OFAC Compliance – A Deep Dive
Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. However, this article is not intended to provide legal or other professional advice, and should not be relied on as such.
Compliance with Office of Foreign Assets Control (OFAC) regulations is a challenging area for financial institutions. On the surface, these regulations seem simple: they tell us to not violate the foreign economic and trade sanctions set forth by the U.S. government. OFAC also provides a handy list of over 20,000 names of parties “blocked” by these sanctions. Millions are spent every year on specialized screening software to detect any blocked party names on transactions or within the customer base. Yet it is precisely because OFAC’s regulations are based on such a broad mandate that compliance is a challenge. Each financial institution must decide what degree of risk it is willing to assume, and establish compliance policies and procedures accordingly.
This article first provides a foundation for understanding OFAC and its mission to administer and enforce U.S. economic sanctions: what is the purpose of sanctions, how they come about, and OFAC’s Specially Designated Nationals and Blocked Persons List. Next is a review of the recommended framework for an effective OFAC compliance program, including a closer examination of risk assessment. “Deep dives” into some of the more nuanced aspects of OFAC compliance follow, including certain aspects of automated name screening, OFAC licensing and reporting, the complex “50% Rule,” and a look at OFAC civil penalties from a different perspective.
The Basics: What is OFAC?
OFAC is a financial intelligence and enforcement agency of the U.S. Treasury Department. It administers and enforces economic and trade sanctions that support U.S. national security and foreign policy objectives. OFAC operates under the Treasury’s Office of Terrorism and Financial Intelligence, and is primarily staffed by intelligence officers and attorneys.
OFAC as it operates today was established in 1950, when China entered the Korean war. President Harry Truman declared a national emergency and froze all Chinese and North Korean assets subject to U.S. control. In addition to freezing these assets, it began administering regulations and orders issued under the amended Trading with the Enemy Act.
What are economic sanctions?
Economic and trade sanctions are a means for one country to coerce, deter, punish or shame another country, group, or person into changing their policies, decisions, or behaviors. In today’s world, these include terrorism, international narcotics trafficking, human rights abuses, cybercrime, unrestricted nuclear weapons, military aggression, and many others.
They are referred to as economic and trade sanctions because their intent is to block the target’s access to the U.S. financial system and markets. Trade restrictions, travel bans, or freezing the target’s assets in the U.S. are common outcomes.
In essence, sanctions are a tool for responding to foreign policy issues, and the United States uses economic sanctions more than any other country. The U.S. currently has three dozen active sanctions programs: some target specific countries, while others are aimed at curbing activities like terrorism, cybercrime and drug trafficking. The United Nations is the second largest sanctioning body, followed by the European Union.
Sanctions are a form of intervention that provides a lower-cost, lower-risk course of action when there is a choice between diplomacy and war. Sometimes sanctions are issued while world leaders evaluate more punitive actions. For example, in 1990 the United Nations Security Council imposed comprehensive sanctions against Iraq only four days after Saddam Hussein’s invasion of Kuwait. Yet the use of military force was not authorized until months later.
How do U.S. economic sanctions come about?
U.S. sanctions stem from two forms of legal powers. One is Congress, which can pass legislation imposing new sanctions or modify existing ones. Several different laws may be involved with a single sanctions program, such as those pertaining to sanctions on Cuba and Iran.
However, the more common way that sanctions come about is through Presidential Executive Orders. In 1977 Congress passed the International Emergency Economic Powers Act, commonly known as IEEPA. IEEPA gives the President the power to declare a national emergency in response to an “unusual and extraordinary” foreign threat. It gives the President special powers to regulate commerce in order to address that threat. The legal authority of the Executive Order allows a U.S. president to exercise power unilaterally and often very quickly, deploying sanctions without any input from Congress.
The executive and the legislative branches of U.S. government sometimes clash on sanctions policy. For example, in July 2017, Congress passed, and President Trump reluctantly signed, a bill imposing new sanctions on Russia for interfering in the previous U.S. presidential election. The bill also placed limits on Trump’s ability to lift any sanctions on Russia, and it passed with veto-proof majorities.
Process for sanctions through Executive Orders
The process of deploying sanctions through a Presidential Executive Order begins with some type of foreign crisis, such as Russia’s invasion of Ukraine’s Crimea region. The National Security Council (NSC), which leads the National Security Agency (NSA), then begins to facilitate discussions among federal agencies, and crafts the scope and list of initial targets. The NSC then submits a recommendation to the president and the Cabinet. Upon their agreement, OFAC begins drafting a sanctions Executive Order that fits the desired policy impact, and is sufficiently broad to impact both initial and potential future targets. OFAC consults with several federal agencies, such as the State Department, the Department of Justice (and any of its applicable agencies, such as the DEA or Homeland Security), as well as the Commerce Department. The Commerce Department’s participation is very important, because its Bureau of Industry and Security (BIS) enforces the Export Administration Act, which regulates foreign trade.
OFAC’s draft Executive Order is then reviewed by the State Department, the Department of Justice, and White House attorneys, to ensure legality and scope of power under IEEPA. Finally, the NSC prepares the final Executive Order, the list of initial targets, and the formal policy decision, and presents it to the president for signature. OFAC then publishes the corresponding sanctions regulations in the Federal Register and updates the Specially Designated Nationals and Blocked Persons List.
Image source: Wikipedia – United States Sanctions (2020)
Types of economic sanctions
OFAC administers the three dozen existing U.S. sanctions programs. Historically, these programs are referred to as either comprehensive or targeted.
Comprehensive sanctions typically prohibit all commercial activity with an entire country – such as North Korea or Cuba. However, it is often only specific individuals and organizations within a country’s government – not entire the country – that are the sanctions targets. Nevertheless, OFAC sanctions programs are typically named based on the country involved (such as Venezuela, Libya or Nicaragua) even though the sanctions are not all-encompassing.
Currently, the most comprehensive sanctions target Cuba, North Korea, Iran, and Syria. Although restrictions on Cuba were loosened somewhat during the Obama administration, they reverted to their original state under Trump. North Korea and Syria sanctions are extremely comprehensive. Iran’s complex sanctions primarily focus on the country’s government, its financial sector, and its aviation and petroleum industries.
Targeted sanctions programs, in contrast, are aimed at specific activities, such as terrorism, international narcotics trafficking, cyber-crime, or foreign interference in a U.S. election, for example.
Traditionally, sanctions prohibit only the imposing country’s citizens and companies from doing business with a blocked party. However, the U.S. has also imposed extra-territorial sanctions (also known as secondary sanctions). These are intended to restrict the economic activities of other countries’ governments, businesses, and individuals to ensure their compliance with U.S. sanctions programs. Many governments consider these extra-territorial sanctions to be a violation of their sovereignty and of international law.
The Specially Designated Nationals and Blocked Persons List (SDN List)
As of mid-February 2021, OFAC’s SDN List had over 20,400 party names. These include “primary” names, as well as alternate names, or aliases. Names or identifying nomenclature of 277 aircraft and 403 vessels are also included in this total.
The targeted vessels are predominantly associated with Iran, Cuba, and North Korea; the aircraft are almost all from Iran (as per U.S. sanctions on Iran’s aviation sector) and the remainder are tied to Venezuela. The targeted vessels are primarily Iranian, but also include those of North Korean, Venezuelan, and Cuban origin. Sanctioned vessel names are of primary concern to U.S financial institutions financing export transactions, to ensure no such vessel is being used to transport the goods.
Collectively, all names on the SDN List are known as Specially Designated Nationals and Blocked Persons, or SDNs. The SDN’s assets under U.S. control are considered “blocked” or “frozen.” These assets may include bank accounts, real estate, business enterprises, and other items of value. All U.S. persons, including U.S. businesses and their foreign branches, wherever located, as well as foreign financial institutions with U.S. offices or subsidiaries, are forbidden from transacting with an SDN.
When considering the SDN List, it is important to remember that the “F” in OFAC stands for “foreign.” Accordingly, SDNs are not domestic terrorists, domestic narcotics traffickers, or other U.S. parties engaged in activities otherwise targeted by U.S. sanctions.
However, there are a small number of U.S. parties on the SDN List, based on their participation or association with a foreign sanctioned party, group, or activity. As of mid-February 2021, these included:
- Twelve individuals: three with U.S. dual citizenship or temporary/permanent resident status; and nine foreign individuals w. U.S. addresses
- Forty-five U.S. companies: all defunct shell companies established by narcotics traffickers
- Seven U.S.-based charities with connections to terrorist financing. For example, in 2001 the Holy Land Foundation (HLF), the largest Muslim charity in the U.S., was targeted for providing material support to Hamas. All its assets were frozen, and the entity itself and several individuals were indicted. Subsequently, a federal jury found HLF and five persons who worked with it guilty of thirty-six counts related to the illegal transfer of millions of dollars to Hamas, as well as money laundering and tax fraud.
- Four foreign-based businesses with a U.S. location or address
- One aircraft registered in the U.S.
- A criminal gang originating in Los Angeles, that is now considered a Transnational Criminal Organization
The OFAC compliance program
Every U.S. financial institution should have a formal OFAC Compliance Program in place, as should businesses that have dealings with foreign parties regardless of where located.
In May 2019, OFAC published a Guidance Document[i] describing what it considers to be the core elements of an effective OFAC Compliance Program.
This structure may look familiar to anti-money laundering compliance professionals. It includes most of the same pillars of an anti-money laundering program, minus the Customer Due Diligence element.
However, in contrast with the Bank Secrecy Act, OFAC regulations do not provide any clear, concise, specific rules to follow. Instead, the answer to the question of how to comply with OFAC sanctions is, essentially, “don’t violate the sanctions.”
It is a common misconception that screening transactions and counterparties against the OFAC SDN list constitutes compliance with OFAC regulations. In fact, there are no regulations that require any type of OFAC SDN List screening. OFAC describes the SDN List as a tool to help U.S. parties in their efforts to comply with sanctions programs. If a party is involved in sanctioned activities – such as international narcotics trafficking – but that party’s name is not on the SDN list, having dealings with that party is effectively a sanctions violation. This is because sanctions are not entirely about names, but also the underlying targeted activities – whether that be transnational organized crime, terrorism, military aggression towards another country, and many others.
OFAC risk assessment for financial institutions
OFAC is the epitome of “risk based compliance” because every single entity has its own unique level of risk of dealings with sanctioned parties or countries.
Every financial institution should have a comprehensive, written OFAC risk assessment that is reviewed and updated regularly. Sanctions programs are constantly changing, as political and economic events occur around the world.
An OFAC risk assessment begins by identifying every area and process, and evaluating the risks of dealings with a sanctioned party or country. Some of the most common areas with a higher OFAC risk exposure for a financial institution include:
|Customers||Nonresident aliens, PEPs, foreign financial institutions, foreign legal entities|
|Payments||Cross-border wires and Automated Clearing House (ACH)|
|Foreign correspondent banks||Export finance, letters of credit, loan participations|
|Other financial services||Payable-through accounts, private banking|
|Employees||Foreign employees on work visas; employees of foreign branches/subsidiaries|
Export financing presents a particularly high OFAC risk. A financial institution handling export letters of credit, documentary collections, and other trade services must ensure that no party to an export transaction, no bank, no ship, and no country involved are OFAC-sanctioned. Depending on the commodity, OFAC licensing may come into play with exports to sanctioned countries. (OFAC licensing is discussed further below.)
Vendors may or may not present an OFAC risk. If the financial institution only deals with well-established U.S. based companies, then OFAC risk is negligible to non-existent.
Deep Dive: OFAC SDN List screening practices
A financial institution’s OFAC risk assessment should direct its risk-based policies and procedures. Automated SDN List screening is a core element of most institutions’ OFAC compliance processes.
However, it should be re-emphasized that there are no regulations or requirements for how, what, or when to screen against the SDN List – or even whether to screen at all. OFAC compliance centers on each institution’s unique risk assessment and level of risk tolerance.
This Deep Dive segment includes some of the most commonly-recommended best practices regarding SDN List screening, as well as certain challenges with SDN party names and how to address them.
Recommended best practices
SDN List screening generally involves two main areas: payments and counterparties.
Automated OFAC screening of electronic payments is a well-accepted best practice. Payments, both outgoing and incoming, are a significant aspect of a financial institution’s activities, and the bulk of these will be customer-driven. Foreign, or cross-border, transactions pose a higher potential OFAC risk. Most cross-border payments involve some type of electronic funds transfer (EFT) – typically wire transfers or international ACH.
Should a financial institution attempt to segregate domestic and cross-border payments for OFAC screening? The type of EFT impacts this decision. Wire transfer screening is a cost/benefit and risk trade-off. The complex programming required to identify and segregate cross-border wire transfers for OFAC screening is, in the long run, less efficient and potentially riskier than simply screening all wire transfers. Statistically, more false positive matches may need to be managed, but these are usually very obvious. Screening software settings may also mitigate excessive false positives.
Automated Clearing House (ACH) payments, however, allow for a different approach. It is a common practice in the U.S., and OFAC has even opined,[ii] that domestic ACH transactions do not need to be screened. According to the FFIEC’s BSA/AML Examination Manual, “[…] the Originating Depository Financial Institution (ODFI) is responsible for verifying that the Originator is not a blocked party and making a good faith effort to ascertain that the Originator is not transmitting blocked funds. The Receiving Depository Financial Institution (RDFI) similarly is responsible for verifying that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC regulations.”[iii]
International ACH transactions (IATs) either start or end in a foreign country; therefore, reliance between financial institutions cannot be assumed because one financial institution is based outside the United States. Fortunately, IATs are clearly identifiable based on codes, and thus are relatively simple to segregate and OFAC screen.
With respect to both wire transfers and IATs, every field on these payment records should be included in automated OFAC screening. These include the Originator and Beneficiary names and addresses, names and addresses of all financial institutions, and all free-form text fields (Originator to Beneficiary Information (OBI), Reference For Beneficiary (RFB), Bank to Bank Information (BBI) and all remittance fields.
Export or import finance and trade services pose a significant OFAC risk, because these inherently involve foreign parties. As well, most OFAC country-based sanctions programs are heavily focused on restricting trade. Accordingly, the underlying documents and the payments involved in a trade finance transaction should be OFAC screened – not only for blocked parties or countries, but also any sanctioned vessel names.
Checks are another a significant payment type for financial institutions. These include checks drawn on customer accounts, as well as deposited by customers. For most U.S. institutions, the majority of checks negotiated involve another U.S. financial institution. Accordingly, the “ACH philosophy” would seem to apply to domestic checks, whereby each financial institution ensures its customer is not a blocked party. Financial institutions that clear foreign-drawn checks deposited by their U.S. customers should, however, evaluate the OFAC risks involved with these types of payments and whether OFAC screening of foreign check payor names is an appropriate risk-based procedure.
Customers are the largest category of counterparties for a financial institution.
OFAC screening of a new customer name, and now the name of any beneficial owner of a legal entity customer, is a commonly-accepted best practice as part of the customer due diligence process. The CIP (or customer identity verification) Rules state that the financial institution should determine “whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators.”[iv] However, according to the FinCEN guidance document titled “FAQs: Final CIP Rule”[v] there has yet to be any such list designated, and lists published by OFAC have not been designated as lists for purposes of the CIP Rules.
Nevertheless, OFAC screening of new customer names and any beneficial owners’ names as part of customer identity verification and due diligence is a recommended best practice, from an OFAC risk mitigation perspective, even if not for compliance with the CIP Rules.
Another established best practice is to OFAC screen the entire database of existing customer names on a regular basis, as well as immediately after every SDN List update.
Failure to follow this practice has resulted in OFAC sanctions violations for several financial institutions over the years. For example, in 2010 Discover Financial Services was assessed a civil penalty for maintaining a personal credit card account over a two-year period for an individual on the Narcotics Trafficking Kingpin sanctions list.[vi]
“Periodic” screening is open to interpretation and risk assessment. A financial institution that screens the entire customer database after every OFAC SDN List update is doing so multiple times every month. An institution that does not follow this practice may have a much greater exposure. For example, if the customer database is screened only once per month, and a few days later an SDN List update results in a customer being designed as a blocked party, an entire month will pass before the party is detected. Meanwhile, that customer could have processed a large number of transactions. OFAC civil penalties are based in part on transaction amounts and volumes.
Non-customer counterparties could include vendors, employees, foreign correspondent banks or participant banks.
If the financial institution has no dealings with non-U.S. vendors, there’s no perceived OFAC risk – and accordingly, no justification for screening new or existing vendors in accounts payable systems. Similar justification applies to OFAC screening of employee names. If all employees are U.S. based or have authorization to work in the U.S. then OFAC screening their names provides little added value.
Foreign bank counterparties are typically the subject of extensive due diligence at the onset of the relationship, which should include OFAC screening – especially if the bank is domiciled in, or has a branch in, a country where sanctions have been imposed.
Ultimately, the financial institution’s OFAC risk assessment should describe and document the risks associated with all types of counterparties, and screening processes should then be designed based on the identified risks.
Automated OFAC screening: challenges with SDN party names
Issues with automated OFAC screening often arise based on certain aspects of sanctioned party names. These include “weak aliases” and non-Western name parsing.
OFAC sanctioned party records include both the party’s primary name as well as any aliases (AKAs). OFAC designates party aliases as either “strong” or “weak”. “Weak” aliases are nicknames, noms-de-guerre, and extremely common acronyms. OFAC includes weak aliases because parties may refer to themselves, or may be referred to, by such names, and so these may be useful for identification purposes. OFAC guidance specifically states that “[…] OFAC does not expect that persons will screen for weak AKAs, but expects that such AKAs may be used to help determine whether a “hit” arising from other information is accurate.”[vii]
Non-Western Name Parsing
In certain cultures, it can be more challenging to break down, or parse, an individual’s name between first, middle and last name (surname).
In Spanish cultures, a person can have a lengthy surname. Often there are two last names, where the first is the person’s father’s last name, and the second is the mother’s maiden name. For example, the last name of Alexandria Ocasio Cortez is Ocasio Cortez. This reflects her father’s last name, Ocasio, and her mother’s maiden name, Cortez.
In Asian cultures, a person’s surname is given first, followed by their first name. Chan Kong-sang is therefore parsed as first name Kong-sang, and last name Chan. (Chan Kong-sang is the original name the actor Jackie Chan.)
Arabic names are also complex. Take, for example, an individual named Saleh ibin Tarick ibin al Khaalid al Fulan. Saleh is his personal name, used by his family and friends. Ibin translates as “son of”, therefore Tarick is Saleh’s father. Ibin Khaalid means that Tariq is the son of Khaalid, therefore Khaalid is the grandfather of Saleh. Finally, al-Fulan is Saleh’s family name. This person’s full name therefore translates to: Saleh, the son of Tariq, the son of Khaalid, of the family of al-Fulan.
SDN party names must be accurately separated into their corresponding elements to ensure accurate automated OFAC screening. This was a significant challenge to software developers for many years, as OFAC continued to add new SDN List file formats to accommodate different screening software applications.
In 2015, OFAC became the first to implement a new “universal” sanctions list format. Jointly developed by the United Nations and the Wolfsberg Group called the XSD File format, or “advanced sanctions data model.” This format has many advanced capabilities, particularly with identifying weak aliases and party name parsing. Specific labeling goes beyond the standard “last name, first name” to allow unique name parts to be properly ordered based on the nomenclature rules of a specific culture, language, or region.
Importantly, the XSD format did not replace the prior standard XML format. OFAC continues to support all of its prior data formats, including the legacy fixed-width, CSV, PIP (pipe delimited), and DEL (@ delimited).
Note that weak aliases are only identified in the XML and XSD formats; flat and delimited files lack this detail. If a financial institution’s current OFAC screening software cannot identify and exclude weak aliases, or cannot properly parse non-Western names, the OFAC SDN List file format employed by the system should be evaluated to determine if the XML, or the most advanced XSD file format, can be used instead.
Deep Dive: OFAC Licenses
Economic sanctions generally prohibit all dealings with a targeted party, faction, government or country. However, the U.S. encourages activities such as humanitarian assistance; and desires to avoid detrimental impacts on significant sectors of its own economy. U.S. industries that rely heavily on exports of goods and services are often the most negatively impacted by economic sanctions. For example, the U.S. exports approximately 25% of its agricultural production each year, and for certain commodities, exports are as high as 75%. OFAC licenses are a means to mitigate sanctions’ negative impacts.
A license is an authorization from OFAC to engage in a transaction that otherwise would be prohibited, such as agricultural exports. OFAC licenses are categorized as specific or general.
A specific license is an authorization for a U.S. party to conduct a specific activity that would otherwise be prohibited by sanctions. OFAC requires a written application for a specific license prior to engaging in the activity, and a separate license is required for each instance of the activity. Some examples where specific licenses are required include traveling to Cuba and exporting agricultural commodities, medicine, and medical devices to Iran and Sudan.
A general license, on the other hand, is a type of blanket exception to sanctions regulations for specific activities. A general license authorizes a particular type of transaction without the need to apply for a specific license. For example, exports of U.S. agricultural products are permitted to Syria, and non-governmental organizations may conduct humanitarian projects in North Korea, both under authorization from general licenses.
OFAC publishes every general license associated with a particular sanctions program on its website, on the sanctions program’s details page. If there is no general license for a particular activity, or the activity is not authorized within the text of the regulations, then it is prohibited unless authorized by a specific license.
Deep Dive: OFAC Reporting Requirements
When a financial institution’s OFAC screening system flags a match to a sanctioned party on a transaction such as a wire transfer, the first step is to evaluate whether the match is valid or a false positive. If there are characteristics indicating it may be a valid match, OFAC offers an online inquiry form for “in process wires.” However, OFAC will typically respond with the following questions, which the financial institution could evaluate independently without contacting OFAC:
- Does the party address also match, or simply the country?
- Is there any other identification or detail that would point to this being a valid match?
- What information has the customer provided as to the purpose of the transaction?
- Could the transaction be exempt from OFAC sanctions based on a general or a specific license?
Blocking or rejecting transactions
Assuming the match is determined to be valid, the financial institution’s next steps are to either block or reject the transaction, and to report the transaction to OFAC within ten days of this action.
To block a transaction is to (a) not process the transaction, and (b) hold/freeze the funds. Rejecting means simply refusing to process the transaction.
A transaction must be blocked when a blockable interest exists, meaning that funds are destined for, or are received from, an SDN. For example:
A bank flags an OFAC match on an outgoing wire transfer from its customer to a beneficiary located in St. Petersburg, Russia with the name Internet Research Agency LLC. This entity is an SDN under OFAC’s cybercrime sanctions. Because the bank has these funds in hand, and they were destined for the benefit of a sanctioned party, the transaction must be blocked.
Blocked funds must be held in a separate interest-bearing account. OFAC will ultimately determine the disposition of the funds.
A transaction without a blockable interest must be rejected. One example would be an OFAC match on a commercial payment destined for the account of ABC Import-Export in North Korea, whose account is with a bank in South Korea. Neither the beneficiary nor its bank is an SDN, so there is no blockable interest in this transaction. However, under the North Korean sanctions regulations, all trade with North Korea is prohibited. By processing this payment, a financial institution would be effectively facilitating trade with North Korea. Accordingly, the transaction should be rejected.
Unlike Suspicious Activity Reports, there are no secrecy or confidentiality requirements with respect to blocked or rejected transactions or reporting to OFAC. In fact, a financial institution should advise its customer that their transaction has been blocked or rejected, as the customer may wish to petition OFAC for either a release of the blocked funds or a specific license to complete the transaction.
Reporting blocked/rejected transactions
A blocked or rejected transaction must be reported to OFAC within ten days of the decision to do so. OFAC provides the online ORS system, where a blocked or rejected transaction report may be filed electronically by completing an online form.[viii] Use of ORS is voluntary, and pre-registration is required. Alternatively, an electronic form of the report may be emailed to OFAC.
Annual Report of Blocked Property
Each year, every financial institution or other entity holding blocked assets must file an annual report with OFAC providing details about the funds. The effective date of the report is June 30th, with a due date of September 30th. The report requires extensive details about each account or entry, such as the nature of the transaction associated with the block, the sanctions target involved, and the sanctions that required the blocking.
Deep Dive: Entities Owned by Blocked Persons, or the 50% Rule
“[…] any entity owned in the aggregate, directly or indirectly, 50 percent or more by one or more blocked persons is itself considered to be a blocked person. The property and interests in property of such an entity are blocked regardless of whether the entity itself is listed in the annex to an Executive order or otherwise placed on OFAC’s list of Specially Designated Nationals (“SDNs”). Accordingly, a U.S. person generally may not engage in any transactions with such an entity, unless authorized by OFAC.”
– OFAC’s Revised Guidance on Entities Owned by Persons
Whose Property and Interests in Property Are Blocked
OFAC’s “50% Rule” is a complex and challenging requirement for economic sanctions compliance. One particularly significant aspect of this rule is that it speaks only to ownership and not to control. An entity that is controlled, but not owned, 50 percent or more by one or more SDNs is not considered automatically sanctioned per the 50 Percent Rule. There must be actual ownership.
Second, OFAC sanctions generally prohibit transactions involving, either directly or indirectly, a blocked party, even if that party is acting on behalf of a non-blocked entity. OFAC advises caution when conducting business with a company in which a blocked party is involved, even if the party does not have 50% ownership. For example, sanctions prohibit entering into a contract that is signed by an SDN on behalf a company.
Examples of the 50% Rule
[Note: all company names in the following examples are fictitious]
Example 1: Direct and Indirect Ownership
SDN David Guberman owns 50% of a company called Acme Corp. Acme Corp owns 50% of another company, Altex Manufacturing. Both Acme Corp and Altex Manufacturing are considered blocked parties under the 50% Rule, because Acme is directly owned 50% by an SDN, and Altex is indirectly owned 50% by that same SDN.
Example 2: Indirect and Aggregate Ownership
Now assume David owns 50% of Acme and 50% of Altex. Both of these companies remain blocked parties, based on direct ownership of 50% or more by an SDN. Each of these companies owns a 25% share in Crypto Partners Limited. Crypto Partners is considered a blocked party as well, because it is directly owned 50% by two entities that are blocked parties pursuant to their direct ownership by David.
Example 3: Aggregate Direct Ownership
In this third example, David owns 15% of GV Exports Ltd, and another SDN, Vladimir Venkov, owns 40%. GV Exports Ltd is a blocked party under the 50% Rule, as OFAC aggregates ownership by one or more SDNs when evaluating the blocked status of an entity. If David and Vladimir each owned 15% of GV Exports Ltd, it would not be considered a blocked party because their interests total less than 50%.
Mitigating risk with the 50% Rule
OFAC does not publish information about entities owned by sanctioned parties on any type of list, which therefore eliminates automatic screening and simple name matching to detect these blocked entities in transactions, customers or other counterparties. Rather, it places the burden on financial institutions and other U.S. parties to analyze complex, multi-tiered ownership structures designed specifically to disguise the ultimate beneficial owners. As well, sanctioned individuals frequently divest their ownership and transfer it to family members, while continuing to retain control over the entity. According to Anders Rodenberg, an expert on OFAC sanctions, 6.5 million companies change ownership every month.[ix] Clearly, the 50% Rule is an incentive for financial institutions to apply rigorous customer due diligence for any legal entity customer.
Recommendations to financial institutions for managing risk with the 50% Rule include the following:
- Examine closely the ownership structure of legal entity customers located in countries with a significant presence of individuals and entities on the SDN list. Apply similar due diligence to domestic entities with a foreign parent or affiliates.
- Capture beneficial owner names electronically and ensure these are being OFAC screened, similarly to primary customer names.
- Partner with correspondent institutions to develop a communication and information sharing process in the event that institution flags a transaction to be blocked or rejected based on a 50% Rule violation.
- Invest in technology that provides public ownership data, negative media, and corporate structures. Oftentimes the media publishes stories about companies associated with sanctioned parties. For example, in 2015 the Wall Street Journal reported that OFAC had identified Seguros Continental S.A., a Honduran firm, as “more than 50% owned” by Inversiones Continental S.A. de C.V., a Honduran business owned by the Rosenthal family, whom the U.S. has charged with laundering money for drug cartels.[x] Inversiones Continental S.A. and Rosenthal family members are sanctioned parties on the OFAC SDN list, but Seguros Continental S.A. does not, as of the date of this article.
Deep Dive: OFAC Civil Penalties
Over the past fifteen years, OFAC has assessed multi-million dollar civil penalties against financial institutions and companies for sanctions violations. While media coverage of these enormous fines can generate significant concern from a financial institution’s executives and auditors, there is one important unifying factor to consider: all of these penalties were the result of deliberate and intentional acts, either to literally evade sanctions altogether, or knowingly allowing weaknesses in processes or systems to go unaddressed, sometimes for years. The following are several representative examples of these deliberate and intentional behaviors.
Deliberate and intentional acts
In 2012, HSBC was fined $1.9 billion[xi] and Standard Chartered Bank was fined $667 million[xii] for an activity known as payment stripping. A number of other major financial institutions have also been assessed civil penalties for the same activity over the years. Payment stripping is a deliberate process performed by a non-U.S. bank to physically remove any reference to a U.S. sanctioned party from wire transfer instructions so that the transaction will process through a U.S. bank without generating an OFAC match. These institutions knew exactly what they were doing, and this activity provided a profitable niche market in assisting individuals and groups associated with terrorism and narcotics trafficking to move funds to the U.S. undetected.
In 2014, Bank of America was fined $16.6 million[xiii] for a “demonstrated reckless disregard for U.S. sanctions requirements.” For more than two years, the bank knew about, but failed to address, significant issues with their OFAC screening system which prevented the identification of potential matches to SDNs with multiple or multi-part last names. Between 2005 and 2009 the bank processed several hundred transactions for six SDNs under the narcotics trafficking sanctions.
In 2018, Zoltek Companies Inc. was fined $7.8 million[xiv] for continuing to purchase supply chemicals from a Belarus company after it became an OFAC sanctioned party. Zoltek executives knew this and deliberately chose to ignore the sanctions, making twenty-six separate purchases over three years after the supplier was added to the SDN list. The purchases were made through a Zoltek subsidiary in Hungary.
A twist on OFAC civil penalties
Sanctions regulations prohibit “deliberately having dealings with known sanctioned parties.” But what if those dealings are unwillingly the result of criminal extorsion?
A landmark OFAC case resulting from extortion involved Chiquita Brands International.[xv] Chiquita had significant banana growing operations in parts of Colombia over which several paramilitary/leftist rebel groups fought for control. These groups, known as United Self-Defense Forces of Colombia (“AUC”), the National Liberation Army, and the Revolutionary Armed Forces of Colombia were all sanctioned parties under the terrorism sanctions due to their extremely violent activity, kidnapping, and massacres of local populations. In 1997 Chiquita began paying AUC, and later the two other groups, in exchange for protection for the company’s employees. Between 1997 and 2004 Chiquita paid these organizations almost $2 million, knowing they were OFAC sanctioned parties. Company executives were aware of the payments, which were disguised in the company’s books. Ultimately, the company’s attorneys convinced them to go to OFAC, and a $25 million penalty was the result. Chiquita also pulled all of its operations out of Colombia in 2004.
Another very real risk of potential dealings with a sanctioned party is ransomware payments. Ransomware is a type of computer malware that completely blocks access to computer systems and data, usually by encryption. The criminals then exort a ransom, or payment, from the victim to get their computer unlocked. Often the criminals threaten to completely wipe the computer, or even to publicly disclose the victim’s data, if the ransom isn’t paid. Payment is always required in digital currency to avoid banks and retain anonymity.
Ransomware attacks are becoming more frequent, sophisticated, and costly. The FBI has reported[xvi] that from 2018 to 2019, there was a 37% increase in reported ransomware cases and a 147% increase in associated losses. Ransomware attacks have grown even more in the wake of COVID-19, targeting the online systems that people and companies rely on to continue doing business.
Typically, ransomware attacks are on large corporations, but are increasingly targeting small- and medium-sized businesses, local governments, hospitals, and school districts, which often have fewer resources to invest in cyber protection.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
– OFAC Advisory on Potential Sanctions
Risks for Facilitating Ransomware Payments
A number of malicious cyber actors are sanctioned parties under OFAC’s cybercrime and other sanctions programs, including perpetrators of ransomware attacks and parties who facilitate ransom payments. If a ransomware demand may have a connection to a sanctioned party, the victim – or a party facilitating a ransom payment on behalf of a victim – should contact OFAC for guidance. In rare cases, OFAC may grant a special license to make a ransom payment to an SDN. If the attack involves a U.S. financial institution, or may cause significant disruption to a firm’s ability to perform critical financial services, the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection can provide assistance.
Summary of key points
- The OFAC SDN List is a tool to help U.S. parties comply with sanctions regulations. However, there are no regulations that require automated SDN List screening of transactions or counterparty names.
- The “F” in OFAC stands for foreign. The SDN List does not include, nor do economic and trade sanctions target, U.S.-based activities or parties. However, the SDN List does include a very small number of individuals, companies and groups with ties to the U.S.
- A written OFAC Compliance Program, including a comprehensive OFAC risk assessment, is essential for any financial institution.
- OFAC licenses permit otherwise prohibited activities involving sanctioned parties or countries. Details on general licenses by sanctions program are available on OFAC’s website.
- Rigorous due diligence on legal entity customers is essential to mitigate potential violations of OFAC’s 50% Rule.
- OFAC civil penalties are always the result of deliberate/intentional acts, not unintentional errors.
- Ransomware attacks carry an additional risk of potential sanctions violations in making payments to cyber criminals.
[i] Department of the Treasury, Office of Foreign Assets Control. “A Framework for OFAC Compliance Commitments.” May 2019. https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf
[ii] Department of the Treasury, Office of Foreign Assets Control. “Guidance to National Automated Clearinghouse Association (NACHA) on Domestic and Cross Border ACH Transactions.” 9 November 2004. https://home.treasury.gov/system/files/126/gn121404.pdf
[iii] Federal Financial Institutions Examination Council (FFIEC) BSA/AML Manual. “Office of Foreign Assets Control – Overview: Screening Automated Clearing House Transactions” p. 148. 27 February 2015.
[iv] 31 CFR § 1020.220(a)(4) Customer Identification Program Requirements for Banks: Comparison with Government Lists.
[v] Department of the Treasury, Financial Crimes Enforcement Network. “Guidance on Customer Identification Regulations – FAQs: Final CIP Rule.” January 2004. https://www.fincen.gov/sites/default/files/guidance/finalciprule.pdf
[vi] Department of the Treasury, Office of Foreign Assets Control. Enforcement Information for December 21, 2010. https://home.treasury.gov/system/files/126/12212010.pdf
[vii] Department of the Treasury, Office of Foreign Assets Control. FAQ #124 dated 18 January 2011. https://home.treasury.gov/policy-issues/financial-sanctions/faqs/124
[viii] Department of the Treasury, Office of Foreign Assets Control. OFAC Reporting System. https://home.treasury.gov/policy-issues/financial-sanctions/ofac-reporting-system
[ix] Allsec Technologies. “Implementing CDD in light of the 50% OFAC rule.” 01 November 2019. https://www.allsectech.com/implementing-cdd-in-light-of-the-50-ofac-rule/
[x] The Wall Street Journal. “U.S. Says Honduras Seizes Shares in U.S.-Blacklisted Firm.” 22 October 2015. https://www.wsj.com/articles/BL-252B-8513
[xi] Department of the Treasury, Office of Foreign Assets Control. “Treasury Department Reaches Landmark Settlement with HSBC.” 11 December 2012. https://www.treasury.gov/press-center/press-releases/Pages/tg1799.aspx
[xii] The Wall Street Journal. “Standard Chartered’s Fine Tally Runs to $667 Million.” 10 December 2012. https://www.wsj.com/articles/BL-DLB-40874
[xiii] Department of the Treasury, Office of Foreign Assets Control. “Bank of America, N.A. Settles Potential Civil Liability for Apparent Violations of Multiple Sanctions Programs.” Enforcement Information for July 24, 2014. https://home.treasury.gov/system/files/126/20140724_bofa.pdf
[xiv] Department of the Treasury, Office of Foreign Assets Control. “Zoltek Companies, Inc. Settles Potential Civil Liability for Apparent Violations of the Belarus Sanctions Regulations.” Enforcement Information for December 20, 2018. https://home.treasury.gov/system/files/126/20181220_zoltek.pdf
[xv] NBC News.com. “Chiquita admits to paying Colombia terrorists.” 14 March 2007. https://www.nbcnews.com/id/wbna17615143
[xvi] Department of the Treasury, Office of Foreign Assets Control. “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” 01 October 2020. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf