Historically, corporate sanctions compliance programs have tended to focus primarily on ensuring that products and services are not sold or diverted to prohibited customers or sanctioned territories. There has often been less focus on the entirety of the supply chain, particularly the significant sanctions compliance risks that can arise upstream in the context of suppliers and vendors. Over the past few years, there has been a shift, with many companies now paying closer attention to supply chain risks in their sanctions compliance risk assessments and resulting compliance program improvements. It is no coincidence that the Office of Foreign Assets Control (“OFAC”), the main US sanctions enforcement agency, has been emphasizing supply chain risks in its recent enforcement actions and advisories, with the Xianjing Supply Chain Business Advisory issued on July 1 being the most recent example. OFAC mentions “supply chain” five times in its “A Framework for Compliance Commitments” published in May 2019 and accompanying “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions”.
All of this is happening at a time when OFAC is providing more information than ever in its web notices for published enforcement actions, including detailed summaries of the facts and potential compliance missteps, commentary on where sanctions compliance risks are likely to arise, and insight into OFAC’s expectations for how these risks might be addressed by a company’s sanctions compliance program. What can these recent enforcement cases tell us about sanctions compliance risks and OFAC’s compliance program expectations in the supply chain context? We examined the last few years of OFAC enforcement actions to answer this question. In our review, five key categories of risks and compliance program expectations emerged, which we have summarized below along with our comments on how companies might seek to address these risks in their sanctions compliance programs:
Supply Chain Sanctions Compliance Risk #1: Actions of Suppliers
OFAC Compliance Program Expectation: Know Your Suppliers And Address Sanctions Compliance Risks They May Introduce
Recent OFAC enforcement cases demonstrate that sanctions compliance risks can arise through the actions of a company’s suppliers, especially when sourcing from high-risk regions.
A recent enforcement action against a US cement and construction materials company demonstrates this point. The company settled with OFAC for apparent violations of the Iranian Transactions and Sanctions Regulations involving the purchase of Iranian-origin materials (cement clinker) from a company located in the United Arab Emirates (“UAE”), apparently with knowledge that the materials were sourced from Iran, which then resold and transported the cement clinker to a company in Tanzania. The UAE is a well-known transshipment location for Iran. As one of the aggravating factors, OFAC highlighted that the company had “contemporaneous risk indicators” (e.g., OFAC stated that the company knew that the goods were shipped from a port in Iran). Based on OFAC’s summary, it appears that the company was under a lot of pressure to meet a customer ship date requirement following a supply shortage from its existing supplier.
Another enforcement action involved a US cosmetics company that apparently purchased false eyelashes from two China-based suppliers, 80% of which contained materials sourced from North Korea over the course of a five-year period. As one of the aggravating factors, OFAC highlighted that the company’s sanctions compliance program, which OFAC said focused on quality issues rather than sanctions compliance, did not exercise “sufficient supply chain due diligence” while sourcing products from China, which is “a region that poses a high risk to the effectiveness” of the North Korean sanctions. To improve its supply chain sanctions compliance program, the company stated that it, among other things, implemented supply chain audits to verify the country of origin of goods and services, and adopted new procedures requiring suppliers to certify compliance with US sanctions.
These cases demonstrate OFAC’s expectation that companies know (and do something about) the sanctions compliance risks posed by their suppliers. Most companies have “Know Your Supplier” processes for onboarding new suppliers, but a one-time screening and review of suppliers is not enough. Companies should ensure that their sanctions compliance programs include risk-based processes for transaction risk assessments, training, and auditing to mitigate the risk that a supplier could source products from a sanctioned territory or restricted party, particularly in higher risk jurisdictions like China and the UAE.
When looking to improve their sanctions compliance program to address supplier risks, we suggest companies consider whether some of these measures could potentially be built on top of an existing US import compliance program for greater synergies and efficiency (e.g., inserting a sanctions compliance check as part of the existing country of origin or forced labor verification process for US customs compliance purposes). Cross-training between different groups on sanctions compliance issues (e.g., including functions such as Purchasing, Sourcing, and Quality Control in the company’s regular sanctions compliance training) might be a great starting point.
Supply Chain Compliance Risk #2: Possibility of Sanctioned Parties in Your Supply Chain Not Being Caught Due to Limitations of Third-Party Automated Screening Tools
OFAC Compliance Program Expectation: Know and Test Your Screening Rules and Algorithms
We have also seen enforcement cases related to failures of automated screening tools to catch prohibited parties. These cases demonstrate that companies remain liable for dealings with prohibited parties even if the violation stems from failure related to the screening tool.
In a recent enforcement case, a company’s screening tool did not flag a party named “Almaz Antey Telecom” as a potential hit of “JSC Almaz Antey,” a Specially Designated National (“SDN”), although the company had set the search criteria to “fuzzy” so that it would detect partial matches. Ultimately, the company implemented improved screening solutions so that such potential hits would be flagged for review to determine whether they were a true match or false positive. As shown by a recent OFAC enforcement case, kinds of issues can also arise in the e-commerce context, which often involves a high volume of transactions with a large number of parties.
While these cases tended to focus on the downstream supply chain, the same risks are present upstream. We recommend that companies assess their screening procedures to consider whether and how they address suppliers and other parties in the upstream supply chain.
We recommend that companies work with their third-party screening vendors to ensure that their automated screening tools are catching the appropriate number of potential hits commensurate to the relevant risks. As these cases show, simply setting the search criteria to “fuzzy” may not be enough; there may be a need for further tweaking to the screening rules and algorithms. There is a balance between minimizing the risk of missing a hit to a restricted party list and setting the threshold so low that it results in an unworkable amount of false positives requiring human review. We recommend periodic reviews of the screening rules and algorithms to assess whether the tool is striking the right balance.
Supply Chain Sanctions Compliance Risk #3: Actions of Shipping Companies and Freight Forwarders
OFAC Compliance Program Expectation: Know Your Freight Forwarders and Address Sanctions Compliance Risks They May Introduce
In 2019 alone, OFAC settled three enforcement cases against shipping companies/freight forwarders. One such case involved a US-based marine transportation services provider, whose subsidiaries located in China and Turkey engaged two vessels of Islamic Republic of Iran Shipping Lines, an SDN, for certain charter party agreements.
While these cases targeted the shipping companies and freight forwarders, these types of circumstances could create headaches for the companies that engage freight forwarders to transport products sourced or sold through their supply chain. We suggest that companies consider whether their freight forwarder clearly understands their own sanctions compliance obligations. Companies could review their agreements with their freight forwarders to add or beef up sanctions compliance clauses as part of an effort to minimize these risks.
Supply Chain Sanctions Compliance Risk #4: Actions By Non-US Companies Recently Acquired by US Companies
OFAC Compliance Program Expectation: Include Sanctions Compliance in Pre-Acquisition Due Diligence and Post-Acquisition Integration
Another theme we have been observing in analyzing recent OFAC enforcement cases is a focus on sanctions compliance in the mergers and acquisitions context. This was also highlighted as an area requiring a risk-based approach to risk assessment in OFAC’s “A Framework for Compliance Commitments” mentioned above.
There have been several recent examples of enforcement cases targeting US companies that had recently acquired non-US companies that might not have had a legal obligation to comply with US sanctions prior to the acquisitions but that apparently continued sanctioned business post-acquisition despite the US purchasers’ extensive sanctions compliance efforts both during pre-acquisition due diligence and post-acquisition integration.
While these cases focused on prohibited sales or products and services to sanctioned countries like Iran, US companies acquiring non-US companies should be aware that these same risks could be present in the upstream supply chain context (e.g., a target’s pre-acquisition sourcing from sanctioned countries). We suggest that any sanctions compliance pre-acquisition due diligence and post-acquisition integration consider these risks. Given that recent non-US acquisitions may not be familiar with US sanctions requirements, the US acquiring company might conduct additional training, heightened monitoring, and enhanced periodic audits during the integration period.
Supply Chain Sanctions Compliance Risk #5: Non-US Companies Sourcing from US Suppliers/US Dollar Transactions
OFAC Compliance Program Expectation: Know and Understand How US Sanctions Can Apply to Non-US Companies
OFAC has not shied away from settling enforcement cases against non-US companies that engage in sanctioned transactions where a US nexus is present. While many people might think first of the numerous big-ticket penalties against foreign financial institutions processing payments for transactions in US dollars, OFAC has over the years increased its enforcement against non-US trading companies for engaging in prohibited transactions with a US nexus. For example, in March 2017, a Chinese telecommunications company agreed to pay roughly one billion dollars for sourcing US-origin goods for supply to Iran. Similarly, in December 2018, a Chinese oil field company settled a case with OFAC related to sourcing US-origin goods ultimately destined for Iran. Another enforcement case targeted a non-US trading company that initiated US dollar payments to Iranian vendors for a project in Iran. Most recently, OFAC settled with a non-US company that sold products to North Korea through a third-country distributor where the only apparent US nexus was the use of US dollars and the foreign branch of a US financial institution. In that case, the company also entered into a Deferred Prosecution Agreement with the US Department of Justice.
OFAC has made it clear in its “A Framework for Compliance Commitments” that non-US companies engaged in transactions with a US nexus should implement risk-based sanctions compliance programs. These recent enforcement cases demonstrate that this is not an empty threat. As OFAC increasingly focuses on sanctions compliance issues in the supply chain, non-US companies with US touchpoints anywhere in their supply chain should take a close look at how their existing compliance programs stacks up against OFAC’s expectations for a sanctions compliance program designed to mitigate these risks.