Navigating OFAC Sanctions: A Practical Guide for Businesses
In today’s global economy, every financial transaction has the potential to be an international one. If the sale involves U.S. dollars, then it is overseen by the Office of Foreign Asset Control (OFAC). The OFAC is charged with ensuring that no American companies use American assets to support terrorism, narcotics or human trafficking, sales or manufacture of weapons of mass destruction, or other prohibited activities.
Businesses have a responsibility to know about OFAC sanctions and protect themselves against violations. There are heavy penalties for doing business with sanctioned companies or individuals, even by mistake. Due diligence helps avoid costly errors.
What Are OFAC Sanctions?
The actions of some countries, entities, or individuals have been held to be a threat to the policies and interests of the United States. By various legislative and executive means, the U.S. government imposes sanctions against these countries, entities, and individuals, rather than engage in warfare or other coercive means to force change.
The OFAC carries out these sanctions when they involve trade or other financial interactions. The most common types of sanctions include:
- Investing in a blocked nation, or in a property or entity in which a blocked nation, entity or individual has an interest
- Directly or indirectly sending supplies or services to a blocked nation or entity
- Directly or indirectly importing or exporting goods from a blocked nation or entity
- Transferring funds to or from a blocked nation or entity
U.S. companies that wish to do business in blocked nations, or with blocked corporations, must obtain authorization from the OFAC or be exempted by statute. A blocked nation or entity may be blocked under multiple programs based on different national security goals or interests.
Performing Due Diligence and Finding Sanctioned Businesses
The burden is on each company to perform its own due diligence and ensure that the business or nation they intend to work with is not on the OFAC’s sanctions list. This is considered a “strict liability” rule, and ignorance of the law is not sufficient to excuse non-compliance.
Countries, businesses, and individuals are added and removed from the sanctions list constantly as U.S. policy changes and international relations fluctuate. At this writing, there are 2542 “recent actions” updating the OFAC’s Sanctions Lists. The OFAC has Sanctions Lists for every conflict and hot spot on the globe, including:
- Specially Designated Nationals (SDN)
- Consolidated Sanctions List (non-SDN)
- Foreign Sanctions Evaders
- National sanctions lists
- “Blood diamond” trade sanctions
- Cyber-related sanctions
If you need to locate a country, business, or individual before entering a business transaction, the OFAC has a comprehensive search engine which allows you to look for individuals and entities with a variety of search parameters. If a check of an individual or entity comes back “flagged” as possibly sanctioned, you can search here for additional information.
Each sanctions list subpage also contains the most recent actions and updates for that type of sanction. This is essential for businesses who want to remain compliant with the OFAC’s strict regulations on obeying sanctions.
Staying Compliant and Protecting Your Company
In 2023, Microsoft paid approximately $3 million USD in fines and penalties to settle an OFAC suit for violations that took place between 2012 and 2019. The violations involved the sale and activation of 1339 Microsoft software licenses sold in the U.S. and Ireland to end-users in and around Cuba, Iran, Syria, Russia, and Russian-held Crimea. There was no evidence of malfeasance, or that Microsoft Corporation itself even knew of the sales (the licensees were subsidiaries). Nevertheless, it was a violation, which Microsoft acknowledged, and paid the fines.
Protecting your company requires top-down awareness and constant communication in both directions, as Microsoft discovered. The OFAC determined that one reason for Microsoft’s violations was lack of corporate contact with the overseas subsidiaries, especially Microsoft Rus LLC. The OFAC has outlined five components companies should follow to avoid making the same mistake.
- Management support. This includes all senior managers, including executives and the board of directors. Upper management must empower middle and lower management to report any issues and ensure clear lines of communication.
- Resources must be provided to ensure those tasked with compliance can do their job effectively.
- Upper management must create a corporate culture of compliance, following up on misconduct and encouraging creative solutions
- Creation of Internal Controls. Management and staff need to work together to define expectations, create procedures, and ensure everyone understands the process for OFAC compliance. Internal controls may include:
- Identifying the company’s primary business and functions to narrow sanction search protocols
- Devising policies and procedures that identify and flag prohibited transactions or activities
- Regularly scheduled internal audits to reinforce best practices and strengthen weak points (lack of routine audits was highlighted as one of Microsoft’s failings)
- Development of automated systems to reduce the human error factor in testing
- Risk Assessment. A thorough risk assessment should examine the company to determine where it is most likely to violate sanctions and how the risks can be addressed.
- Risks may exist in the supply chain, within corporate interactions, or in host nations. A risk assessment should analyze whether the risk is direct (contact with a blocked entity or individual) or indirect (contact with an entity which has connections with a blocked entity) and how that must be handled.
- The risk assessment can inform management where and how due diligence must be carried out during subsequent transactions.
- Testing and auditing. Following a risk assessment, testing should be carried out to assess whether the risks have been addressed or if they still exist. End-to-end tests should be carried out periodically to ensure the system remains free of errors.
- Audits are best carried out by an outside agency so that the results can be analyzed independently of the company’s own testers. Weaknesses and negative results should be reported at once to upper management for implementation of corrective measures
- Both tests and audits should be conducted regularly, and repeated any time there is a major change within the company.
- Training is essential for all employees who have any accountability for OFAC compliance. Not all personnel in a company will be required to monitor compliance, but those who are should have:
- Job-specific knowledge of OFAC sanctions and what to be aware of in their position
- Knowledge of who direct report is and how to report sanctions violations
- Understanding of the potential risks of violation and awareness of the reasons for the sanctions
- Access to resources for additional information about OFAC sanctions and reporting practices
The OFAC found that some common reasons for lack of compliance in businesses include:
- Lack of a formal compliance plan
- Failure of employees to understand the OFAC regulations
- Breakdown in communications with non-U.S. workers
- Insufficient or decentralized application of compliance functions
These were all strongly implicated in the Microsoft case. By learning from their errors, businesses can avoid making costly mistakes and avoid exposing themselves to compliance violations.