Money Transmitters
Lessons From The OFAC Compliance Settlements With SAP And MoneyGram
Dec 21, 2023
·
InnReg
·
8 min read
Contents
It is essential to ensure that you implement proper IP address tracing protocol for any cloud-based services which may be used by someone in a foreign country.
If you work with third-party vendors who engage with people in other countries, you must complete proper due diligence to ensure that they are not selling your services to people on an SDN list. If you do business with people from foreign countries, you must ensure that they are not blocked by the Department of the Treasury.
Finally, it is important to ensure that you have a proper Compliance and Audit team to ensure that you are able to audit your own systems and ensure that no violations are occurring.
See also:
Key Facts
The Office of Foreign Asset Control recently settled two lawsuits with SAP, a German software company with US offices, and MoneyGram, a Texas-based global payments company. Both entities violated US sanctions regulations against multiple foreign countries and entities.
In particular, SAP violated Section 560.204 of the Iranian Transactions and Sanctions Regulations by allowing their software to be purchased, downloaded, and used by Iranian companies.
Meanwhile, MoneyGram violated their OFAC Compliance Commitments by violating a host of sanctions regulations, including:
The Foreign Narcotics Kingpin Sanctions Regulations;
The Narcotics Trafficking Sanctions Regulations;
The Syrian Sanctions Regulations;
The Democratic Republic Of The Congo Sanctions Regulations; and
The Central African Republic Sanctions Regulations;
The Similarities Between SAP and MoneyGram
Both companies were selling the products and services abroad in different countries. Both companies also failed to properly monitor the transactions to ensure they were not in violation of US sanctions policies.
Both companies also helped mitigate the violations by fully cooperating with the investigation and making proactive changes to ensure violations did not continue. These proactive actions included:
changing their transaction monitoring systems,
providing better training for their staff to spot transactions that might violate US Sanctions regulations and
ensuring that their compliance departments were properly staffed to be able to monitor and respond to any issues with transactions.
It is important to note that both companies settled their OFAC Compliance Commitment violations, and therefore, the violations were apparent rather than proven.
The SAP Settlement
The SAP settlement is unique as it is the first time that the DOJ has gone after a foreign company for sanctions violations since implementing The Export Control and Sanctions Enforcement Policy for Business Organizations in December 2019.
Background Of The SAP OFAC Settlement
The SAP settlement was part of a much larger investigation that involved the OFAC, the US Department of Justice, and the US Department of Commerce Business Initiative and Security, which resulted in a settlement totaling eight million dollars ($8 million).
As part of that settlement, SAP has agreed to pay the OFAC two million one hundred and thirty-two thousand one hundred and seventy-two dollars ($2,132,172) in settlement of the approximately one hundred and ninety (190) Iranian Sanctions violations committed.
Conduct Which Led To The OFAC Compliance Commitment Violations
In the investigation, it was determined that between June 1, 2013, and January 1, 2018, SAP violated the Compliance Commitments in three major ways:
by not tracking Internet protocol (IP) addresses for those entities and individuals downloading their software, its updates, or using their software,
by failing to do proper due diligence on their third-party vendors, and
failing to properly audit and fix deficiencies with newly acquired subsidiaries to ensure compliance.
Failure To Track IP Addresses
SAP did not properly track IP addresses for end users of their software to determine whether the software was being used in countries subject to sanctions such as Iran. The OFAC Compliance Commitment Violation was exacerbated because SAP had undergone several audits and was told to start tracking IP addresses for their end-users.
SAP was made aware of the need to track end-user IP addresses as early as 2004 when the geolocation IP screening technology was introduced. SAP did not implement such protocols until approximately January of 2018.
Because SAP's software was cloud-based, IP address tracking was an essential part of SAP's OFAC Compliance Commitments. IP address tracking helps to ensure that the software is not being used by entities blocked under US sanctions. Because SAP has offices in the United States, they were subject to the US sanctions regulations despite being based in Germany.
Failure To Conduct Proper Due Diligence For Their Third-Party Vendors
SAP also failed to do proper due diligence on their third-party vendors. The OFAC found SAP failed to do proper due diligence on some of their third-party vendors. Some of these vendors were selling the software to companies owned by Iranian entities. SAP allowed such sales to occur. SAP also failed to do due diligence on their third-party vendors to discover their communications with Iranian entities about the software, its use, and updates.
SAP also failed to do proper due diligence to discover that many of these third-party vendors were dealing with companies known to be owned by Iranian entities but based in countries such as Malaysia and the United Arab Emirates.
See also:
Failure To Properly Audit And Fix Deficiencies In Newly Acquired Subsidiaries
The OFAC found additional Compliance Commitment Violations when SAP failed to integrate a cloud-based company that they purchased in the United States in a timely manner. Instead, SAP allowed the Cloud Based Group to function independently under the SAP banner, almost as a separate entity. In addition, SAP relied on a skeletal compliance and audit team based in the US to handle any violations that might occur.
It is important to note that it was specifically stated in the settlement announcement that the SAP enforcement action “emphasizes the importance of conducting sufficient pre-and post-acquisition due diligence to identify and promptly remediate compliance deficiencies in newly acquired subsidiaries.”
Mitigating Factors Found By The OFAC
When determining the settlement, several mitigating factors were found in SAP's favor. The company had taken steps to honor its OFAC Compliance Commitments and stop the flood of violations. These actions include:
firing multiple employees who knew about the software sales to Iranian entities,
implementing a geolocation IP screening protocol which denied access to SAP's software if the IP address originates in a blocked country; and
hiring new employees specifically tasked with export control and sanction compliance.
The MoneyGram Settlement
A settlement worth $34,328.74 with MoneyGram was sealed for various OFAC compliance commitment violations.
Conduct Which Led To The OFAC Compliance Violations
Between March 2013 and March 2016, MoneyGram provided payment services to the Department of Justice's Federal Bureau of prisons ("BOP"). These services allowed federal inmates to send and receive money from their commissary accounts with people outside of the prison system.
The OFAC Compliant Commitment Violations occurred when inmates who were blocked by various United States Sanctions regulations were allowed to send and receive money to foreign entities from their commissary accounts. The violated sanctions include:
MoneyGram also failed to check that the BOP inmates using their services were not subject to the OFAC's List of Specially Designated Nationals And Blocked Persons List ("SDN list"). In the investigation, it was also found that MoneyGram knew that some of the BOP inmates were, in fact, on the SDN list and allowed the blocked inmates' money transfer requests to continue to occur.
Mitigating Factors Found In The Settlement
When determining whether to settle the case against MoneyGram for OFAC Compliance Commitment Violations, a number of mitigating factors were found in MoneyGram's favor. These factors include:
Internal audits and self-reporting
Cooperating with the investigation
Implementing improvements to protocols for compliance commitments
Internal Audits And Self Reporting
Moneygram’s violations were discovered in an internal audit to increase OFAC compliance standards. The company self-reported these violations.
Cooperating With The OFAC Investigation
MoneyGram fully cooperated with the investigation that occurred after they self-reported the Compliance Commitment violations. The cooperation included allowing complete access to the files and records, including those for transactions that did not violate the OFAC's Compliance Commitments.
See also:
Implementing Improvements To Protocols For Compliance Commitments
The OFAC found that MoneyGram took a number of important steps to ensure that further Compliance Commitment Violations did not occur. These steps included:
Launching a new screening system which more carefully monitored people and entities using the company's money transfer services;
Launching a new screening program specifically designed for BOP inmates which checks whether federal inmates are on the SDN list;
Ensuring that any federal inmates who are on an SDN list cannot send or receive money from their commissary account;
Providing additional training to its employees to check use records against sanctions lists to ensure compliance; and
Increasing the compliance auditing service division to 128 employees
What Do These Settlements Mean For Your Business?
In order to avoid these OFAC Compliance Commitment Violations, there are several steps that companies can take.
1. IP Tracking
If you are a company that engages in a cloud-based service, it is essential that you incorporate a geolocation IP address tracking protocol. This ensures that no one from a sanctioned country is using your product.
2. Vendor Check
If you work with third-party vendors, you must do proper due diligence to ensure that they are not communicating with people from these sanctioned countries. Immediately stop working with any third-party vendor found to be in violation of the United States sanction policy.
3. Fast Compliance Program Deployment Following an Acquisition
When acquiring a business, it is essential that you do proper due diligence both before and directly after purchasing the company to find any deficiencies in compliance with the OFAC Compliance Commitment standards.
It is critical that you incorporate the company into your company as quickly as possible. Ensure that the company is following your protocols and guidelines for compliance. Do not allow them to function as a single separate entity under your umbrella.
This is especially important if the company in question has been found to have deficiencies in its compliance with the Compliance Commitment Standards.
4. Employee Training
All employees must be properly trained as to the data and information that is needed to ensure that your company does not violate the OFAC standards. This training should also give information on how to cut off access to any customer or third-party vendor who violates these Compliance Commitments.
5. Proper Teams
When dealing with foreign entities or those who might be subject to United States Sanctions Regulations, you must have a robust Compliance and Audit team that is sufficiently staffed to be able to ensure compliance.
6. Self-Reporting
Finally, if your company does discover that you have committed a violation of the OFAC’s Compliance Commitment, it is essential that you self-report as quickly as possible and fully cooperate with the investigation.
By self-reporting and cooperating with the investigation, you are more likely to get your case settled rather than prosecuted, and the fine is likely to be lower because you are not trying to hide violations.
Conclusion
To ensure that a company does not incur OFAC violations, companies must set up IP tracking, perform vendor due diligence, set up a single entity for the company, ensure proper employee training, ensure self-reporting if the company discovers issues, and set up proper competent teams for compliance.
Latest LinkedIn Posts
Related Articles
