In November 2018, the Federal Financial Institutions Examination Council (FFIEC) issued a Joint Statement on Office of Foreign Assets Control (OFAC) cyber-related sanctions. It warned that many entities sanctioned for malicious cyber activity claim to be domestically based and offer technology-related services to financial institutions under false pretenses. Such sanctioned entities raise both operational risk and OFAC compliance risk for any institution that has used or continues to use their services.
While assessing your exposure to this particular OFAC risk, take the opportunity to also review your compliance with OFAC’s 50 Percent Rule, as the two issues are closely related.
OFAC’s 50 Percent Rule
OFAC first addressed entity ownership in 2008. In 2014, it published Revised Guidance on Its 50 Percent Rule, which states that, “any entity owned in the aggregate, directly or indirectly, 50 percent or more by one or more blocked persons is itself considered to be a blocked person.”
The Treasury Department’s FAQ on the OFAC 50 Percent Rule “urges persons considering a potential transaction to conduct appropriate due diligence on entities that are party to or involved with the transactions or with which account relationships are maintained in order to determine relevant ownership stakes.”
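The rule as quoted above is a computation over an ownership graph, and because OFAC publishes no list of majority SDN-owned entities, compliance teams end up running it themselves. The following is an added worked example written for this page; it is not code from the article, from OFAC or from any vendor. It encodes the rule as I read OFAC's 2014 guidance (confirm against the current OFAC FAQ before relying on it): a holder's stake counts toward the 50 percent threshold only if that holder is itself blocked, either because it is on the SDN List or because the rule has already blocked it, and stakes are not multiplied through a chain of non-blocked holders. Blocking one entity can push its subsidiaries over the threshold, so the evaluation iterates to a fixed point. The entity names, percentages and the 10 percent "caution" floor (borrowed from the Dow Jones SOR threshold mentioned later on this page) are constructed for illustration.

```python
"""OFAC 50 Percent Rule evaluated over an ownership graph.

Added example for illustration only; not the article's, OFAC's or any
vendor's code. Entity names and percentages below are constructed.
"""
from typing import Dict, List, Set

# owned entity -> {holder: percentage of the owned entity held directly}
OwnershipGraph = Dict[str, Dict[str, float]]

THRESHOLD = 50.0      # OFAC's aggregate-ownership threshold
CAUTION_FLOOR = 10.0  # assumed screening floor for "significant but non-majority" stakes


def blocked_share(graph: OwnershipGraph, entity: str, blocked: Set[str]) -> float:
    """Percentage of `entity` held directly by persons currently in `blocked`.

    Only stakes held by blocked persons count; nothing is multiplied through a
    non-blocked intermediary (assumption: this follows OFAC's 2014 guidance).
    """
    return sum(pct for holder, pct in graph.get(entity, {}).items() if holder in blocked)


def blocked_entities(graph: OwnershipGraph, sdn: Set[str]) -> Set[str]:
    """Return SDNs plus every entity blocked under the 50 Percent Rule.

    Runs to a fixed point: once an entity is blocked, its own holdings count
    toward its subsidiaries' thresholds on the next pass.
    """
    blocked = set(sdn)
    changed = True
    while changed:
        changed = False
        for entity in graph:
            if entity not in blocked and blocked_share(graph, entity, blocked) >= THRESHOLD:
                blocked.add(entity)
                changed = True
    return blocked


def significant_exposure(graph: OwnershipGraph, blocked: Set[str],
                         floor: float = CAUTION_FLOOR) -> Dict[str, float]:
    """Non-blocked entities in which blocked persons hold `floor` percent or more."""
    exposure = {}
    for entity in graph:
        if entity in blocked:
            continue
        share = blocked_share(graph, entity, blocked)
        if share >= floor:
            exposure[entity] = share
    return exposure


def screen_transaction(counterparty: str, signatories: List[str],
                       graph: OwnershipGraph, sdn: Set[str]) -> List[str]:
    """Findings for one proposed transaction: counterparty status plus signatories."""
    blocked = blocked_entities(graph, sdn)
    findings = []
    if counterparty in sdn:
        findings.append(f"{counterparty} is listed as an SDN")
    elif counterparty in blocked:
        share = blocked_share(graph, counterparty, blocked)
        findings.append(f"{counterparty} is blocked under the 50 Percent Rule "
                        f"({share:.0f}% held by blocked persons)")
    else:
        share = blocked_share(graph, counterparty, blocked)
        if share >= CAUTION_FLOOR:
            findings.append(f"caution: {share:.0f}% of {counterparty} is held by blocked persons")
    for person in signatories:
        if person in blocked:
            findings.append(f"signatory {person} is a blocked person")
    return findings


# Constructed sample data (placeholders, not real companies or persons).
SDN = {"Blocked Person X", "Blocked Person Y"}
GRAPH: OwnershipGraph = {
    "Entity A": {"Blocked Person X": 50.0, "Investor P": 50.0},      # direct 50%: blocked
    "Entity B": {"Entity A": 50.0, "Investor Q": 50.0},              # 50% via blocked A: blocked
    "Entity C": {"Entity A": 25.0, "Entity B": 25.0, "Investor R": 50.0},  # 25+25 via A and B: blocked
    "Entity D": {"Blocked Person X": 25.0, "Blocked Person Y": 25.0, "Investor S": 50.0},  # aggregate of two SDNs: blocked
    "Entity E": {"Blocked Person X": 40.0, "Investor T": 60.0},      # below threshold: not blocked, but flagged
    "Entity F": {"Entity E": 50.0, "Investor U": 50.0},              # E is not blocked, so its stake does not count
}

if __name__ == "__main__":
    blocked = blocked_entities(GRAPH, SDN)
    print("blocked:", sorted(blocked - SDN))
    print("significant exposure:", significant_exposure(GRAPH, blocked))
    for finding in screen_transaction("Entity B", ["Blocked Person X"], GRAPH, SDN):
        print("finding:", finding)
```

Note what the sample shows: Entity B is blocked even though a naive chain calculation (50 percent of 50 percent) would put X's indirect stake at only 25 percent, while Entity F is clean because the only holder with sanctions exposure, Entity E, is itself not blocked. A real program would load the holder data from its KYC and vendor records and refresh it as ownership changes.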
6 Ways to Violate OFAC’s 50 Percent Rule
On its face, the 50 Percent Rule appears straightforward, but complying with it is quite complicated, in large part because OFAC does not publish a list of majority SDN-owned entities. That legwork is left to compliance teams.
Here are six ways that a credit union, money services business or any other business can get tripped up by OFAC’s 50 Percent Rule:
- Fifty percent ownership by one or more SDNs: Exactly as the rule states, if your organization conducts a transaction with an entity that is owned 50 percent or more by one or more SDNs, it has violated the 50 Percent Rule. Barclays Bank was fined $2.4 million by OFAC for doing just that. According to the OFAC enforcement action against Barclays, the activity took place between 2008 and 2013 and involved 159 transactions with an entity that was “owned 50 percent or more, directly or indirectly, by a person identified” on the OFAC SDN List.
This case highlights the difficulty of following the rule to the letter. The enforcement action emphasized that, despite multiple attempts by the bank to improve its OFAC compliance program, Barclays’ screening system “had several limitations” and its “Know Your Customer (KYC) procedures were ambiguous and difficult to follow with respect to the requirement to identify related parties and/or beneficial owners of corporate customers.”
OFAC’s recent enforcement action against a technology company is another clear example. The first cited violation occurred when the company sold goods to a firm not itself listed as an SDN but that was owned 51 percent by an SDN. By the time of the tech company’s second and third transactions, the buyer had been added to the SDN List, but the firm’s “denied party screening produced no warnings or alerts.” For those three violations, the firm was fined $87,507.
In the enforcement action, OFAC notes that this “case demonstrates the importance of companies operating in high-risk industries (i.e., defense) to implement effective, risk-based compliance measures.” It also called on companies doing business internationally to “maintain a culture of compliance where frontline staff are encouraged to follow up on sanctions issues.”
- SDN-controlled entities: While the above scenario shows that majority ownership can be problematic, entities controlled by an SDN prove even trickier. According to OFAC, “an entity that is controlled (but not owned 50 percent or more) by one or more blocked persons is not considered automatically blocked pursuant to OFAC’s 50 Percent Rule.” However, it warns that such an entity could eventually be placed on the SDN List.
Entity control tripped up ExxonMobil to the tune of $2 million. According to OFAC’s enforcement action against the energy giant, it entered into eight business agreements with an entity not on the SDN List, each of which was signed by a Russian oligarch who was on the SDN List. In its guidance on the 50 Percent Rule, OFAC specifically states that “U.S. persons should be careful when conducting business with non-blocked entities in which blocked individuals are involved.” Further, they may not “enter into contracts that are signed by a blocked individual.”
- Significant but non-majority ownership by an SDN: Consider an entity owned 49 percent or even 40 percent by one or more SDNs. It is less than 50 percent ownership, so you can do business with it, right? Not so fast. OFAC “urges caution” whenever an SDN holds a significant stake below 50 percent, although it does not define a specific number. And again it stresses the future possibility, noting that “such non-blocked entities may become the subject of future designations or enforcement actions by OFAC.”
Dow Jones’ Risk and Compliance unit, which compiles its own Sanctions Ownership Research (SOR) list of entities with 10 percent or more ownership by an SDN, also notes that blocked persons have been known to structure their ownership to avoid triggering the 50 Percent Rule.
- Russia-based entities: Given recent geopolitical and cyber activity, doing business with anyone located in or associated with Russia inherently increases OFAC risk. To begin with, the U.S. Department of the Treasury continues to ramp up sanctions against Russian entities. In April 2018 alone, OFAC designated the following for sanctions: seven Russian oligarchs, 12 Russian companies owned or controlled by those oligarchs, 17 senior Russian government officials, and a state-owned entity and its subsidiary.
In addition, it is important to note that not all Russian persons and entities that have been designated for sanctions have been placed on the SDN List yet. This complicates OFAC compliance.
Finally, it is imperative that U.S. financial institutions understand from whom they are acquiring technology services, as well as with whom their third-party vendors might be interacting. OFAC’s Cyber-Related Sanctions Program specifically references the 50 Percent Rule, and the FFIEC’s recent Joint Statement on the same warns that “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” Downloading a software patch from such a vendor can be enough to constitute a violation. Before dismissing this as irrelevant to your organization, keep in mind that Russian technology firms span the globe, and their connection to their U.S. subsidiaries is often opaque.
- Majority-owned by a sanctioned government: In addition to avoiding business with entities that are 50 percent or more owned by SDNs, organizations must also be on the lookout for entities that are majority-owned by a government or country that is subject to a sanctions program.
In November 2018, the French bank Société Générale was fined $54 million for activity occurring between 2007 and 2012 that included, among other things, doing business with a company majority-owned by the government of Sudan. TD Bank faced similar violations in 2017, when it was required to pay $955,750 for maintaining accounts and processing transactions for a Canadian company owned by a Cuban company at a time when this was prohibited by the Cuban sanctions program.
- Past sins: Keep in mind that even if your organization’s current OFAC compliance program is fully in line with the 50 Percent Rule, it can still be penalized for past interactions that violated it, as evidenced by the enforcement actions described above.
If your organization is aware or becomes aware that a past violation occurred, it is wise to voluntarily self-disclose it to OFAC, because that typically counts as a mitigating factor that reduces the base penalty. On the other hand, failing to self-disclose is often cited as an aggravating factor that increases the final amount of any fine.
Incorporate OFAC’s 50 Percent Rule into Your Compliance Program
Holland & Hart, which provides legal services for financial institutions, describes OFAC’s 50 Percent Rule as “a logical extension of the prohibition on transactions and dealings involving blocked property.” However, “it also adds the substantial burden of an enhanced due diligence exercise.”
Here are some ways to more effectively handle that burden:
- Conduct routine risk assessments of your OFAC exposure.
- Review customer on-boarding and ongoing due diligence policies and procedures to ensure that entity ownership is initially identified and continually monitored for changes.
- Review third- and fourth-party vendor management policies and procedures, specifically to include an assessment of their OFAC exposure and compliance programs.
- In addition to screening entity names against the SDN List, screen entity officers, directors and contract signatories of both customers and vendors.
- Upgrade your watch list screening process to cross-reference a database, such as the Dow Jones SOR list, that identifies entities owned by sanctioned persons or jurisdictions.