Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 1, the White House released Executive Order 14117 (E.O.) titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” to issue safeguards against Americans’ private information. The E.O. was preceded by the White House’s Fact Sheet which included provisions to protect Americans’ data on their genomic and biometric information, personal health, geolocation, finances, among others. The E.O. shared how this data can be used by nefarious actors such as foreign intelligence services or companies and could enable privacy violations. Under the E.O., President Biden ordered several agencies to act but primarily called on the DOJ. The president directed the DOJ to issue regulations on protecting Americans’ data from being exploited by certain countries. The White House also directed the DOJ to issue regulations to protect government-related data, specifically citing protections for geolocation information and information about military members. Lastly, the DOJ was directed to work with DHS to prevent certain countries’ access to citizens’ data through commercial means and the CFPB was encouraged to “[take] steps, consistent with CFPB’s existing legal authorities, to protect Americans from data brokers that are illegally assembling and selling extremely sensitive data, including that of U.S. military personnel.”
A few days before, the DOJ released its fact sheet detailing its proposals to implement the White House’s E.O., focusing on national security risks and data security. The fact sheet highlighted that our current laws leave open lawful access to vast amounts of Americans’ sensitive personal data that may be purchased and accessed through commercial relationships. In response to the E.O., the DOJ plans to release future regulations “addressing transactions that involve [Americans’] bulk sensitive data” that pose a risk of access by countries of concern. The countries of concern include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The DOJ will also release its Advance Notice of Proposed Rulemaking (ANPRM) to provide details of the proposal(s) and to solicit comments.
On June 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued a Fact Sheet for “Provision of Humanitarian Assistance and Trade to Combat COVID-19.” The Fact Sheet, among other things, highlights Treasury’s humanitarian-related or other general licenses (GL) issued to support people impacted by Covid-19 across Iran, Venezuela, North Korea, Syria, Cuba, and Russia. Relatedly, OFAC issued Iran-related GL N-2, Venezuela-related GL 39B, and Syria-related GL 21B to authorize transactions and activities related to the prevention, diagnosis, or treatment of Covid-19, as well as several amended FAQs.
On April 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in consultation with the Department of Commerce’s Bureau of Industry and Security (BIS), announced a $3.3 million settlement with a multinational technology company to resolve potential civil liabilities stemming from the exportation of services or software from the United States to sanctioned jurisdictions and to Specially Designated Nationals (SDNs) or blocked persons. The settlement comprised an agreement with OFAC to pay a civil penalty of $2,980,264.86 and an administrative penalty of $624,013 with BIS. In light of the related OFAC action, the company was given a $276,382 credit by BIS contingent upon the company fulfilling its requirements under the OFAC settlement agreement, resulting in a combined overall penalty amount of $3,327,896.86.
According to OFAC’s web notice, the conduct underlying the administrative penalty imposed by BIS stemmed from certain conduct involving the company’s Russian subsidiary. The conduct underlying the settlement with OFAC took place between July 2012 and April 2019, when the company and certain subsidiaries allegedly “sold software licenses, activated software licenses, and/or provided related services from servers and systems located in the United States and Ireland to SDNs, blocked persons, and other end users located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine.” The total value of the 1,339 apparent violations was more than $12 million. OFAC alleged that the causes of these apparent violations stemmed from a lack of complete or accurate information on end customers for the company’s products, and that during the relevant time period, there were shortcomings in the company’s restricted-party screening controls. Among other things, OFAC alleged that the company’s screening architecture did not aggregate identifying information across its various databases to identify SDNs or blocked persons, failed to screen and evaluate pre-existing customers in a timely fashion, and missed common variations of restricted party names.
In arriving at the $2,980,265.86 settlement amount, OFAC considered various mitigating factors, including that (i) evidence did not show that persons located in U.S. offices or management were aware of the alleged activity at the time (the apparent violations were revealed during a self-initiated look back); (ii) upon identifying the apparent violations, the company self-disclosed the matter to OFAC, conducted a retrospective review of thousands of past transactions, cooperated with OFAC throughout the investigation, terminated the accounts of the SDNs or blocked persons, and updated internal procedures to disable access to products or services upon discovery of a sanctioned party; and (iii) the company “undertook significant remedial measures and enhanced its sanctions compliance program through substantial investment and structural changes.” OFAC outlined several compliance considerations for companies conducting business through foreign-based subsidiaries, distributors, and resellers, and reminded businesses that OFAC’s SDN List is dynamic, and that when changes to the list are made, “companies should evaluate their pre-existing trade relationships to avoid dealings with prohibited parties.”
On March 31, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $72,230 settlement with a global digital trading platform to resolve allegations that it processed transactions for customers who self-identified as being located in Iran or Cuba, or were employees of the Government of Venezuela (GoV). OFAC’s web notice stated that between March 2017 and May 2022, the company, or certain of its non-U.S. affiliates, allegedly maintained accounts for customers who submitted information showing their locations were in a sanctioned jurisdiction. OFAC further maintained that the company violated the Venezuela Sanctions Regulations by processing transactions on behalf of two customers who self-identified as employees of the GoV. OFAC claimed, among other things, that the company implemented inadequate compliance processes to identify, analyze, and address risks.
In its web notice, OFAC stated that it determined that “the violations were voluntarily self-disclosed and were non-egregious.” OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years. Additionally, the company undertook numerous remedial measures upon learning of the alleged violations, cooperated with OFAC throughout the investigation, and agreed to toll the statute of limitations, the notice said.
The company issued the following response: “We appreciate that OFAC recognized our full cooperation and remediation of the issues involved in this matter. These were self-identified and self-reported matters that reflect the rigor of our compliance review processes.”
Orrick represented the company in this matter.
On October 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), together with the Financial Crimes Enforcement Network (FinCEN), announced two settlements for more than $24 million and $29 million, respectively, with a Washington state-based virtual currency exchange. According to OFAC’s announcement, this is the agency’s largest virtual currency enforcement action to date, and represent the first parallel actions taken by FinCEN and OFAC in this space.
OFAC settlement. OFAC’s web notice stated that between March 28, 2014 and December 31, 2017, the exchange operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling roughly $263,451,600.13, in apparent violation of OFAC sanctions against Cuba, Ukraine, Iran, Sudan, and Syria. Specifically, due to alleged deficiencies in the exchange’s sanctions compliance procedures, the exchange failed to prevent persons located in the sanctioned jurisdictions from using its platform to engage in more than $263,000,000 worth of virtual currency-related transactions. OFAC claimed that while the IP addresses and physical address information collected on each customer at onboarding should have given the exchange reason to know that the persons were located in jurisdictions subject to sanctions, the exchange did not “screen customers or transactions for a nexus to sanctioned jurisdictions.” Rather, the exchange only screened transactions for hits against lists including OFAC’s List of Specially Designated Nationals and Blocked Persons. In arriving at the settlement amount of $24,280,829.20, OFAC considered various aggravating factors, including that the exchange did not exercise due caution or care for its sanctions compliance obligations and conveyed economic benefit to persons located in jurisdictions subject to OFAC sanctions, thus causing harm to the integrity of multiple sanctions programs. OFAC also considered various mitigating factors, including that the exchange provided substantial cooperation throughout the investigation, most of the transactions were for a relatively small amount and represented a small percentage when compared to the exchange’s annual volume of transactions, and the exchange has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FinCEN settlement. According to FinCEN’s press release, an investigation found that from February 2014 through December 2018, the exchange failed to maintain an effective AML program, resulting in its inability to appropriately address risks associated with its products and services, including anonymity-enhanced cryptocurrencies. The exchange also failed to effectively monitor transactions on its trading platform, and relied “on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.” FinCEN claimed that the exchange conducted more than 116,000 transactions valued at over $260 million with persons located in jurisdictions subject to OFAC sanctions, including those operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine, and failed to file suspicious activity reports (SARs) between February 2014 and May 2017. The exchange also “failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions that involved $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets,” FinCEN said in its announcement. Under the terms of the consent order, the exchange—which admitted to willfully violating the Bank Secrecy Act (BSA) and its implementing regulations—will pay a $29,280,829.20 civil money penalty. FinCEN stated it will credit the $24,280,829.20 the exchange has agreed to pay for the OFAC violations.
During remarks delivered at the Association of Certified Anti-Money Laundering Specialists, Under Secretary for Terrorism and Financial Intelligence Brian Nelson discussed, among other topics, Treasury’s efforts to counter illicit finance. Nelson highlighted the aforementioned settlements, stressing that failing to comply with BSA/AML requirements and SARs filing obligations “are not something that companies focused on growth can simply put off to a later day.” He also emphasized that Treasury will continue to strengthen ties with interagency partners and international counterparts to identify and pursue potential violations.
On September 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published frequently asked question (FAQ) 1090 related to Cuba sanctions. The FAQ clarifies that “U.S. persons send remittances to Cuba using digital payments,” and that OFAC’s general licenses are self-executing, meaning that if U.S. persons assess that their transactions fall within the scope of the authorizations, “they may execute such transactions without further assurance from OFAC. For transactions that do not fall within the scope of these authorizations, U.S. persons may apply for an OFAC specific license.” OFAC further noted that it “will prioritize specific license applications seeking authorization to enable remittances to flow more freely to the Cuban people via digital payments.”
On September 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $720,258 settlement with an indirect subsidiary of a Switzerland-based bank for allegedly processing transactions in violation of the Cuba, Ukraine-related, Iran, Sudan, and Syria sanctions programs. According to OFAC’s web notice, from April 2013 to April 2016, the bank processed 273 transactions totaling approximately $3,076,180 on behalf of individuals residing in Cuba, Crimea, Iran, Sudan, and Syria. Specifically, OFAC noted that customers in sanctioned jurisdictions were able to continue to purchase and sell securities through the U.S. financial system and to receive related dividend and interest payments until the bank took further steps to prevent such payments.
In arriving at the settlement amount of $720,258, OFAC considered various aggravating factors, including that bank personnel “had reason to know they were processing transactions through the U.S. financial system for individual customers located in comprehensively sanctioned jurisdictions based on the underlying [know-your-customer (KYC)] data obtained by [the bank], which included address information indicating the customers’ location,” and “conferred approximately $3,076,180 in economic benefit to persons in Cuba, Crimea, Iran, Sudan, and Syria,” which caused harm to multiple sanctions programs' integrity. OFAC also considered various mitigating factors, including that the bank cooperated with OFAC throughout the investigation, and has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
Separately, the same day OFAC announced a $401,039 settlement with a different indirect subsidiary of the Switzerland-based bank for allegedly processing transactions in violation of the Cuba, Ukraine-related, Iran, Sudan, and Syria sanctions programs. According to OFAC’s web notice, from December 2011 until July 2016, the bank processed 426 transactions totaling approximately $1,233,967 on behalf of individuals ordinarily resident in Cuba, Iran, and Syria.
In arriving at the settlement amount of $401,039, OFAC considered various aggravating factors, including that bank personnel “had reason to know they were processing transactions through the U.S. financial system for individual customers located in comprehensively sanctioned jurisdictions based on the underlying KYC data [the bank had] obtained,” and the bank “conferred approximately $1,233,967 in economic benefit to persons in Cuba, Iran, and Syria,” which caused harm to multiple sanctions programs' integrity. OFAC also considered various mitigating factors, including that the bank cooperated with OFAC throughout the investigation, and has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
On June 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a final rule amending the Cuban Assets Control Regulations, and further implementing portions of President Biden’s foreign policy to increase support for Cuban people. Specifically, the final rule “authorizes group people-to-people educational travel to Cuba and removes certain restrictions on authorized academic educational activities, authorizes travel to attend or organize professional meetings or conferences in Cuba, removes the $1,000 quarterly limit on family remittances, and authorizes donative remittances to Cuba.” The final rule is effective June 9.
In conjunction with the announcement, OFAC published a number of new and updated Cuba-related frequently asked questions addressing, among other things, remittance transactions, travel activities, and authorized imports.
On April 21, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $141,442 settlement with a Colorado-based multinational mining firm for allegedly violating the Cuban Assets Control Regulations (CACR). According to OFAC’s web notice, between June 2016 to November 2017, a wholly-owned subsidiary of the firm purchased Cuban-origin explosives and explosive accessories from a third-party vendor to be used in a mine construction. The distributor, on the subsidiary’s behalf, imported Cuban-origin explosives and explosive accessories for the mine on at least four separate occasions, despite the subsidiary being “generally prohibited from dealing in Cuban-origin goods.” According to OFAC, shipping documents clearly identified that the goods were sourced from Cuba. In addition, purchase orders failed to contain express statements that items provided to the subsidiary may not originate from embargoed jurisdictions, nor did the subsidiary ask for country-of-origin information for the goods acquired from its suppliers. Additionally, OFAC contended that the subsidiary’s failure to provide appropriate export and trade sanctions training led to the apparent violations.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the parent firm and subsidiary failed to exercise reasonable due diligence to ensure it complied with U.S. Cuba sanctions requirements; and (ii) the firm and its subsidiaries and affiliates are “a large and sophisticated organization operating globally as a leading gold producer with experience and expertise in international transactions.” OFAC also considered various mitigating factors, including that (i) the apparent violations were self-disclosed and constituted a non-egregious case; (ii) the firm and subsidiary have not received a penalty notice from OFAC in the preceding five years; (iii) the amount of payments were not significant compared to the total volume of transactions undertaken on an annual basis; and (iv) the firm and its subsidiary cooperated with the investigation, signed a tolling agreement, and are currently implementing remedial measures to prevent future violations.
Separately, OFAC also announced a $45,908 settlement with a Florida-based company affiliated with a distributor of explosives and accessories for mining operations. According to the web notice issued in this action, on four occasions in 2016 and 2017, the company and certain affiliates procured Cuban-origin explosives and related accessories from a third-party vendor originating from Cuba on behalf of a U.S. company for the U.S. company’s mining project in Suriname in violation of the CACR. OFAC contended that the company was responsible for overseeing the processing of purchase orders and invoices for these transactions, and that in 2018, after the U.S. company customer learned of the goods’ Cuban origins, it was asked to no longer procure goods from Cuba. According to OFAC, the apparent violations occurred primarily because of the company’s failure “to understand U.S. prohibitions on dealings in Cuban property or engaging in transactions related to merchandise of Cuban origin outside the United States,” adding that the company did not have a compliance program in place when the four transactions occurred, nor did it realize the transactions were prohibited until they were flagged by the customer. The company immediately ceased all activities involving Cuba after learning of the sanctions implications but did not voluntarily self-disclose the violations, which OFAC deemed non-egregious.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the company failed to “exercise a minimal degree of caution or care” when procuring Cuban-origin goods from its supplier; (ii) the company “had actual knowledge that it was financing the provision of Cuban-origin goods for export to Suriname”; and (iii) the company’s actions harmed the U.S. sanctions program. Mitigating factors included that the company is (i) small and largely overseen by one individual; (ii) the company has not received a penalty notice from OFAC in the preceding five years; and (iii) the company provided timely information and entered into a tolling agreement. Providing context for the settlement, OFAC stated that “[t]his case illustrates the risks facing companies of any size operating internationally that do not develop or maintain basic awareness of sanctions risks and do not institute appropriate measures to identify and prevent potential violations.”
On January 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $91,172 settlement against a registered money services business for allegedly processing payment transactions for guests traveling to Cuba "for reasons outside of OFAC’s authorized categories” and failing to maintain certain required records associated with Cuba-related transactions. These actions, OFAC, stated, allegedly violated the Cuban Assets Control Regulations (CACR). According to OFAC’s web notice, as the company scaled up its traveler services in Cuba, its technology platforms were allegedly unable to manage the associated sanctions risks, which led to the alleged violations. Among other things, OFAC maintained that the company used a manual process to screen hosts and guests for potential sanctions issues until it began using a customized IP blocking system. Additionally, the company’s alleged recordkeeping violations were primarily attributed to technical defects involving an older version of the company’s mobile application that could be used for Cuba-related travel without “maintain[ing] complete functionality for [g]uests to make an attestation regarding their reason for travel to Cuba.”
In arriving at the settlement amount, OFAC considered various aggravating factors, including, among other things, that the company is a large, sophisticated U.S.-based technology company, and that its alleged violations followed a 2015 foreign policy change with respect to Cuba, as well as associated changes to the CACR, which maintained certain specified restrictions. OFAC also considered various mitigating factors, including that the company (i) did not receive a penalty notice or finding of violation in the past five years preceding the earliest transaction giving rise to this settlement; (ii) conducted a comprehensive review of its sanctions compliance program, voluntarily reported its findings to OFAC, and substantially cooperated with the investigation; and (iii) undertook significant remedial measures to ensure sanctions compliance.