This article looks at the results of our in-depth analysis of Office of Foreign Assets Control (OFAC) penalties for sanction violations and suggests some factors that companies should take account of when considering sanction-related risks. Our analysis examined over 80 OFAC sanction violation settlements made between 2009 and January 2021 to identify some of the key learning points for any company that is exposed to sanctions risk.

OFAC penalties

Financial penalties for sanctions breaches can be eye-wateringly high. In 2012, HSBC settled with US regulators a financial penalty of $1.9 billion. In 2014, BNP was fined $8.9 billion over sanctions breaches to which it pleaded guilty in US courts. Of that figure, approximately $1 billion related to the OFAC penalty.

The approach that OFAC takes to determining penalties for sanction violations is well documented. Organisations that are under investigation will know that there are incentives, through potential discounts on penalties that encourage cooperation with OFAC, for example, by voluntarily self-disclosure of a potential breach of sanctions.

Additionally, when OFAC makes a public announcement of civil penalties and enforcement action, any aggravating and mitigating factors that it took into account when setting the quantum of the penalty are set out in the notice. This information is a goldmine of insight into the factors which OFAC takes into consideration in determining the level of any financial penalty. As penalties in the hundreds of millions (USD) are not unusual, discounts through mitigating factors can be significant.

Key observations from the analysis

The total value of all the penalty notices that we examined was in excess of 5.6Bn USD since 2009. Our analysis showed that:

• Over one-third of all cases (35%) involved penalties imposed on the parent organisation resulting from the activities of its subsidiaries or affiliates, suggesting that the importance of knowing exactly what is happening in subsidiaries or affiliates, particularly in global organisations cannot be overstated. This is particularly important in the context of M&A activity, where pre-acquisition due diligence is crucial;
• Over two-thirds of all cases (70%) involved organisations that were deemed to be large and commercially sophisticated – in other words, mature organisations where you would expect the controls to be in place to detect and prevent sanctioned activity. It pays to pay key staff to be on the front line, not bogged-down in administration;
• In over two-thirds of all cases (71%) OFAC determined that actual knowledge or involvement of senior management of the activities leading to the violation was an important aggravating factor;
• Almost half of all cases (48%) involved organisations that had failed to heed previous warnings or alerts about potential sanctions violations. Learning from past mistakes and from the mistakes of others is crucial; and
• The financial services sector accounted for almost half the cases (48%) whilst engineering (7%), manufacturing (5%), technology (8%) and shipping (7%) also had a small handful of cases.

However, with regards to mitigating factors, we found that, in almost every case (94%), the introduction of stronger and more robust compliance measures was viewed favourably and credit was given to those organisations that already had a strong compliance program in place prior to the OFAC investigation.

In 81% of cases, the organisation got credit for being cooperative with OFAC. For example, for prompt and comprehensive responses to questions or requests for information, voluntary self-disclosure of a potential violation and the signing of tolling agreements to extend the period of an investigation where the statute of limitations would otherwise prevent the investigation concluding.

Over 90% of all cases involved organisations that had not received a similar penalty in the previous 5 years which was viewed by OFAC as a significant mitigating factor.

Many organisations also volunteered to undertake and commit to a future programme of compliance improvements.

What mitigating factors did OFAC specifically mention

Many of the mitigating factors that OFAC notifications described are precisely the types of activities that well managed organisations should have in place in any event. The 3 key areas that were consistently highlighted by OFAC as being mitigating factors were:

1. Compliance improvements

A significant focus on enhanced and strengthened compliance functions was one of the most common factors. It is clear that a sanctions compliance program is crucial. Activities that were mentioned specifically included:

• The creation of specialised sanctions compliance leadership roles and hiring of experienced resources;
• Sanctions compliance training, which is tailored to specific roles and business models, and covers entity and country level sanctions;
• The development of a stronger compliance culture;
• The proactive dissemination of sanctions related information, and updates to policies and procedures – all supported by training and refresher programmes;
• The implementation of a robust risk assessment process;
• The introduction or enhancement of regular and comprehensive testing and audit procedures;
• Enhanced screening and monitoring procedures, often with the introduction of new technology driven solutions to include, for example, negative news screening, and country, client and vessel screening; and
• Amendment of policies and procedures to eliminate the opportunity to conceal or omit identification data and encourage transparency.

2. Management response upon discovery of a violation

The way that an organisation responded upon identification of a violation was also a mitigating factor that was consistently recognised by OFAC. Organisations that were proactive, transparent and acted quickly and decisively placed themselves in a more advantageous position when it came to the consideration of any penalties.

The following response activities were consistently highlighted as mitigating factors by OFAC:

• Voluntary self-disclosure of the violation;
• Immediate cessation of the activities resulting in the violation;
• Comprehensive and independent investigation conducted prior to any OFAC involvement;
• Removal of any staff or management involved, or with actual knowledge of the activities resulting in the violations – in some cases this involved replacement of board members;
• Appointment of independent 3^rd party specialists to assist the response;  and
• Immediate risk-based restrictions around transactions of a similar nature that could potentially lead to a further violation.

3. Cooperation with OFAC

Transparency and a genuine will to cooperate with OFAC during enforcement proceedings are consistently highlighted as a crucial mitigating factor considered during the process of determining the appropriate penalty for a sanctions violation.

Genuine cooperation was demonstrated in a number of different ways and included:

• Voluntary self-disclosure of the violation;
• Prompt and comprehensive response to questions or information requests;
• Well-ordered and presented information;
• Entering into tolling agreements;
• Settlement of penalties; and
• Commitment to future and ongoing compliance programmes and initiatives.

Conclusion

Being the subject of OFAC enforcement proceedings is serious, costly and highly disruptive for any business. It impacts on the reputation of an organisation and in some cases can impinge on the credibility of local regulators, who may be seen as ineffective.

It is clear from our analysis of historic OFAC penalties that:

1. Improving and strengthening the compliance function, for example through training and revised policies and procedures;
2. Responding quickly, transparently and decisively following the discovery of a sanctions violation, for example by performing an independent investigation to help inform a decision around voluntary self-disclosure; and
3. Demonstrating genuine cooperation with OFAC during proceedings by for example responding promptly, comprehensively and transparently clearly help to mitigate OFAC penalty risk.

Ultimately, it is better is to avoid a violation in the first place. However, sanction risk is a complex area which often requires specialist advice and training to assess and manage effectively. Equally, the way that an organisation responds in the wake of a sanctions violation is also a complex process and requires considerable coordination and expertise to navigate effectively.

For more detailed information on our analysis of OFAC financial penalties and on how we can help you manage sanctions risk or respond more effectively to suspected sanction violations, please contact any of the authors listed below.