From last week’s blog, it became clear that using sophisticated screening software that utilizes fuzzy logic is now a necessity to be compliant. Please see: https://thesanctionsgeek.com/is-fuzzy-logic-now-clear/
Two recent OFAC enforcement actions underscore the importance of screening the IP address of a customer to ensure an embargoed country is not at issue. If such a country is implicated, a simple block with a notice, such as “We regret we are unable to provide service for your jurisdiction”, is all that is needed. This was a capability I witnessed while working at HP, Inc. back in 2015 through 2017, but, it turns out, not every company is sophisticated enough to think of this when providing online services/tech support.
The two recent cases are the BitGo and BitPay cases from December 2020 and February 2021 respectively. I will review each case below for conclusions on best practices on IP address screening.
I. The BitGo IP Address Screening Failure
Please see this URL for additional information on this case: https://home.treasury.gov/system/files/126/20201230_bitgo.pdf
BitGo, Inc. (“BitGo”) is a technology company based in Palo Alto, California that implements security and scalability platforms for digital assets and offers non-custodial secure digital wallet management services. BitGo agreed in December 2020 to remit $98,830 to settle its potential civil liability for 183 apparent violations of multiple sanctions programs.
As a result of deficiencies related to BitGo’s sanctions compliance procedures, BitGo failed to prevent persons apparently located in the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria from using its non-custodial secure digital wallet management service. All of these countries are under comprehensive U.S. embargo.
Between approximately March 10, 2015 and December 11, 2019, BitGo processed 183 digital currency transactions, totaling $9,127.79, on behalf of individuals who, based on their IP addresses, were located in these sanctioned jurisdictions.
BitGo had reason to know that these users were located in sanctioned jurisdictions based on Internet Protocol (IP) address data associated with devices used to log in to the BitGo platform. BitGo’s reason to know was based on BitGo’s practice of tracking its users’ IP addresses for security purposes related to account logins. BitGo, however, did not use this IP address information for sanctions compliance purposes.
At the time of the transactions, however, BitGo failed to implement controls designed to prevent such users from accessing its services. OFAC determined that BitGo did not voluntarily self-disclose the violations and that the violations constituted a non-egregious case.
II. The BitPay IP Address Screening Failure
Please see this URL for additional information on this case: https://home.treasury.gov/system/files/126/20210218_bp.pdf
BitPay, Inc. (“BitPay”) is a private company based in Atlanta, Georgia that offers a payment processing solution for merchants to accept digital currency as payment for goods and services. BitPay agreed to remit $507,375 to settle its potential civil liability for 2,102 apparent violations of multiple sanctions programs.
BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform. This happened even though BitPay had location information, including IP addresses and other location data, about those persons prior to consummating the transactions.
BitPay’s sanctions compliance program deficiencies enabled persons in these sanctioned jurisdictions to engage in approximately $129,000 worth of digital currency-related transactions with BitPay’s merchant customers. The settlement amount reflects OFAC’s determination that BitPay’s apparent violations were not voluntarily self-disclosed and were non-egregious.
III. Conclusion on IP Address Screening
If a business offers a service online (be it digital currency services, tech support services or other services), it will be necessary to screen the IP addresses of customers prior to providing services. If such customers are from one of the comprehensively embargoed countries (currently, the Crimea region, Cuba, Iran, North Korea and Syria), it will be necessary to impose a transaction block.
The Crimea region of the Ukraine presents a bit of a challenge, as one does not want to block all business with the Ukraine. The way we overcame this issue at HP, Inc. was to request from the U.S. Postal Service all zip codes associated with the Crimea region. An IP address from the Ukraine raised the initial flag, and the decision on whether to impose a transaction block was then subject to a secondary flag based on the zip code. If the code was within the Crimea, the transaction block message would be sent and the IP address would be blocked accordingly.
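The two-stage check described above, sketched as an added example (not code from HP, Inc. or from any company named in this post). The geolocation feed uses documentation IP ranges with made-up country assignments, the Crimea postal codes are placeholders, and sending unknown or incomplete data to manual review is an assumption of this sketch.

```python
import ipaddress

# Constructed sample feed: RFC 5737 documentation ranges standing in for a
# commercial IP-geolocation database. The country assignments are NOT real.
GEO_FEED = [
    ("192.0.2.0/24", "IR"),
    ("198.51.100.0/24", "UA"),
    ("203.0.113.0/24", "US"),
]

# Comprehensively embargoed countries named in the post (ISO 3166-1 alpha-2).
# Crimea has no country code of its own, hence the second stage below.
EMBARGOED_COUNTRIES = {"CU", "IR", "KP", "SY"}

# Placeholder values standing in for the list of Crimea postal codes.
CRIMEA_POSTAL_CODES = {"00001", "00002"}

BLOCK_NOTICE = "We regret we are unable to provide service for your jurisdiction"


def country_for_ip(ip, feed=GEO_FEED):
    """Longest-prefix lookup of an IP address in the geolocation feed."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be unwrapped, or an IPv4
    # client arriving over a dual-stack listener slips past the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    best = None
    for cidr, country in feed:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


def screen(ip, postal_code=None):
    """Return (decision, reason); decision is 'allow', 'block' or 'review'."""
    try:
        country = country_for_ip(ip)
    except ValueError:
        return ("review", "unparseable IP address")
    if country is None:
        return ("review", "IP address not in geolocation feed")
    # Stage 1: whole-country embargoes are decided on the IP address alone.
    if country in EMBARGOED_COUNTRIES:
        return ("block", BLOCK_NOTICE)
    # Stage 2: a Ukraine IP is only an initial flag; the postal code decides.
    if country == "UA":
        if postal_code is None:
            return ("review", "Ukraine IP address without a postal code")
        if postal_code.replace(" ", "") in CRIMEA_POSTAL_CODES:
            return ("block", BLOCK_NOTICE)
    return ("allow", "no embargoed jurisdiction indicated")


if __name__ == "__main__":
    for ip, code in [("192.0.2.10", None), ("198.51.100.7", "00001"),
                     ("198.51.100.7", "12345"), ("203.0.113.9", None)]:
        print(ip, code, screen(ip, code))
```

Each decision should also be written to an audit record, since both enforcement actions turned on IP data the companies already held but did not use for sanctions purposes.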
While the BitGo and BitPay penalties may seem relatively low, their cases have been made public, and it is likely that other U.S. person intermediaries (banks in particular) will impose additional due diligence vetting on both of these companies. That, in turn, can cause cash flow delays and outright disruptions. It is therefore well worth undertaking the proper compliance these cases illustrate.
I wrote briefly about “fuzzy logic” in a prior post (please see: https://thesanctionsgeek.com/3-key-steps-in-ofac-compliance-screen-screen-and-screen/). What I did not mention is that a couple of America’s biggest companies have recently gotten caught for failures to pick up aliases that their respective software programs should have caught.
The Office of Foreign Assets Control (OFAC) itself has recently upgraded the “fuzzy logic” in its own search tool in January 2021. Please see: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210125.
Those two companies that got in trouble recently for inadequate “fuzzy logic” capabilities are Apple and Amazon. This blog will review both cases to illustrate the importance of proper “fuzzy logic” capabilities in a chosen software service provider.
I. Apple’s Failure with Fuzzy Logic
In November 2019, Apple, Inc. agreed to pay $466,912 to settle its OFAC case for apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations. (Please see: https://home.treasury.gov/system/files/126/20191125_apple.pdf).
Apple dealt in the property or interests in property of SIS, d.o.o. (“SIS”), a Slovenian software company previously identified on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) as a significant foreign narcotics trafficker (“SDNTK”). The SDN List provided the following identifying information for SIS: SIS D.O.O., 19 Spruha, Trzin 1236, Slovenia; Registration ID 5919070 (Slovenia); Tax ID No. SI91729181 (Slovenia) [SDNTK].
Apple screened the newly designated SDNTKs against its app developer account holder names using its sanctions screening tool. However, Apple failed to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked. Apple later attributed this failure to its sanctions screening tool’s failure to match the upper case name “SIS DOO” in Apple’s system with the lower case name “SIS d.o.o.” as written on the SDN List. The term “d.o.o.” is a standard corporate suffix in Slovenia identifying a limited liability company.
OFAC determined the following to be mitigating factors regarding Apple’s correction of its “fuzzy logic” deficiency in its screening software, namely, Apple:
• Reconfigured the primary sanctions screening tool to fully capture spelling and capitalization variations and to account for country-specific business suffixes, and implemented an annual review of the tool’s logic and configuration;
• Expanded sanctions screening to include not only app developers, but also their designated payment beneficiaries and associated banks; and
• Updated the instructions for employees to review potential SDN List matches flagged by the primary sanctions screening tool.
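An added example, not Apple's or any screening vendor's code, of the normalization these mitigating factors describe: fold case and punctuation, strip country-specific business suffixes, then compare with a tunable similarity threshold. The suffix set, the second watchlist entry, the misspelled account names and the 0.85 threshold are constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# "doo" is the Slovenian suffix from the Apple case; the other entries are
# an illustrative, incomplete set of business suffixes.
BUSINESS_SUFFIXES = {"doo", "dd", "llc", "ltd", "inc", "gmbh", "sa", "ag"}

# First entry as written on the SDN List per the post; second is constructed.
WATCHLIST = ["SIS d.o.o.", "Example Trading Company d.o.o."]


def naive_match(a, b):
    """Case-insensitive equality: still misses 'SIS DOO' vs 'SIS d.o.o.'."""
    return a.casefold() == b.casefold()


def normalize(name):
    """Reduce a party name to a comparable core string."""
    # Strip accents, then fold case.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.casefold()
    # Drop periods so "d.o.o." collapses to "doo"; other punctuation and
    # underscores become single spaces.
    text = text.replace(".", "")
    text = re.sub(r"[\W_]+", " ", text)
    tokens = text.split()
    # Remove trailing business suffixes, but never the last remaining token.
    while len(tokens) > 1 and tokens[-1] in BUSINESS_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def screen_name(candidate, watchlist=WATCHLIST, threshold=0.85):
    """Return watchlist hits as (entry, score, kind), best score first.

    Lowering the threshold catches more misspellings at the cost of more
    false positives; short cores such as "sis" are especially sensitive.
    """
    cand = normalize(candidate)
    hits = []
    for entry in watchlist:
        norm = normalize(entry)
        if cand == norm:
            hits.append((entry, 1.0, "exact"))
            continue
        score = SequenceMatcher(None, cand, norm).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 3), "fuzzy"))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for account in ["SIS DOO", "EXAMPLE TRADNG COMPANY DOO",
                    "Sys d.o.o.", "Sisters Bakery LLC"]:
        print(account, "->", screen_name(account))
```

A hit here is a flag for human review against the other identifiers on the list entry (address, registration ID, tax ID), not an automatic determination.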
II. Amazon Fuzzy Logic Failure
Amazon.com, Inc. agreed to pay $134,523 in July 2020 to settle its potential civil liability for apparent violations of multiple OFAC sanctions programs (please see: https://home.treasury.gov/system/files/126/20200708_amazon.pdf). As a result of deficiencies related to Amazon’s sanctions screening processes, Amazon provided goods and services to persons sanctioned by OFAC; to persons located in the sanctioned region or countries of Crimea, Iran, and Syria; and to individuals located in or employed by the foreign missions of countries sanctioned by OFAC.
The settlement amount reflects OFAC’s determination that Amazon’s apparent violations were non-egregious and voluntarily self-disclosed, and further reflects the significant remedial measures implemented by Amazon upon discovery of the apparent violations.
Overall, OFAC found the apparent violations consisted primarily of transactions involving low-value retail goods and services for which the total transaction value of the apparent violations was approximately $269,000. OFAC further determined the apparent violations occurred primarily because Amazon’s automated sanctions screening processes failed to fully analyze all transaction and customer data relevant to compliance with OFAC’s sanctions regulations.
What served as chief mitigating factors was that Amazon undertook significant remedial measures to address its sanctions screening deficiencies. Such measures included:
• Employing internal and third-party sources to conduct a thorough review of Amazon’s sanctions compliance program and its automated screening systems in order to address the screening failures that gave rise to the apparent violations. In particular, Amazon is incorporating additional automated preventative screening controls designed to scale and operate effectively for its overall retail business;
• Developing internally custom screening lists to minimize the risk of processing transactions that raise sanctions compliance concerns; and
• Enhancing its sanctioned jurisdiction Internet Protocol (IP) blocking controls and implementing automated processes to update continually its mapping of IP ranges associated with sanctioned jurisdictions.
III. “Fuzzy Logic” Becomes Clear Logic
After reviewing both the Apple and Amazon cases, it becomes readily clear why proper “fuzzy logic” capabilities in picking up alternate spellings and aliases are so important. While such “fuzzy logic” can result in an overwhelming number of “false positive” matches, the logic can be tweaked to match the risk profile of a given company, depending on types of business partners and geographies covered.
Because a given company’s risk profile can evolve over time, it is most helpful to undertake the commitment Apple made in implementing an annual review of the screening tool’s logic and configuration (likely best done as part of an annual risk assessment).
From last week’s post (https://thesanctionsgeek.com/oh-the-myriad-ways-ofac-can-blacklist-you/), if you happen to find yourself or a business partner triggering a blacklist screen alert, there might be different reasons for the trigger that merit inquiry. It could be due to mistaken identity or changed circumstances, and there is potential to request delisting.
I. Mistaken Identity Delisting
In my last Fortune 200 company job, I travelled to Mexico City with one of our internal auditors (who was fully bilingual in both Spanish and English). The problem was that his name triggered a “specially designated national” (SDN) match which also translated into a “Do Not Fly” prohibition. Fortunately, this was not the first time my former work colleague had encountered this issue, and he produced an electronic file with key documentation indicating his full name, place and date of birth as well as his current residence address. All of these were distinguishing facts that helped clear his name. We boarded our flight without further ado.
There is an Office of Foreign Assets Control (OFAC) procedure under 31 CFR § 501.806 to petition to unblock funds that have been frozen due to mistaken identity. Under subsection (d), a request to release funds should include the following information, where known, concerning the transaction:
(1) The name of the financial institution in which the funds are blocked;
(2) The amount blocked;
(3) The date of the blocking;
(4) The identity of the original remitter of the funds and any intermediary financial institutions;
(5) The intended beneficiary of the blocked transfer;
(6) A description of the underlying transaction including copies of related documents (e.g., invoices, bills of lading, promissory notes, etc.);
(7) The nature of the applicant’s interest in the funds; and
(8) A statement of the reasons why the applicant believes the funds were blocked due to mistaken identity.
This can happen more often than not if the financial institution uses screening software with fuzzy logic that picks up potential aliases. Indeed, many banks have received harsh OFAC penalties and tend to err on the side of caution. A well-documented request can ensure release of overzealously blocked funds in relatively short order.
II. Changed Circumstances Delisting
It is also possible that one is being blocked as a result of a true SDN match. There is also a procedure to request reconsideration based on changed circumstances. 31 CFR § 501.807 governs Requests for delisting from the SDN and Blocked Persons List.
This regulation provides a procedure for submitting arguments or evidence that might establish that insufficient basis exists for the SDN designation. The blocked person also may propose remedial steps, such as corporate reorganization, resignation of persons from positions in a blocked entity, or similar steps, which the person believes would negate the basis for designation.
As another example, the regulation explains a person owning a majority interest in a blocked vessel may propose the sale of the vessel, with the proceeds to be placed into a blocked interest-bearing account after deducting the costs incurred while the vessel was blocked and the costs of the sale. Taking such action could provide grounds for delisting as an SDN.
III. It is Advisable to Request a Meeting with OFAC on Delisting
§ 501.807(c) permits a blocked person to request a meeting with the OFAC decision makers; however, the regulation states such meetings are not required and that OFAC may, at its discretion, decline to conduct such a meeting.
With experienced counsel, it is highly advisable to request such a meeting. The value of establishing credibility in person cannot be overstated with so much at stake in such proceedings. When making the initial request, it will be necessary to inquire about the in-person meeting opportunity at the same time. To have the best hope of having a meeting request granted, one should present a proposed agenda along with a list of supporting documents, visual aids and third-party certifications and verifications.
Following last week’s post on the importance of screening (https://thesanctionsgeek.com/3-key-steps-in-ofac-compliance-screen-screen-and-screen/), it is mission critical to know OFAC has more than one way to blacklist a bad actor.
I. Specially Designated Nationals and Blocked Persons Blacklist (SDNs)
The SDNs comprise a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Their assets are blocked and U.S. persons are generally prohibited from dealing with them. (Please see: https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists).
II. Other Non-Blocking OFAC Blacklists
OFAC also generates these other sanctions blacklists (where blocking is not required but other prohibitions and investment restrictions apply). (Please see: https://home.treasury.gov/policy-issues/financial-sanctions/consolidated-sanctions-list-data-files):
Foreign Sanctions Evaders List – a list of foreign individuals and entities determined to have violated, attempted to violate, conspired to violate, or caused a violation of U.S. sanctions on Syria or Iran pursuant to Executive Order 13608. It also lists foreign persons who have facilitated deceptive transactions for or on behalf of persons subject to U.S. sanctions.
Non-SDN Palestinian Legislative Council List – section (b) of General License 4, issued pursuant to the Global Terrorism Sanctions Regulations (31 C.F.R. Part 594), the Terrorism Sanctions Regulations (31 C.F.R. Part 595), and the Foreign Terrorist Organizations Sanctions Regulations (31 C.F.R. Part 597), authorizes U.S. financial institutions to reject transactions with members of the Palestinian Legislative Council (PLC) who were elected to the PLC on the party slate of Hamas, or any other Foreign Terrorist Organization (FTO), Specially Designated Terrorist (SDT), or Specially Designated Global Terrorist (SDGT).
Non-SDN Iranian Sanctions List – under Section 6 of the Iran Sanctions Act or under the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010, as amended, the President, the Secretary of State, or the Secretary of the Treasury imposes non-blocking sanctions on a person.
Non-SDN Menu-Based Sanctions List (NS-MBS List) – this list is designed as a reference tool that identifies persons subject to certain non-blocking menu-based sanctions that have been imposed under statutory or other authorities, including certain sanctions described in Section 235 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), as implemented by Executive Order 13849, and the Ukraine Freedom Support Act of 2014, as amended by CAATSA. The NS-MBS List also will specify the type of sanction or sanctions imposed on the listed person and the legal authority under which the person is sanctioned.
III. Distinguish Treasury’s OFAC from Commerce Blacklists
It is important to distinguish these Treasury OFAC lists from Commerce’s Bureau of Industry and Security (BIS) Denied Persons and Entity Lists. (https://home.treasury.gov/policy-issues/financial-sanctions/faqs/56).
The Denied Persons List consists of individuals and companies that have been denied export and reexport privileges by BIS. The Entity List consists of foreign end users who pose an unacceptable risk of diverting U.S. exports and the technology they contain to alternate destinations for the development of weapons of mass destruction.
Accordingly, U.S. exports to those entities may require a license. Authority for the Denied Persons List and the Entity List can be found in Title 15, Part 764, Supplement No. 2 and Title 15, Part 744, Supplement No. 4 of the U.S. Code of Federal Regulations, respectively.
I occasionally receive questions over how best to cover the bases when OFAC can easily add new specially designated nationals on a daily basis. The three key steps are to screen, screen and screen!
I. Screen Intervention Points
The intervention points for screening include:
At the onboarding stage for business partners;
At the order in-take stage in a given transaction; and
At the time of shipment should there be a lag between the date of order intake versus shipment date.
It will also be necessary to batch screen on a periodic basis to make sure previously on-boarded business partners are still in the clear. That is, there are certainly instances where a customer or supplier will clear the initial screening only to turn into a bad apple at a later date.
II. URL Screen
If the company provides technical support on-line, it will even be necessary to screen for embargoed country URL addresses to avoid inadvertently undertaking business with prohibited parties. This scenario arises more frequently than not as third parties in benign countries can resell to parties in one of the embargoed countries (currently, those countries and regions include: Crimea, Cuba, Iran, North Korea and Syria).
III. Alias Screen
There is also the need to be able to pick up close spellings and aliases. This screening functionality is known as “fuzzy” logic. In fact, OFAC just upgraded its own free screening tool with this capability as reported last month (please see: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210125). The URL for OFAC’s screening tool is: https://sanctionssearch.ofac.treas.gov/
IV. Key Lists To Screen Against
Moreover, if a company is globally deployed, it will be necessary to ensure other key lists are screened above and beyond the U.S. lists. At a minimum, screening should take place against these lists:
CAATSA Section 231(d) Defense and Intelligence Sectors of the Government of the Russian Federation | US Dept. of Treasury
List of Foreign Financial Institutions | US Dept. of State
SDN, Western Balkans (OFAC) | US Dept. of Treasury
Correspondent Account or Payable-Through Account Sanctions (OFAC) | US Dept. of Treasury
Chemical Biological Weapons Concerns (DOS) | US Dept. of State
Non-SDN Communist Chinese Military Companies List | US Dept. of Treasury
Cuba Prohibited Accommodations List (DOS) | US Dept. of State
Countering America’s Adversaries Through Sanctions Act of 2017 (CAATSA) – Section 224 (OFAC) | US Dept. of Treasury
Malicious Cyber-Enabled Activities (OFAC) | US Dept. of Treasury
Department of State Debarred Parties (DOS) | US Dept. of State
Department of State, China | US Dept. of State
Foreign Interference in a United States Election (OFAC) | US Dept. of Treasury
Designated Terrorist Organization (DOS/OFAC) | US Dept. of State
Department of State Cuba Restricted List | US Dept. of State
End-User Requiring License – Entity List | US Dept. of Commerce
European Union Sanctions List | European Union
US Presidential Executive Order List | White House
Foreign Sanctions Evaders List (OFAC) | US Dept. of Treasury
Money Laundering Concerns (FINCEN) | US Dept. of Treasury
German Proliferation Concerns (Concern List Only) | German Government (BAFA)
Human Rights Information Technology (OFAC) | US Dept. of Treasury
Blocking Property of Certain Persons Associated with the International Criminal Court | US Dept. of Treasury
Iran Sanctions Act (DOS) | US Dept. of State
Iran, North Korea and Syria Non-proliferation Act | US Dept. of State
Japanese Proliferation Concerns (METI) | Japanese Ministry of Economy, Trade and Industry (METI)
Transfer of Lethal Military Equipment (DOS) | US Dept. of State
Military End User List, Commerce | US Dept. of Commerce
Missile Technology Concerns (DOS) | US Dept. of State
Merchant Vessel, Cuba (OFAC) | US Dept. of Treasury
Weapons of Mass Destruction Proliferators and Their Supporters | US Dept. of Treasury
Non-SDN Menu-Based Sanctions List (CAATSA RUSSIA) (OFAC) | US Dept. of Treasury
Non-SDN Palestinian Legislative Council (OFAC) | US Dept. of Treasury
Red Flag Concerns (BIS) | US Dept. of Commerce
Specially Designated Global Terrorist-SDGT (OFAC) | US Dept. of Treasury
Specially Designated Terrorists – SDME (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Belarus (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Burundi | US Dept. of Treasury
Specially Designated Nationals, Cuba (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Central African Republic | US Dept. of Treasury
Specially Designated Nationals, Congo (OFAC) | US Dept. of Treasury
Specially Designated National, Hong Kong (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Iraq (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Iran (OFAC) | US Dept. of Treasury
Specially Designated Nationals, N. Korea (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Libya (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Lebanon | US Dept. of Treasury
Specially Designated Nationals, Mali | US Dept. of Treasury
Specially Designated Nationals, Nicaragua (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Sudan (OFAC) | US Dept. of Treasury
Specially Designated Nationals, South Sudan (OFAC) | US Dept. of Treasury
Specially Designated Nationals, Sergei Magnitsky (OFAC)