Companies Disclose, Update Possible Sanctions Violations, Including Against Russia

Instructure Holdings, a Utah-based educational technology company that developed the learning software Canvas, said it may have “inadvertently” provided services to a sanctioned person in Russia, according to its February SEC filing. The company said it discovered the issue during the fourth quarter of 2023 after determining that one of its customers in Russia had been added to the Treasury Department’s Specially Designated Nationals List.

The company “immediately ceased providing services to the customer” and said it didn’t “receive any revenue” from the person after they were added to the SDN List. Instructure Holdings also said it filed a voluntary self-disclosure with OFAC but hasn’t yet heard back.

“Although we have taken corrective measures to prevent any future transactions with this customer, ceased services to our two other Russian customers and we believe the matter is immaterial, we cannot predict if OFAC will take any actions,” the company said.

DXC Technology Company, a multinational information technology services and consulting firm based in Virginia, said it also may have violated sanctions against Russia and doesn’t yet know whether it will be subject to any penalties. The company said it submitted a disclosure to OFAC in 2022 and a final voluntary self-disclosure to the Bureau of Industry and Security in November, according to a recent SEC filing.

After Russia invaded Ukraine in 2022, DXC said it tried to end its business in the country by selling the Russia-based business of Luxoft, a software engineering firm DXC had bought in 2019, to brokerage firm IBS Holding. DXC didn’t say how it may have violated U.S. sanctions, only that its disclosure to OFAC “pertains” to the sale. It said its separate disclosure with BIS also involves “potential export control violations in connection with its exit from the Russian market.”

The company said both “matters remain under review by OFAC and BIS.”

Zoetis, an American animal pharmaceutical company, said it received a “no action letter” from OFAC last year confirming that the agency won’t penalize the company after it disclosed possible violations of U.S. sanctions against Iran (see 2102190015). The disclosure involved Zoetis’ purchase of Platinum Performance, a company that had sold food, medicine or “devices” to people or entities with ties to Iran without a general license, according to its SEC filing.

Zoetis said it conducted an internal investigation and submitted disclosures to both OFAC and DOJ. It said DOJ “has not responded to date.”

Two companies said OFAC is still reviewing years-old disclosures they made about possible sanctions violations. Exodus Movement, a digital assets company, said OFAC is still reviewing disclosures and subpoena responses as old as 2018 involving the company’s potential sanctions violations related to Iran and North Korea. The company submitted a disclosure involving free downloads of its “un-hosted and non-custodial software wallet for digital assets” in certain embargoed countries, which may have included Cuba, Iran and Syria, and also received an OFAC subpoena seeking information about its possible transactions with certain North Korean cyber actors (see 2305260012).

Exodus has taken “remedial action designed to prevent similar activity from occurring in the future,” the company said in its SEC filing. Both the subpoena responses and voluntary self-disclosure are still “under review” by OFAC.

OFAC also still hasn't made a decision on a disclosure submitted by California-based Cloudflare, a website infrastructure company, for potentially allowing the company’s platform and products to be accessed by users in sanctioned countries, it said in an SEC filing. Both BIS and the Census Bureau closed out related Cloudflare disclosures with no penalties in 2020 (see 2008280034).

“The voluntary self-disclosure, which we may supplement as appropriate, remains under an ongoing review by OFAC,” Cloudflare said.