One of the most powerful agencies in the United States’ international fight against terrorism, drug trafficking, and money laundering is the U.S. Treasury’s Office of Financial Assets Control (OFAC), the regulatory body that enforces U.S. sanctions around the world.
The main way OFAC exercises its power is by carefully monitoring international business activity and prosecuting or fining financial institutions and companies that it determines are in violation of U.S. policy.
In theory, organizations that find themselves in violation of any U.S. sanctions are encouraged — though not explicitly required — to report the violation to OFAC. This makes self-reporting to OFAC an organizational judgment call, one complicated by the fact that OFAC is not shy about handing out hefty penalties to violators, especially if they don’t self-report. In 2019, for example, OFAC fined UniCredit Bank and Standard Chartered Bank a total of $2.2 billion for violating multiple sanctions; and in 2020, OFAC has taken 18 actions totaling more than $18 million.
Another concern for multinationals is that OFAC’s former focus on financial institutions has expanded to include more investigations into corporate malfeasance, especially in the tech sector, which has prompted many international corporations to re-evaluate their anti-money laundering (AML) screening protocols with OFAC’s long reach and heavy hand in mind.
Holding executives accountable
At this year’s national conference for the Association of Certified Anti-Money-Laundering Specialists (ACAMS), held virtually in September, in a session entitled, The Latest on Sanctions: Enforcement Actions and Emerging Trends, panelists discussed OFAC’s impact on multinational organizations.
Vincent Gaudel, a compliance expert for Accuity, kicked off the discussion by pointing out that in addition to aggressively pursuing companies for sanctions violations, OFAC has also become much more inclined to hold individual executives accountable. “This should be made clear to everyone, because it is likely to set a precedent,” Gaudel said. There are personal risks for “business executives who engage in willful sanction violations,” he warned, because penalties for individuals can reach $20 million and 30 years in prison.
This year, two-thirds of the organizations OFAC has taken action against have been corporations, not financial institutions, Gaudel noted. “This is important because it clearly sends the message that sanctions compliance is for every company, not only for banks.”
A more aggressive OFAC
When it comes to sanctions, the larger issue facing many multinational corporations is their relationship to the United States. “The U.S. financial system is the largest in the world, and is also the biggest risk you have as an international institution,” said panelist John Smith, co-head of Morrison & Foerster’s National Security Practice and a former OFAC regulator. In many ways, the U.S. exerts its power around the world through sanctions, and “OFAC has been incredibly aggressive about enforcing U.S. nexus through the U.S. financial system,” Smith added. This means that financial institutions or companies that don’t even do business in the U.S. — but may have some connection to a U.S. entity through their supply chain — can be considered by OFAC to be part of the U.S. financial system, and therefore subject to prosecution.
Another way that OFAC has expanded its reach is by expanding the definition of a “U.S. person” to include almost any foreign person or entity that has even the remotest connection to the U.S. financial system.
“A lot of foreign entities are triggering U.S. jurisdiction for things they might not have expected,” said Melissa Duffy, a partner at Dechert. “For example, if you’re using a U.S. server or some sort of U.S. web platform or software-as-service that is being hosted in the U.S., but your business is otherwise outside the U.S. — that’s another way that, through the tech sector, OFAC can exercise jurisdiction over foreign persons.”
Self-report or not?
Not surprisingly, OFAC’s broad reach and increasingly aggressive tactics are prompting many organizations to reconsider whether and when to report sanctions violations to OFAC. Reporting is technically voluntary, and usually results in leniency; however, self-reporting can also backfire and result in a fine. Still, according to Accuity’s Gaudel, organizations that choose not to report a sanctions violation to OFAC are, if caught, penalized an average of 10-times more than those who self-report.
Still, there are circumstances where a company may reasonably choose not to report an apparent sanctions violation to OFAC, especially if it is a minor, one-time occurrence, but such decisions should be considered carefully, said MoFo’s Smith. “Companies that have committed an apparent violation but choose not to report it are taking a real risk, not only with the penalty they may receive, but also with their reputation,” he explained, adding that in such cases, “you are far more likely to get hammered by a more significant penalty, as well as a tarnished reputation that will be publicly disclosed.”
According to Dechert’s Duffy, OFAC has developed a particular interest in tech companies that process payments as part of their business. “OFAC is reaching a lot of companies that you don’t think of primarily as a payment company, but the payment activity is an important part of what they do,” she explained. And because “U.S. person status” can be triggered by almost any financial association with any business, Duffy said, extremely thorough screening protocols are paramount.
“You need to focus not just on your customers, but on all third parties that are feeding into your digital services platform,” Duffy said. “This includes parties that are uploading content onto your platform, or parties that you may be engaging to support your digital service, as well as your customers’ customers — people who are buying their digital services or content.”
Potential sanctions violations can lurk in the unlikeliest places, the panel agreed, so thorough due diligence in AML compliance can pay huge dividends.
Check out our additional coverage of this year’s ACAMS annual conference.