OFAC FINE AMAZON

On July 8^th, the Office of Foreign Assets Control (OFAC) announced a settlement agreement with Amazon.com, Inc. ("Amazon") for a large number of violations across a wide spectrum of OFAC's sanctions programs (the agreement published by OFAC lists 14 sets of regulations and Executive Orders). While the total amount of the settlement was negligible for a firm of Amazon's size ($134,523, or one-half the sum of the transaction amounts), the action teaches a number of lessons about sanctions compliance that are relevant for all firms, regardless of industry or size.

• settlement agreement = https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200708_amazon.pdf

What happened?

According to the settlement agreement, for just under seven years starting in 2011, Amazon committed a range of sanctions violations:

• Parties in Iran, Syria and Crimea conducted business on Amazon's websites with end-users located in those jurisdictions.
• Amazon processed orders for persons at foreign diplomatic facilities for Cuba, Iran, Syria, Sudan and North Korea.
• Amazon processed orders placed by parties on the Specially Designated Nationals and Blocked Persons (SDN) List from a wide range of sanctions programs. These included the counter-terrorism, weapons of mass destruction (WMD) non-proliferation,  counter-narcotics trafficking, and organized crime organization sanctions programs, as well as the country sanctions programs for Democratic Republic of the Congo, Venezuela and Zimbabwe.

The OFAC action states that the violations did not involve high-value goods and services and that the total value of all the violations totalled approximately $269,000. The violations, which were voluntarily self-disclosed, were deemed to be "non-egregious."

In addition to these violations, 362 transactions that were licensable under the now-defunct Ukraine/Russia-related General License 5 (which permitted certain transactions needed to wind down Crimea-related operations) were not reported to OFAC before the 10-day regulatory deadline for the General License lapsed. OFAC noted that Amazon had previously properly reported an additional 245 transactions within the required time frame, but that these violating transactions were not reported until "well after" the deadline. Due to this, these transactions were considered violations rather than permissible.

It should be noted that while conditions placed on General Licenses are unusual, they are not unheard of. Perhaps the most prominent example is reflected in General Licenses created pursuant to the Trade Sanctions Reform and Enhancement Act of 2000 (TSRA). Under these General Licenses, exports to Iran and Sudan of certain foodstuffs require a 1-year specific license, although most do not.

Why did it happen?

OFAC blamed Amazon's failures to properly identify and interdict the prohibited transactions on a number of factors, all related to the firm's automated screening processes.

First, it identified that Amazon did not stop orders that included an address of "Yalta, Krimea," noting both that the firm neither stopped the orders either for the reference to Yalta or the alternate spelling (or misspelling) of "Crimea." OFAC also noted that transactions shipped to "Embassy of Iran" were not stopped for review.  But, finally, the notice pointed out that the firm's systems failed to stop properly-spelt names and addresses of parties as they are listed on the SDN List.

A Framework for Learning

Since May of this year, OFAC has included a section in its enforcement actions entitled "Compliance Considerations." In actuality, this section, which provides the takeaways for other firms from the enforcement action, is not all that new; giving it a proper heading to call attention to it is a recent innovation. In this case, the lessons to be learned are very much in line with OFAC's May 2019 publication "A Framework for OFAC Compliance Commitments" ("Framework document").

• https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf

The Amazon enforcement action notes that compliance programs and tools are risk-based and commensurate to the "speed and scale of their business operations." While the Framework document does talk about the need to configure compliance controls and tools in a risk-based way, this action goes further. It specifically points out, as conjectured in a previous section, the need to screen "relevant customer information" and to handle issues such as "common misspellings."

The enforcement action also points out that testing systems on a routine basis, to make sure they are functioning properly, is probably a thing that firms (especially larger and more sophisticated ones) ought to do. Similarly, OFAC also spotlights the utility of instituting short-term tactical controls to mitigate the risk from an identified deficiency in program processes, procedures or systems, until a root cause analysis can be completed. Both of these specific elements were initially introduced in the Framework document.