On February 23, 2024, the United States issued a broad set of new Russia-related sanctions and export controls in response to the second anniversary of Russia’s invasion of Ukraine and the February 16, 2024, death of opposition leader, Aleksey Navalny, in Russian custody.

The Treasury Department’s Office of Foreign Assets Control (OFAC), the Commerce Department’s Bureau of Industry and Security (BIS), and the State Department all issued new designations.  The agencies also issued an inter-agency advisory warning non-Russian companies from doing business in or with Russia.

Continue Reading US Government Imposes New Russia Sanctions, Designating Over 500 Parties and Issuing Interagency Russia Business Advisory

The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has published major revisions to its humanitarian authorizations and other general licenses under the North Korean Sanctions Regulations (“NKSR”), which took effect on February 16, 2024.  These regulatory changes expand the scope of authorized activity in North Korea, which should lead to fewer specific license applications for NGOs engaged in humanitarian work relating to the DPRK.  In this regard, OFAC has narrowed the restriction on authorized activity arising from “partnerships” with the DPRK government.  OFAC has also established a new authorization for journalistic activities in North Korea.  These revisions to the NKSR, along with some improved guidance from OFAC regarding banks’ due diligence expectations, may result in less de-risking by financial institutions when it comes to customer activity involving North Korea.

At the same time, there remain important limitations and conditions to these authorizations that must be observed.  Moreover, OFAC has implemented a new advance reporting requirement if one intends to use the revised humanitarian general license, which may increase the compliance burden on NGOs as well as provide the State Department an opportunity to object to the use of the general license on a case-by-case basis. 

Continue Reading OFAC Issues Significantly Revised NGO Authorizations for North Korea

The UK government introduced new reporting requirements under The Russia (Sanctions) (EU Exit) Regulations 2019 (“Russia Regulations”) in December 2023, with the goal of strengthening transparency in relation to assets frozen under the regime and assisting HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”) to monitor compliance with, and detect evasion of, financial sanctions administered under the Russia regime.  The two new reporting measures are the immobilized assets reporting measure and the designated persons asset reporting measure.  On February 12, 2024, OFSI’s Director, Giles Thomson, published a new blog explaining the practical implications of these new measures.  OFSI also has updated its Russia sanctions guidance to include new FAQs addressing the implementation of the second new reporting obligation.

Continue Reading OFSI Publishes Update on New Russia Sanctions Reporting Requirements

Asia Pacific (APAC) countries continue to “stagnate” in their rankings in 2023, only minimally above the global average, with most well below, according to two anti-corruption due diligence tools, TRACE’s 2023 Bribery Risk Matrix (TRACE Matrix) and Transparency International’s 2023 Corruption Perceptions Index (TI CPI). While the two ranking systems share the same view of the least and most risky countries, the TRACE Matrix presents a slightly more positive view overall, ranking most Asia Pacific counties as moderate risk. In contrast, the TI CPI ranks most as being high risk. When considered together, the two systems allow for a more complete and accurate view of the risks and opportunities offered in the APAC region based on their different methodologies and factors.  

TRACE considers just a quarter of the countries in the region to be high to very high risk, but two thirds are at least moderate risk. However, for the TI CPI, the average score of APAC countries was above the global average score (45 versus 43, as for the past four years), with more than half perceived as high to very high, hence TI’s description of the region’s scores as stagnating. The 2023 TRACE Matrix publication packet is available at https://www.traceinternational.org/trace-matrix, and the 2023 TI CPI is available at https://www.transparency.org/en/cpi/2023.

Although these tools offer a good starting point for assessing risk, they are not a substitute for adequate risk-based due diligence on counterparties in the region. Notably, many international bribery cases involve companies headquartered or conducting business operations in jurisdictions with very low-risk rankings. This is probably because their anti-corruption efforts support the investigation and prosecution of bribery. Countries with no track record of meaningful enforcement against their own companies for overseas bribery should be closely reviewed for bribery and corruption risks. These bribery risk tools should also be supplemented with other publicly available reports on money laundering and bank secrecy risks, as these are also indirect indicators of bribery and corruption risk.

Continue Reading Asia Pacific 2023 Anti-Corruption Rankings: Transparency International’s CPI and the TRACE Bribery Risk Matrix

The UK’s National Economic Crime Centre (“NECC”) recently issued an amber alert concerning the sanctions evasion, money laundering, and trafficking in cultural property risks presented to UK industries linked to artwork storage facilities and the art storage sector (the “Amber Alert”).  The Amber Alert highlights that criminals are finding ways to utilize the art market to conduct illicit activity and includes case studies and key indicators that those operating within the art storage sector can use to detect such activity.  This development underscores the UK government’s continued commitment to cracking down on the evasion of sanctions (particularly under the Russia sanctions regime), as well as an increased focus on identifying and targeting more avenues for sanctions evasion so that counter measures can be implemented to thwart those efforts.  It also highlights the increasingly interconnected approach the UK government and law enforcement are adopting to address activity with potential touchpoints to a range of financial and other crimes. 

Continue Reading UK NECC Publishes Amber Alert on Sanctions Evasion in the Art Storage Sector

On February 8, 2024, the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (2024 NPRM) about Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regulations concerning persons involved in residential real estate closings and settlements. To promote U.S. AML/CFT objectives, the NPRM proposes a system of streamlined Suspicious Activity Reports (SARs) for certain U.S. real estate transactions. The NPRM does yet not have the force and effect of law, and FinCEN has requested public comments to be submitted until on or about April 16, 2024. A brief summary of the background and substantive provisions for the NPRM follows.

Continue Reading Potential new SAR-like Reporting Requirements for Certain U.S. Real Estate Transactions

In a recent proposed rule, the Department of Commerce has taken additional steps toward imposing significant regulations on infrastructure as a service (IaaS) providers, including providers engaged in training certain large AI models. The notice of proposed rulemaking (NPRM) is published by Commerce’s Bureau of Industry and Security (BIS) and, in particular, its newly-created Office of Information and Communications Technology and Services (OICTS). The NPRM does not impose any immediate obligations on industry. Rather it requests comments on the proposed rules, which Commerce will consider before issuing a final rule. Comments are due by April 29, 2024.

The NPRM is OICTS’s first step toward implementing the Biden Administration’s executive order on AI (discussed in Steptoe’s alert here) and further implements a prior executive order on IaaS providers (discussed in Steptoe’s alert here).

The NPRM would require providers of IaaS products to implement customer identification programs (CIPs) to verify the identity of foreign customers. The CIP requirement is similar, in many respects, to the CIPs that certain US financial institutions must implement as part of their anti-money laundering (AML) compliance programs. The NPRM also delineates the ability of Commerce to identify foreign jurisdictions and persons posing a heightened threat to US national security and to prohibit or require conditions on the provision of IaaS products to such jurisdictions or persons. IaaS providers would be obligated to identify and report to Commerce when a foreign person uses their products to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity. Furthermore, IaaS providers would be required to ensure their resellers comply with the same set of rules.

Continue Reading Commerce Proposes Significant New Regulations on AI Training and IaaS Providers

On January 16, 2024, the Assistant Secretary for Export Enforcement at the Department of Commerce’s Bureau of Industry and Security (BIS) issued a memorandum, announcing that:

  1. parties disclosing minor or technical violations that occurred close in time can submit a single Voluntary Self-Disclosure (VSD) on a quarterly basis, which may include an abbreviated narrative account of the suspected violations; and
  2. parties sending formal requests to BIS’s Office of Exporter Services to engage in otherwise prohibited activities with respect to items involved in violations of the Export Administration Regulations (EAR) should also send courtesy copies to the Office of Export Enforcement (OEE), which will help expedite BIS’s processing of such requests.

The memorandum builds upon previous changes to BIS’s administrative enforcement program, which were announced in memoranda dated June 30, 2022 and April 18, 2023.  These changes are intended to help OEE fast-track its review of “minor” or “technical” VSDs and to encourage additional disclosures of potentially significant violations of the EAR, but do not apply to VSDs relating to Part 760 of the EAR (antiboycott and restrictive trade practices).  For a detailed analysis of the previous memoranda, see our blog posts from July 6, 2022 and April 26, 2023.  

Continue Reading BIS Makes Further Changes to Administrative Enforcement, But Questions Remain

As of January 1, 2024, the Corporate Transparency Act (CTA) is effective, impacting millions of entities. On September 30, 2022, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published a final rule to implement the beneficial ownership information (BOI) reporting provisions of the CTA, which was enacted as part of the Anti-Money Laundering Act of 2020 within the National Defense Authorization Act for Fiscal Year 2021.  Note that since the final rule was published, which was the subject of a prior blog post, FinCEN has made several modifications.

The CTA is intended to protect US national security and the US financial system by preventing and combatting fraud, corruption, money laundering, and terrorist financing, among other illicit activities, by parties seeking to hide money and other assets in the United States via shell companies and other opaque legal structures. The law aims to provide essential information to national security, intelligence, and law enforcement agencies by requiring certain business organizations and entities to report information to FinCEN about the beneficial owners and controllers of such organizations and the individuals who have filed an application with specified government authorities to form the entity or register it to do business. The FinCEN rule implementing the CTA’s BOI reporting provisions describes who must file a beneficial ownership information report, what information must be reported, and when a report is due.

The CTA has widespread application, and it is expected that an estimated 33 million entities are now subject to the new BOI disclosure rule.

Continue Reading Beneficial Ownership Reporting Requirements Under the Corporate Transparency Act Are Now In Effect

Enforcement of the Foreign Corrupt Practices Act (FCPA) in 2023 has been described as a lull, a continued downward trend, or a slump, but that may be “bullsh*t,” to quote an FCPA academic. However they are described, the 2023 FCPA statistics show a return to the median range in case numbers but an absence of any blockbuster cases with billion-dollar fines. The largest case, a joint enforcement action by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), resulted in a US$218 million penalty and, not surprisingly, involved a range of Asia Pacific countries. Out of the nine SEC actions in 2023, four involved companies with corporate conduct in Asia. Among the twelve DOJ actions, three involved an Asia nexus. These cases constituted 99.6% of the total US$521 million in SEC and DOJ fines in 2023.

Here are 2023’s top ten FCPA enforcement actions in the Asia-Pacific region.

  1. Telefonaktiebolaget LM Ericsson

On March 2, 2023, Sweden-based telecommunications company Telefonaktiebolaget LM Ericsson pled guilty to two charges under the FCPA and agreed to pay over US$206 million for breaching its 2019 Deferred Prosecution Agreement (DPA) relating to alleged bribery schemes and other misconduct in China, Vietnam, Indonesia, Kuwait, and Djibouti. The DOJ also extended Ericsson’s monitorship an additional year.

In December 2019, Ericsson had agreed to a DPA under which it would pay over US$520 million in criminal penalties and submit to a three-year compliance monitor. It also paid US$540 million, in total, to the SEC for disgorgement and prejudgment interest, the second-largest FCPA settlement at the time. However, in October 2021, the DOJ notified Ericsson that the company had breached its DPA obligation in failing to disclose all factual information related to the China bribery scheme and other potential FCPA violations.

Also of note, media reports have linked a 2023 SEC award of nearly US$279 million to a whistleblower whose information and assistance led to the 2019 Ericsson settlement.

  • Takeaway: Most DPAs are ultimately dismissed when a company fulfills the agreement terms, cooperates fully, and pays the required penalties, allowing the company to move forward without a tarnished record. While rare, companies should note that failure to comply with the terms of the DPA could potentially result in reinstated charges, additional penalties, and the extension of monitorship.   
  1. Albemarle Corporation

On September 29, 2023, Albemarle Corporation, a publicly-traded specialty chemicals manufacturing company headquartered in North Carolina, agreed to pay more than US$218 million to resolve DOJ and SEC FCPA investigations. According to the non-prosecution agreement (NPA), Albemarle bribed government officials to win businesses in Vietnam, Indonesia, and India by using third-party intermediaries.

Takeaway: The SEC pointed out that Albemarle failed to address the red flags in a series of internal audit reports in 2013, 2015, and 2016 that identified multiple gaps in Albemarle’s internal accounting controls.

  1. 3M Company

On August 25, 2023, 3M Company agreed to pay more than US$6.5 million to resolve charges that its China-based wholly owned subsidiary violated the FCPA. The SEC’s order found that employees of the subsidiary, through a travel agency, provided Chinese government officials with overseas travel, including guided tours, shopping visits, and other leisure activities under the appearance of overseas conferences, educational events, and health care facility visits, for which it provided fake agendas to get approval and told the attendees to keep the true agenda private. In this way, the company induced employees of state-owned healthcare facilities to purchase 3M products.

Takeaway: 3M’s case exemplifies a practice in the healthcare sector – providing something of value to hospitals to secure the purchase of pharmaceuticals and, subsequently, concealing these payments in the financial records of third parties.

  1. Clear Channel Outdoor

On September 28, 2023, Clear Channel Outdoor Holdings Inc. agreed to pay more than US$26 million to resolve charges that it bribed Chinese government officials to obtain outdoor advertising. Between 2012 and 2017, Clear Media, which, at the relevant time, was a Clear Channel majority-owned subsidiary in China, provided improper benefits to government officials, directly or indirectly, by using “cleaning and maintenance” vendors to obtain and renew concessions and advertising contracts in China. Despite repeated red flags raised by its internal auditors, Clear Channel failed to address the deficiency in internal accounting controls that allowed Clear Media to continue these improper payments for many years.

Takeaway: This case underscores the critical importance of diligently following up on the findings from internal audits; it also emphasizes the significance of conducting risk-based due diligence when dealing with third-party entities. 

  1. Koninklijke Philips N.V. 

On May 11, 2023, Dutch medical supplier Koninklijke Philips N.V. agreed to pay more than US$62 million to resolve charges for violating the FCPA relating to its sales of medical diagnostic equipment in China. According to the SEC’s order, Philips’ subsidiaries in China used special price discounts with distributors that created a risk that excessive distributor margins could be used to fund improper payments to government employees. Moreover, employees, distributors, or sub-dealers of Philips’ subsidiaries in China engaged in improper conduct to influence hospital officials to draft technical specifications in public tenders to favor Philips’ products.

Takeaway: It is necessary for companies to design and implement internal accounting controls that are commensurate with the scope of their business operations – employees, distributors, and sub-dealers. In April 2013, the SEC charged Philips in connection with similar misconduct in Poland. Companies should recognize that internal accounting controls are not a one-time fix but an ongoing process that requires attention, adaptation, and resources to maintain compliance and financial integrity.

  1. Samuel Bankman-Fried

In the first FCPA case involving cryptocurrency bribery, a superseding indictment against FTX founder Samuel Bankman-Fried (SBF) was issued on March 28, 2023, charging that he had authorized and directed the transfer of at least US$40 million in cryptocurrency to induce Chinese government officials to unfreeze certain cryptocurrency trading accounts, worth around US$1 billion. These bribery charges were severed from the seven fraud charges for which he was convicted in November 2023. SBF was supposed to go to trial on the FCPA charges in March 2024, but in December 2023, the DOJ announced it was dismissing the FCPA charges, given that he was already facing more than 110 years in jail. 

Takeaway: “Anything of value” under the FCPA now refers also to cryptocurrency in addition to traditional cash, gifts, entertainment, employment opportunities, etc.   

  1. Ng Chong Hwa (Roger Ng)

On March 9, 2023, a former Malaysian Goldman Sachs banker, Ng Chong Hwa (a.k.a “Roger Ng”), involved in the 1 Malaysia Development Berhad (1MDB) case, was sentenced to 10 years in prison following his conviction for bribery and money laundering charges in April 2022. Ng conspired with others to circumvent Goldman Sachs’ internal accounting controls to launder billions of dollars, including funds 1MDB raised in 2012 and 2013 through three bond transactions it executed with Goldman Sachs. For further background, see our “The Top Ten Asia-Pacific FCPA Enforcement Actions” for 2019, 2020, and 2022

Takeaway: Ng’s case illustrates the current trend in FCPA enforcement strategies to target not only corporate entities but also the individuals responsible for corrupt payments.

  1. Trafigura

On December 6, 2023, Singapore-headquartered global commodities trader Trafigura said that it has been seeking to resolve investigations by regulatory authorities in the United States, Brazil, and Switzerland of payments made by former employees via third parties more than 10 years ago.  

  1. Inotiv

On May 23, 2023, Inotiv, an Indiana-based company providing non-clinical and analytical drug discovery and development services, received a voluntary request from the SEC seeking documents and information regarding possible bribery related to the importation of non-human primates from Asia.

  1. Stryker

On May 2, 2023, Stryker, a Michigan-based corporation that manufactures and distributes medical devices and products around the world, disclosed that it had been contacted by the SEC and DOJ for possible FCPA violations. In 2013 and 2018, the SEC and Stryker settled two FCPA investigations related to violations of FCPA with fines of US$13.3 million and US$7.8 million, respectively, pertaining to bribes paid by Stryker subsidiaries in Argentina, Greece, Mexico, Poland, Romania, India, China, and Kuwait.

Conclusion

No record breakers or blockbusters among the 2023 FCPA enforcement actions, but they do include helpful reminders of traditional risks, such as third parties, gifts, hospitality, and overseas travel, but also of new risks, like cryptocurrency. Many of these cases also show that red flags, objective audit reports, DPAs, and monitorships actually provide opportunities to make things right before everything goes wrong. Finally, they demonstrate that there has not been a pivot away from Asia-Pacific, so expect similar numbers in 2024, probably in the healthcare sector.