Restrictions on Russia Highlight Growing Complexity of U.S. Sanctions Regime
Enforcement by Treasury’s OFAC reaches into cybersecurity realm
Friday, March 18, 2022
By John Hintze
The stepped-up economic sanctions against Russia and the sectors they target exacerbate the burdens and risks for businesses facing compliance obligations – tasks both facilitated and complicated by technology.
Sector sanctions were first introduced by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in response to Russia’s 2014 invasion of Crimea, levied against Russia’s oil and gas and weapons-manufacturing sectors as well as debt and equity investments in organizations enabling violence in Ukraine. Sanctions were ramped up this February in Russia and expanded to include the breakaway republics in eastern Ukraine.
Sectoral sanctions rest atop OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list and jurisdictional sanctions imposed on countries such as Cuba and Iran. The jurisdictional ones prohibit doing business in designated geographies except when specified conditions, such as humanitarian aid, are verified. Sectoral sanctions can require significant additional effort to understand and comply with.
“That’s resulted in financial institutions having to devote more technology and compliance resources, to make sure the requirements of the directive are being met if there’s a transaction with one of the designated parties or for sanctioned activity,” said Ralph Wright, principal in the financial services risk management group at accounting, consulting and technology firm Crowe.
Amber Vitale, FTI Consulting
The sectoral sanctions’ impact extends to nonfinancial institutions “because debt could also be an invoice,” explained FTI Consulting managing director Amber Vitale. “If a sanctioned oil and gas company owed payment under an invoice to a U.S. person, the payment terms can’t go beyond the allowed timeframe.”
Knowing the Customer
A positive SDN match requires organizations to determine whether it is an SDN or another sanctioned party for which they must simply freeze or reject the assets, or investigate further to understand whether a license is required.
“Sanctions compliance is inherently complex, because organizations really need to know their customers and what the customer is doing,” Wright said, adding that applying jurisdictional and sectoral sanctions to an economy as large as Russia’s further compounds the issue.
Will Schisa, Davis Polk
OFAC sanctions have been imposed on the defense and surveillance-technology sectors in China, whose economy is much bigger and more globally connected than Russia’s. Davis Polk counsel Will Schisa said those sanctions are in place, after being initiated by the Trump administration, to address concerns about human rights violations against ethnic minorities in the Xinjiang Uyghur Autonomous Region.
“That’s significant, because prior sanctions were against countries not fully meshed in the global economy in the way China is,” said Schisa, who previously worked at OFAC. “It’s such a huge market, and so interconnected with the U.S. and the rest of the world, that dealing with sanctions that impact China is just materially different than those against a country like Iran.”
Most recent OFAC actions, Wright said, have stemmed from the more complex sectoral or jurisdictional sanctions regimes and increasingly impacted nonfinancial companies such as Amazon, Expedia and Black & Decker. They tend to be more at risk than the major financial institutions that devote significant resources to understanding sanctions complexities.
Amazon’s July 2020 settlement shows how technology facilitates the sale of products and services globally, potentially to sanctioned persons or entities, while regulators expect companies to use increasingly sophisticated technology to monitor for potential violations. OFAC said Amazon was deficient in analyzing transactions and relevant customer data.
In some instances, OFAC said, orders specifically referenced a sanctioned jurisdiction, a city within a sanctioned jurisdiction, or a common alternative spelling of the jurisdiction, “yet Amazon’s screening process did not flag the transactions for review.”
Atlanta-based fintech BitPay last year agreed to a $507,375 settlement for allowing persons in multiple sanctioned jurisdictions to transact with U.S. merchants using digital currencies, even though it had their internet protocol addresses and other location data that it was using for other purposes.
“Nonfinancial organizations and smaller financial institutions must have controls that are commensurate with their level of risk,” Wright said.
Resources at Scale
Rachel Fiorill, a Paul, Weiss, Rifkind, Wharton & Garrison litigation counsel and former enforcement section chief at OFAC, said the agency is taking a “strong view” that reliance on software improperly calibrated to identify potential involvement of sanctioned parties won’t be a shield against enforcement.
“Companies’ compliance departments really need to make sure they’re devoting their resources to match the scale and sophistication of their operations,” Fiorill said. “That’s going to continue to be a theme, particularly with respect to more sophisticated entities such as financial institutions and technology firms.”
Rachel Fiorill, Paul Weiss
She added that the newer Russia sanctions may result in false matches or acronyms not on the SDN list. Consequently, organizations must screen all available information regarding the persons and entities they interact with.
“Recently we’ve seen OFAC take a hard stance with companies that are collecting information for non-sanctions purposes that, through a sanctions lens, would have led them to realize there was a sanctions issue,” Fiorill said.
“A Novel Application”
Technology can also result in sanctions infractions indirectly. Non-U.S. entities must be wary of facilitating a sanctioned entity’s use of U.S. products or services, Fiorill said. OFAC settled with Société Internationale de Télécommunications Aéronautiques in 2020 for $7.8 million after determining that the Swiss-based company provided commercial services and software originating in the U.S., or involving U.S. servers, to customers designated as terrorists.
Fiorill called that “a novel application of OFAC’s jurisdiction.”
In a similar vein, OFAC annnounced a $2.1 million settlement in April 2021 with software company SAP, which sold its software subscription services to entities in Iran on cloud servers in the U.S.
Russia’s Ukraine invasion raised concerns about ransomware attacks. Ransom paid to a sanctioned entity could result in sanctions-related enforcement. Steps to mitigate that risk include ensuring that a company’s cybersecurity measures are updated and commensurate with the organization’s exposure, and alerting applicable government agencies while the attack is progressing.
“If organizations do that, they should stay on the non-public, non-monetary side of the enforcement spectrum,” Schisa said.
Vitale said that given sanctions’ increasing complexity, executives overseeing the compliance programs need to consider how they overlap with other compliance areas. Sanctions and anti-money laundering (AML) rules have long been connected, and recently OFAC has issued advisories in areas including ransomware and virtual currencies.
“The takeaway is that sanctions compliance is becoming tied to cybersecurity,” Vitale said. “If you don’t have risk officers thinking about their firms’ cybersecurity, they could be leaving their firms open to sanctions risk.”
She added that current Russia sanctions almost certainly will prompt targeted entities to seek to evade them by altering trade routes or by layering U.S. dollar payments, in which one party pays for goods or services that another, sanctioned entity receives.
Training is critical to give client-facing executives, and those on the front line in trading, investing, lending and payment processing, the ability to identify sanctions issues relevant to their job duties. “If they don’t have targeted sanctions training,” Vitale said, “they won’t know how to identify potential red flags that should be escalated to the appropriate party.”