Most Common Compliance Mistakes – At Times ‘the Devil is in the Details’ - Association of Certified Sanctions Specialists

By David Williams, ACSS Editor
December 24, 2022

Top 10 lists – or whichever other number is chosen – are devised to be an attention-grabber. They must work because they are used so frequently. In this case, it has been compiled to draw your attention to the leading causes of sanctions violations, as cited by the Office of Foreign Assets Control (OFAC). You can expect agencies in other jurisdictions to apply similar rules for similar causes.

Without further adieu, the top 10 are:

  1. Lack of a formal OFAC sanctions compliance program.
  2. Misinterpreting OFAC regulations.
  3. Facilitating transactions by non-US persons.
  4. Exporting or re-exporting US-origin products to sanctioned countries.
  5. Processing prohibited payments through the US financial system.
  6. Screening software errors.
  7. Inadequate due diligence on business partners.
  8. Inconsistent application of the sanctions compliance program.
  9. Using non-standard payment or commercial practices.
  10. Individual liability.

The latter refers to people who purposefully violate sanctions laws.

Lack of a Formal OFAC Sanctions Compliance Program

Bittrex is a US virtual currency exchange and electronic wallet company. From 2014 to 2018, Bittrex processed more than 116,000 transactions worth over $263 million, which violated US sanctions laws. Bittrex did not implement a compliance program until December 2015, when it began verifying customer identities. In February 2016, Bittrex hired an outside vendor to screen transactions but did so only against the OFAC SDN list. Bittrex did not implement a screening system for customers or transactions for a nexus with sanctioned countries until 2017. Bittrex agreed to pay a civil penalty of $24,280,829.

“Given the value of the transactions, this was a very generous settlement on the part of OFAC,” said Scott Nance, attorney, Langley Compliance Consulting, speaking at an ACSS webinar. “Bittrex immediately took remedial measures, which is why OFAC reduced the amount by so much.”

Bittrex did not know that the vendor was not looking at the SSI or EU consolidated lists or that the vendor was not screening the customer or transaction for a nexus with the sanctioned country.

“The Bittrex case is particularly interesting, considering FTX, another currency exchange,” says Nance. “Given how its CEO described its lack of internal controls, I would be surprised if it had any sanctions program. It wouldn’t surprise me to discover that OFAC is investigating.”

Misinterpreting OFAC Regulations

OFAC regulations allow US persons to participate in transactions involving 12 categories of travel to Cuba, including the government, journalists and professional research but not general tourism.

From 2015–2020, Airbnb made about 3,500 payments for $500,000 of business for connections for stays in Cuba. Airbnb did not correctly address the complexities of business with Cuba in its internet-based travel services. It did not fully update its system to comply with US sanctions regulations. It settled with OFAC for around $91,000.

“You have to follow the relevant rules and regulations in processes and procedures, said Martijn Feldbrugge, director of BSCN BV. He told a group of webinar attendees: “We all heard former President Obama had planned to lighten sanctions against Cuba, allowing tourism, but it didn’t happen – reality may differ.”

Facilitating Transactions by Non-US Persons

Houston-based Cameron International provides goods and services to the oil and gas industry. It is a subsidiary of Schlumberger, which is organized under the laws of Curacao.

In 2015 and 2016, Cameron International managers approved five contracts by Cameron Romania to provide goods to an oil project in the Russian arctic to Gazprom-Neft Shelf, a subsidiary of Gazprom. But Ukraine-related sanctions prohibit US persons from providing goods, services or technology to designated entities in connection with Arctic, offshore or shale oil projects. Cameron agreed to pay a penalty of around $1.4 million.

The involvement of US persons triggered the liability. Cameron did have a special process for dealing with Russian transactions, but the procedure did not limit the ability of US persons to participate. It also misinterpreted OFAC regulations.

Exporting or Re-exporting US-Origin Products to Sanctioned Countries

Nordgas Srl is an Italian company that designs gas boiler systems and sells dedicated air pressure switches. From 2013-2017, it bought air pressure switches from a US company to re-export them to customers in Iran. After the US supplier informed it that it could not provide Nordgas with switches destined for Iran, Nordgas told the US supplier it was buying switches on behalf of an affiliate in Italy. Nordgas made 27 shipments to Iran for around $2.5 million.

Exporting or re-exporting US-origin goods to Iran is prohibited without a license. Nordgas agreed with OFAC to a fine of $900,000 and undertook specific compliance commitments.

US-origin goods always fall under US sanctions laws. Nordgas would not have violated export controls If it had obtained a license from OFAC for the switches, including any other US content in the products that comprise less than 10% of the value (the de minimis rule) and are not controlled goods.

Processing Prohibited Payments Through the US Financial System

Bank of China (UK) routed 111 transactions worth around $40.6 million involving Sudanese parties from 2014-2016 through correspondent banks in the US. US law prohibited the export of financial services from the US to Sudan. The BOC UK Customers were based outside Sudan, but the transactions were conducted by or on behalf of branches or subsidiaries in Sudan.

It violated US sanctions laws by routing payments involving sanctioned parties or countries through the US financial system. The customers were not Sudanese, but they had Sudanese affiliates.

BOC UK had information in its KYC files showing the Sudanese connections. It paid a penalty of around $2.30 million to settle its potential liability in all cases of transactions performed for the benefit of the Sudanese branch or subsidiary. BOC UK was taking strong remedial measures, which is why the penalty was not larger.

Screening Software Errors

Toll Holdings is a freight-forwarding and logistics company headquartered in Melbourne, Australia. From 2013-2019, it routed 2,958 transactions with sanctioned parties or countries worth more than $48 million through US banks.

In 2007, Toll expanded rapidly, buying many small companies, mainly in the Asia-Pacific region. Its network comprised 1200 agents, offices, franchises and affiliates. Its sanctions compliance policy stated it would abide by all sanctions laws. But it failed to adopt or implement policies and controls that prevented it from conducting transactions with parties or countries subject to US sanctions.

“It had over 600 applications, showing how vital it is to implement internal controls into your business practices,” Nance said. OFAC indicated the problem was that, as it expanded, it did not ensure its agents and affiliates were applying the same measures. “It shows the complexities of dealing with sanctions laws when you are a large multinational organization.”

Toll agreed to pay around $6,13 million in civil penalties to OFAC.

The most fundamental mistake in screening is failing to account for all business partners and transactions. OFAC requires that companies know all information regarding a business partner within the organization, whatever its form or location.

“Transactions should be routinely screened for sanctioned parties and a nexus to a sanctioned country, including physical and IP addresses. Other screening errors include not having a method to pick up accidental or deliberate misspellings or name variations,” Nance said.

Inadequate Due Diligence on Business Partners

SAP is a German software company that provides enterprise software applications, software maintenance and cloud-based services. It operates cloud servers in the US and uses a US-based content provider. SAP sells its products through third-party providers (SAP Partners).

From 2013-2018, SAP Partners made 190 sales of SAP products to companies in or associated with Iran. OFAC determined that SAP knew or should have known that SAP Partners was making sales to Iran – some SAP Partner websites even said they were conducting business in Iran.

SAP agreed to a penalty of around $2.14 million and, in a separate investigation by the Bureau of Industry and Security, paid about $6 million in fines for violations of US export control laws. It reached a non-prosecution agreement with the US Department of Justice, which launched a criminal investigation.

“It had requested a commitment from its partners not to sell to Iran, but that did not absolve it from its duty to conduct adequate due diligence,” Nance said. “You need to know what your customers’ business is.”

Inconsistent Application of the Sanctions Compliance Program

CA Indo-Suez (CAIS) and CFM Suex Wealth are financial institutions in Switzerland and Monaco that provide wealth management, investment and commercial banking services. They are indirect subsidiaries of Credit Agricole SA, a French banking group.

From 2013–2016, CAIS operated US-dollar-denominated banking and securities accounts on behalf of individuals in countries subject to US sanctions. From 2011-2016, CFM operated US-dollar-denominated banking and securities accounts on behalf of individuals in countries subject to US sanctions.

Within both companies, KYC information showed the location of the customers. Credit Agricole had implemented a worldwide sanctions compliance program designed to prevent violations of US law. However, CFM should have implemented measures within its internal controls to prevent US-related transactions involving these accounts.

CAIS agreed to a penalty of $720,258; CFM agreed to a fine of $401,039. OFAC stated in the penalty notice: “This case emphasizes that global subsidiaries, when instructed to implement a parent company’s compliance policies, should do so in a timely and effective manner.”

OFAC went on t say: “Credit Agricole should have installed a quality assurance policy and procedures to ensure policies are implemented promptly and correctly. “[It should have ensured] any transaction on behalf of individuals in countries subject to US sanctions is escalated in compliance with approval [and that] compliance has second-line controls in place to prevent such transactions from continuing unnoticed.”

Using Non-Standard Payment or Commercial Practices

Stanley is a US tools manufacturing company that bought JGT, a Chinese tools manufacturer, which had conducted business with Iranian companies. In 2013-2015, JGT made 23 shipments of power tools to Iran with a value of around $ 3.2 million.

Some shipments were through third parties. JGT used non-routine business practices for these sales, including routing sales through trading companies, creating fictitious bills of lading, and instructing customers not to write “Iran” on business documents.

Stanley took several steps to prevent such sales, including providing sanctions training for JGT employees and obtaining written confirmation from JGT that it would not sell to Iran. But Stanley had an over-arching obligation to ensure such sales did not occur.

“JGT’s non-standard business practices could have tipped off Stanley to these sales. A review of bills of lading might have revealed JGT’s scheme to continue selling to Iran,” Nance said. “If you have a subsidiary, a promise not to do business with Iran is insufficient. You have an obligation to make sure it complies with US sanctions laws, which means you have to monitor its activities.”

Stanley agreed to an approximate $1.9 million settlement.

Individual Liability

The BIS Office of Export Enforcement (OEE) issued a charging letter to Russian oligarch Roman Abramovich for violating US export controls related to flights of his private jets. Abramovich owns a Boeing 787-8 Dreamliner that costs about $350 million and a Gulfstream G650ER (around $60 million).

Two coordinated enforcement actions were issued  – OEE’s charging letter and US Department of Justice seizure warrants. Also, any aircraft subject to EAR registered in, owned or controlled by or under charter or leased by Russia or a national of Russia is prohibited from using an EAR license exemption for flights to Russia, regardless of whether that Russian national also has dual nationality. In 2021, Russian oligarch Roman Abramovich was given Portuguese nationality.

Feldbrugge told webinar attendees Abramovich could have avoided BIS fines by flying around the world without landing in a sanctioned country. “Flying to another country and landing there is the same as exporting. Abramovich was obliged not to export US goods, which includes US-origin aircraft.”

As a Russian national, Abramovich is prohibited from using an EAR license exemption for flights to Russia, regardless of whether he has dual nationality. It is unlawful for anyone to participate in any way in an export transaction with a denied person.

Feldbrugge said Abramovich can own the aircraft but not use them in any way once his export privileges are withdrawn. “Export and sanctions controls apply to non-US persons long after they purchase US goods.”

Nance said the case serves as another illustration of how complicated US sanctions and export controls can be. “Dual nationality does not help if you have Russian citizenship. The devil really is in the details.”

ACSS members can access the webinar: Top 10 Missteps in Sanctions and Export Control Compliance at: The central library has a wide selection of webinars featuring top sanctions compliance and export controls speakers. Webinars are only one benefit of ACSS membership.

Affiliate Members