New Changes at OFAC Mean Service Providers May Unknowingly Be Violating Sanctions Laws

The Office of Foreign Assets Control seems to be making changes by the minute these days. U.S. companies providing services globally need to ensure that they are keeping up with both substantive and procedural changes at OFAC. Also, U.S. companies must confirm that none of their customers are offering services in a way that violates U.S. law. For instance, if you provide services to a company that has business or employees in Cuba, Syria or Iran, your company may be unknowingly providing the services to those subsidiaries or employees as well. Your company has a duty to determine if you are violating the law. Is your compliance program up to date? Do you have a system for tracking future changes in sanctions law and U.S. regulations that may affect your business and/or customers?

Currently, as Mary Jacobs reported in, OFAC has increased its “prosecutorial approach” to enforcement. OFAC’s Director is a former prosecutor and was counsel to the Deputy Attorney General. OFAC is also getting more efficient in many ways and is using its new knowledge base to become more “procedure oriented” and less discretionary in its determinations. This is both good and bad. Today I received a new piece of correspondence from OFAC (via snail mail with no previous email) and it tells me that OFAC is getting a system for handling the barrage of requests for no license required (NLR) confirmation letters. This correspondence demonstrates a new streamlined approach for NLRs.

Looking forward, with the current political focus on Iran, the trend may draw more attention to the new Iranian transaction limitations. For example, the President signed new sanctions into law on December 31, 2011, which will further isolate Iran’s financial sector, enable the U.S. government to deny foreign financial institutions access to the U.S. system if they engage in certain Iranian transactions, and freeze the assets of Iran’s financial institutions. These sanctions are not yet implemented, so it is difficult to pinpoint their full effect on U.S. entities. What is clear is that these sanctions, although they are not focused on U.S. businesses and will primarily affect foreign financial institutions, can affect U.S. companies. Non-U.S. banks may refuse to process Iran-related transactions in order to avoid any chance of triggering U.S. government action against them. Thus, U.S. companies need to be cognizant of the indirect effects of the sanctions, particularly if they are operating under a specific or general license with Iran.

My compliance point is that U.S. service providers can’t assume that they are not affected by these changes. Internal self-audits must be undertaken to ensure that your compliance programs recognize and include these issues and that you have thought through all the nuances with related overseas parties. Cloud computing, deemed exports, and re-exports are all issues that need to be reviewed and updated. With the heightened prosecutorial focus, all global service providers need to be savvy to the changing regulations and update their programs (for example, the Iran and Syria regulations have recently been revised). Such diligence is becoming a full-time job.