The publication of every new OFAC settlement is a mine of information for sanctions practitioners. The recent Apple Inc settlement reminds us that regulators judge our decisions and methodology, not the data or the software tools used (which are usually deficient).
1. “..hosted, sold, and facilitated the transfer of SIS’s software applications and associated content (the “Apparent Violations”)..”
● The relation to a sanctioned entity is not always and uniquely through a financial transaction.
● Any indirect facilitation (e.g. application hosting) is a breach under the ‘knowingly’ standard.
● Every single activity with a customer (e.g. hosting, selling, facilitating) should be individually checked against sanctions.
2. “..During this screening, Apple failed to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked. Apple later attributed this failure to its sanctions screening tool’s failure to match the upper case name “SIS DOO” in Apple’s system with the lower case name “SIS d.o.o.” as written on the SDN List...”
● Screening software matching failures are not mitigating factors.
● Relying on private databases and third-party software for sanctions screening may have serious consequences.
● For sanctions screening, use only the OFAC online search tool.
● Check regularly, and document, the performance of your screening tool with test data on the production environment.
3. “..The owner of the Third Company took over the administration of SIS’s App Store account and replaced SIS’s App Store banking information with his own banking information. These actions were all conducted without personnel oversight or additional screening by Apple...”
● Changes to a relationship’s fundamental data require thorough review and screening of the complete file.
● We should go beyond ‘tick the box’ and always clarify why a change is requested.
● Internal procedures and IT systems should incorporate regulatory approval and require due diligence on customer fundamental data updates.
4. “..Apple made 47 payments associated with the blocked apps, including payments directly to SIS, during the period of time that SIS was listed on the SDN List. In total, over 54 months, Apple collected $1,152,868 from customers who downloaded SIS apps..”
● Apple relied solely on software tools for detecting payments to sanctioned entities, and not on additional risk factors.
● The number of transactions, the total amount and the time period (54 months) made the relation with the sanctioned entity ‘significant’ and aggravated the case.
● Random checks should be performed on ‘significant’ relations.
● Checks and controls are more effective when done before the transaction is booked.
5. “..Reconfigured the primary sanctions screening tool to fully capture spelling and capitalization variations and to account for country-specific business suffixes, and implemented an annual review of the tool’s logic and configuration;..”
● Relying on private databases and third-party software for sanctions screening may have serious consequences.
● For sanctions screening, use only the OFAC online search tool.
● Reconfiguring third-party tools may either miss relevant hits or significantly increase irrelevant hits (false positives).
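The matching failure in point 2 and the reconfiguration in point 5 both come down to name normalization before comparison. The following is an added Python example, not Apple’s tool or anything from OFAC, that shows the raw comparison which misses “SIS d.o.o.” next to a normalizing comparison that catches it; the legal-suffix list and the sample SDN entries are constructed, and the threshold parameter illustrates the false-positive trade-off from the last bullet.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list of country-specific legal-form suffixes (assumption; extend per
# jurisdiction). 'd.o.o.' is the limited-liability form used in Serbia, Croatia, Slovenia.
LEGAL_SUFFIXES = {"doo", "dd", "ad", "llc", "ltd", "gmbh", "sa", "sarl", "inc", "corp"}

# Constructed sample of SDN-style entries; NOT the real SDN List.
SAMPLE_SDN = ["SIS d.o.o.", "Example Trading GmbH", "Žitoprodukt a.d."]


def normalize_name(name: str) -> str:
    """Case-fold, strip diacritics, collapse dotted abbreviations ('d.o.o.' -> 'doo'),
    turn remaining punctuation into spaces and drop trailing legal-form suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).casefold()
    # 'd.o.o.' / 'a.d.' -> 'doo' / 'ad'; other punctuation is handled on the next line
    text = re.sub(r"\b(?:[a-z0-9]\.){2,}", lambda m: m.group(0).replace(".", ""), text)
    tokens = re.sub(r"[^a-z0-9]+", " ", text).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def naive_screen(customer: str, sdn: list[str]) -> list[str]:
    """Raw string equality: the behaviour the settlement describes ('SIS DOO' != 'SIS d.o.o.')."""
    return [entry for entry in sdn if entry == customer]


def screen(customer: str, sdn: list[str], threshold: float = 1.0) -> list[tuple[str, float]]:
    """Compare normalized names. threshold=1.0 means exact match after normalization;
    lowering it admits spelling variants but also raises the false-positive rate."""
    target = normalize_name(customer)
    hits = []
    for entry in sdn:
        score = SequenceMatcher(None, target, normalize_name(entry)).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 2)))
    return hits


if __name__ == "__main__":
    print(naive_screen("SIS DOO", SAMPLE_SDN))                   # [] : the miss in the settlement
    print(screen("SIS DOO", SAMPLE_SDN))                         # [('SIS d.o.o.', 1.0)]
    print(screen("Zitoprodukt AD", SAMPLE_SDN))                  # diacritics and suffix handled
    print(screen("Example Tradng GmbH", SAMPLE_SDN, threshold=0.8))  # typo caught only below 1.0
```

Every hit returned by a lowered threshold is a candidate for human review, not a conclusion; the documented test data from point 2 should include exactly these case, suffix and spelling variants.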
6. “..Compliance measures should also anticipate potential vulnerabilities in a company’s compliance program that could allow sanctions evasion and circumvention, and should include preventative measures that alert and react to sanctions evasion warning signs, such as business and employment connections between individuals and entities...”
● The compliance program should be reviewed in depth regularly.
● Improve preventive measures with random checks on ‘significant’ relations, and do not rely only on screening tools.
● Internal procedures and IT systems should incorporate regulatory approval and require due diligence on customer fundamental data updates.
7. “..As noted in OFAC’s Framework for Compliance Commitments, U.S. companies can mitigate sanctions risk by conducting risk assessments, and exercising caution when doing business..”
● OFAC refers more and more frequently to the Framework for Compliance Commitments document as the reference for an effective compliance program.
● Risk assessment becomes essential before entering into a relationship.
● Exercise caution (measure risk) when doing business.
8. “..commitments to minimize the risk..mitigate sanctions risk..pose high risks..”
● Apply effective risk management and go beyond the mere language of statutes and regulations.
● Regulators do not judge the amount of data or the software tools you are using, but rather the decisions you take.
● Go beyond ‘tick the box’ and name matching. Ask yourself ‘why’ and look for indirect links to sanctioned entities.