For U.S. businesses, sanctions compliance has never been more challenging or more important. The U.S. has responded to Russia’s invasion of Ukraine with a broad range of sanctions targeting the Russian government, its officials, oligarchs and Russia’s financial and energy industries, among others. Indeed, since the invasion of Ukraine, the agency that administers sanctions, the Office of Foreign Assets Control (OFAC), has added over 2500 Russia-related targets to the Specially Designated Nationals and Blocked Persons (SDN) List. These new sanctions mean that there are now more sophisticated and motivated sanctions evaders than ever before. In turn, the U.S. has made clear its determination to pursue those who violate sanctions. As a means of capturing its new level of intensity and commitment to sanctions enforcement, the leadership of the Department of Justice (DOJ) has described sanctions enforcement as “the new FCPA.” Moreover, all of the above was true before Hamas’ attack on Israel and the escalation of violence in the Middle East, which increases the importance of sanctions targeting Hamas, Hezbollah, Iran and other adversaries of the U.S. based in the Middle East.
A key tool for protecting against sanctions violations is a program for screening customers and other third parties against OFAC’s lists of sanctioned persons and jurisdictions. Willful violations of sanctions may be criminally prosecuted by DOJ. And, OFAC can impose civil penalties for sanctions violations based on a strict liability legal standard. That is, a U.S. person need not be aware that it is dealing with a sanctioned person in order to be liable. Under these circumstances, it is imperative that U.S. businesses make every reasonable effort to screen out any counterparty that is under sanctions.
But a sanctions screening program will only provide false comfort if the screening procedures are out of date or otherwise flawed. Several recent OFAC enforcement actions demonstrate the risks of screening measures that are not expanded to account for all available information. In each of these instances, the business involved had systems in place to screen for sanctions compliance. But the screening was ultimately ineffective, because it failed to incorporate all that the business knew about the counterparty.
Recent Enforcement Actions by OFAC
In November of 2023, OFAC announced a $206,213 settlement with financial services firm Swift Prepaid Solutions, Inc. d/b/a daVinci Payments (DaVinci) to resolve its potential civil liability arising from 12,391 pre-paid cards issued to customers in sanctioned jurisdictions. DaVinci provides payment reward card programs for clients, typically as part of loyalty, award or promotional incentive for employees, customers or other beneficiaries. These pre-paid cards were associated with a unique token which required card users to enter personal data and email address information into DaVinci’s website to redeem. Users could not enter an address in a sanctioned jurisdiction and their identities were screened against sanctions lists.
But DaVinci discovered that that on 12,378 occasions it had redeemed prepaid cards for users with IP addresses associated with Iran, Syria, Cuban, and Crimea. After DaVinci began blocking access from IP addresses associated with these sanctioned jurisdictions, it further discovered it had redeemed prepaid cards for 13 card recipients who had used email addresses with suffixes associated with sanctioned jurisdictions (e.g., Syria is .sy, Iran is .ir) during the redemption process and who were apparently residents of those jurisdictions. OFAC concluded that DaVinci knew or had reason to know of redeemers’ IP addresses and email suffixes, but did not incorporate that information into its compliance controls. DaVinci’s voluntary self-disclosure of the apparent violations contributed to imposition of a significantly discounted penalty. According to OFAC, the case “demonstrates the potential shortcomings of controls that rely on customer-provided information, rather than a holistic information-gathering system that can mitigate evasion or misrepresentation.”
A similar flaw was at the heart of a December 2023 OFAC settlement with CoinList Markets LLC, a virtual currency-exchange based in California (CLM). CLM agreed to pay $1.2 million to settle its potential civil liability arising from transactions processed on behalf of users in Crimea, a provision of services that has been prohibited since 2014.
To trade on CLM, users were required to provide standard Know-Your-Customer (KYC) information, including listing the user’s country of residence and address. CLM then used the KYC information to screen new and existing customers against OFAC and other sanctions lists and to monitor transactions. But, in screening for users in sanctioned jurisdictions, CLM’s screening program apparently focused on the country of residence provided by the user, and not the user’s actual address. As explained in the settlement,
CLM’s screening procedures failed to capture users who represented themselves as resident of a non-embargoed country but who nevertheless provided an address within Crimea. In particular, CLM opened 89 accounts for customers, nearly all of whom had specified “Russia” as their country of residence but all of whom provided addresses in Crimea upon account opening, e.g., by identifying a city in Crimea or providing the term “Crimea.” Because “Russia” was provided in the country-of-residence field in these instances, CLM’s screening protocols failed to recognize that “Crimea” or a city name in Crimea, provided in another data field, indicated likely residence in Crimea.
This deficiency led to CLM processing 989 transactions for Crimean users from April 2020 to May 2022, and to a finding from OFAC that CLM knew or had reason to know that it was conducting transactions on behalf of persons who were likely to be residing in Crimea. In the settlement announcement, OFAC noted, “This case, like previous OFAC settlement actions with firms operating in the virtual currency space, highlights the importance of integrating all available KYC and other relevant information into a company’s screening process and broader compliance functions.”
A third recent settlement reminds us that screening is particularly important in light of OFAC’s 50 Percent Rule, under which any entity that is owned 50% or more by a blocked person is also considered blocked, even if the entity is not found on OFAC’s SDN list. On December 21, 2023, OFAC announced a $466,200 settlement with Privilege Underwriters Reciprocal Exchange (PURE) to settle its potential civil liability for 39 apparent violations of Russia-related sanctions. In 2010, PURE offered insurance policies for luxury assets and issued policies for an auto fleet, jewelry, art and homes to Panama-based Medallion, Inc. (Medallion). Emails from that time indicate that a PURE employee knew that the policies were for properties of Russian oligarch Viktor Vekselberg. And, Vekelberg was identified as the sole shareholder of Medallion in a corporate disclosure questionnaire provided to PURE in 2010. In 2018, OFAC designated Vekselberg as an SDN. By virtue of OFAC’s 50 Percent Rule, Medallion became a blocked person at the same time.
After the 2018 designations, PURE continued to collect 38 premium payments from Medallion. PURE also paid a $7500 claim related to one of the policies in 2020. According to OFAC’s settlement, the 2010 form identifying Vekselberg as the owner of Medallion was never uploaded into the underwriting system, so the ownership information was not incorporated into PURE’s sanctions screening program. OFAC concluded that PURE had reason to know that it was receiving payments from and providing coverage to a blocked person. OFAC stated that the case demonstrates the importance of implementing sanctions compliance controls that “capture and incorporate all relevant available information to conduct responsive and regular screening, including risk-based steps to comply with OFAC’s 50 Percent Rule and to account for changes to applicable sanctions.”
The companies targeted in these enforcement actions may have thought that their screening procedures were sufficient protection against sanctions. The violations occurred because the screening focused on a limited set of company data. Those who are responsible for a company’s sanctions compliance should make sure that they understand the details of the company’s screening program, including whether there is a gap between information available to the company and the information used in screening. Screening should incorporate all available information to verify a customer’s identity or residency, including location-related data or other information not specifically volunteered or collected in connection with prospective screening.
For assistance evaluating your current screening program or understanding sanctions compliance more generally, please contact the authors of this article or your McGuireWoods relationship attorney.
 DOJ, Deputy Attorney General Lisa O. Monaco Keynote Remarks (June 16, 2022).