Cybersecurity has been in the news almost every day for the past few years, and for a good reason – it’s an ever-growing problem that costs companies millions of dollars each year, and breaches have even occurred at some of the most powerful institutions in the world. In light of the gravity of the situation, many governments have put sanctions and exclusions on certain kinds of cybercrime, ranging from credit card fraud to cyber warfare to hacking software or hardware.
The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. There are two types of sanctions: targeted, which can be individualized; and comprehensive, which targets an entire sector, such as trade in certain goods. Sanctions often lead to exclusion from government contracts or funding opportunities. This is due to concern over corrupt practices that could result from working with sanctioned companies/individuals/entities.
The US government has several tools at its disposal for imposing sanctions against foreign governments, individuals, and businesses. These include economic sanctions (such as arms embargoes); financial sanctions (such as freezing assets); travel bans; import bans; export bans; criminal indictments; asset seizures and more. The US Department of Treasury’s Office of Foreign Assets Control (OFAC) administers these measures. OFAC also enforces compliance through civil and criminal penalties. Penalties range from $5,000 per violation to $1 million per day for organizations. Individuals face maximum fines of $250,000 per violation and up to 20 years imprisonment. OFAC also maintains a list of Specially Designated Nationals (SDNs), which includes individuals and entities subject to sanctions programs administered by OFAC.
First, make sure that your company is actually subject to sanctions. If it’s a U.S.-based company, it’s highly likely that its transactions are being tracked by OFAC and other regulators, especially if it does business internationally in countries like Iran or North Korea (or has even been flagged for possible money laundering). A detailed investigation into your international activity will show what other laws apply to you. For example, if you have an office in Europe and do business with European companies, EU regulations might also be relevant. And don’t forget about local regulations—if your product requires FCC approval for sale in America, don’t assume that getting approval elsewhere won’t require similar steps.
Also, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments to provide organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States or U.S. persons, or that use U.S.-origin goods or services, with OFAC’s perspective on the essential components of a sanctions compliance program.
There is a process through which companies or individuals can petition for sanctions relief. The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has jurisdiction over matters related to export control enforcement, including listings, sanctions, and licensing. If your company is listed on any of these lists, BIS recommends that you submit a request for review as soon as possible. To do so, fill out an online submission form on BIS’ website.
You will be asked to provide information regarding your company’s relationship with Iran or other sanctioned countries, as well as details about its products and services. If it appears that there was an error in listing your company on one of these lists, BIS will work with your organization to correct it. Be aware that appeals are not always successful; sometimes, even if your appeal is granted, it could take months for your name to be removed from a list.
As such, if you do business internationally, it pays to stay up-to-date on global regulatory trends affecting your business area so you don’t get blindsided by new requirements or laws down the road.