On September 21, 2021, the US Department of the Treasury’s Office of Foreign Asset Control (OFAC) issued an updated advisory on the sanctions risks of facilitating ransomware payments. OFAC issued a prior version of its advisory on October 1, 2020. In the months since, attacks have continued and target entities in the United States, including many in sensitive industries, generating increased concern over the scale of the problem. OFAC’s updated advisory is part of the Biden administration’s ongoing efforts to address the national security and economic risks posed by such attacks. The updated advisory emphasizes that OFAC “strongly discourages” victims from making ransom payments and reemphasizes the sanctions risks of doing so, but also seeks to provide victims with greater clarity about the steps that can be taken to reduce the likelihood of a public enforcement response if a company inadvertently makes or facilitates ransom payments that may have a sanctions nexus.
On September 24, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued General License 14 (GL-14) and General License 15 (GL-15), authorizing certain types of humanitarian transactions involving Afghanistan that could relate to the Taliban or the Haqqani Network that would otherwise be prohibited by the Global Terrorism Sanctions Regulations (GTSR), the Foreign Terrorist Organizations Sanctions Regulations (FTOSR), or Executive Order (EO) 13224.
Both the Taliban and the Haqqani Network are designated by OFAC as Specially Designated Global Terrorists (SDGTs) pursuant to EO 13224. The Haqqani Network is also designated by the US Department of State as a Foreign Terrorist Organization (FTO) under section 219 of the Immigration and Nationality Act. Furthermore, several of the individual members of the Taliban and the Haqqani Network are designated by OFAC as SDGTs.
These groups have recently taken control of, and appointed officials (including at least one individual designated as an SDGT) to administer, the Government of Afghanistan and its associated agencies and organizations. As a result, there are concerns that interactions with the Government of Afghanistan could be prohibited to the extent they involve a person subject to US sanctions or expose parties to broader risks under US counter-terrorism financing laws.
On September 20, 2021, the Biden administration announced its intention to end all COVID-related geographic travel suspensions, beginning in November 2021. Travel suspensions are currently in place for Brazil, China, India, Ireland, Iran, the Schengen countries, South Africa, and the UK. In lieu of these restrictions, all travelers to the United States will be required to verify full COVID vaccination. The vaccination requirement is in addition to the current requirement that all individuals present proof of a negative COVID test as a condition of embarking on travel to the United States.
On September 9, 2021, the long-awaited recast of the EU Dual-Use Regulation (the Regulation) will enter into force. It provides for new rules on cyber-surveillance technology, the provision of technical assistance, as well as export restrictions for reasons of public security and human rights considerations. Additionally, the new Regulation provides for large project authorizations as well as two new EU General Export Authorizations.
Like the United States and other like-minded countries, the EU regularly uses targeted financial sanctions against foreign organizations, legal entities, and individuals as a proportionate response in situations where an international disagreement or a crisis cannot effectively be resolved by conventional instruments of diplomacy, or to give weight to its demands against foreign powers. The procedure for the adoption of financial sanctions by the EU is in principle governed by strict standards as concerns due process and the respect of the rule of the law. However, when the parties targeted by sanctions seek legal redress, they are often frustrated by the outcome. This is illustrated by two judgments of the EU General Court in a matter involving Viktor Yanukovych, the former President of Ukraine, and his son, Oleksandr Yanukovych (see cases T-303/19 and T-302/19).
In 2015, the People’s Republic of China (PRC) enacted the first part of its comprehensive data security regime with the promulgation of the State Security Law, which provided a statutory basis for the construction of a nationwide network and information security system. The Cybersecurity Law (CSL), which followed in 2017, addressed cybersecurity protection and introduced the concept of a “Critical Information Infrastructure Operator” (CIIO). Subsequently, other laws, regulations, and rules have been promulgated addressing the requirements of China’s digital economy, related state security matters, and personal information privacy rights. Among those, the Data Security Law (DSL) became effective on September 1, 2021, and the Personal Information Protection Law (PIPL) will go into effect on November 1, 2021. After subsidiary regulations and rules addressing implementation of the DSL and PIPL have entered into force, China’s new data security architecture should be largely complete.
On August 20, 2021, the Biden administration issued a new Executive Order (“EO”) entitled “Blocking Property with Respect to Certain Russian Energy Export Pipelines.” At the same time, the Treasury Department’s Office of Foreign Assets Control (“OFAC”) added five entities and 13 vessels to the List of Specially Designated Nationals and Blocked Persons (“SDN List”) under the new EO.
These developments – the latest in a series of US actions related to the Nord Stream 2 and TurkStream pipelines – suggest that the United States is attempting to strike a balance between formally opposing the Nord Stream 2 project and cooperating with major allies who favor the pipeline’s completion, such as Germany. Importantly, the sanctions under the new EO are not as incrementally significant as they may seem: of the 18 new SDNs, all but four (two entities and two vessels) were already subject to sanctions under the Protecting Europe’s Energy Security Act of 2019 as amended (“PEESA”), which were imposed in May 2021 and were virtually identical to the new sanctions. Rather than reflecting a more aggressive US stance in opposition to Nord Stream 2, the new EO appears to be driven primarily by legal technicalities including a limitation on the sanctions that could be imposed under PEESA.
On July 20, 2021, the European Commission published its long-awaited legislative package titled “Anti-money laundering and countering the financing of terrorism” as announced in the Commission’s 2020 Action Plan for a comprehensive EU policy on preventing money laundering and terrorist financing (ML/TF).
As expected, the proposals seek to harmonize the application of more detailed anti-money laundering and counter-financing of terrorism (AML/CFT) rules, by suggesting to create an EU-level AML authority, to strengthen the supervisory framework and further harmonize and detail EU AML/CFT rules, and to adapt such rules to digitalization and technological innovation. Further, in promoting higher disclosure and transparency requirements, the proposed legislation could have far-reaching consequences in relation to those transacting or using cryptocurrencies.
In this Client Alert, we provide an overview of the four Commission proposals, including the creation of a new EU AML Authority (AMLA).
On August 9, 2021, the United States, United Kingdom and Canada announced further coordinated sanctions to mark one year since the allegedly fraudulent 2020 Belarusian presidential election in response to the continued undermining of democracy and human rights violations by the Lukashenko regime. The new sanctions follow the imposition by the United States, United Kingdom, European Union and Canada, on June 21, 2021, of targeted financial sanctions against dozens of individuals and entities as well as EU sectoral-style sanctions against certain sectors of the Belarusian economy, as discussed in our June 28, 2021 blog post.
On August 5, 2021, HM Treasury’s Office of Financial Sanctions Implementation (“OFSI”) announced a GBP 50,000 monetary penalty against TransferGo Limited (“TransferGo”) for multiple breaches of The Ukraine (European Union Financial Sanctions) (No. 2) Regulations 2014 (the “UK Regulations”).
According to OFSI’s penalty report, TransferGo, a fintech company, transferred funds to accounts held by non-designated persons with the Russian National Commercial Bank (“RNCB”), an entity subject to an asset freeze. This resulted, according to OFSI, in 16 transactions made between March 20, 2018, and December 18, 2019, in which TransferGo “made funds available to a person designated under Council Regulation (EU) No 269/2014” (the “EU Regulation”) (i.e., RNCB).
The TransferGo case represents the fifth use of OFSI’s civil monetary penalty powers since they were introduced under Part 8 of the Policing and Crime Act 2017 (“PACA”). While OFSI’s enforcement priorities remain somewhat unclear given the relatively limited use of its powers to impose monetary penalties, the TransferGo case provides some useful hints.
OFSI is not only interested in traditional financial institutions
The TransferGo enforcement action underscores that OFSI has its sights set on fintech and other companies, “not just traditional financial institutions.” The TransferGo case – like OFSI’s 2019 enforcement action against Telia Carrier UK Limited (“Telia”) – suggests that OFSI’s investigations may continue to cover a broad range of sectors.
The value of OFSI’s penalties is fluctuating, but OFSI’s discretion as to what is “reasonable and proportionate” is at least as important when calculating penalties as the value of the funds/resources at issue
Under the PACA, OFSI has the discretion to determine the amount of a penalty up to the greater of GBP 1,000,000 or 50 percent of the value of the funds or resources involved in a sanctions breach. The version of OFSI’s Monetary Penalties for Breaches of Financial Sanctions Guidance (the “Guidance”) applicable to the TransferGo case states that, in calculating a penalty, OFSI has regard to what is “reasonable and proportionate.”
TransferGo’s penalty of GBP 50,000 related to transactions with a combined value of GBP 7,764.77. The maximum possible penalty was therefore GBP 1,000,000. TransferGo did not receive any voluntary disclosure discount on its penalty, as some of the pertinent transactions were only disclosed in response to information requests issued by OFSI.
The GBP 50,000 penalty imposed on TransferGo was therefore based on what OFSI considered to be a reasonable and proportionate penalty, taking into consideration a range of factors, including that TransferGo:
- is a FCA regulated authorized payment institution with knowledge of sanctions;
- issued instructions to send payments to accounts of individuals resident in Crimea using a Russian Bank Identification Code that identified RNCB as the receiving financial institution for the payments;
- demonstrated a poor understanding of financial sanctions throughout its engagement with OFSI;
- failed to inform OFSI of the breaches as soon as practicably possible, despite being a relevant institution under the UK Regulations; and
- fully cooperated with OFSI and promptly provided all information which was requested of it during OFSI’s investigation.
The approach to penalty calculation in the TransferGo enforcement action appears to echo OFSI’s move toward the more holistic assessment of cases, as reflected in recent revisions made to the Guidance concerning the connection between the value of a sanctions breach and the available penalty amount.
The importance of due diligence
The TransferGo enforcement action communicates OFSI’s position that a person transferring funds to accounts held by non-designated persons with designated banks breaches the prohibition in the UK Regulations on making funds available to a designated person if the person knew, or had reasonable cause to suspect, he/she/it was doing so.
OFSI’s penalty report makes clear its expectation that companies and individuals must ensure that they carry out due diligence on both the parties to transactions and the banks and financial institutions involved in those transactions to ensure that financial sanctions are not breached.
There is not always benefit to be derived from appealing OFSI’s initial penalty
Both Standard Chartered and Telia benefited from appealing OFSI’s initial penalty decision in previous enforcement actions. After challenging OFSI’s penalty decision through ministerial review, the Economic Secretary to the Treasury (the “Minister”) reduced Standard Chartered’s total penalty by GBP 11,030,000 (approximately 35 percent), having concluded that OFSI should have given greater weight to certain mitigating factors when calculating the penalty. Telia also had its penalty reduced on appeal by over 50 percent. These cases suggested that the subjects of OFSI enforcement actions may achieve significant penalty reductions by exercising their right to ministerial review under Section 147 of the PACA.
The TransferGo enforcement action goes against that nascent trend. Having reviewed the case materials, the Minister upheld OFSI’s decision both to impose the penalty on TransferGo and on the amount of the penalty, concluding that the initial penalty was “within the range of reasonable and proportionate options open to OFSI.”
It also is worth noting that the Minister rejected TransferGo’s request for anonymity in the event that its penalty was upheld following the ministerial review process. The Minister considered anonymizing the penalty to be contrary to the objectives of OFSI’s sanctions enforcement regime and not in the public interest.
OFSI will continue to investigate and impose penalties for financial sanctions breaches occurring under EU sanctions regulations
The sanctions breaches in the TransferGo case occurred prior to the end of the Brexit transition period in 2018 and 2019 and were therefore breaches of the relevant EU Regulation. The case underlines OFSI’s commitment to continue investigating and, where appropriate, imposing monetary penalties for breaches occurring under EU sanctions regulations prior to the end of the Brexit transition period on December 31, 2020.
- Sanctions compliance for fintech and non-financial institutions is of growing importance, as OFSI has demonstrated its appetite for bringing enforcement actions for financial sanctions breaches in a range of sectors.
- It is crucially important for companies and financial institutions to conduct robust due diligence checks to ensure that they understand with whom they are doing business. Implementing such steps will enable companies/financial institutions to mitigate their potential risk through, among other things, the early identification of designated persons involved in potential transactions.
- The investigation and disclosure to OFSI of potential breaches of financial sanctions should be undertaken carefully and with appropriate cooperation, to maximize the likelihood of a swift and satisfactory outcome. While OFSI’s penalty report acknowledged TransferGo’s full cooperation with OFSI’s investigation, it also stated that “had TransferGo voluntarily disclosed these transactions it could have received a discount of 50% of the baseline penalty amount.”