Beyond Guidance – Lessons Learned from Sanctions and Export Compliance Enforcement Actions

Regulatory authorities and enforcement agencies like the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), the U.S. Department of State’s Directorate of Defense Trade Controls (“DDTC”) and the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”), and others, periodically publish guidance surrounding the key elements of an effective compliance program. The guidance these regulators put forth often contains the same key compliance program elements, such as Management Commitment, Risk Assessments, and Audit & Compliance Monitoring. 

The most common compliance factors included in almost all regulatory guidance can be distilled into nine key elements. Please see this companion piece for a discussion of these key program elements.

While many organizations are well versed in these key elements and have implemented them in their compliance programs, nuances apply to each industry and jurisdiction in which these organizations operate that call for compliance program enhancements not specifically enumerated in published regulatory guidance. 

By reviewing recent enforcement actions taken by sanctions and export compliance regulatory agencies, organizations can proactively identify common compliance pitfalls and program gaps that may be more relevant to their industry, and that may exist within their own compliance program and internal control infrastructure.  Staying informed of recent enforcement actions and leveraging them as cautionary tales can help organizations make compliance program improvements they may not have previously considered. Organizations taking these proactive steps to enhance their compliance programs will further protect themselves from regulatory enforcement and help mitigate against the risk that they too will possibly make similar mistakes as previous offenders. 

Top Five Recent Enforcement Action Insights

Regulatory agencies including OFAC, BIS, and the New York State Department of Financial Services (“NYDFS”) publish public press releases, settlement agreements, and enforcement actions that outline the specific compliance deficiencies that led to violations. As noted above, organizations can supplement the key compliance program elements outlined in published guidance with nuanced compliance program considerations described in these enforcement actions. 

Below is a list of five thematic observations of compliance deficiencies and lessons learned from a holistic review of enforcement actions published in 2023 and 2024:

1. Complexity of Global Transactions with Modern Payment Methods
   Noncompliant actors often take advantage of the complexity of global transactions and modern payment methods to obfuscate illicit activity. For example, in 2021, the New York branch of an international financial institution entered a very costly multi-agency resolution with NYDFS, the Federal Reserve, and OFAC after it unwittingly processed a large volume of wire transfers for Sudanese beneficiaries. The New York branch processed these payments despite applicable sanctions because other international branches intentionally excluded any mention of Sudan or Sudanese entities from the wiring instructions and disguised the wires as bank-to-bank cover payments. 
   
   This enforcement action illustrates that financial institutions in the U.S. need to implement enhanced due diligence to identify the true originators and beneficiaries of all transactions they facilitate and pay particular attention to complex transaction chains that can be repurposed as a kind of “back-door” to route funds to and from sanctioned jurisdictions.
2. Failure to Apply Advanced Technology, including Data Analytics and AI
   The sophistication of sanctions and export compliance programs and the solutions they use to prevent and detect instances of noncompliance should be commensurate with the complexity and inherent risk of the industries in which organizations operate. Failure to implement advanced technical solutions within a compliance program can expose organizations to unnecessary risks.
   
   For example, in 2022, a U.S.-based cryptocurrency exchange reached a significant settlement with OFAC related to over 100,000 apparent violations of multiple sanctions programs. These violations occurred because the organization prioritized launching its business and gaining market share over implementing advanced technical solutions, such as screening available IP address and physical address data to detect customers in sanctioned jurisdictions. 
3. National Security Threats & Strengthened Enforcement of Laws and Policies
   National security threats justify many new U.S. export control laws directed at adversarial or competitor nations (e.g., Russia, Belarus, China) and U.S. regulators and enforcement agencies continue to use swift enforcement actions to demonstrate to various industry operators how aggressively those threats are being addressed. For example, in April 2023, BIS imposed a record-setting penalty on a multi-national computer company to resolve alleged violations of U.S. export controls related to the sale of hard disk drives (HDDs) to a widely-known Chinese technology company that has been a restricted entity since 2019. The penalty was more than twice the amount BIS estimated the computer company earned from selling the HDDs to this company. Additionally, the penalty was issued at the conclusion of a 13-month investigation, whereas these types of investigations typically take years to complete. It is critical that organizations recognize that enforcement agencies in the U.S. will not hesitate to issue hefty penalties in response to allegations or findings of noncompliance with export and sanctions rules and require companies to fortify their compliance programs accordingly.
4. Cooperation Between Agencies, Industries, and Countries
   It is becoming increasingly common for OFAC, BIS, DDTC/State, DOJ, and FBI to work together on enforcement, especially for national security purposes against our foreign adversaries. Similarly, private-sector organizations are increasingly coordinating on their compliance efforts and taking steps such as alerting one another to potential compliance risks and regulatory exposure of certain transactions or entities in high-risk industries or jurisdictions. It is critical for organizations to participate in this global effort to combat against export and sanctions violations, first by developing and prioritizing their own robust compliance programs, followed by sharing insights and information with industry peers and considering the multi-jurisdictional implications of such potential violations. 
5. The Cost of Noncompliance
   As noted in the recent enforcement actions discussed above, committing violations of sanctions and/or export law is quite costly, and can be far more expensive than building and maintaining a robust compliance program proactively to flag potential violations in advance and address them before any violation occurs. In addition to monetary penalties, organizations can also suffer reputational damage and continued scrutiny from regulators. Prudent organizations will prioritize providing compliance programs with the resources, staffing and budget they need - and incorporate lessons learned from recent enforcement actions and industry best practices in addition to prescriptive guidance from regulators and ever-changing regulations.
   
   

On March 21, 2024, compliance professionals from BDO USA P.C. and an international trade attorney from Barnes & Thornburg LLP discussed a series of recent enforcement actions that provide valuable insight into common compliance program gaps, and how organizations can proactively enhance their sanctions and export control compliance programs to address them. See a link to a recording of this webcast here.