As part of our ‘Ask the Expert’ series, we ask Hdeel Abdelhady, Principal Attorney at MassPoint Legal and Strategy Advisory PLLC and Professorial Lecturer in Law, The George Washington University Law School, about international sanctions, enforcement trends, and the role of lawyers as gatekeepers of the financial system.
Lawyers play a variety of roles in the international fight against financial crime – from prosecutors who press cases to attorneys in policy roles who develop and influence anti-financial crime legislation and policy.
Behind the front line, the role of practising lawyers in the fight against international financial crime, namely money laundering and terrorism financing, varies according to the laws and rules of one or more relevant jurisdictions, such as where an attorney is licensed and/or practices law.
In line with the FATF Recommendations on designated non-financial businesses and professions (DNFBPs) – a category that includes lawyers, accountants, and trust and company formation agents – many countries, including European Union (EU) Member States, impose on lawyers affirmative obligations to act as financial system gatekeepers. Lawyers in such jurisdictions have obligations to, for example, conduct client due diligence and file suspicious activity (or transaction) reports (SARs), and are prohibited from “tipping off” clients that they have filed a SAR.
Lawyers in the United States are not treated as gatekeepers as part of the U.S. AML/CFT regime.
First, companies should have in place sanctions compliance programs that are risk-based and capable of consistent, effective implementation at the operational level. Off-the-rack sanctions compliance programs are not sufficient.
The necessity of a compliance program may seem obvious, but it is not uncommon to encounter businesses – including public or other larger companies with robust international business – operating without sufficient sanctions compliance programs in place.
Second, it is important to understand in practical terms that sanctions compliance is not just for banks and defense companies, or entities that engage in higher value transactions.
OFAC has made it unmistakably clear on a number of recent occasions that sanctions compliance is expected of all U.S. persons and foreign parties engaged in business with the United States, or using “U.S.-origin” goods or services.
More recent OFAC enforcement actions have reached across industries – from insurance to agriculture to cosmetics – and applied to ‘run of the mill’ transactions, such as the provision of services or benefits under individual health and life insurance policies.
U.S. and foreign persons with U.S. sanctions compliance obligations should ensure that their sanctions risk assessments and expectations reflect today’s dynamic regulatory and enforcement climate.
For example, agencies without direct roles in sanctions enforcement may nevertheless be part of the regulatory and enforcement ecosystem – a case in point is the U.S. Securities and Exchange Commission (SEC), which has in recent years raised sanctions compliance and risk inquiries with public company filers. SEC inquiries underscore the critical point that sanctions risk is a business risk, and the quality of a company’s sanctions compliance and risk management is a data point for shareholders and the market more generally.
Companies should be aware that sanctions enforcement has become more globalized. Regulators and enforcement authorities coordinate across borders in some cases.
Even without coordination, an enforcement action in one jurisdiction (for example, the United States) may spur action in one or more other countries with ties to case facts or parties. The potential for multi-jurisdictional enforcement at greater legal, reputational, and financial costs makes effective sanctions compliance all the more valuable, and necessary.
If the measure of sanctions effectiveness is the achievement of an ambitious, top level policy goal, such as regime change, then the examples of U.S. sanctions on Iran and Cuba – which have been in place in various forms for more than four decades in the case of Iran and six decades in the case of Cuba – would suggest that unilateral sanctions are not effective, even if they are punishing at the individual, business, and country levels.
Proponents of the view that multilateral sanctions are more effective might point to the Iran deal as an example, with the conventional wisdom being that multilateral sanctions brought Iran to the negotiating table, making the Joint Comprehensive Plan of Action possible.
At targeted levels, U.S. unilateral sanctions have been effective as applied to sanctioned parties. U.S. sanctions generally exclude sanctioned parties from the U.S. financial system, international dollar-denominated transactions, business with U.S. persons, and international supply chains. Backed by the strength, size, and global interconnectedness of the U.S. economy and financial system, U.S. unilateral sanctions – both primary and secondary – are uniquely global in their reach and harsh in impact.
A number of recent sanctions enforcement and regulatory actions – individually and together – are notable for their facts and the broader lessons they have yielded. I note two cases and one regulatory development here, along with what makes them significant:
In February, OFAC published enforcement information involving SITA (Société Internationale de Télécommunication Aéronautique SCRL), a Switzerland-headquartered provider of computing, communications, and technology software and services to the global air transport industry.
The enforcement notice stated that SITA had provided software and services that directly or indirectly benefited airlines that were Specially Designated Global Terrorists (SDGTs). The firm paid $7,829,640 to settle its potential civil liability for 9,256 apparent violations of the Global Terrorism Sanctions Regulations (GTSR).
OFAC reasoned that the services and software provided by SITA to the SDGT airlines were within U.S. jurisdiction “because they were provided from, or transited through, the United States or involved the provision of U.S.-origin software.”
While the SITA case involved a modest penalty (by OFAC standards), it is significant. OFAC’s interpretation of U.S. jurisdiction in the case is expansive and, if applied in future cases, could have far-reaching consequences for a range of transactions that do not involve U.S. parties and are commercially detached from the United States, but come within U.S. jurisdiction because they involve – as many transactions do – U.S. origin software or networking hardware in the United States.
Viewed in tandem with the May 2019 Framework for OFAC Compliance Commitments, the jurisdictional rationale of the SITA case should not be viewed as a one off. The framework is addressed to “organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services.”
2. Amex – Striking the Human-Technology Balance
In an April 29, 2020 enforcement release, OFAC announced a Finding of Violation issued to American Express Travel Related Services Company (Amex).
No monetary penalty was imposed, and the value of the transactions giving rise to the Finding of Violation totalled only $35,246.82. Nevertheless, the Amex case offers a lesson in the appropriate use of sanctions screening technology.
According to OFAC, in 2015, Amex issued an American Express GlobalTravel Card to an individual who in 2009 was a Specially Designated National (SDN) pursuant to the Weapons of Mass Destruction Proliferators Sanctions Regulations (WMD Regulations).
The SDN individual applied for the Amex card through a non-U.S. bank that was an authorized card issuer. A screening engine flagged the individual as an SDN and automatically generated multiple “declined” messages to the non-U.S. bank. The non-U.S. bank made several approval attempts nonetheless, causing the system to “time out” and trigger an automatic approval of the application.
The screening engine also routed the application for manual review. An “Amex compliance analyst incorrectly determined” that the applicant was not an SDN. The card was issued and the SDN engaged in 41 card transactions in Germany and the UAE in less than three months in 2015. The card activity violated the WMD Regulations.
The Amex case, in OFAC’s words, “highlights the importance of taking the steps necessary to ensure that automated sanctions compliance controls measures cannot be overridden without appropriate review.”
Given the criticality of sanctions compliance technology to financial institutions and other parties, OFAC’s explicit compliance message should be noted and reflected in automated systems settings and protocols for human-technology interactions.
3. Reporting, Procedures and Penalties Regulations – Expanded Reporting Requirements
In June 2019, OFAC issued an interim final rule substantially expanding reporting requirements under the Reporting, Procedures and Penalties Regulations (the RPPR).
The revised rule requires filers to report more specific information in reports on blocked and unblocked property. More significantly, the revised RPPR significantly expanded rejected transactions reporting requirements.
Today, all U.S. persons and persons subject to U.S. jurisdiction (for example, foreign entities owned or controlled by U.S. persons) must file reports on a very wide range of rejected transactions, such as related to “trade finance” and “goods and services.” Previously, the RPPR required only financial institutions to file rejected transaction reports related to “funds transfers.”
The revised reporting rule deserves careful review of its technicalities. Perhaps more importantly, by extending reporting obligations to all persons subject to U.S. jurisdiction (including foreign parties) and to a vast range of transaction types, OFAC has signalled a more assertive enforcement posture.
In part two of our Q&A with Hdeel Abdelhady, we ask her what the COVID-19 pandemic means for international sanctions and supply chains.