The Office of Foreign Assets Control (OFAC) has closed eight enforcement actions so far in 2023. These enforcement actions targeted companies, financial institutions, and individuals in the United States and abroad, and they resulted in more than $550 million in settlements.
What can other companies, financial institutions, and individuals learn from these enforcement actions? OFAC publishes Enforcement Releases on its website, and these releases provide some notable insights into OFAC’s sanctions enforcement tactics and priorities. By understanding these tactics and priorities, potential targets of OFAC enforcement actions can take strategic steps to bolster their sanctions compliance programs and efforts and reduce their risk of facing OFAC scrutiny.
Notably, all eight of OFAC’s enforcement actions so far in 2023 resulted in settlements with the target. As discussed further below, the majority of these enforcement actions also resulted from voluntary self-disclosures—so it makes sense that the companies and financial institutions involved were interested in settling. There are several other notable consistencies among OFAC’s 2023 enforcement actions as well.
OFAC Enforcement Actions in 2023
Here is a brief summary of each of OFAC’s enforcement actions so far in 2023:
1. Godfrey Phillips India Limited
Statutory Maximum Civil Monetary Penalty (CMP): $1.78 million
Base Penalty Amount: $475,000 (non-egregious violation, no voluntary self-
disclosure)
Settlement Amount: $332,500
Godfrey Phillips India Limited (GPI) faced an enforcement action related to its use of U.S. financial institutions to process transactions for exporting tobacco to North Korea. According to OFAC, GPI “relied on several third-country intermediary parties to receive payment, which obscured the nexus to the DPRK and caused U.S. financial institutions to process these transactions.”
In agreeing to a $332,500 settlement with GPI, OFAC considered the following
aggravating factors under its Economic Sanctions Enforcement Guidelines:
- GPI acted “recklessly” and exercised a “minimal degree of caution or care for U.S. sanctions laws and regulations.”
- Several company managers had actual knowledge that the conduct at issue “concerned the exportation of tobacco to [North Korea].”
- The company’s actions harmed U.S. foreign policy objectives “by providing a sought-after, revenue-generating good to the North Korean regime.”
Mitigating factors in this case included:
- GPI had not received a Penalty Notice or Finding of Violation from OFAC in the previous five years.
- GPI took remedial measures upon learning of the apparent violations, including implementing new know-your customer measures and recordkeeping requirements.
- GPI cooperated with OFAC during its investigation.
2. Wells Fargo Bank, N.A.
Statutory Maximum CMP: $1.066 billion
Base Penalty Amount: $533,369,211 (egregious violation, voluntary self-disclosure)
Settlement Amount: $30 million
Wells Fargo Bank, N.A. faced an enforcement action related to its predecessor Wachovia Bank’s decision to provide software to a foreign bank that used the software to process trade-finance transactions with sanctioned nations and entities. While noting multiple failures by the bank (including its failure to identify the issue for seven years “despite concerns raised internally within Wells Fargo on multiple occasions”), OFAC agreed to settle Wells Fargo’s potential half-billion-dollar liability for $30 million. Aggravating factors in this case included:
- Reckless disregard for U.S. sanctions requirements and failure to exercise a minimal degree of caution or care.
- The fact that senior management “should reasonably have known” that the software was being used for transactions with sanctioned jurisdictions and entities.
- Wells Fargo undermined the policy of OFAC’s sanctions programs for Iran, Sudan, and Syria by providing the software platform.
Mitigating factors in this case included:
- Wells Fargo had a strong sanctions compliance program at the time of the apparent violations.
- The “true magnitude of the sanctions harm underlying the conduct” is less than the total value of the transactions conducted using the software platform.
- Wells Fargo had not received a Penalty Notice or Finding of Violation from OFAC in the previous five years and remediated the compliance issue immediately.
3. Uphold HQ Inc.
Statutory Maximum CMP: $44,468,494
Base Penalty Amount: $90,288 (non-egregious violation, voluntary self-disclosure)
Settlement Amount: $72,230
Uphold HQ Inc., a California-based money services business, faced an enforcement action related to its processing of transactions for customers who self-identified as being located in Iran or Cuba or as employees of the Government of Venezuela. The 152 transactions at issue involved a total value of $180,575. Aggravating factors in this case included:
- Failure to exercise due caution or care when conducting due diligence on customers who provided information indicating sanctions risks.
- Uphold had reason to know that it was processing payments for customers in Iran and Cuba and who were employees of the Venezuelan government.
Mitigating factors in this case included:
- Uphold had not received a Penalty Notice or Finding of Violation from OFAC in the previous five years.
- Uphold cooperated with OFAC’s investigation.
- Uphold undertook “numerous” remedial measures in response to OFAC’s investigation.
4. Microsoft Corporation
Statutory Maximum CMP: $404.6 million
Base Penalty Amount: $5.96 million (non-egregious violation, voluntary self-disclosure)
Settlement Amount: $2.98 million
Microsoft Corporation faced an enforcement action related to its exportation of “services or software” to Specially Designated Nationals (SDNs) and blocked persons in violation of OFAC’s Cuba, Iran, Syria, and Ukraine/Russia-related sanctions programs. According to OFAC’s Enforcement Release, “[t]he majority of the apparent violations . . . occurred as a result of [Microsoft’s] failure to identify and prevent the use of its products by prohibited parties.” Aggravating factors in this case included:
- Microsoft demonstrated a reckless disregard for U.S. sanctions over a seven-year period.
- The apparent violations harmed U.S. foreign policy objectives by providing software and services to more than 100 SDNs or blocked persons, “including major Russian enterprises.”
- Microsoft is a “world-leading technology company operating globally with substantial experience and expertise in software and related services sales and transactions.”
Mitigating factors in this case included:
- There was no evidence that anyone in Microsoft’s U.S. management was aware of the apparent violations at any time.
- Microsoft cooperated with OFAC’s investigation.
- Microsoft undertook “significant remedial measures and enhanced its sanctions compliance program through substantial investment” after learning of the apparent violations.
5. British American Tobacco P.L.C.
Statutory Maximum CMP: $508.61 billion
Base Penalty Amount: $508.61 billion (egregious violation, no voluntary self-
disclosure)
Settlement Amount: $508.61 billion
British American Tobacco P.L.C. entered into a settlement for the full statutory maximum CMP resulting from apparent violations of OFAC’s sanctions against North Korea. According to OFAC, the company engaged in a conspiracy “to export tobacco and related products to North Korea and receive payment for those exports through the U.S. financial system” by obscuring the source of the funds involved. Aggravating factors in this case included:
- The company “willfully conspired” to unlawfully transfer hundreds of millions of dollars from North Korea through U.S. banks.
- The company concealed its business in North Korea through “a complex remittance structure that relied on an opaque series of front companies and intermediaries.”
- The company’s management had actual knowledge of the apparent conspiracy “from its inception through its termination.”
- The transactions at issue “helped North Korea establish and operate a cigarette manufacturing business . . . that has reportedly netted over $1 billion per year.”
- British American Tobacco is “a large and sophisticated international company operating in approximately 180 markets around the world.”
Mitigating factors in this case included:
- British American Tobacco has not received a Penalty Notice or Finding of Violation in the past five years.
- British American Tobacco cooperated with OFAC’s investigation.
6. Poloniex, LLC
Statutory Maximum CMP: 19.69 billion
Base Penalty Amount: $99.23 million (non-egregious violation, voluntary self-disclosure)
Settlement Amount: $7.59 million
Poloniex, LLC, which operates an online trading platform in the United States, agreed to settle after it was discovered that the company committed 65,942 apparent violations of various sanctions programs by processing transactions with a combined value of over $15 million. In settling for a small fraction of the base penalty amount, OFAC noted that Poloniex was a “small start-up” when most of the apparent violations were committed and that its acquiring company had already adopted a more-robust OFAC compliance program.
7. Murad, LLC
Statutory Maximum CMP: $22.22 million
Base Penalty Amount: $11.11 million (egregious violation, voluntary self-disclosure)
Settlement Amount: $3.33 million
Murad, LLC, a California-based cosmetics company, faced an OFAC enforcement action after it self-disclosed that it had exported products worth $11 million to Iran. While OFAC found that the company acted willingly in violating its sanctions on Iran, as mitigating factors OFAC noted the company’s remedial response and the “benign
consumer nature” of the products involved.
8. Swedbank Latvia AS
Statutory Maximum CMP: $112.32 million
Base Penalty Amount: $6.24 million (non-egregious violation, no voluntary self-disclosure)
Settlement Amount: $3.43 million
Swedbank Latvia AS faced an enforcement action related to the use of its e-banking platform by a customer with a Crimean IP address to send payments to persons in Crimea through U.S. correspondent banks. While OFAC noted that Swedbank Latvia is “a sophisticated financial institution with over one million customers” and failed to exercise due caution or care, it also noted that the bank took “significant remedial action” in response to the apparent violations and “substantially cooperated” with its investigation.
Insights from OFAC’s 2023 Enforcement Actions To Date
As these recent enforcement actions show, OFAC appears to be willing to give substantial weight to companies’ and financial institutions’ good-faith compliance efforts as well as their remedial efforts after discovering apparent sanctions violations. Cooperation was a key factor in several of OFAC’s 2023 enforcement actions as well. When facing OFAC scrutiny or the need to make a voluntary self-disclosure, companies and financial institutions must work with their counsel to make informed decisions, and they must move forward with a strategic plan in place focused on achieving a favorable outcome in light of the facts at hand.