InfoBytes Blog
Multinational tech company to pay $3.3 million for OFAC and BIS violations
On April 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in consultation with the Department of Commerce’s Bureau of Industry and Security (BIS), announced a $3.3 million settlement with a multinational technology company to resolve potential civil liabilities stemming from the exportation of services or software from the United States to sanctioned jurisdictions and to Specially Designated Nationals (SDNs) or blocked persons. The settlement comprised an agreement with OFAC to pay a civil penalty of $2,980,264.86 and an administrative penalty of $624,013 with BIS. In light of the related OFAC action, the company was given a $276,382 credit by BIS contingent upon the company fulfilling its requirements under the OFAC settlement agreement, resulting in a combined overall penalty amount of $3,327,896.86.
According to OFAC’s web notice, the conduct underlying the administrative penalty imposed by BIS stemmed from certain conduct involving the company’s Russian subsidiary. The conduct underlying the settlement with OFAC took place between July 2012 and April 2019, when the company and certain subsidiaries allegedly “sold software licenses, activated software licenses, and/or provided related services from servers and systems located in the United States and Ireland to SDNs, blocked persons, and other end users located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine.” The total value of the 1,339 apparent violations was more than $12 million. OFAC alleged that the causes of these apparent violations stemmed from a lack of complete or accurate information on end customers for the company’s products, and that during the relevant time period, there were shortcomings in the company’s restricted-party screening controls. Among other things, OFAC alleged that the company’s screening architecture did not aggregate identifying information across its various databases to identify SDNs or blocked persons, failed to screen and evaluate pre-existing customers in a timely fashion, and missed common variations of restricted party names.
In arriving at the $2,980,265.86 settlement amount, OFAC considered various mitigating factors, including that (i) evidence did not show that persons located in U.S. offices or management were aware of the alleged activity at the time (the apparent violations were revealed during a self-initiated look back); (ii) upon identifying the apparent violations, the company self-disclosed the matter to OFAC, conducted a retrospective review of thousands of past transactions, cooperated with OFAC throughout the investigation, terminated the accounts of the SDNs or blocked persons, and updated internal procedures to disable access to products or services upon discovery of a sanctioned party; and (iii) the company “undertook significant remedial measures and enhanced its sanctions compliance program through substantial investment and structural changes.” OFAC outlined several compliance considerations for companies conducting business through foreign-based subsidiaries, distributors, and resellers, and reminded businesses that OFAC’s SDN List is dynamic, and that when changes to the list are made, “companies should evaluate their pre-existing trade relationships to avoid dealings with prohibited parties.”