On June 21, 2019, in an unexpected move, U.S. Office of Foreign Assets Control (OFAC) modified its regulations to require all U.S. persons—not just financial institutions—to report any transaction that is “rejected” due to sanctions. This change could have a broad impact on U.S. businesses that, until now, have not been obligated to report such rejected transactions.
What is OFAC and How Does it Relate to me?
OFAC is the department of the U.S. Department of Treasury that regulates and enforces U.S. economic sanctions. Economic sanctions may be implemented for a variety of foreign policy, national security, and other policy reasons. Generally speaking, sanctions may be levied against specific individuals or entities (think: specific terrorists or companies owned by them); entire countries or regions (Iran, Cuba, North Korea, Syria, Crimea), or industries (think: Russian Deep Sea Exploration). Sanctioned individuals and entities are called Specially Designated Nationals (SDNs) and are put on a list (the SDN List). Any person in the U.S. and any U.S. person, wherever they are in the world, is required to comply with OFAC regulations. Every company in the U.S. is also required to comply, although the rules about foreign subsidiaries vary by sanction.
OFAC sanctions are “strict liability” this means that even if you don’t know you have committed a violation, you can still face a civil penalty. If you do know, or should have known, then you can face criminal liability. Civil penalties range up to $88,976 per violation or twice the amount of the underlying transaction. Criminal penalties range up to $10 million and up to 20 years imprisonment.
What Regulations Did OFAC Change?
OFAC modified 31 C.F.R. § 501.604 to expand reporting requirements for rejected transactions. Whereas historically OFAC regulations have only required financial institutions such as banks to report transactions rejected due to sanctions, the modified regulations now require all U.S. persons (including both individuals and organizations) and those subject to U.S. jurisdiction to report any “transaction” that the person “rejects” due to sanctions.
The regulations define “transaction” broadly to “include transactions related to wire transfers, trade finance, securities, checks, foreign exchange, and goods or services.” The regulations do not explicitly define what it means to “reject” a transaction. Historically, however, OFAC has distinguished between “blocked” transactions—in which property must be held by the recipient—and “rejected” transactions—in which property is simply returned to the sender and reported to OFAC.
By its terms, the amendment greatly expands the pool of those responsible for reporting rejected transactions.
What Does This Mean in Practice for U.S. Businesses?
OFAC has not yet released any of its usual FAQs to clarify how it intends to apply the new regulations. Existing FAQs that apply to financial institutions provide some guidance on how OFAC is likely to interpret the new requirement.
In clarifying when banks are required to block or reject transactions, OFAC FAQ 53 guides in the context of wire transfers. As OFAC explained, if a bank receives “concrete instructions from its customer” to send funds to a Specially Designated National (SDN), then the transaction must be blocked. In contrast, if the customer simply asks: “Can I send money to Cuba?” then the bank can simply explain to the customer this is not permitted. As OFAC explained, this latter example is not considered a “reject” by the bank because it has not received instructions from its customer to send the funds.
Applying this guidance to the new regulation, it is likely that OFAC will take a somewhat practical approach to determine whether a transaction is deemed to have been “rejected,” triggering a reporting requirement. For example, if an Iranian citizen contacts a U.S. manufacturing company to ask whether the Iranian can purchase products, the company can likely tell the person that it is not permitted to do business with Iran without triggering a reporting requirement. In contrast, if an Iranian citizen (non-SDN) sends a purchase order to the U.S. manufacturing company requesting the purchase of specified goods for shipment to Iran, the company would need to reject the request and report it to OFAC within 10 days.
U.S. companies should take immediate action to implement procedures to record and report transactions rejected due to sanctions. Failure to do so can have significant consequences. Although OFAC has not yet used its authority to impose penalties for failing to meet reporting requirements, Appendix A to 31 C.F.R. § 501 implies that the same penalties applicable to executing a transaction in violation of sanctions would apply to a failure to make a required report. Theoretically, this means that persons could be fined as much as twice the value of the underlying transaction for not reporting. However, the more likely scenario is that, once OFAC suspects reporting requirements are not being met, a broader investigation into the compliance program and other possible violations could be launched. Such investigations invite scrutiny, introduce increased risk, and can be very expensive.
As a U.S. Company, What Should I Do Next?
If you already have an OFAC compliance program, then you should review and revise your policies and procedures to ensure compliance with the new reporting requirement (pro tip: don’t forget to review other potentially impacted policies such as your Privacy Notice or Terms of Service)
If you don’t have an OFAC compliance program, it might be time to conduct a risk assessment to determine whether you need one.
Have questions? Talk to our expert attorney Jill Williamson.
If you have questions about how this new regulation might impact your business, contact Jill Williamson at Gravis Law, PLLC for a free phone or in-person consultation. Jill Williamson works in the Seattle office of Gravis Law and has held high-level compliance positions in both Fortune 100 and mid-sized global public companies, addressing issues such as OFAC compliance, anti-corruption, anti-money laundering, data privacy and government, and internal investigations.