Print Article



On July 8th, the Office of Foreign Assets Control (OFAC) announced a settlement agreement with, Inc. ("Amazon") for a large number of violations across a wide spectrum of OFAC's sanctions programs (the agreement published by OFAC lists 14 sets of regulations and Executive Orders). While the total amount of the settlement was negligible for a firm of Amazon's size ($134,523, or one-half the sum of the transaction amounts), the action teaches a number of lessons about sanctions compliance that are relevant for all firms, regardless of industry or size.

What happened?

According to the settlement agreement, for just under seven years starting in 2011, Amazon committed a range of sanctions violations:

  • Parties in Iran, Syria and Crimea conducted business on Amazon's websites with end-users located in those jurisdictions.
  • Amazon processed orders for persons at foreign diplomatic facilities for Cuba, Iran, Syria, Sudan and North Korea.
  • Amazon processed orders placed by parties on the Specially Designated Nationals and Blocked Persons (SDN) List from a wide range of sanctions programs. These included the counter-terrorism, weapons of mass destruction (WMD) non-proliferation,  counter-narcotics trafficking, and organized crime organization sanctions programs, as well as the country sanctions programs for Democratic Republic of the Congo, Venezuela and Zimbabwe.

The OFAC action states that the violations did not involve high-value goods and services and that the total value of all the violations totalled approximately $269,000. The violations, which were voluntarily self-disclosed, were deemed to be "non-egregious."

In addition to these violations, 362 transactions that were licensable under the now-defunct Ukraine/Russia-related General License 5 (which permitted certain transactions needed to wind down Crimea-related operations) were not reported to OFAC before the 10-day regulatory deadline for the General License lapsed. OFAC noted that Amazon had previously properly reported an additional 245 transactions within the required time frame, but that these violating transactions were not reported until "well after" the deadline. Due to this, these transactions were considered violations rather than permissible.

It should be noted that while conditions placed on General Licenses are unusual, they are not unheard of. Perhaps the most prominent example is reflected in General Licenses created pursuant to the Trade Sanctions Reform and Enhancement Act of 2000 (TSRA). Under these General Licenses, exports to Iran and Sudan of certain foodstuffs require a 1-year specific license, although most do not.

Why did it happen?

OFAC blamed Amazon's failures to properly identify and interdict the prohibited transactions on a number of factors, all related to the firm's automated screening processes.

First, it identified that Amazon did not stop orders that included an address of "Yalta, Krimea," noting both that the firm neither stopped the orders either for the reference to Yalta or the alternate spelling (or misspelling) of "Crimea." OFAC also noted that transactions shipped to "Embassy of Iran" were not stopped for review.  But, finally, the notice pointed out that the firm's systems failed to stop properly-spelt names and addresses of parties as they are listed on the SDN List.

A Framework for Learning

Since May of this year, OFAC has included a section in its enforcement actions entitled "Compliance Considerations." In actuality, this section, which provides the takeaways for other firms from the enforcement action, is not all that new; giving it a proper heading to call attention to it is a recent innovation. In this case, the lessons to be learned are very much in line with OFAC's May 2019 publication "A Framework for OFAC Compliance Commitments" ("Framework document").

The Amazon enforcement action notes that compliance programs and tools are risk-based and commensurate to the "speed and scale of their business operations." While the Framework document does talk about the need to configure compliance controls and tools in a risk-based way, this action goes further. It specifically points out, as conjectured in a previous section, the need to screen "relevant customer information" and to handle issues such as "common misspellings."

The enforcement action also points out that testing systems on a routine basis, to make sure they are functioning properly, is probably a thing that firms (especially larger and more sophisticated ones) ought to do. Similarly, OFAC also spotlights the utility of instituting short-term tactical controls to mitigate the risk from an identified deficiency in program processes, procedures or systems, until a root cause analysis can be completed. Both of these specific elements were initially introduced in the Framework document.


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email