February 1, 2004

Complying with U.S. Embargo and PATRIOT Act Requirements: A Practical Approach for U.S. Company Compliance

Jonathan M. Epstein | Ronald A. Oleynik

Until recently, most U.S. corporations involved in domestic businesses other than banking had little reason to consider issues relating to terrorism. However, following the September 2001 terrorist attacks against the United States, the U.S. Government greatly increased its efforts to identify entities that support terrorism and to seize their assets. While there are substantive and practical changes, there has been considerable hyperbole considering what companies must do to comply with the law. This article provides a synopsis of the law, and suggests a practical risk-based approach to company compliance.

Treasury Department Regulations

The United States has for many years imposed broad restrictions on trade with certain individuals, groups, and countries associated with terrorism. These restrictions are enforced by the U.S. Department of Treasury Office of Foreign Assets Control (OFAC). OFAC enforces trade sanctions against targeted foreign countries, terrorism sponsoring organizations, and international narcotics traffickers. A country may be the subject of a U.N.-sanctioned embargo, or may be unilaterally sanctioned by U.S. legislation or executive order because of that country’s specific policies or acts.

Currently, OFAC embargoes are in effect for Cuba, Iran, Libya, and Sudan, with more limited embargoes placed against Burma (Myanmar), Iraq, Liberia, North Korea, Sierra Leone, and Syria.

OFAC also maintains a list of terrorist organizations and persons, and narcotics traffickers called the “Specially Designated Nationals and Blocked Persons” list or “SDN” list. The SDN list also includes individuals and entities associated with the Taliban, Al Qaeda, unrest in the Balkans, or associated with the Milosevic regime.

Jurisdictional Reach of U.S. Embargo Laws and Regulations

Generally, U.S. embargo restrictions do not apply to non-U.S. entities. Most of the OFAC regulatory regimes, including those with respect to terrorist organizations, apply only to "U.S. persons.” The Cuban embargo is broader and applies to U.S.-owned and controlled foreign subsidiaries.[1]

Barred Transactions/Facilitation

Currently, the U.S. economic embargoes ban virtually all transactions, imports, or exports from Cuba, Iran, Libya, and Sudan, and with persons and entities identified on the SDN List. Virtually any participation by a U.S. person in any type of transaction directly with a barred entity would be a violation of embargo regulations, absent a license. As discussed below, OFAC holds companies strictly liable for dealing with such entities.

In addition, a U.S. company cannot indirectly "facilitate" a transaction by a foreign company with a barred entity. "Facilitation" generally means providing financial assistance, advice, consulting services, goods, or any other support in connection with the transaction with the barred entity.[2] While U.S. companies cannot play a role in a transaction, they are not barred from engaging in transactions with foreign entities that do business with barred entities. For example, OFAC has stated that independent transactions with Libya by foreign subsidiaries of U.S. firms are permitted if no U.S. person or permanent resident has a role.[3] Further, mere “knowledge” by a U.S. company of a transaction between the foreign company and a barred entity would not, in and of itself, cause the U.S. parent company to violate OFAC regulations.[4]

OFAC Due Diligence Requirements

Although OFAC Regulations do not prescribe due diligence requirements for companies, OFAC encourages U.S. entities, particularly financial institutions, to develop compliance programs that allow transactions and clients to be screened against the SDN List.

USA Patriot Act and Executive Order 13224

As a result of the events of September 11, 2001, President Bush issued Executive Order 13324 blocking terrorist property and designating certain individuals and entities.[5] In October 2001, Congress enacted the USA Patriot Act,[6] which gives additional powers to the U.S. Government to identify terrorists and block transactions that could be used to benefit terrorists. This Act and the regulations implemented by various government agencies place additional due diligence requirements on U.S. financial institutions and other businesses. Some of these requirements are:

Executive Order - Designation of Terrorists

Under Executive Order 13324, the United States has expanded its designation of terrorists and organizations supporting terrorists. While certain terrorists and terrorist organizations were already on the SDN list prior to September 11, changes to the SDN list were infrequent. Now changes are often made several times a month. Further, pursuant to this order, the government is seeking to identify and freeze assets of entities owned or controlled by terrorists. The Executive Order contains no guidance with respect to due diligence. However, because the Executive Order has been implemented through and under OFAC Regulations, the discussion above provides guidance for both OFAC and the Executive Order.

Patriot Act – Anti-Money Laundering Provisions

Terrorist groups have used multiple wire transactions, offshore accounts, and other means to disguise transfers of funds intended to support terrorist activities. The U.S. is taking various steps to curb the flow of funds, in particular through broadened criminal “money laundering” statutes and regulations. The USA Patriot Act requires banks, brokers, securities dealers, and other “financial institutions” to take steps to detect and prevent money laundering. Although the statutory definition of “financial institutions” is broad, see 31 U.S.C. § 5312(a)(2), differing requirements have been placed on different types of institutions.

Mandatory Anti-Money Laundering Programs and Customer Identification Programs

Pursuant to Section 352 of the Patriot Act, the Treasury Department issued regulations requiring certain types of financial institutions, such as banks and savings and loan associations, to implement anti-money laundering compliance programs. Regulations for other financial institutions have been issued as well. Internal screening procedures are a key element of such a program.[7]

Section 326 of the USA Patriot Act requires the U.S. Treasury Department to issue regulations setting minimum standards for identification and verification of account holders/customers by financial institutions to the extent "reasonable and practicable." In conjunction with other agencies with jurisdiction over financial institutions,[8] the Treasury Department has issued requirements for banks and certain other financial institutions (including credit unions, savings associations, broker dealers, mutual funds, and futures commissions merchants). These regulations require those designated financial institutions to incorporate a Customer Identification Program (CIP) into their anti- money laundering programs.

One element of such a program is procedures for checking customers against the SDN list. The proposal indicates that because transactions and institutions vary, verification procedures should be "risk-based" (i.e., tailored to the level of risk associated with the particular type of transaction or entities involved).

Enhanced Due Diligence

For financial institutions, additional due diligence that may include determination of beneficial owners of a customer is required or suggested in certain circumstances.

Under the Patriot Act, special due diligence is required by financial institutions regarding correspondent or private banking accounts. In particular, the institutions are required to ascertain the beneficial owners of private banking accounts. Patriot Act, § 312(a)(3). Similarly, under Section 311, the U.S. Treasury is given authority to require financial institutions to take special measures, including reasonable and practical measures ascertaining the beneficial ownership of foreign entities in transactions it deems high risk.

Further, the Financial Act Task Force on Money Laundering (FATF) has identified certain countries that are considered "non cooperative" with respect to enforcing anti-money laundering, and where enhanced diligence is suggested for financial institutions.

Civil and Criminal Penalties

In general, OFAC will impose civil penalties for unintentional or inadvertent violations and may refer cases of intentional violations to the Justice Department for criminal prosecution.

The civil penalties for doing business with prohibited persons, groups or nations are significant. Under anti-terrorism regulations, penalties include civil penalties of up to $11,000 per violation or more, [9] seizure of funds or goods, and suspension of export privileges. Further, a single transaction can result in multiple violations raising penalties exponentially.

Criminal penalties for willful violations are up to $50,000 per violation and imprisonment of up to 10 years for any officer, director, or agent of any corporation who knowingly participates in a violation. Moreover, in recent years, it has become common for the government to initiate a criminal investigation in conjunction with a civil penalty proceeding. Not only does this increase the costs of defense, but the government can leverage the threat of criminal indictment to force settlement of civil penalties.

The most effective method for reducing or altogether avoiding the imposition of the range of potential penalties is to have an effective compliance system in place which checks customers against the terrorist lists. In the event of an inadvertent violation, having such a compliance system in place has proven to be the most significant factor in mitigating or even avoiding the imposition of civil penalties against the company, or criminal charges against the company and its officers and directors.

Developing Compliance Procedures

Developing effective compliance procedures involves a number of elements, and a cost/benefits analysis of what measures will be most effective to prevent inadvertent violations of the above laws. Key elements of such a program include:

Barred Entity Screening

Each company should have a method for screening potential clients, business partners, distributors, etc., against the various government barred entity lists. Screening is mandatory for certain financial institutions as part of their anti-money laundering programs. The various government lists are difficult to use and contain thousands of names of persons and entities, some of which are common Hispanic and Arabic names. Outside of the financial industry, companies must weigh the costs of setting-up screening versus the risk of inadvertent violations. In particular, we recommend that companies screen entities based on the perceived risk and develop reasonable and practical policies to that effect. For example, the risk and severity of a violation in low value domestic consumer products sales may be lower than sales to a foreign distributor.

There are a number of third-party software vendors that can assist in setting up an integrated or non-integrated system for screening.

Procedures and Staff for Vetting Potential Matches

Because the various government lists contain common names, screening will likely generate a certain volume of potential matches to persons on the SDN list. Companies need to identify staff and procedures for resolving these matches, which often turn out to be false. When screening employees against the lists, companies must be cognizant of employment/discrimination law issues that may arise if inquiries are made into citizenship, nationality, etc., in resolving matches.

Related Procedures

In addition to the above, a company should:

  • Draft guidance on identifying suspicious activity or evidence of money-laundering. This often takes the form of "red flags" to look for, tailored for the industry.
  • Prepare procedures for internal/external reporting of violations and seizure of funds (if required).
  • Procedures for certain reportable "cash" transactions.

This publication is intended to summarize points of interest in the material discussed herein. It is not intended to be exhaustive or to be legal advice with respect to the matters discussed.


[1] The embargoes against Cuba and North Korea cover "Person Subject to the Jurisdiction of the U.S." This definition includes, inter alia, "any corporation, partnership, or association, wherever organized or doing business, that is owned or controlled by" a U.S. citizen, U.S. resident, or U.S. entity. 31 C.F.R. § 515.229 (emphasis added). Also the Cuban Liberty and Democratic Solidarity (LIBERTAD) Act of 1996, 22 U.S.C. §§ 6021 et seq. seeks to impose sanctions on non-U.S. entities and persons who engage in transactions involving property of U.S. citizens expropriated by Cuba.

The embargoes against Cuba and North Korea cover "Person Subject to the Jurisdiction of the U.S." This definition includes, , "any corporation, partnership, or association, wherever organized or doing business, that is or by" a U.S. citizen, U.S. resident, or U.S. entity. 31 C.F.R. § 515.229 (emphasis added). Also the Cuban Liberty and Democratic Solidarity (LIBERTAD) Act of 1996, 22 U.S.C. §§ 6021 . seeks to impose sanctions on non-U.S. entities and persons who engage in transactions involving property of U.S. citizens expropriated by Cuba.

[2] R. Richard Newcomb, Office of Foreign Assets Control, in COPING WITH U.S. EXPORT CONTROLS, (Practicing Law Institute, 1999, at 230, 234).

[3] Available on the Internet at: http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx.

[4] While the economic sanctions regulations administered by OFAC do not contain a definition of “knowledge,” the Export Administration Regulations (EAR) have defined the meaning of “knowledge” in the context of the ban on the export of controlled items or of items the exporter “knows” are going to a specified proliferation related end-use or end-user. 15 C.F.R. Part 772. “Knowledge” of a circumstance requires “positive knowledge that the circumstance exists or is substantially certain to occur, . . . [or] an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person's willful avoidance of facts.” Id.

[5] E.O. 13324 (Sept. 24, 2001).

[6] USA Patriot Act, Pub. L. 107-56 (Enacted Oct. 26, 2001).

[7] The four key elements of an anti-money laundering compliance program are: (1) internal policies, procedures, and controls to ensure against money laundering and terrorist financing; (2) designation of a compliance officer; (3) ongoing training for employees; and (4) an independent audit of the program. See, e.g., Financial Crimes Enforcement Network; Anti-Money Laundering Programs for Operators of Credit Card Systems, 67 Fed. Reg. 21121 (Apr. 29, 2002).

[8] These agencies included the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Commodities Futures Trading Commission (CFTC), and the Securities Exchange Commission (SEC).

[9] Penalties for violations of other specific embargo regimes carry even more significant statutory penalties. For example, a violation of the Trading with the Enemy Act, 40 U.S.C. App. 16, such as for breach of the Cuban embargo, carries corporate fines of up to $1,000,000 per violation, and individual fines of $100,000. Officers and directors who knowingly participate may be subject to up to $100,000 in criminal fines as well as imprisonment.

Related Insights