What Procurement Teams Need to Know About the OFAC 50 Rule
The Office of Foreign Assets Control (OFAC) oversees America’s 38 active sanctions programs — including the well-known OFAC 50 rule. It’s also responsible for maintaining the Specially Designated Nationals and Blocked Persons List (“SDN List”).
The SDN list is a database of 6,300 individuals and companies sanctioned by the U.S. government. The list contains the terrorists, cyber attackers, and international criminals you’d expect to see. But also there are politicians and businesspeople who are accused of, in the words of the U.S. Department of the Treasury, “acting for or on behalf of targeted countries,” like Iran, Cuba, and most lately Russia, following its invasion of Ukraine.
In this article, we cover:
- What the OFAC 50% rule is
- What the consequences of non-compliance are
- How to achieve OFAC 50 compliance in your business
- How sanctions compliance processes are built into Certa
What Is the OFAC 50 Rule?
The U.S. Department of the Treasury’s website states clearly that “U.S. persons are generally prohibited from dealing with” individuals, groups, and entities on the OFAC SDN list.
Under OFAC 50, it’s against the law to trade with a business if 50% or more of it is owned by blocked entities that appear on the SDN list. This means both direct and indirect ownership.
This is where it can get quite complicated. People and companies on the list often go to great lengths to hide their ownership interests. They certainly don’t advertise their inclusion on the SDN list on their LinkedIn profiles.
Nevertheless, U.S. companies must check that:
- Customers in their personal capacities are not blocked persons
- The businesses they buy from or sell to have an ownership structure that’s compliant with OFAC 50
Please note that OFAC also recommends that companies exercise caution when dealing with companies where the total ownership held by blocked persons or entities is close to 50%.
Enforcement Actions Against Sanctions Breaches
The U.S. government takes sanctions very seriously, and it does not tolerate it when people or companies break them, accidentally or not. If you do get it wrong, you’ll be subject to civil penalties, criminal penalties, or debarment.
Civil Penalties
Civil fines can be eye-wateringly large. British-based Barclays Bank was hit with a fine totalling $298 million in 2010 after they breached the Iranian Transactions and Sanctions Regulations. The fine was so large because the “violations arose out of practices designed to circumvent filters … installed to detect transactions in violation of OFAC regulations,” according to the U.S. Treasury Department.
Six years later, the same bank was fined $2.48 million for 159 apparent violations for doing business with blocked entities in Zimbabwe. There were significant shortcomings in the way the bank captured beneficial ownership information — so much so that it breached the bank’s own anti-money laundering procedures as well as OFAC 50.
Criminal Penalties
In 2018, JPMorgan Chase (JPMC) was penalized $7.79 million for violating multiple sanctions programs, eventually paying $5.26m. According to OFAC, JPMC “acted with reckless disregard” by not properly screening people and companies against the SDN list. It was said to have “missed red flags and other warning signs on several occasions” dating back to 2011.
Prison is also a possible penalty for sanctions breakers, but it’s much more likely for those who want to break the law rather than because they have poor internal procedures. Mehmet Hakan Atilla was sentenced to 32 months in prison for “conspiring with others to use the U.S. financial system to conduct transactions on behalf of the government of Iran and other Iranian entities,” according to the local U.S. Attorney’s Office.
Debarment
Firms also face being banned from bidding on government contracts or receiving financial assistance from the government. In the case of Sudan OFAC violations, "debarment" could last for three years, while a violation against Iranian sanctions would warrant a debarment of no longer than two years.
3 Steps to Achieve OFAC 50 Compliance
OFAC sanctions are complicated, and they affect all companies involved in international trade.
To mitigate third-party risk to your company, you need to bake in enhanced due diligence from the screening phase and beyond. Consider taking the following three steps.
1. Base Decisions on the Widest Range of Intelligence
Don’t rely on one source of truth for OFAC compliance. It’s hard for any one single vendor to maintain up-to-date and accurate information on all sanctioned individuals and companies. Reduce risk by sourcing vendor and supplier risk intelligence from as many trusted providers as possible.
Relying on one screening provider to identify blocked entities led to Delaware-based virtual currency exchange Kraken being fined $362,158.70.
2. Accept That Compliance Never Stops
OFAC compliance is not one-and-done. The SDN list is not an immutable historic record. Someone not on the list today might be on it tomorrow if the ownership of a supplier changes or the government introduces new sanctions or export controls.
Run every company on your approved supplier database regularly against OFAC’s sanctions lists and your vendor and supplier risk intelligence providers’ lists. And bring forward your stakeholder meetings to reappraise your level of exposure to changing world events, especially when they might affect suppliers already on significant risks contracts.
3. Be Aware of Sanction Risks Across the Board
You need to think wider than just OFAC 50. There are plenty of other threats, like the sectoral sanctions programs, you have to be careful with.
Three current and high-profile examples of U.S. sanction regimes are:
- Russia and its defense, financial, and energy sectors (including the Rosneft deepwater Arctic oil facility)
- Human rights abusers from Saudi Arabia, Turkiye, and Russia under the Magnitsky Act
- Venezuela, where 22 individuals and 27 companies are the targets of American sanctions
What Procurement Teams Need to Know About the OFAC 50 Rule
The Office of Foreign Assets Control (OFAC) oversees America’s 38 active sanctions programs — including the well-known OFAC 50 rule. It’s also responsible for maintaining the Specially Designated Nationals and Blocked Persons List (“SDN List”).
The SDN list is a database of 6,300 individuals and companies sanctioned by the U.S. government. The list contains the terrorists, cyber attackers, and international criminals you’d expect to see. But also there are politicians and businesspeople who are accused of, in the words of the U.S. Department of the Treasury, “acting for or on behalf of targeted countries,” like Iran, Cuba, and most lately Russia, following its invasion of Ukraine.
In this article, we cover:
- What the OFAC 50% rule is
- What the consequences of non-compliance are
- How to achieve OFAC 50 compliance in your business
- How sanctions compliance processes are built into Certa
What Is the OFAC 50 Rule?
The U.S. Department of the Treasury’s website states clearly that “U.S. persons are generally prohibited from dealing with” individuals, groups, and entities on the OFAC SDN list.
Under OFAC 50, it’s against the law to trade with a business if 50% or more of it is owned by blocked entities that appear on the SDN list. This means both direct and indirect ownership.
This is where it can get quite complicated. People and companies on the list often go to great lengths to hide their ownership interests. They certainly don’t advertise their inclusion on the SDN list on their LinkedIn profiles.
Nevertheless, U.S. companies must check that:
- Customers in their personal capacities are not blocked persons
- The businesses they buy from or sell to have an ownership structure that’s compliant with OFAC 50
Please note that OFAC also recommends that companies exercise caution when dealing with companies where the total ownership held by blocked persons or entities is close to 50%.
Enforcement Actions Against Sanctions Breaches
The U.S. government takes sanctions very seriously, and it does not tolerate it when people or companies break them, accidentally or not. If you do get it wrong, you’ll be subject to civil penalties, criminal penalties, or debarment.
Civil Penalties
Civil fines can be eye-wateringly large. British-based Barclays Bank was hit with a fine totalling $298 million in 2010 after they breached the Iranian Transactions and Sanctions Regulations. The fine was so large because the “violations arose out of practices designed to circumvent filters … installed to detect transactions in violation of OFAC regulations,” according to the U.S. Treasury Department.
Six years later, the same bank was fined $2.48 million for 159 apparent violations for doing business with blocked entities in Zimbabwe. There were significant shortcomings in the way the bank captured beneficial ownership information — so much so that it breached the bank’s own anti-money laundering procedures as well as OFAC 50.
Criminal Penalties
In 2018, JPMorgan Chase (JPMC) was penalized $7.79 million for violating multiple sanctions programs, eventually paying $5.26m. According to OFAC, JPMC “acted with reckless disregard” by not properly screening people and companies against the SDN list. It was said to have “missed red flags and other warning signs on several occasions” dating back to 2011.
Prison is also a possible penalty for sanctions breakers, but it’s much more likely for those who want to break the law rather than because they have poor internal procedures. Mehmet Hakan Atilla was sentenced to 32 months in prison for “conspiring with others to use the U.S. financial system to conduct transactions on behalf of the government of Iran and other Iranian entities,” according to the local U.S. Attorney’s Office.
Debarment
Firms also face being banned from bidding on government contracts or receiving financial assistance from the government. In the case of Sudan OFAC violations, "debarment" could last for three years, while a violation against Iranian sanctions would warrant a debarment of no longer than two years.
3 Steps to Achieve OFAC 50 Compliance
OFAC sanctions are complicated, and they affect all companies involved in international trade.
To mitigate third-party risk to your company, you need to bake in enhanced due diligence from the screening phase and beyond. Consider taking the following three steps.
1. Base Decisions on the Widest Range of Intelligence
Don’t rely on one source of truth for OFAC compliance. It’s hard for any one single vendor to maintain up-to-date and accurate information on all sanctioned individuals and companies. Reduce risk by sourcing vendor and supplier risk intelligence from as many trusted providers as possible.
Relying on one screening provider to identify blocked entities led to Delaware-based virtual currency exchange Kraken being fined $362,158.70.
2. Accept That Compliance Never Stops
OFAC compliance is not one-and-done. The SDN list is not an immutable historic record. Someone not on the list today might be on it tomorrow if the ownership of a supplier changes or the government introduces new sanctions or export controls.
Run every company on your approved supplier database regularly against OFAC’s sanctions lists and your vendor and supplier risk intelligence providers’ lists. And bring forward your stakeholder meetings to reappraise your level of exposure to changing world events, especially when they might affect suppliers already on significant risks contracts.
3. Be Aware of Sanction Risks Across the Board
You need to think wider than just OFAC 50. There are plenty of other threats, like the sectoral sanctions programs, you have to be careful with.
Three current and high-profile examples of U.S. sanction regimes are:
- Russia and its defense, financial, and energy sectors (including the Rosneft deepwater Arctic oil facility)
- Human rights abusers from Saudi Arabia, Turkiye, and Russia under the Magnitsky Act
- Venezuela, where 22 individuals and 27 companies are the targets of American sanctions
We Built OFAC 50 Compliance Into Certa
Strengthen your company’s sanctions compliance with Certa. Certa automates 80% of third-party risk management while providing 100% visibility to stakeholders.
Ongoing, enhanced due diligence is part of our system’s core functionality. We constantly:
- Check U.S. sanctions lists: We keep on top of all 38 sanctions programs and the identities of the 6,000-plus specially designated nationals they contain.
- Check other countries’ watchlists: You can stay compliant in the jurisdictions you do business in with Certa’s global, always-updated monitoring.
- Monitor beneficial ownership in real time: This is vital when blocked entities redistribute their assets and ownership structures to try to get around sanctions. Certa consolidates and de-duplicates live ultimate beneficial owner databases from supplier and vendor risk intelligence providers like SAM.gov, Dun & Bradstreet, Dow Jones Risk Database, and U.S. Bancorp. We make screening of net names more accurate so it’s harder for sanctioned parties to hide non-compliant direct, indirect, or aggregate ownership.
- Optimize your payment blocking process: We can automate the blocking of payments to or from sanctioned entities or individuals through integrated finance systems, alerting your team that it’s done. OFAC compliance is not a one-and-done deal. A supplier or vendor not on the SDN list one day might be on it the next if ownership changes or new sanctions are introduced.
Learn more about always-on third-party risk management with Certa, and schedule a demo to see it in action.
