed from “deficiencies” in Danfoss’ global sanctions compliance program. Danfoss disclosed the violations to OFAC after the agency was already aware of the transactions, so OFAC didn’t give the company credit for a voluntary self-disclosure.

The Danish company’s subsidiary, United Arab Emirates-based Danfoss FZCO, sold cooling and heating equipment to customers in Sudan, Syria and Iran from November 2013 to August 2017, OFAC said. Employees at the subsidiary told customers to send payments to at least three accounts at UAE banks, including Danfoss’ U.S. branch account, the notice said. The customers used third-party agents, including “money exchangers” in non-sanctioned jurisdictions, to pay Danfoss FZCO at this account. Danfoss FZCO also used third-party payers to transfer payments from its U.S. branch account to parties in Syria and Iran, OFAC said.

The use of third-party payers “disguised the originator or beneficiary of these transactions,” the agency said, allowing the payments to slip through the bank’s “transactional screening filters." OFAC said the total value of the transfers was $16,959,683.

While OFAC said it “found no evidence” Danfoss “willfully” used the third-party payers to evade sanctions, it said Danfoss FZCO was aware since at least 2011 that using a U.S. bank to send or receive payments to and from sanctioned jurisdictions could be illegal. The agency said Danfoss FZCO “received communications” from Danfoss, “as well as from various financial institutions,” that its banking activity could give “rise to sanctions concerns, including rejected transactions.”

In one instance in 2011, OFAC said Danfoss’ U.S. bank rejected a payment connected to Iran. In another instance in 2016, the company’s compliance department found that an Iranian customer was invoiced in U.S. dollars, and compliance employees told Danfoss FZCO “such activity was impermissible,” OFAC said. “Despite these communications, Danfoss FZCO continued to use its U.S. Branch Account to collect payments from customers in sanctioned jurisdictions.”

The violations stemmed from Danfoss’ ineffective compliance program, OFAC said, adding that the company didn’t have procedures to “regularly monitor” Danfoss FZCO’s activities to look for potential sanctions issues. “As a result, Danfoss lacked the means to know when problems arose unless Danfoss FZCO proactively contacted Danfoss’ Compliance Program Manager,” OFAC said.

The agency also said Danfoss FZCO’s employees, including its regional finance director, didn’t have “substantive training” on U.S. sanctions and didn’t consult with Danfoss’ compliance program manager on the transactions. “This insufficient understanding of U.S. sanctions left the Regional Finance Director with a lack of urgency to address Danfoss FZCO’s banking issues and substantially contributed to the delay in stopping the violative transactions,” OFAC said.

The agency said the U.S. bank notified Danfoss of the sanctions violations in May 2017. Although Danfoss disclosed the violations to OFAC in October of that year, the agency already knew about the violations and “assessed that Danfoss’ submission did not qualify as a voluntary self-disclosure.”

The maximum civil penalty for Donfass was more than $71 million, but OFAC fined the company $4,379,810 due to several mitigating factors, including because the violations were non-egregious. OFAC also said Danfoss hadn’t received a penalty notice in the previous five years, was “highly cooperative” during OFAC’s investigation and took “quick action to ascertain the root causes of the conduct at issue” and implemented several new compliance controls.

The new controls included a new procedure for monitoring and documenting payments to U.S. bank accounts to “identify true originators and reject any payments that originate from a sanctioned jurisdiction.” The company also updated its export control standards and export control manual to specify the sanctions compliance roles and responsibilities of all employees and released new “documentation” to “reinforce” its employees’ understanding of U.S. export controls and sanctions. Danfoss also created a sanctions compliance manual for its UAE subsidiary to “make clear their obligations under U.S. sanctions and the risks specific to doing business in the Middle East.”

OFAC also pointed to several aggravating factors, including Danfoss’ failure to “exercise a due degree of caution or care in complying with U.S. sanctions requirements” and its failure to “recognize warning signs” it was committing sanctions violations. The company also had “actual knowledge” that it was dealing in payments with customers from sanctioned countries and “prevented the foreign branch of a U.S. financial institution from appropriately screening and rejecting these transactions.” OFAC also said Danfoss is a “commercially sophisticated entity” that serves customers in more than 100 countries.

In a Dec. 30 statement, Danfoss stressed that "no products sold were subject to sanctions or export controls" and "no evidence was found that Danfoss willfully accepted payments for the purpose of potentially evading sanctions." The company pointed to the fact that OFAC said Danfoss "took quick action to ascertain the root causes of the conduct at issue, cooperated fully with OFAC, and also adopted new and more effective internal controls and procedures to prevent a recurrence of the apparent violations." The company added that its last shipment to Iran "took place in January 2019."

The case highlights the risks for multinational companies that use the U.S. financial system for payments involving sanctioned jurisdictions, OFAC said. “Commercial activity that might not otherwise violate OFAC regulations -- such as the sale of non-U.S. goods by a non-U.S. person to an entity in an OFAC sanctioned country -- can nonetheless cause a violation when the financial transactions related to that activity are processed through or involve U.S. financial institutions,” the agency said.

OFAC said companies need to “train key staff,” including senior management, to “identify and escalate potential violations of U.S. sanctions” to compliance personnel. “It is particularly important to implement controls specific to the risks posed by the regions in which subsidiaries operate, and any risks stemming from specific business practices,” the agency said, “such as accepting payments from third parties.”

OFAC Fines Currency Exchange Kraken for Iranian Sanctions Violations

The Treasury Department fined U.S. crypto exchange Kraken $362,158.70 for violating U.S. sanctions against Iran, the agency said Nov. 28. Treasury’s Office of Foreign Assets Control said Kraken, also known as Payward, exported services to users who “appeared to be” in Iran and allows them to conduct virtual currency transactions on Kraken’s platform. The violations stemmed from Kraken’s "failure to timely implement appropriate geolocation tools, including an automated [internet protocol] address blocking system," OFAC said.

OFAC said Kraken had an anti-money laundering and sanctions compliance program, which included screening customers and reviews of IP address information during onboarding to prevent users in sanctioned jurisdictions from opening accounts. But the company didn’t “implement IP address blocking on transactional activity across its platform,” allowing account holders who established their accounts outside of sanctioned jurisdictions to access the platform from sanctioned jurisdictions at later dates.

Between October 2015 and June 2019, Kraken processed 826 transactions, totaling about $1,680,577.10, on behalf of people who appeared to have been located in Iran at the time of the transactions, OFAC said. After identifying this problem, Kraken implemented automated blocking for IP addresses linked to sanctioned jurisdictions. Kraken also implemented multiple blockchain analytics tools to assist with its sanctions monitoring, OFAC said.

OFAC said the maximum civil monetary penalty was more than $272 million, but the agency settled on a lower amount due to a range of mitigating factors, including that the violations were voluntarily self-disclosed. Other mitigating factors were that Kraken had not received a penalty notice from OFAC in the previous five years, the company cooperated with OFAC's investigation and it undertook "significant remedial measures," including agreeing to invest an additional $100,000 in more sanctions compliance controls.

Kraken also added geolocation blocking to “prevent clients in prohibited locations from accessing their accounts on Kraken’s website,” invested in more compliance training for its staff and hired a “dedicated head of sanctions” to lead its compliance program. The company also expanded its contract with its screening provider to make sure it complies with OFAC’s 50% rule, and hired another vendor to help with “identification and nationality verification.”

OFAC also pointed to an aggravating factor. It said Kraken failed to exercise "due caution or care for its sanctions compliance obligations" when, knowing it had customers worldwide, it applied its geolocation controls only at the time of onboarding. OFAC said Kraken did this “despite having reason to know based on available IP address information that transactions appear to have been conducted from Iran.”

The agency said the settlement highlights the importance of an “adequate sanctions compliance program” for companies in the virtual currency industry. The compliance program will depend on the “type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served,” OFAC said.

OFAC also stressed the importance of geolocation tools, including IP blocking and other location verification tools, to prevent users in sanctioned regions from using certain services. "In particular, limiting the use of such controls only to the time of account opening -- and not throughout the lifetime of the account or with respect to subsequent transactions -- could present sanctions risks to virtual currency-related companies,” OFAC said. Companies should also implement “robust remedial measures after becoming aware of a potential sanctions issue,” the agency said, “as well as committing to future sanctions compliance investments.”

Kraken is "pleased to have resolved this matter," said Marco Santori, the company's chief legal officer. Santori said the company had been improving its sanctions compliance procedures, including "further strengthening control systems, expanding our compliance team and enhancing training and accountability," before agreeing to the settlement. "With these enhanced systems in place," the company is in "a stronger position to continue our mission of accelerating the adoption of cryptocurrency," he said.

Puerto Rican Bank Violated Venezuela Sanctions, OFAC Says

Puerto Rico-based Nodus International Bank violated U.S. sanctions against Venezuela when it allowed an undisclosed sanctioned person to open and operate several accounts, the Office of Foreign Assets Control said Oct. 18. The bank also violated U.S. sanctions reporting regulations because it failed to maintain accurate records of its handling of the blocked property, OFAC said. The agency issued the bank a “Finding of Violation” instead of a fine due to several mitigating factors, including the fact that Nodus voluntarily disclosed the violations.

OFAC said the violations involved a person the agency added to its Specially Designated Nationals List in 2017. The person held several accounts with Nodus as well as an interest in securities issued by Nodus before the individual was designated. After learning of the designation, Nodus’s board of directors decided to sever ties with the designated individual and submitted a blocked property report to OFAC after blocking the persons’ accounts, which included two time deposit accounts, a savings account and an outstanding credit card balance.

OFAC also said Nodus, in an effort to sever ties with the sanctioned person, redeemed the blocked person’s securities and put the proceeds into a blocked account without obtaining a license from OFAC to deal in blocked property. The agency said Nodus did this despite assuring the Commissioner of Financial Institutions of Puerto Rico (OCFI) that it would apply for a license.

Nodus also, “as a result of human error,” allowed an “automatic debit from one of the blocked person’s blocked accounts in order to credit the blocked credit card account,” OFAC said. “Nodus then wrote off the balance of the blocked credit card account.”

The bank also violated OFAC’s sanctions reporting regulations when it informed the agency during OFAC's investigation that it no longer maintained access to records or communications related to the bank’s handling of the blocked property, noting that the bank’s compliance officer had left and the bank's systems had not kept records or communications of the action. Nodus submitted several “inconsistent” Annual Reports of Blocked Property to OFAC in the following years, the agency added.

OFAC said Nodus ultimately engaged in three transactions totaling over $50,000, failed to maintain records related to the handling of the blocked accounts and failed to report the blocked accounts accurately. Although the bank "failed to exercise a minimal degree of caution" and engaged in transactions involving blocked property without obtaining a license even though senior managers at the bank were aware one was needed, OFAC also said there were various mitigating factors.

OFAC noted that Nodus is a small financial institution that had not received a penalty notice from OFAC in the previous five years, the bank voluntarily self-disclosed the violations, the sanctions harm was not "significant," and Nodus took numerous remedial measures after the violations. This included hiring OFAC compliance experts to give “specialized training” to all Nodus employees, hiring an in-house lawyer to assist its compliance department and updating its practices surrounding blocked accounts. Nodus’ software provider also implemented “user controls” that require the compliance department’s approval for “any action affecting a blocked account,” OFAC said, and the bank updated its recordkeeping requirements to make sure it “maintains appropriate records related to blocked property.”

The action "emphasizes that financial institutions should properly maintain blocked property and records, report such information accurately ... and obtain a specific license ... in order to deal in blocked property," OFAC said. The agency also said banks should make sure they receive “all necessary licenses” from OFAC before dealing in blocked property and clearly communicate OFAC’s sanctions requirements “among an institution’s compliance and business lines.”

Nodus didn't respond to requests for comment.

OFAC Announces Record Fine Against Cryptocurrency Exchange for Sanctions Violations

Cryptocurrency exchange Bittrex was fined more than $24 million by the Office of Foreign Assets Control Oct. 11 for violating U.S. sanctions. OFAC announced the fine alongside a similar penalty by the Financial Crimes Enforcement Network, which fined the company more than $29 million for violating the Bank Secrecy Act. The OFAC and FinCEN settlements are the two agencies’ first parallel enforcement actions, OFAC’s largest-ever virtual currency enforcement action and the agency's largest fine since April 2019.

OFAC said Bittrex committed more than 116,000 violations of multiple sanctions programs -- which were not voluntarily self-disclosed -- stemming from “deficiencies” in its sanctions compliance procedures. The company failed to stop more than $263 million worth of virtual currency-related transactions from people located in Crimea, Cuba, Iran, Sudan and Syria, the agency said. Even though it collected both internet protocol address information and physical address information, Bittrex didn’t screen for “terms associated with sanctioned jurisdictions,” OFAC said.

Bittrex has “strived to comply with all government requirements diligently and in good faith," the company said in a statement, adding that it "fully resolved th[e] matter ... on mutually agreeable terms.” The company also noted that none of the alleged violations occurred after 2018. As part of its settlement agreement, FinCEN will credit its $29 million fine imposed on Bittrex with the $24 million the company owes to OFAC.

The violations stemmed from transactions between March 2014 and December 2017, when Bittrex operated 1,730 accounts that processed more than $260 million worth of virtual currency-related transactions in violation of U.S. sanctions. Although the company's policies and procedures dating back to 2015 showed that it had “some understanding of OFAC sanctions regulations,” Bittrex “had no internal controls” to screen customers or transactions for their nexus to a sanctioned region until October 2017, OFAC said.

The agency said Bittrex didn’t have a sanctions compliance program until December 2015, even though it began offering virtual currency services in 2014. The company in 2016 hired a third-party sanctions screening vendor, but OFAC said the vendor initially only screened transactions for hits against OFAC’s Specially Designated Nationals and Blocked Persons List and other government lists. The vendor didn’t “scrutinize customers or transactions for a nexus to sanctioned jurisdictions,” the agency said.

Bittrex didn’t realize the vendor was only screening against government lists until it was subpoenaed by OFAC in 2017 in relation to a sanctions investigation. OFAC said Bittrex began “restricting accounts and screening IP and other addresses associated with sanctioned locations” after receiving the subpoena.

The agency said Bittrex also implemented a new sanctions screening and blockchain tracing software, conducted more sanctions compliance training and hired additional compliance staff. “Once implemented, these remedial measures substantially curtailed the number of Apparent Violations,” OFAC said.

The agency said the maximum civil monetary penalty was $35 billion, but OFAC settled on a lower fine after determining the violations were non-egregious. Mitigating factors included the fact that Bittrex had not received a penalty notice in the previous five years; it was a “small and new company” during most of the violations; and it cooperated substantially with OFAC’s investigation. OFAC also said most of the violations “were for a relatively small amount” and the number of transactions was a “relatively small percentage” compared to the total number of transactions conducted by Bittrex annually. OFAC also pointed to the company’s range of remedial compliance measures, including its hiring of a dedicated chief compliance officer and the fact that it has undergone independent sanctions compliance audits.

OFAC also pointed to several aggravating factors, including Bittrex’s failure to “exercise due caution or care for its sanctions compliance obligations” for nearly two years after beginning to offer global virtual currency services. The agency also said Bittrex “had reason to know” that some of its customers were in sanctioned jurisdictions based on their IP addresses and physical addresses, and said the company “conveyed economic benefit to thousands of persons” subject to U.S. sanctions.

OFAC said the case highlights that virtual currency companies are subject to the same compliance expectations as other financial service providers. The agency said virtual exchanges “should develop a tailored, risk-based sanctions compliance program,” which will “depend on a variety of factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served.”

The case also demonstrates the importance of sanctions compliance among newer companies involved in emerging technologies, OFAC said. “As part of these controls,” the agency said, “companies should ensure that their sanctions compliance service providers are providing services commensurate with the institution’s sanctions compliance risk.”

“Virtual currency exchanges operating worldwide should understand both who -- and where -- their customers are,” OFAC Director Andrea Gacki said. “OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”

In a separate consent order, FinCEN said Bittrex failed to maintain an effective anti-money laundering system between February 2014 to at least December 2018, which included "inadequate and ineffective" transaction monitoring on its platform. The program also failed to address the risks associated with the products and services it offered, including anonymity-enhanced cryptocurrencies. Bittrex failed to file any suspicious activity reports for over three years between February 2014 and May 2017 and processed a significant number of transactions involving sanctioned jurisdictions.

“For years, Bittrex’s anti-money laundering program and suspicious activity reporting failures unnecessarily exposed the U.S. financial system to threat actors,” FinCEN Acting Director Himamauli Das said. “Bittrex’s failures created exposure to high-risk counterparties including sanctioned jurisdictions, darknet markets, and ransomware attackers. Virtual asset service providers are on notice that they must implement robust risk-based compliance programs and meet their BSA reporting requirements. FinCEN will not hesitate to act when it identifies willful violations of the BSA.”

Company’s Subpar Geolocation Processes Led to Sanctions Violations, OFAC Says

The Office of Foreign Assets Control fined Washington-based Tango Card $116,048.60 for violating U.S. sanctions as a result of its “deficient geolocation identification processes,” the agency said Sept. 30. OFAC said Tango Card, an electronic gift and reward services company, violated U.S. sanctions related to the Crimea region of Ukraine and sanctions imposed against Cuba, Iran, Syria and North Korea.

OFAC said Tango Card discovered the violations in 2021 when one of its clients found multiple award recipient email addresses had top-line domains associated with sanctioned jurisdictions. The company then conducted a “lookback review of its database” for any “similar occurrences involving email addresses previously provided by other clients,” OFAC said, and found several. In total, Tango Card transmitted more than 27,000 merchant gift cards and promotional debit cards worth more than $386,000 to people with internet protocol addresses linked to Cuba, Iran, Syria, North Korea and Crimea.

Although the company used geolocation tools to identify “high-risk” transactions, screened against OFAC sanctions lists and employed know-your-business “mechanisms,” the agency said it didn’t use those controls to “identify whether recipients of rewards, as opposed to senders of rewards, might involve sanctioned jurisdictions.” OFAC said this violated the Cuban Assets Control Regulations, the Iranian Transactions and Sanctions Regulations, the Syrian Sanctions Regulations, the North Korea Sanctions Regulations and an executive order that blocks certain transactions with people in the Crimea region of Ukraine.

The maximum civil monetary penalty amount was more than $9 million, but OFAC reduced the fine in its settlement with Tango Card because the case was non-egregious and the violations were voluntarily self-disclosed. OFAC also said Tango Card implemented a range of “remedial measures” by geo-blocking IP addresses and email addresses associated with sanctioned countries, hiring more compliance staff and instituting more compliance training. The company also brought on more sanctions screening tools, began monthly look-back reports to identify any recipients that could be located in sanctioned countries and “substantially” cooperated with OFAC’s investigation.

The agency also pointed to several aggravating factors that led to the six-figure fine, including Tango Card’s failure to impose “risk-based geolocation rules using tools at its disposal” despite having reason to know that it was sending rewards to people in sanctioned jurisdictions. OFAC also said the company conferred more than $386,000 in “economic benefit” to jurisdictions subject to U.S. sanctions.

OFAC said the case highlights the importance of using “geographic information” and geolocation tools as part of a sanctions compliance program. “In addition, while contractually obligating customers to comply with sanctions regulations can help mitigate risk,” the agency said, “it does not obviate the need to impose other sanctions compliance controls when appropriate on a risk basis.” Tango Card didn't respond to a request for comment.

OFAC Fines Two Wealth Management Companies for Sanctions Violations

The Office of Foreign Assets Control announced two separate settlement agreements Sept. 26, fining a Switzerland- and a Monaco-based wealth management company for violating U.S. sanctions. OFAC said both companies committed violations due to “deficiencies” in their sanctions compliance practices.

CA Indosuez Switzerland S.A. (CAIS), an indirect subsidiary of Swiss-based Credit Agricole Corporate and Investment Bank (CAIB), was fined $720,258 for violating sanctions related to Ukraine and sanctions imposed against Cuba, Iran, Sudan and Syria. CFM Indosuez Wealth (CFM), an indirect subsidiary of Monaco-based Credit Agricole Corporate and Investment Bank (CACIB), was fined $401,039 for violating U.S. sanctions against Cuba, Iran and Syria.

Between April 2013 and April 2016, OFAC said CAIS operated U.S. dollar banking and securities accounts for 17 customers in sanctioned jurisdictions and conducted business on their behalf through the U.S financial system, including through U.S. correspondent banks and U.S. registered brokers. OFAC specifically said CAIS allowed customers in sanctioned jurisdictions to buy securities through U.S. companies even though CAIS collected know-your-customer data. In total, CAIS allowed 240 transactions worth more than $2 million, OFAC said, and 33 commercial transactions worth more than $1 million.

In the second settlement, OFAC said CFM operated U.S. dollar banking and securities accounts for 11 customers in Iran, Syria and Cuba for five years. Like CAIS, CFM collected know your customer (KYC) information on its customers but still allowed them to buy securities through U.S. companies from December 2011 through July 2016. In total, CFM processed 410 transactions worth about $966,000 and 16 commercial transactions worth about $267,000.

Although both CAIS and CFM were required to follow compliance policies “relayed” by their parent companies, the investment firms didn’t “fully implement” the procedures, OFAC said. “As a result,” OFAC said, “the customers who were ordinarily resident in sanctioned jurisdictions were able to continue to engage in securities and commercial transactions involving the U.S. financial system using their accounts at” the investment firms.

CAIS and CFM discovered the accounts during a “periodic oversight review” conducted by their compliance departments, OFAC said, which showed CAIS’s customers were residents in Iran, Syria, Sudan, Crimea and Cuba, and CFM’s customers were residents in Iran, Syria and Cuba. Even though both companies “implemented internal restrictions aimed at preventing certain payments” on those accounts, they later discovered that the restrictions didn’t prevent securities-related payments.

OFAC said the maximum civil monetary penalty for CAIS’s violations was more than $64 million, but decided to reduce the fine because it was a non-egregious case and because the violations were voluntarily disclosed. The agency also pointed to the fact that CAIS hadn’t received a penalty notice in the previous five years and took “extensive remedial measures” to improve its compliance procedures, including introducing a new “commercial screening tool.” OFAC also said the company “substantially” cooperated with OFAC’s investigation with well-organized responses to OFAC’s requests for information and agreed to toll the statute of limitations.

OFAC also pointed to several aggravating factors, including the fact that CAIS “had reason to know” it was dealing with sanctioned transactions. The agency said CAIS conferred more than $3 million in “economic benefit” to people in Cuba, Crimea, Iran, Sudan and Syria and caused “harm to the integrity of multiple sanctions programs.”

The maximum civil monetary penalty for CFM was more than $106 million, but OFAC reduced the fine because the case was non-egregious and the violations were voluntarily disclosed. Mitigating factors included CFM’s lack of a penalty notice in the previous five years, its substantial cooperation with OFAC’s investigation and its work to improve its compliance program.

Aggravating factors included the fact that CFM employees had reason to know they were processing illegal transactions, and the fact that the company conferred more than $1.2 million in “economic benefit” to people in Cuba, Iran and Syria, which harmed U.S. sanctions programs.

OFAC said both cases demonstrate the importance of foreign financial institutions maintaining “effective” sanctions compliance programs and procedures. The agency said companies that do business in multiple jurisdictions and “across a number of product lines” should ensure their controls are implemented “consistently” across their business.

Companies can also benefit from integrating KYC data into their sanctions screening platforms, OFAC said, and testing and auditing their controls. The agency added that “global subsidiaries, when instructed to implement a parent company’s compliance policies, should do so in a timely and effective manner.”

CAIS and CFM couldn’t be reached for comment.

Bank’s Misunderstanding of Vendor Screening Led to Sanctions Violations, OFAC Says

MidFirst Bank violated the U.S. Weapons of Mass Destruction Proliferators Sanctions Regulations when it processed payments for two sanctioned people after they were designated by the Office of Foreign Assets Control, OFAC said in a July 21 enforcement notice. OFAC said the bank, headquartered in Oklahoma City, maintained accounts for the people and processed 34 of their payments in the two weeks after they were added to the Specially Designated Nationals List.

OFAC didn’t fine the bank and instead issued a “finding of violation” due to several mitigating factors, including the fact that the violations occurred within two weeks of the designations, and 98% of the value associated with the violations were for transactions that occurred within hours of the designations. The agency also said the bank had compliance procedures but misunderstood how frequently its vendor screened new names that were added to the SDN List against its existing customer base.

The violations began in September 2020, when MidFirst processed five transactions totaling $604,000 for accounts held by people who had been sanctioned by OFAC just hours earlier. MidFirst processed the 29 additional transactions over the next two weeks, which totaled nearly $10,000.

MidFirst told OFAC that it hadn’t been alerted to the sanctions until it was notified by its sanctions screening vendor on October 5, 2020, 14 days after their addition, the agency said. OFAC said the bank then “promptly” blocked the accounts.

Although MidFirst’s vendor conducted daily screenings of new and existing customers with certain “account changes” -- such as changes to a customer’s name or address -- the vendor only screened MidFirst’s entire customer base once a month, OFAC said. The agency said MidFirst “misunderstood” the scope of its contract with the vendor and “mistakenly” believed the daily screenings “would screen its entire customer base against additions and changes to the SDN List.” Depending on the timing of additions to the SDN List, MidFirst could be unaware for up to 30 days that it held the account of a blocked person on its books, OFAC said.

Although it didn’t issue a penalty, OFAC pointed to several aggravating factors, including the fact that the bank had reason to know that it maintained the accounts for blocked persons and that its vendor was not screening its entire accounts daily against changes to the SDN List. OFAC also said the two weeks of post-designation transactions could have “aided asset flight” for the sanctioned people.

OFAC also pointed to several mitigating factors, including the fact that the sanctions harm caused by the violations was “substantially less than the face amount of the violations,” mostly because two of the largest transactions were “internal book transfers” between one of the blocked person’s accounts. The agency also said the vendor began re-screening existing accounts more frequently after discovering the violations, and MidFirst implemented a “manual process” to be alerted to all OFAC list updates. The bank also cooperated with OFAC’s investigation and hadn’t received a penalty notice or finding of violation in the previous five years.

OFAC said the case “reaffirms” that financial institutions should take a “risk-based approach to sanctions compliance.” They should also make sure they understand the “scope and capabilities” of third-party sanctions compliance services to make sure they are “consistent with the financial institution’s assessment of its exposure to sanctions risks.” MidFirst couldn’t be reached for comment.

OFAC Settles With American Express for $430,500 Over Narcotics Sanctions Violations

The Office of Foreign Assets Control reached a settlement with American Express National Bank for $430,500 over apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations, according to a July 15 OFAC notice. Over the course of two months, OFAC said, Amex processed transactions for a card holder who was designated in connection with illegal drug distribution and money laundering.

According to the notice, Walter Alexander Del Nogal Marquez, an American Express cardholder since 2012, was designated under the Kingpin sanctions and added to OFAC's Specially Designated Nationals List in 2018. That triggered Amex's internal sanctions list screening system, but the alert was incorrectly closed by the Amex analyst that conducted the initial review, despite company requirements and matches for data on Marquez, OFAC said.

A month and a half later, an Amex analyst investigating an anti-money laundering alert identified Marquez's connection to the account and issued instructions to suspend all cards linked to the account. But the instructions didn't specify that the restriction was sanctions-related, so Marquez was able to get the suspension lifted the following day, OFAC said. Amex's anti-money laundering team caught the error again the next day, but the wrong suspension code was added, allowing the card to be used for additional transactions before it was finally closed about two months after Marquez was listed, it said. OFAC said Amex processed 214 transactions totaling about $155,000 involving the account between May 2018 and July 2018.

OFAC said the maximum penalty for the violations was more than $331 million but fined Amex only $430,500 due to several mitigating factors. Those factors include Amex's cooperation with OFAC and prompt responses to information requests as well as Amex's agreement to launch automated compliance measures, increase training for employees, move sanctions screening processes to a centralized team, and requirements to perform second-level reviews of high-confidence sanctions alerts.

OFAC also pointed to several aggravating factors, including its position as a large and sophisticated financial institution as well as its granting of "$155,189.42 in economic benefits" to an account associated with a sanctioned person.

OFAC said the case highlights the importance of "properly training employees on sanctions compliance procedures and ensuring that those procedures are followed appropriately," especially in handling high confidence alerts. The agency also said consistent application of company-wide compliance measures, especially in creating controls to prevent other departments from overriding compliance decisions, can help mitigate sanctions risks.

American Express didn't respond to a request for comment.

OFAC Fines Puerto Rican Bank for Venezuela Sanctions Violations

The Office of Foreign Assets Control fined Puerto Rican bank Banco Popular de Puerto Rico (BPPR) about $255,000 for violating U.S. sanctions against Venezuela. BPPR processed 337 transactions on behalf of two government employees of Venezuela, totaling $853,126, OFAC said May 27.

In 2019, BPPR began a review of accounts that might be affected by sanctions against Venezuela. It wasn't until October 2020 that BPPR identified the accounts linked with the two Venezuelan government employees and blocked the accounts. The delay in identifying these customers resulted in 337 apparent violations of the sanctions.

OFAC said BPPR’s apparent violations were non-egregious and voluntarily self-disclosed. The agency pointed to several mitigating factors, including the bank's remedial action in response to the violations, including enhancing its compliance program and creating sanctions procedures and guidance. The bank also closely cooperated with OFAC's investigation and had not received a penalty notice in the previous five years.

OFAC also pointed to several aggravating factors, including that the bank had "documentation indicating that two of its customers were low level employees" of the Venezuelan government, yet still failed to identify those customers for 14 months. OFAC also said the bank is "mid-sized" with more than $61 billion in assets.

The agency said the penalty highlights the importance of conducting due diligence on direct customers, including their ownership structure. Companies should especially conduct due diligence whenever new sanctions authorities and actions are announced, OFAC said.

OFAC Fines Australian Company for Nearly 3,000 Sanctions Violations

The Office of Foreign Assets Control on April 25 fined Toll Holdings, a Melbourne, Australia-based international freight and logistics company, more than $6.13 million for nearly 3,000 violations of multiple U.S. sanctions programs. OFAC said Toll received illegal payments connected to sea, air and rail shipments through multiple highly sanctioned countries, including North Korea, Iran and Syria. The transactions included sanctioned Iranian airline Mahan Air (see 2111190006) and Iran-based Hafiz Darya Shipping Lines.

The violations stemmed from Toll's "rapid" business expansion "without a requisite increase in compliance resources," OFAC said. The company began acquiring regional freight forwarding companies in 2007 -- and by 2017 had almost 600 "invoicing, data, payment, and other system applications spread across its various business units" -- but failed to update its compliance program and controls to "keep up with the pace and complexity of its growing operations."

Between January 2013 and February 2019, Toll or its affiliates "originated or caused to be received" 2,958 illegal payments in connection with the shipments to and from North Korea, Iran and Syria, OFAC said. These payments, worth nearly $50 million, were "generally originated or received" by Toll’s overseas units, OFAC said, including 23 of its entities across Asia, Europe, the Middle East and North America.

In May 2015, one of Toll’s banks identified a U.S. dollar transaction involving Syria and restricted a Toll subsidiary’s use of its U.S. dollar account, OFAC said. Afterward, a Toll employee at the company's headquarters instructed other employees in Toll’s United Arab Emirates and South Korean affiliates to "avoid including the names of sanctioned jurisdictions on invoices going forward," OFAC said. The employee at the headquarters was concerned that the Syria-related payment "would disrupt a separate, large impending internal transfer," OFAC said in its enforcement notice. Because of this, OFAC determined that some Toll employees had reason to know that the payments were in potential violation of U.S. sanctions.

After Toll's bank froze the account, the bank continued to raise sanctions compliance concerns with the company, OFAC said. Before it agreed to process any of Toll's transfers, the bank required the company to show documents that proved its transactions didn't violate U.S. sanctions, OFAC said. But the bank continued to be concerned about Toll's "problematic payments and apparent control deficiencies," the agency said, and "threatened to terminate its relationship" with Toll in June 2016. To keep doing business with the bank, Toll promised to abide by all sanctions laws and "attested" to the bank that it wasn't participating in blocked transactions.

As part of the commitment to its bank, Toll decided to cease all business with U.S.-sanctioned countries in June 2016, OFAC said. But even after "repeatedly instructing business units" to stop the shipments," Toll didn't implement compliance policies necessary to prevent the payments, OFAC said. The company also didn't "test whether shipments involved persons located in U.S.-sanctioned countries."

In February 2017, Toll introduced controls that disabled country and location codes for ports and cities in sanctioned countries in an effort to prevent those shipments in its freight management system, OFAC said. Of the nearly 3,000 illegally transacted payments that led to the violations, OFAC said, just 105 occurred after Toll implemented these "hard controls." Toll eventually voluntarily hired an accounting firm to conduct a "forensic examination" of its payment practices and sent its findings to OFAC as part of a voluntary self-disclosure

OFAC said the maximum penalty for the violations was more than $826 million but fined the company $6.13 million due to several mitigating factors, including its "extensive actions" to fix compliance gaps, including conducting a "risk-mapping exercise to identify the root causes of the compliance lapses" and restructuring its compliance division. Toll also created a sanctions compliance training program for its more than 500 employees, introduced risk-based screening of its customers against all restricted party lists, ended "all franchise relationships" and started "enhanced due diligence measures for on-boarding agents."

OFAC also pointed to several aggravating factors, including Toll's "reckless disregard for U.S. economic sanctions laws" and the violations occurring "despite an existing company compliance policy." Toll also "had reason to know" it was committing sanctions violations and didn't take "immediate or adequate steps" following the May 2015 warnings from one of its banks. OFAC also said about 14% of the transactions involved entities sanctioned for terrorism or weapons concerns.

Toll takes "compliance seriously” and has “acted to keep this from happening again," managing director Thomas Knudsen said in an April 25 email. Knudsen said the violations occurred because of a "misunderstanding about regulations regarding payments through the U.S. financial system related to otherwise permissible shipments." The company has instituted "rigorous control systems and enhanced training and accountability," Knudsen added.

OFAC said the case highlights the importance of "strong internal controls and procedures" to oversee payments involving affiliates that could involve sanctioned parties. Even though "complex payment and invoicing arrangements" may be "normal business conduct," they may pose sanctions risks when "linkages to sanctioned jurisdictions or persons are obscured, or when mechanisms to preclude their involvement with U.S. financial institutions are absent or not implemented effectively," OFAC said.

The agency also said companies should respond "promptly" to compliance concerns when they first arise and look to solve the heart of the issue. "Reminders of established compliance policies alone, may not result in concrete changes to conduct that poses risks of apparent violations," OFAC said.

OFAC Fines US Companies for Violating Cuba Sanctions

The Office of Foreign Assets Control April 21 fined Colorado-based Newmont Corp. and Florida-based Chisu International Corp. after the two mining companies bought Cuban-origin “explosives and explosive accessories” from a third-party vendor. The agency announced a $141,442 settlement with Newmont and a $45,908 settlement with Chisu for violating the Cuban Assets Control Regulations.

Newmon's violations began after the Suriname government granted it an "exploitation license" to mine gold in the country in 2014, OFAC said. Newmont Suriname, a subsidiary of Newmont, purchased Cuban-origin explosives and explosive accessories for the mining operations from a third-party vendor on at least four occasions, the agency said. In 2016, OFAC said a Newmont Suriname employee exchanged shipping documents with an operations manager for Newmont Suriname’s distributor, which showed the goods were provided by Cuba-based Union Latinoamericana de Explosivos (ULAEX). Newmont Suriname’s distributor fulfilled two more orders from ULAEX "without Newmont’s awareness," OFAC said.

All four bills "clearly identified" ULAEX and its address in Cuba, the agency said, adding that the Newmont Suriname employee "failed to understand the implications of engaging in transactions related to merchandise of Cuban origin." The employee didn't participate in the company's export control and sanctions compliance training and "did not understand the relevant sanctions prohibitions," OFAC said.

OFAC said the maximum civil penalty was $367,264, but the fine was reduced partly because the case was non-egregious and Newmont voluntarily self-disclosed the violations. Other mitigating factors included the fact that Newmont hadn't received a penalty notice in the previous five years, the total amount of payments stemming from the violations "were not significant" and Newmont cooperated with OFAC's investigation. The company also agreed to remedial compliance measures, including " comprehensive" training on export compliance, country-specific embargoes and denied persons screening. Newmont also agreed to create formal written compliance policies and procedures.

OFAC also pointed to several aggravating factors, including the fact that Newmont "failed to exercise a minimal degree of caution or care with respect to U.S. sanctions." It also said the company is a "large and sophisticated business" and a leading gold producer with experience conducting international transactions. A Newmont spokesperson didn't respond to a request for comment.

In the second settlement, OFAC said Chisu and its affiliates in 2016 and 2017 bought Cuba-origin explosives and "related accessories" from ULAEX on behalf of an unnamed U.S. company for that company’s mining project in Suriname. The bill of lading associated with the first transaction "clearly identified" ULAEX as the exporter of the goods, and the import permit indicated the goods originated in Cuba, OFAC said. The address provided for ULAEX was in Cuba and the point of export was a separate Cuban city.

OFAC said the violations "primarily" began because Chisu, a small company operated by one person, "failed to understand U.S. prohibitions on dealings in Cuban property." Chisu had no compliance program in place, OFAC said, and didn't know it couldn't deal indirectly in Cuban goods until a customer brought it to the company's attention. The agency said the "transaction value" stemming from the violations was $688,689.

OFAC said the maximum civil penalty was $367,264, but reduced the fine due to several mitigating factors, including the fact that the case was non-egregious. The agency said Chisu is a small company that had not received a penalty notice within the previous five years and cooperated with OFAC's investigation, including through a tolling agreement.

But OFAC also pointed to several aggravating factors, including Chisu's failure to voluntarily self-disclose the violations. OFAC also said the company "failed to exercise a minimal degree of caution or care" in procuring the goods and had "actual knowledge" that it was "financing the provision of Cuban-origin goods for export to Suriname." OFAC also said the violations "caused harm" to U.S. sanctions programs objectives. Chisu didn't respond to a request for comment.

OFAC said both cases highlight the importance of sanctions compliance for companies of "any size" if they are operating internationally. The agency said sanctions risks may arise "even where there is no direct dealing with a sanctioned person or jurisdiction." Companies should make sure they have strong controls in place to screen suppliers and are "conducting sufficient transactional due diligence to identify and promptly remediate compliance deficiencies."

OFAC Fines Financial Analytics Firm for Sanctions Violations

The Office of Foreign Assets Control on April 1 fined S&P Global, a business analytics firm, $78,750 for violating U.S. Ukraine-related sanctions regulations. OFAC said the case was non-egregious, partly due to S&P's cooperation and agreement to improve its compliance program.

The violations began when S&P Global and one of its companies, Petroleum Industry Research Associates, reissued and redated multiple invoices to continue to extend credit to JSC Rosneft, a state-owned Russian oil company, OFAC said. At the time, all transactions or other dealings in new debt of Rosneft of longer than 90 days' maturity were prohibited, the notice said, but S&P Global accepted past-due payments totaling $82,500 from Rosneft.

OFAC determined that S&P Global "failed to exercise a minimal degree of caution or care when it reissued the invoices to extend the payment date of invoices far beyond the authorized debt tenor," and likely knew the conduct would violate U.S. sanctions. OFAC also said the company is a "commercially sophisticated entity," considered a "leader in global energy market analysis" and didn't voluntarily disclose the violations.

OFAC also pointed to several mitigating factors, including the fact that S&P Global had not received a penalty notice in the previous five years. The company also took remedial measures by improving its compliance program by creating more robust training, adding periodic testing to invoices involving SSI List entities, and adding additional staff to manage sanctions issues. S&P's cooperation with OFAC and submissions of detailed documentation were also mitigating factors as part of a settlement agreement with OFAC. An S&P spokesperson didn't respond to a request for comment.

OFAC said the case underscored the importance of "careful adherence" to OFAC's regulations, especially in cases where "counterparties may make compliance challenging." The agency said "firms facing similar circumstances should contact OFAC if compliance becomes untenable due to actions or delays by their clients on" OFAC’s Sectoral Sanctions Identification List.

OFAC Fines Hong Kong Company $5.2M After Employees Hid Iranian-Related Transactions

The Office of Foreign Assets Control Jan. 11 fined a Hong Kong company more than $5.2 million after it illegally bought more than 64,000 tons of Iranian thermoplastic, the largest fine by OFAC in more than a year. The agency said Sojitz illegally bought the Iranian “high density polyethylene resin” from a Thai supplier to sell to Chinese consumers. OFAC determined the case to be non-egregious, partly because senior compliance officials weren’t aware of the illegal purchases and had repeatedly told its employees that they could not buy Iranian goods with U.S. dollars.

The violations stemmed from several “noncompliant employees” who disobeyed company policies to buy the polyethylene resin, OFAC said. Between 2016 and 2018, the employees secured a purchase agreement with a Thai supplier in which Sojitz paid the purchase price by wire transfer to the supplier after it shipped the products to Chinese buyers. OFAC said Sojitz made the wire transfers through 60 U.S. dollar payments, transferring about $75,000 through multiple U.S. “financial institutions,” including U.S. correspondent banks.

The Sojitz employees omitted references to Iran in their “funds transfer instructions,” OFAC said, which didn’t allow the U.S. banks to catch the violations. The employees also asked the Thai supplier to avoid referencing Iran on the bills of lading and told Sojitz’s senior management and compliance officials that the Thai supplier produced polyethylene resin. OFAC said the employees directly disobeyed the company’s compliance procedures because they were “explicitly and repeatedly advised” by Sojitz compliance officials that “they could not make U.S. dollar payments in connection with Iran-related business transactions.”

Although the case was non-egregious because the violations were voluntarily self-disclosed and Sojitz senior management wasn’t “aware” of the violations, OFAC still handed the company the largest U.S. sanctions fine since Jan. 4, 2021. In that case, OFAC fined a French bank more than $8.5 million for violating sanctions against Syria (see 2101040055). The maximum civil monetary fine OFAC could have imposed for Sojitz’s violations was about $151 million.

OFAC pointed to several aggravating factors that contributed to the $5.2 million fine, including that Sojitz employees left out Iranian country of origin information from “all relevant transactional documents” for two years. The agency also said one of the employees held a “mid-level managerial position,” and all employees were told the transactions would violate U.S. sanctions. Other aggravating factors included that the transactions likely "conferred significant economic benefits” to Iran, OFAC said, and that Sojitz is a “sophisticated offshore trading and cross-border trade financing company” with compliance experience and expertise.

OFAC also pointed to several mitigating factors, including Sojitz’s compliance team at its parent company in Japan, which instructed the employees that they couldn’t conduct U.S. dollar transactions with Iran. The agency also said Sojitz’s senior managers weren’t aware of the transactions, the company had no prior OFAC sanctions history and it cooperated with OFAC’s investigation.

The company also “undertook significant remedial measures,” OFAC said, including a “thorough internal look-back investigation” to find the root causes of the compliance failures. Sojitz also fired the employees who caused and hid the violations, bolstered its sanctions screening procedures and hired more compliance employees. Sojitz didn't respond to a request for comment.

The case highlights that violations by a few employees could lead to liability for an entire company, OFAC said. “Even where elements of a reasonable compliance program are in place, employees may act on their own initiative to pursue profit over compliance and find ways to circumvent their organization’s policies and procedures,” the agency said. “In such cases, their actions can result in violations attributable to their organizations.” OFAC said companies should continuously test and audit their compliance programs, especially so parent companies can “ensure that appropriate compliance programs and procedures are implemented at their overseas subsidiaries.”

Airbnb Compliance 'Deficiencies' Led to Cuba Sanctions Violations, OFAC Says

The Office of Foreign Assets Control fined Airbnb just over $91,000 for violating U.S. sanctions against Cuba, the agency said Jan. 3. OFAC said the company’s subsidiary, Airbnb Payments, illegally processed payments for guests traveling in Cuba and failed to keep certain records related to those payments.

Between 2015 and 2020, Airbnb processed payments for nearly 3,500 stays in Cuba for guests traveling outside OFAC’s “authorized” categories, the agency said, which include family visits and government travel. The company also processed payments for more than 3,000 “experiences transactions” wherein Airbnb “failed to keep records in accordance with the OFAC’s regulations,” and processed 44 transactions involving non-U.S. persons “engaging in Cuba travel transactions” before OFAC issued a specific license, the agency said.

OFAC said Airbnb committed the violations mostly because it established business operations in Cuba “without fully addressing the complexities of operating a Cuba-related sanctions compliance program for internet-based travel services.” The company launched its Cuba business in 2015 shortly after the U.S. shifted its policy toward Cuba, OFAC said, adding that “the scaling up of its services in Cuba appears to have outpaced the company’s ability to manage the associated sanctions risks via its technology platforms.”

OFAC said Airbnb used a manual process to screen hosts and guests for sanctions issues when it first launched in Cuba. The agency also said Airbnb’s recordkeeping issues were caused by “technical defects involving an older version of the Airbnb, Inc. mobile application that remained operational for Cuba-related travel.” The older version didn’t effectively allow guests to “make an attestation regarding their reason for travel to Cuba.”

Airbnb voluntarily disclosed the violations to OFAC after “proactively” beginning a review of its sanctions compliance program, the agency said. The company also “implemented subsequent remedial measures” to “address its sanctions compliance deficiencies.”

OFAC pointed to two aggravating factors, including that the violations took place during a change in U.S. policy toward Cuba and “undermined U.S. foreign policy.” The agency also said Airbnb is a “large and sophisticated U.S.-based technology company.”

Mitigating factors included that Airbnb hadn’t received a penalty notice in the previous five years and began its own review of its sanctions compliance program. The company also substantially cooperated with OFAC and agreed to further improve its compliance procedures, including through an IP “blocking regime.” The company also agreed to collect countries of residence and payment instrument information from customers and to screen hosts in Cuba.

OFAC said the case highlighted the risks of “entering new commercial markets” without “fully anticipating the complexities of legally operating in a U.S.-sanctioned jurisdiction.” It also shows the benefits of cooperating with OFAC and voluntarily disclosing violations. OFAC said it could have imposed a maximum penalty of more than $600 million if Airbnb hadn’t disclosed the violations and if OFAC determined the violations to be egregious.

An Airbnb spokesperson said the company was "pleased to have reached this agreement" with OFAC. "We take sanctions compliance very seriously," the spokesperson said in a Jan. 3 email. The company has recently come under criticism from at least one U.S lawmaker for listing more than a dozen homes for rent on land owned by a sanctioned paramilitary Chinese entity in China’s Xinjiang province (see 2112070062). Airbnb has said it doesn't believe the home rentals violate U.S. sanctions laws.