21 Jul 2020
On July 8th, the Office of Foreign Assets Control (OFAC) announced a settlement agreement with Amazon.com, Inc (“Amazon”) for a large number of violations across a wide spectrum of OFAC’s sanctions programs (the agreement published by OFAC lists 14 sets of regulations and Executive Orders). While the total amount of the settlement was negligible for a firm of Amazon’s size ($134,523, or one-half the sum of the transaction amounts), the action teaches a number of lessons about sanctions compliance that are relevant for all firms, regardless of industry or size.
According to the settlement agreement, for a period of just under 7 years starting in 2011, Amazon committed a range of sanctions violations:
- Parties in Iran, Syria and Crimea conducted business on Amazon’s websites with end users located in those jurisdictions.
- Amazon processed orders for persons at foreign diplomatic facilities for Cuba, Iran, Syria, Sudan and North Korea.
- Amazon processed orders placed by parties on the Specially Designated Nationals and Blocked Persons (SDN) List from a wide range of sanctions programs. These included the counter-terrorism, weapons of mass destruction (WMD) non-proliferation, counter-narcotics trafficking, and organized crime organization sanctions programs, as well as the country sanctions programs for Democratic Republic of the Congo, Venezuela and Zimbabwe.
The OFAC action states that the violations did not involve high-value goods and services, and that the total value of all the violations was approximately $269,000. The violations, which were voluntarily self-disclosed, were deemed to be “non-egregious.”
In addition to these violations, 362 transactions that were licensable under the now-defunct Ukraine/Russia-related General License 5 (which permitted certain transactions needed to wind down Crimea-related operations) were not reported to OFAC before the 10-day regulatory deadline for the General License lapsed. OFAC noted that Amazon had previously properly reported an additional 245 transactions within the required time frame, but that these violating transactions were not reported until “well after” the deadline. Due to this, these transactions were considered violations rather than permissible.
It should be noted that while conditions placed on General Licenses are unusual, they are not unheard of. Perhaps the most prominent example is reflected in General Licenses created pursuant to the Trade Sanctions Reform and Enhancement Act of 2000 (TSRA). Under these General Licenses, exports to Iran and Sudan of certain foodstuffs require a 1-year specific license, although most do not.
Why did it happen?
OFAC attributed Amazon’s failure to properly identify and interdict the prohibited transactions to a number of factors, all related to the firm’s automated screening processes. First, it noted that Amazon did not stop orders that included an address of “Yalta, Krimea”: the firm’s screening caught neither the reference to Yalta nor the alternate spelling (or misspelling) of “Crimea.” OFAC also noted that transactions shipped to “Embassy of Iran” were not stopped for review. Finally, the notice pointed out that the firm’s systems failed to stop correctly spelled names and addresses of parties exactly as they appear on the SDN List.
To be clear, however, OFAC’s explication of Amazon’s failures is incomplete. Given the stated examples, it is difficult to know which elements of Amazon’s process were at fault. For example, one or more of the following could require remediation:
- Screening for geographic place names for countries which are subject to comprehensive sanctions (i.e. for which there are substantive restrictions on trade transactions, regardless of the specific party): this data should include the names of countries and regions (e.g. provinces, states, territories and other intermediate terms which might be used in addressing party location), as well as cities, airports and seaports. While parties that deal in high-value goods might be able to restrict their list of cities to ones with larger populations (either on a gross or proportional level), the nature of Amazon’s business likely requires a broader, if not comprehensive, set to properly mitigate their risk in this area.
- Screening all provided addresses: parties associated with the embassies may have provided their home addresses as billing addresses, but the embassy address as the shipping destination, for example. The failure to find the Embassy of Iran reference may have been due merely to the company’s screening application not checking the relevant data fields.
- Screening all relevant fields: one reason why Amazon may have missed exact matches to SDN List party names might be that the field in which that reference occurred was improperly excluded from screening. In general, any unstructured data field should be screened. For example, bank compliance officers are well-aware that field 72 of SWIFT messages not infrequently contains party information, not to mention shipping information such as cargo vessel names. Such information can end up in field 72 for a variety of reasons, from system limitations limiting options for placing such data in more appropriate fields, on the one hand, to attempts to evade detection, at the other extreme.
- Handling of alternate spellings: assuming that the references to “Krimea” were in fields being screened, the miss could be remediated in two ways. First, if “Krimea” is a spelling in common use, it could be added to a table of equivalent terms (also known as “aliases” or “synonyms,” among other names). This may be preferable to relying on software techniques such as edit-distance “fuzzy” algorithms or phonetic algorithms, as a matter of efficiency. In particular, allowing the first letter of a word or token to be incorrect (e.g. substituted, or transposed with the second character) appreciably degrades screening performance, and such errors are considered the least likely to be committed and go unnoticed. Screening systems may offer the ability to enable or disable this feature to suit each customer’s risk appetite.
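The four remediation areas above can be exercised in a small screening routine. The following Python is an added illustration written for this page, not Amazon’s or any screening vendor’s code. Its place-name table, alias table, SDN names and sample orders are all constructed for the example (the names are hypothetical, not real SDN entries), and its fuzzy matcher is a plain optimal-string-alignment edit distance with a first-letter lock, rather than any particular product’s algorithm.

```python
import re
import unicodedata

# Constructed reference data for illustration only. A real program loads OFAC's
# published SDN/consolidated lists and a curated geographic table (countries,
# regions, cities, ports); none of the entries below are actual list entries.
PLACE_TERMS = {
    "crimea": "region", "yalta": "city", "sevastopol": "city",
    "iran": "country", "tehran": "city",
    "syria": "country", "damascus": "city",
    "north korea": "country", "pyongyang": "city",
}
# Equivalent-term table: known alternate spellings mapped to the canonical term.
ALIASES = {"krimea": "crimea", "krym": "crimea", "crimee": "crimea"}
SDN_NAMES = ["ivan petrov", "acme trading co"]   # hypothetical, not real SDN entries

# Constructed sample orders. Every field is screened, including the billing
# address and the free-text gift message, not just the shipping destination.
SAMPLE_ORDERS = {
    "yalta": {
        "billing_address": "12 Main St, Springfield, USA",
        "shipping_address": "Lenina 5, Yalta, Krimea",
        "recipient_name": "Olga Smirnova",
        "gift_message": "",
    },
    "embassy": {
        "billing_address": "44 Maple Ave, Ottawa, Canada",
        "shipping_address": "Embassy of Iran, 10 Diplomat Row, Ottawa, Canada",
        "recipient_name": "Reza Ahmadi",
        "gift_message": "",
    },
    "gift_note": {
        "billing_address": "7 High St, Leeds, UK",
        "shipping_address": "7 High St, Leeds, UK",
        "recipient_name": "J. Doe",
        "gift_message": "For Ivan Petrow, with thanks",
    },
    "clean": {
        "billing_address": "1 Rue de Rivoli, Paris, France",
        "shipping_address": "1 Rue de Rivoli, Paris, France",
        "recipient_name": "Marie Curie",
        "gift_message": "Happy birthday",
    },
}


def normalise(text):
    """Case-fold, strip diacritics, and turn punctuation runs into single spaces."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text).split())


def expand_aliases(text):
    """Replace whole-word aliases with their canonical spelling."""
    for alias, canonical in ALIASES.items():
        text = re.sub(rf"\b{alias}\b", canonical, text)
    return text


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def fuzzy_contains(text, term, max_dist=1, lock_first_char=True):
    """True if some n-token window of `text` is within `max_dist` edits of `term`.
    With lock_first_char, each token must start with the same letter as its
    counterpart in `term`; that is the cheaper, lower-false-positive setting."""
    words, target = text.split(), term.split()
    n = len(target)
    for start in range(len(words) - n + 1):
        window = words[start:start + n]
        if lock_first_char and any(w[0] != t[0] for w, t in zip(window, target)):
            continue
        if sum(osa_distance(w, t) for w, t in zip(window, target)) <= max_dist:
            return True
    return False


def screen_order(order, fuzzy=True):
    """Screen every field of an order. Returns (field, rule, term) hits; [] means clear."""
    hits = []
    for field, raw in order.items():
        text = expand_aliases(normalise(raw))
        for term, kind in PLACE_TERMS.items():
            if re.search(rf"\b{term}\b", text):
                hits.append((field, f"sanctioned {kind}", term))
            if kind == "country" and re.search(rf"\bembassy of {term}\b", text):
                hits.append((field, "diplomatic facility", f"embassy of {term}"))
        for name in SDN_NAMES:
            if re.search(rf"\b{name}\b", text):
                hits.append((field, "sdn exact", name))
            elif fuzzy and fuzzy_contains(text, name):
                hits.append((field, "sdn fuzzy", name))
    return hits


if __name__ == "__main__":
    for label, order in SAMPLE_ORDERS.items():
        print(label, screen_order(order) or "clear")
```

Running the block flags the Yalta order on both the city and the alias-expanded region, flags the embassy order on the shipping address even though the billing address is clean, and catches the misspelled name buried in the gift message through the fuzzy pass; the clean order returns no hits. The first-letter lock is the toggle described above: `fuzzy_contains("ivan betrov", "ivan petrov")` misses under the lock and matches with `lock_first_char=False`. A production screener would add allow-listing and analyst review on top of this, since a legitimate street or business name containing a sanctioned place name will also trigger a hit.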
Was it fair?
In considering whether the settlement amount was appropriate, one should consider both whether the penalty was overly harsh, as well as whether or not Amazon got off too easy. In addressing the issue of OFAC being overly lenient, one needs to consider how penalties are calculated. OFAC’s Enforcement Guidelines clearly show 4 classes of base penalties, determined by whether or not the company disclosed its sanctions violations before OFAC became aware of them independently, and whether or not the violations were “egregious,” which is an admittedly vague term. Given the total amount of the assets involved, the low average value of each transaction, and that the violations appeared to have stemmed from behavior that was more negligent than willful, considering the sum total of the violations as non-egregious is not unreasonable. That quadrant on the penalty grid in the Enforcement Guidelines sets the base penalty at exactly what Amazon was fined.
Base penalties are then adjusted upwards based on “aggravating factors” and downwards based on “mitigating factors,” all of which relate to the General Factors listed in the Enforcement Guidelines. To the company’s detriment, a firm of their size and “commercial sophistication” was expected to be more diligent, especially on routine matters such as completing regulatory reporting on time. Additionally, the penalty was considered as more serious because of the “personal security” nature of some of the goods sold to parties at a number of Iranian embassies which, in theory, could include goods (e.g. pepper spray) listed in the Iran Threat Reduction and Syria Human Rights Act as prohibited, due to their ability to be used to commit human rights abuses against the Iranian people.
The mitigation extended to Amazon is common to many of those penalized by OFAC. According to the enforcement information provided by OFAC, the firm had not recently (within the past 5 years) been the subject of a substantive enforcement action (e.g. a civil monetary penalty or Finding of Violation). Additionally, the firm not only cooperated with OFAC’s investigation but provided details to OFAC based on its own internal investigation. Finally, the firm made a significant amount of remediation to its compliance program; one notable enhancement OFAC has made to its enforcement action documentation in recent years is to list out the steps that penalized firms took to bring their programs up to OFAC’s standards.
It should be noted that OFAC did not call out the amount of damage to sanctions program objectives, which was likely limited for any given program, given the limited total value transacted and the number of programs involved. It also did not highlight the fact that company management was unaware of these issues, or the lack of willful violation. OFAC did, however, point out that Amazon “failed to exercise due caution or care” as an aggravating factor. On the other hand, the fact that Amazon’s actions violated so many sanctions programs, consisted of hundreds of violations, and persisted for such an extended period of time was not listed as an aggravating factor.
Even if these elements were taken into account, using the base penalty as the ultimate fine seems to strike an appropriate balance of the scale and scope of Amazon’s failures, on the one hand, and the actual impact of the violations, as well as the lack of willful behavior, on the other.
A Framework for Learning
Since May of this year, OFAC has included a section in its enforcement actions entitled “Compliance Considerations.” In actuality, this section, which provides the takeaways for other firms from the enforcement action, is not all that new; giving it a proper heading to call attention to it is a recent innovation. In this case, the lessons to be learned are very much in line with OFAC’s May 2019 publication “A Framework for OFAC Compliance Commitments” (“Framework document”). The Amazon enforcement action notes that compliance programs and tools are risk-based and commensurate to the “speed and scale of their business operations.” While the Framework document does talk about the need to configure compliance controls and tools in a risk-based way, this action goes further. It specifically points out, as conjectured in a previous section, the need to screen “relevant customer information” and to handle issues such as “common misspellings.”
The enforcement action also points out that testing systems on a routine basis, in order to make sure they’re properly functioning, is probably a thing that firms (especially larger and more sophisticated ones) ought to do. Similarly, OFAC also spotlights the utility of instituting tactical short-term controls to mitigate the risk from an identified deficiency in program processes, procedures or systems, until a root cause analysis can be completed. Both of these specific elements were initially introduced in the Framework document.
In retrospect, the biggest question left unanswered is the really strategic one: how could this happen in a firm as large and commercially sophisticated as Amazon? Compared to the recent action against Apple, where poor system design appears to have not properly handled punctuation (an issue which still should have been identified during application testing) when screening one client’s information over the span of approximately 27 months, this action seems to be borne out of a more systemic failing.
It makes you wonder about the ongoing involvement in maintaining the compliance program by various groups within Amazon. Between the compliance, quality assurance and audit functions (not to mention senior management, which is ultimately responsible for the compliance program), one would not have expected such pervasive, yet facially core, sanctions compliance screening issues to have festered for almost seven years. But perhaps it was more basic than that: compliance may not have been seen as a core competence by Amazon, but merely as an administrative function required as a cost of doing business. While it is impossible to tell from the OFAC enforcement action, the pursuit of Amazon’s “Work Hard. Have Fun. Make History.” ethos may have blinded the firm to the need to incorporate a culture of compliance, as mentioned in the Framework document. Ultimately, regardless of the root cause, Amazon showed a lack of rigor in ensuring that the sanctions compliance program was well-designed and was being properly executed. And that is likely not the kind of history the firm wanted to be known for making.
RiskScreen: Eliminating Financial Crime with Smart Technology