In March, there was a good deal of consternation in the general press trying to understand news that President Trump had overruled the actions of the Office of Foreign Assets Control (“OFAC”) to impose additional sanctions on North Korea. Beside the oddity of a President overruling actions by a part of the Executive branch after they had been taken, it remains a mystery what the President was seeking to overrule. Not being deterred, OFAC marched on, and in so doing, it provided multiple examples again how compliance programs need to not be just written, but also followed and enforced, and cost at least one American company $1,869,144 plus significant compliance upgrade costs.
The President tweeted on March 22, 2018 that he was overruling OFAC’s actions, but no new sanctions had been announced, threatened or imposed. What OFAC did the day before was to issue an advisory, of which the Dept. of State and the Coast Guard were co-publishers, titled “Updated Guidance on Addressing North Korea’s Illicit Shipping Practices.” In it, OFAC, State and the Coast Guard put “ship owners, managers and operators, brokers, flag registries, oil companies, port operators, shipping companies, classification service providers, insurance companies, and financial institutions” on notice to be cautious in their dealings with refined petroleum and coal. [The U.S. imposes comprehensive prohibitions on dealings with North Korea. However, the United Nations sanctions bar the importation and exportation of specific goods. For that reason, it would be wise for companies to review the full OFAC document which can be found here. The advisory goes on to publish several lists of ships identified as engaging in prohibited ship-to-ship transfers, along with summarizing deceptive shipping practices and proposing risk mitigation measures.
The deceptive practices include those ship-to-ship transfers, but also disabling and manipulating automatic identification systems (“AIS”) [if this sound familiar, you likely recall the plot line in Tomorrow Never Dies, the 1997 James Bond movie. The AIS was manipulated so the British Navy ship was actually in Chinese waters.], physically altering vessel identifications, and falsifying cargo and vessel documentation. Risk mitigation factors were identified to include research a ship’s history to identify regular AIS manipulation, monitor for AIS manipulation and disablement, promote continuous AIS broadcasts, conduct due diligence in the petroleum supply chain, conduct research re prior ship-to-ship transfers, review all applicable shipping documentation, clear communication with international partners and leverage available resources. These points will be of particular interest to insurance companies and financial institutions that do business with or are located in the U.S. and American companies which find their goods on any of these ships.
Four days later, on March 25th, OFAC published a similar advisory. This one was entitled: “Sanctions Risks Related to Petroleum Shipments involving Iran and Syria.” The advisory reminds those who “deliver or finance petroleum shipments to the Government of Syria or government-owned entities” about similar deceptive shipping practices. Again, a list of vessels was published. In this context, the prohibition relates to the “purchase, acquisition, sale, transport, or marketing of petroleum or petroleum products from Iran or providing material support to certain Iran-related persons who are on existing government denied parties lists. [Yes, according to OFAC, Iran is supplying Syria.]
The list of deceptive shipping practices mirrors, in large part, the list issued regarding North Korea: falsifying cargo and vessel documents, ship-to-ship transfers, disabling AIS and vessel name changes. Here, the first risk mitigation measure proposed is the strengthening of anti-money laundering and countering the financing of terrorism compliance. The same monitor for AIS manipulation is mentioned, to go along with clear communications with international partners, insurance and leveraging available resources. The new factor in this advisory is know your customer which is paired with review of shipping documents, both are discussed in some detail, and focus on identifying and dealing with red flags. As with the North Korean advisory, insurance companies and financial institutions that do business with or are located in the U.S. and American companies which find their goods on any of these ships will be most interested.
Then, there is the sad but not unheard of tale of what befell Black and Decker which was announced on March 27, 2019. Black and Decker acquired a company in China which was selling to Iran. Black & Decker filed a voluntary disclosure when it learned that despite its compliance program and the training it provided, Chinese management had represented it ceased all sales to Iran, but was actually taking affirmative steps to evade the U.S. sanctions on Iran. OFAC points out that Black & Decker, in its opinion, did “not implement procedures to monitor or audit [the Chinese subsidiary’s] operations to ensure that its Iran-related sales had in fact ceased or did not recur post-acquisition.” Those transactions eventually came out, and OFAC hit the company with a hammer.
In the course of the investigation, OFAC found several instances where Chinese managers and supervisors took steps we have all seen when adequate follow-up is not pursued. For example, business partners were told not to state Iran or Iranian ports on any of the shipping documents; China’s management continued to deal with buyers who it knew were selling into Iran, often through UAE trading companies; invoices were issued to Iranian buyers; shipment documents indicated contact details for one consignee, but the goods were actually shipped to a third party; there were also falsified bills of lading mentioned. OFAC states that in total “23 shipments of power tools and spare parts, with a total value of $3,201,647.73” were shipped.
While there was no finding of fault, Black and Decker was hit with a $1,869,144 fine. There is a long list of commitments to which senior management had to agree and will be costly to implement, including that
- The CEO and General Counsel affirm they are committed to supporting the company’s OFAC compliance program.
- To insure compliance units have adequate authority, autonomy and budget (including staffing and equipment).
- The sanctions compliance program is reviewed and approved by senior management.
- There is a “culture of compliance.”
- Demonstration of “recognition of the seriousness” of the violations, “acknowledge[ment]” to an understanding of the violations at issue, “commit[ment] to implementing the necessary measures to avoid recurrence; and that it no longer employ and will not employ directly or indirectly “the managers responsible for, and involved” in the violations in question.
The company is also obligated to conduct an OFAC risk assessment “in a manner, and with a frequency, that adequately accounts for potential risks.” It also must develop a methodology to “identify, analyze, and address” the risks discovered. There are 8 points it must address and strengthen when it comes to internal controls, plus a section on testing and auditing, and another on training, Black and Decker is further obligated to provide an interim report signed by a senior manager on the actions taken within 180 days, and annually thereafter for five (5) years.
For the full details about what the company must now do, please see the settlement agreement which can be found here.
There seems little doubt that Black and Decker was penalized to the degree it was because either its compliance program did not cover what happens after the program is written, or it did and those steps were not adequate or were not followed. Either way, this fine in particular serves as another reminder that trust but verify needs to be practiced internally as well as externally, and regularly!