August 31, 2020
Deficiencies in Sanctions Screening Process Lead to Settlement
On July 8, the U.S. Department of the Treasury announced a settlement with Amazon.com, Inc., related to the company's potential civil liability for apparent violations of multiple sanctions programs resulting from deficiencies in its automated sanctions screening process.
OFAC and the SDN List
The Office of Foreign Assets Control, a division of the DOT, administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against foreign countries and groups of individuals involved in terrorism, narcotics, and other illegal activities. Additionally, OFAC administers the Specially Designated Nationals and Blocked Persons ("SDN") List.
SDNs are individuals, companies, or other entities identified as being owned by, controlled by, or acting for or on behalf of the governments of certain target countries or associated with international drug trafficking, terrorism, or other illegal activity. Businesses and individuals are prohibited from dealing or transacting business with any SDN. OFAC determines who appears on the SDN List.
All U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, and all U.S. incorporated entities and their foreign branches. In the case of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply. In addition, certain programs require foreign persons in possession of U.S.-origin goods to comply.
From November 2011 to October 2018, persons located in Crimea, Iran, and Syria placed orders or otherwise conducted business on Amazon's websites for consumer and retail goods and services. The details of the transactions demonstrated that the goods or services would be provided to persons in Crimea, Iran, or Syria, all of which are sanctioned jurisdictions under U.S. law. Amazon also accepted orders from persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria, all of which are sanctioned jurisdictions under U.S. law. Additionally, Amazon accepted and processed orders from persons on the SDN List.
The apparent violations occurred because Amazon used automated sanctions screening processes that failed to analyze fully all transactions and consumer data relevant to compliance with OFAC's sanctions regulations. For example, the screening process did not flag orders with an address in "Yalta, Krimea" for either the name of a city in Crimea or the variation of the spelling of Crimea.
The failed screening processes led to violations of a long list of regulations related to sanctioned jurisdictions. The statutory maximum penalty for the apparent violations was $1,038,206,212. However, because Amazon voluntarily self-disclosed the apparent violations and because the apparent violations were deemed to constitute non-egregious cases, the base civil money penalty was imposed. That penalty equaled the sum of one-half of the transaction value for each apparent violation and amounted to $134,523.
OFAC's case against Amazon and resulting settlement highlight the importance of implementing and maintaining effective, risk-based sanctions and compliance controls. These requirements apply to all entities and are not limited to Internet-based entities like Amazon.
Businesses using automated sanctions screening processes must take reasonable, risk-based steps to ensure the automated processes are appropriately configured to screen relevant customer information and capture data quality issues such as common misspellings. Additionally, any automated processes should be routinely tested to identify any weaknesses or deficiencies.
Finally, in the event that a violation is discovered, voluntary self-disclosure, cooperation with investigations, and taking steps to address any apparent violations internally may be mitigating factors that could lead to penalties less than the statutory maximums.