The U.S. Treasury Department, Office of Foreign Assets Control (OFAC), recently announced that e.l.f. Cosmetics would pay a penalty of nearly $1 million to settle potential civil liability for more than 150 U.S. sanctions violations. e.l.f.'s offense? Importing fake eyelash kits from North Korea. Fake eyelashes may not be a top national security concern, but the penalties e.l.f. is suffering are very real — even though the company believed the kits were made in China.
Last year, OFAC also reached an $8 million settlement with Zoltek Corporation, a manufacturer and retailer of carbon fiber. According to OFAC, Zoltek and its subsidiaries purchased acrylonitrile (the primary component used to make carbon fiber) from a Belarusian entity that is a specially designated national (SDN). Under OFAC rules, U.S. businesses and individuals generally cannot do business directly or indirectly with any SDN.
Given the increasingly international scope of supply chains — and the distance organizations will go to find good, affordable inputs — it is essential to understand the risks that U.S. sanctions can create. Both e.l.f. and Zoltek serve as valuable warnings of how broadly U.S. sanctions are enforced. When your company goes shopping overseas, it is critical to know your supplier and the origin of the products it sells.
Understanding U.S. sanctions
The United States was a forerunner in using economic sanctions as an alternative to military action. Even in the years preceding the Revolutionary War, the colonies sought to impose limits on purchasing and importing British goods.
In more recent times, economic sanctions have been used against a host of targets, including SDNs, governments and other entities, individuals, and even vessels. At present, the United States maintains approximately 25 different sanctions regimes. Most are administered by OFAC.
Sanctions restrict or prohibit certain conduct — and go beyond merely controlling exports and imports. In many cases, even receiving services or financial support from a sanctioned target is prohibited.
U.S. sanctions apply to U.S. citizens, lawful permanent residents or individuals protected under the Immigration and Naturalization Act; anyone in the United States, regardless of the person’s nationality; and any company or organization headquartered in the United States. In the case of Cuba and Iran, the sanctions also apply to non-U.S. subsidiaries of U.S. businesses.
Some sanctions regimes are broad, although most are selective. For example, the United States currently maintains a near absolute embargo on Iran, which means virtually all transactions are prohibited. The United States also maintains significant sanctions on Russia, but those are targeted against specific entities and individuals. As the agency with primary responsibility for administering U.S. sanctions, OFAC is authorized to deliver sanctions regulations, issue licenses (though specific licenses are not issued very commonly), provide interpretive guidance on sanctions, take enforcement action, and otherwise oversee the interpretation and application of regulations.
In addition to sanctions against countries, the United States maintains sanctions against individuals and entities engaged in specific conduct that the U.S. government considers to be a threat to national security — for example, designated narcotics traffickers; terrorists and terrorist organizations; and parties involved in weapons proliferation, human rights abuse and cybercrime. These designated entities and individuals are identified as SDNs and are listed on the List of Specially Designated Nationals and Blocked Persons.
The problem with SDNs
The SDN list is vast and includes parties that reside nearly everywhere in the world. This creates a challenge because many of them are in countries not otherwise subject to U.S. sanctions. There are SDNs in many nations with which the United States maintains good trading relations, including Canada, Mexico and the United Kingdom. Thus, managing an international supply chain means managing your suppliers, regardless of where they are located, against the SDN list.
Further complicating things, because of OFAC’s so-called 50% rule, the SDN list is not even a complete list of all SDNs. Under the rule, any entity that is owned 50% or more by one or more SDNs is itself considered an SDN, even if not on the list.
Imagine that your organization is interested in working with the Eastern European supplier EE Co. To comply with U.S. sanctions, you screen the company against the SDN list before engaging EE Co. There is no match, so it appears you can do business with EE Co. But what if it turns out that 50% of EE Co. is actually owned by one or more SDNs? In addition to simply screening your potential supplier, your company should have identified EE Co.’s owners and screened each of those parties too.
The good news is that, if you do fail to identify such a problem, the bank involved in financing the transaction will almost surely spot the existence of the SDN. Both U.S. and non-U.S. banks have been subject to huge penalties for sanctions violations over the past decade. As a result, banks are more vigilant than ever before about spotting and halting transactions with prohibited parties. There is some bad news, too: When a bank halts a transaction with an SDN, it must report the matter to OFAC. This likely will lead to OFAC asking your company for information about its business with the SDN, resulting in some major headaches.
It is critical to conduct meaningful due diligence into any vendor or international transaction partner. You must go beyond mere sanctions risk to consider potential risk under U.S. export law; anti-money laundering law; and, perhaps most importantly, the Foreign Corrupt Practices Act and similar anti-corruption laws.
Begin with a risk assessment to determine which transaction partners present the most sanctions risk, and determine how to allocate compliance resources accordingly. Next, develop a process that reflects the level of risk associated with each potential supplier. Many businesses have several tiers of due diligence. The first level might involve screening the supplier against the various prohibited parties lists, conducting a credit check, and then obtaining a written certification from the supplier that it will comply with U.S. sanctions and, in particular, will not cause your company to violate them.
Intermediate-level diligence might include the same steps as first-level diligence, as well as a review of references from the supplier or a requirement that the supplier provide more detailed information about its operations, its history of any compliance violations and other relevant data.
The most thorough diligence exercises might include all of the intermediate diligence steps as well as interviews with key personnel, a visit to the facility and compliance training.
The most effective compliance programs are rooted in a strong corporate culture. To ensure ongoing vigilance about your supplier relationships, employees need to know that your business is committed to these initiatives. Leaders must regularly convey how important compliance is to the organization. That commitment should be embodied in clear, workable policies that employees can understand and follow. An effective policy will reflect your company’s particular operations, personnel, locations and risk factors.
OFAC has published “A Framework for OFAC Compliance Commitments,” which is available on its website. The document provides a detailed summary of the five primary elements of an effective compliance program. They include
- demonstration of management commitment
- robust internal controls in the form of policies and procedures
- routine testing and auditing of the compliance program
- periodic risk assessments to evaluate new or evolving sanctions risk
- compliance training.
The program also should govern personnel actions and empower employees to play a leading role in day-to-day compliance. Therefore, it’s essential to have a mechanism by which employees can make good-faith reports of suspected or actual compliance violations without fear of reprisal. To that end, employees must understand how to identify potential or actual violations. Although not everyone has to be an expert on economic sanctions law and regulations, all employees need to be knowledgeable enough that, if they encounter an unusual fact or situation, they recognize it as a potential problem and can report it.
Instruct staff members on how to look out for compliance red flags, such as if a supplier or its address is similar to that of a party found on any U.S. prohibited parties list. Other warning signs include if a supplier
- is reluctant to provide information about the source of parts it uses to manufacture products
- requests payment in a country outside of where it is based
- primarily supplies products in a completely different business line
- refuses to certify that it will comply with U.S. sanctions law.
Again, personnel do not necessarily need to know whether any of these facts, if present, mean that a violation is likely to occur. That is for your compliance team to assess. But employees should be aware enough to recognize that these situations are unusual and that transactions with an existing or potential supplier should not proceed until they have been reviewed. By implementing and abiding by a tailored, risk-based compliance program, your company can avoid U.S. sanctions violations.
Perhaps most importantly, maintain records of your compliance efforts — due diligence, denied person screening, training presentations, audit reports, management communications related to compliance and so on. It is imperative to memorialize all steps taken. That way, if the worst happens, and your supplier commits a violation that could expose your company to liability, the written records become your organization’s best defense. Without them, the government will be skeptical that your business did an adequate review of the supplier before contracting with it and could claim that your company merely buried its head in the sand about the likelihood of a violation. Unsurprisingly, the U.S. government rarely looks kindly upon an organization that willfully blinds itself to potential compliance issues.