On April 25, 2019, OFAC announced that Haverly Systems, Inc. (“Haverly”), a New Jersey software company, had agreed to pay $75,375 to settle apparent violations from 2014 related to Haverly’s collection of payments from JSC Rosneft (“Rosneft”), a Russian oil major on OFAC’s Sectoral Sanctions Identifications (“SSI”) list. The key issue was OFAC’s finding that Haverly accepted the payments from Rosneft outside of the then-applicable 90-day window and thereby dealt in the restricted “new debt” of Rosneft. This appears to be the first time OFAC has published a settlement involving violations of the SSI list Directives, and underscores the importance for companies subject to US jurisdiction of monitoring invoicing and payments with SSI list entities and their subsidiaries. Non-US companies may also face “secondary sanctions” risk under Section 228 of CAATSA, on which we have previously advised, for certain types of transactions with SSI list designees. See also our previous advisory on OFAC’s SSI list sanctions, along with our previous discussion of the CAATSA-mandated changes to those sanctions.

Pursuant to Directive 2 under Executive Order 13662 and § 589.201 of OFAC’s Ukraine-Related Sanctions Regulations, US persons are prohibited from transacting or otherwise dealing in “new debt” of longer than certain stated maturity periods of SSI list designees or any entities of which they own 50% or more. At the time of this apparent violation, the relevant maturity period was 90 days.[1] “Debt” is defined broadly to include any “extensions of credit.” OFAC has stated in FAQ guidance that open payment terms, such as the time permitted to pay commercial invoices, also fall within the scope of “new debt.”

In its notice of enforcement, OFAC states that Haverly licensed software and provided related support to Rosneft and issued invoices for this on August 19, 2015. Haverly did not violate Directive 2 in issuing these invoices because they were payable by their terms in not more than 90 days. However, OFAC alleges that Rosneft did not make payment on the first invoice until May 31, 2016 – approximately nine months after its issuance. So the violation was in accepting this late payment. OFAC has issued FAQ guidance that in the event such an SSI list entity fails to make payment within the permitted period of time, a US person should report that to OFAC and consider seeking a specific license to authorize accepting the late payment. In our experience, however, obtaining such licenses can be a challenge. (OFAC states in its notice that “OFAC would have likely authorized the transactions had Haverly requested a license to receive the payments.” However, the processing times for such requests can be lengthy.)

So how did this issue come to OFAC’s attention? OFAC states that Haverly did not submit a voluntary disclosure. It appears that the parties’ banks may have reported the violations to OFAC after flagging concerns about possible Directive 2 violations and rejecting some of the attempted late payments. Parties should take note that blocked or rejected payments can be a significant OFAC enforcement risk.

OFAC states in the web notice that it encourages all companies “to exercise enhanced due diligence in business relationships with entities subject to the SSI list and to avoid the use of unorthodox business practices – such as the amendment or alteration of trade documents, or resubmission of payment information without a sanctions related term, phrase, or location.” Companies – both US and non-US – should monitor invoicing and payments involving SSI list entities and their subsidiaries, and flag for legal and compliance review any payments blocked or rejected by banks.

[1] For new debt issued on or after November 28, 2017, the relevant tenor under Directive 2 has been reduced to 60 days. Other SSI list Directives have other maturity periods.