Would you leave your house, carefully locking your front door, but with the back door and all the windows wide open? Probably not. Fully protecting your home, and the people or valuable assets within it, naturally includes securing all avenues of access against vulnerabilities. Protecting against risk from sanctions violations is similar. Our customers may be doing the equivalent of leaving the back door and windows wide open with respect to sanctions vulnerability. Risks in sanctions compliance are potential threats that, if ignored and not properly handled, can lead to violations of Office of Foreign Assets Control (OFAC) regulations and have other negative impacts to reputation and financial security.
Background on OFAC Sanctions compliance
All individuals and entities that fall under U.S. jurisdiction and those that transact in U.S. dollars are subject to the Department of Treasury’s OFAC requirements, which prohibit transactions with sanctioned entities and within sanctioned countries. Violations can result in penalties, with fines up to $1 million and/or up to 20 years in prison for each violation. Civil offenses are strict liability, meaning that there is no intent requirement for an OFAC violation. It is not necessarily to knowingly or purposefully engage in a prohibited transaction in order to be liable. Recently we have seen a rash of OFAC enforcements and settlements related to failures to block transactions originating from a sanctioned country when the company had access to IP address or location intelligence gathered by their website or mobile app. These OFAC actions have made it clear: if an organization’s app or website is collecting IP address or location, regulators expect it to be used to control for sanctions risk.
Lock the front door
To prevent and detect sanctions violations, the Department of Treasury encourages organizations subject to U.S. jurisdiction to adopt an effective compliance program, especially if the organization engages in international business, both directly and through intermediary parties. Many sanctions compliance programs focus on names, addresses and other physical identity details collected from clients and business partners to determine if they are blocked parties, connected to blocked parties, or if they are transacting from within sanctioned countries.
Check the back door and windows
When it comes to digital transactions, controlling for sanctions risk becomes more complex. A party operating in a sanctioned country may leverage the anonymity of digital channels to evade detection, presenting an alternate identity – whether stolen, manipulated, synthetic or mule. They may also evade traditional IP blocking controls by using a VPN, proxy or TOR browser to obfuscate their true location. Unfortunately, if a company’s compliance program doesn’t look deeper, they may expose themselves to the very real risk of transactions within sanctioned countries or with sanctioned parties. A robust sanctions compliance program needs a combination of policies, procedures and technologies to ensure that no transactions or services in violation of OFAC requirements are supplied to these entities.
Preventing digital evasion requires digital solutions – an additional layer of digital intelligence is needed to bolster defenses. We recently introduced our LexisNexis® Financial Crime Digital Intelligence solution which leverages crowd-sourced digital identity intelligence to help organizations better detect, manage and investigate suspicious activity while transforming financial crime compliance workflows.
For more information:
LexisNexis® Financial Crime Digital Intelligence Press Release
LexisNexis® Financial Crime Digital Intelligence Product Information
Tracy Manning, Director of Financial Crime Compliance – U.S. and Canada, contributed to this article.
The information contained herein: (a) is for educational purposes only and is not intended to and shall not be used as legal advice, and (b) may not reflect all recent legal developments and may not apply to the specific facts and circumstances of individual transactions. You should consult with qualified legal counsel before acting on any of the information provided herein.