September 10, 2021
By Alejandro Leáñez, ACSS
Technology companies with cross-border activities across the globe can be subject to sanctions. The rapid advance of the technology sector creates worldwide compliance challenges. OFAC has been turning its focus on the technology sector with decisive enforcement actions that are increasingly requiring high-growth technology companies to incorporate strong compliance teams to prevent such actions.
We will show several enforcement actions from OFAC, ranging from software, cloud services and global information technology services to financial technology (Fintech), maintenance and support, among others.
On April 29, 2021, German software company SAP SE, which provides cloud-based services, enterprise application software, and related maintenance and support, reached a settlement with OFAC and agreed to pay $2,132.174. The total value of the transactions constituting the apparent violations was $3,693,898.
OFAC settled on that figure because it concluded that SAP’s conduct was “non-egregious” and “voluntarily self-disclosed”. It also takes into account SAP’s remedial response.
The settlement consisted of potential civil liabilities arising from 190 apparent sanctions violations encompassing the export of software and related services from the US to Iran. SAP had knowledge or reason to know that the software or services, and the cloud-based software subscription services sale, were specifically for the Iranian market.
SAP used “pass-through entities”, which consisted of partners that sold licenses and services to companies in third countries, including companies controlled by Iranian companies that provided the SAP software to users in Iran. SAP servers in the US were used for the software delivery, and SAP’s US-headquartered content delivery provider was used.
Two of SAP’s cloud business group subsidiaries in the US, with SAP’s knowledge or reason to know the services would be provided specifically to Iran, were used by SAP for the sale of cloud-based subscription services to third country-based customers that then provided access to users located in Iran.
According to OFAC, the total value of the transactions constituting the apparent violations was $3,693,898. SAP appears to have violated § 560.204 of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR), which prohibits the export, re-export, sale, or supply, directly or indirectly from the US, or by a US person, wherever located, of any goods, technology, or services to companies and individuals in Iran, including the export, re-export, sale, or supply to a third country undertaken with knowledge or reason to know the goods, technology, or services are intended specifically for Iran.
On February 26, 2020, the Société Internationale de Télécommunications Aéronautiques SCRL (SITA), headquartered in Geneva, reached a potential civil liability settlement with OFAC and agreed to pay $7,829,640 for 9,256 apparent violations of the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594 (GTSR) totaling approximately $2,428,200.
From April 2013 to February 2018, SITA apparently violated the GTSR by providing commercial services and software subject to US jurisdiction for the benefit of airline customers OFAC identified as specially designated global terrorists (SDGTs). In its investigation, OFAC discovered that Mahan Air, Syrian Arab Airlines, and Caspian Air, which flew the SDGTs, were member-owners of SITA. The airlines were entities designated by OFAC as SDGTs pursuant to Executive Order 13224.
The SDGT airlines were subject to US jurisdiction because they were provided from, or transited through, the US or were involved in the provision of US-origin software with the knowledge that customers designated as SDGTs would benefit from the use of that software. Specifically, SITA provided the SDGT airlines, directly or indirectly, with the services of Type B messaging, Maestro DCS Local, and WorldTracer.
Other Notable Enforcement Actions
In all of the following enforcement actions, OFAC recognized that the apparent sanctions violations were non-egregious and voluntarily self-disclosed.
On September 24, 2020, Keysight Technologies, Inc, a Santa Rosa, California-based company that designs and sells test and measurement equipment and related software products to the wireless industry, entered into a $473,157 settlement with OFAC. This followed an investigation into its potential civil liability arising out of re-exports of US export-controlled test measurement equipment to Iran. Keysight made the settlement on behalf of its former Finnish subsidiary, Anite Finland Oy.
Anite had conducted business with Iran before Keysight acquired it. Keysight devised a policy to restrict such sales, but its employees continued selling to Iran, hiding them from its parent company. As a result, US licensing requirements for export or re-export to Iran were applicable to Anite’s exportation of goods. Also, Anite had knowledge that such goods were destined for end-users in Iran. Keysight and Anite subsequently implemented remedial measures intended to prevent future unauthorized sales.
On July 8, 2020, OFAC targeted Seattle, Washington-based Amazon.com Inc, which provides retail, e-commerce, and digital services to millions of customers worldwide. Amazon agreed to settle for $134,523 for its potential civil liability for apparent violations of multiple OFAC sanctions programs.
Amazon provided goods and services to persons sanctioned by OFAC in Crimea, Iran, and Syria as well as to individuals located in or employed by the foreign missions of countries sanctioned by OFAC. Also, Amazon did not report timely several hundred transactions conducted pursuant to a general OFAC license that establishes mandatory reporting requirements.
On November 25, 2019, OFAC sanctioned Cupertino, California-based Apple, Inc, a technology company. Apple agreed to settle its potential civil liability for apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR) for $466,912.
Apple violated the FNKSR by dealing in the property or interests of a Slovenian software company called SIS, d.o.o. (SIS), which was previously identified on OFAC’s SDN List as a significant foreign narcotics trafficker. Specifically, Apple hosted, sold, and facilitated the transfer of SIS’s software applications and associated content.
Compliance Considerations for Technology Companies
There is an increasing trend in the technology sector of OFAC’s enforcement and communication of its compliance expectations through civil enforcement actions that reinforces the guidance OFAC provided in its 2019 Framework for OFAC Compliance Commitments.
Moreover, there are several compliance considerations that technology companies should take into account:
- Cloud-based services providers need to assess the adequacy of their sanctions compliance programs. A risk-based sanctions compliance program should reflect the company size, sophistication, marketing and operational structures.
- Pre-and post-acquisition due diligence.OFAC has made it clear that it expects acquiring or merged companies to conduct adequate due diligence and that compliance functions be integrated accordingly. Compliance efforts should be sufficiently resourced and empowered to examine risks and implement appropriate controls, even (and, perhaps, especially) when encountering resistance from a newly formed subsidiary.
- Sanctions nexus due diligence. Companies should adequately investigate information reasonably available to them, such as information that would have revealed a sanctions nexus. If a global technology company receives information in which there might be a sanctions violation, it should use it for an internal investigation.
- Understand regulatory obligations. Companies should clearly understand their obligations under the applicable sanction regimes. If a company does not understand the full scope of an OFAC license, it should seek counsel to implement the OFAC license within its operations.
- Consider implementing IP geolocation screening and blocking.OFAC expects companies with access to relevant IP information and whose products and services are at risk of being accessed by persons in sanctioned jurisdictions to implement IP screening and blocking controls. Internal audits of a compliance program may be insufficient when there is a repeated failure to implement geolocation IP address screening.
- Use of effective screening tools. Outdated or inadequate screening tools are a big issue in OFAC enforcement cases. Such screening tools should always be updated and be adequate for the required tasks to identify new SDNs.
- Act on the findings of internal audits and whistleblower reports. One particular audit identified several weaknesses of a company’s sanctions compliance program that were not taken into account by management. Clearly, it should have acted to improve the program.
- Cooperation with regulators during an investigation may require significant resources. Companies may receive credit for their cooperation during an investigation. OFAC can determine that the company expended significant time and resources toward what appeared to have been a forward-leaning investigation. If a company during OFAC’s investigation of possible violations expended significant time and resources toward the forward-leaning investigation this might reduce the settlement.
An Insider’s View
We asked Baruch Weiss, Partner at Arnold & Porter, a Washington DC-based law firm, for his comments.
ACSS: Do you see a rise or a trend in OFAC enforcement actions against the technology sector?
Baruch Weiss: There is little doubt that we will see a rise in enforcement actions involving technology companies. Technology companies are occupying more and more space in the world economy, so by the sheer size of the industry alone, we can expect to see more enforcement.
So much of the world of technology has little respect or recognition of borders. The settlement in April between the US government (DOJ, BIS and OFAC) and SAP SE, which allowed its cloud-based software subscription services to be made available to users in Iran, is but one example of what we can expect to see more frequently.
ACSS: Do you have any recommendations for the technology sector to avoid OFAC-enforcement actions for sanctions violations?
Baruch Weiss: There is no question that the US government expects technology companies to use their capabilities not only to develop their products but also to develop appropriate software and to implement appropriate measures to make sure that those products do not end up being used by sanctioned countries or individuals. As OFAC made clear in its 2019 Framework for OFAC Compliance Commitments, which it referred to in its enforcement release on its settlement with SAP SE, the company must make sure that “[s}ufficient control functions exist that support the organization’s [sanctions compliance program]—including but not limited to information technology software and systems.”
As companies improve on the technology of their products, they must at the same time improve on the technology of their compliance systems.
Upcoming Trends and Considerations
While new technologies bring increased opportunities for global operations, there is more risk of companies with such technology breaking sanctions rules. OFAC, for one, will continue to create potential enforcement actions that could be to the detriment of those operating in this evolving landscape.
Technology companies operating across borders, whether through third parties, customers, or their own employees, should take precautions and create a strong compliance program to ensure that they remain compliant with the sanctions regime.