The settlement: $134,523
The base penalty: $134,523…. but the statutory maximum was $1,038,206,212
What were the actual violations?
From on or about November 15, 2011, to on or about October 18, 2018, persons located in Crimea, Iran, and Syria placed orders or otherwise conducted business on Amazon’s websites for consumer and retail goods and services where the transaction details demonstrated that the goods or services would be provided to persons in Crimea, Iran, or Syria. Amazon also accepted and processed orders on its websites for persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria.
Additionally, Amazon accepted and processed orders from persons listed on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) who were blocked pursuant to the Narcotics Trafficking Sanctions Regulations, the Weapons of Mass Destruction Proliferators Sanctions Regulations, the Transnational Criminal Organizations Sanctions Regulations, the Democratic Republic of the Congo Sanctions Regulations, the Venezuela Sanctions Regulations, the Zimbabwe Sanctions Regulations, the Global Terrorism Sanctions Regulations, and the Foreign Narcotics Kingpin Sanctions Regulations. Overall, the apparent violations consisted primarily of transactions involving low-value retail goods and services for which the total transaction value of the apparent violations was approximately $269,000.
Why did they occur?
These apparent violations occurred primarily because Amazon’s automated sanctions screening processes failed to fully analyze all transaction and customer data relevant to compliance with OFAC’s sanctions regulations. In some instances, orders specifically referenced a sanctioned jurisdiction, a city within a sanctioned jurisdiction, or a common alternative spelling of a sanctioned jurisdiction, yet Amazon’s screening processes did not flag the transactions for review. For example, Amazon’s screening processes did not flag orders with address fields containing an address in “Yalta, Krimea” for the term “Yalta,” a city in Crimea, nor for the variation of the spelling of Crimea. In another example, Amazon failed to interdict or otherwise flag orders shipped to the Embassy of Iran located in third countries. Moreover, in several hundred instances, Amazon’s automated sanctions screening processes failed to flag the correctly spelled names and addresses of persons on OFAC’s SDN List.
But, wait, there’s more:
Finally, Amazon disclosed to OFAC that it failed to report 362 transactions involving Crimea that it had conducted pursuant to General License No. 5, “Authorizing Certain Activities Prohibited by Executive Order 13685 of December 19, 2014 Necessary to Wind Down Operations Involving the Crimea Region of Ukraine” (GL 5), which authorized certain transactions prohibited by E.O. 13685 through February 1, 2015. The terms of GL 5 included a requirement that transactions authorized by GL 5 be reported within 10 days after the wind-down activities concluded. As stated in § 501.801(a) of the Reporting, Procedure and Penalties Regulations, 31 C.F.R. Part 501, “Persons availing themselves of certain general licenses may be required to file reports and statements in accordance with the instructions specified in those licenses. Failure to file timely all required information in such reports or statements may nullify the authorization otherwise provided by the general license and result in apparent violations of the applicable prohibitions that may be subject to OFAC enforcement action.” Amazon previously identified and reported to OFAC 245 transactions involving Crimea undertaken pursuant to GL 5 on February 13, 2015 (within the required reporting period), but did not report an additional 362 such transactions until well after the required reporting period had expired. Because of this reporting failure, the authorization in GL 5 is nullified with respect to those 362 transactions.
The aggravating factors:
(1) Amazon failed to exercise due caution or care when it implemented sanctions screening processes that failed to properly flag transactions involving blocked persons and sanctioned jurisdictions. In particular, Amazon did not properly review or assess addresses, customer names, or common variations of such data as part of its sanctions screening.
(2) While the apparent violations primarily involved the provision of low-value retail and consumer goods and services, some of the apparent violations related to Amazon’s processing of orders for personal security products on behalf of persons located at the Iranian embassies in Tokyo, Japan, and in Brussels, Belgium.
(3) Amazon provides consumer goods and services via its e-commerce websites and processes billions of global transactions annually, and is one of the largest and most commercially sophisticated companies in the world.
The mitigating factors:
(1) Amazon had not received a penalty notice or Finding of Violation from OFAC in the five
years preceding the earliest date of the transactions giving rise to the apparent violations.
(2) Amazon voluntarily self-disclosed the apparent violations to OFAC, cooperated with OFAC’s investigation by providing data analysis of the apparent violations and submitting detailed information in a well-organized manner, and entered into tolling agreements with OFAC. In addition, Amazon conducted an internal investigation without receiving an administrative subpoena and identified and disclosed the circumstances of the transactions that led to the apparent violations.
(3) Upon discovering the apparent violations, Amazon undertook significant remedial measures to address its sanctions screening deficiencies and has also agreed as part of its settlement with OFAC to undertake various additional sanctions compliance commitments designed to minimize the risk of recurrence of similar conduct in the future. Such measures include:
Investing substantial resources to improve Amazon’s overall sanctions compliance program, including by actively engaging senior management on its compliance improvements, adding significant headcount to its compliance teams, and increasing the frequency of its sanctions compliance reviews;
Employing internal and third-party sources to conduct a thorough review of Amazon’s sanctions compliance program and its automated screening systems in order to address the screening failures that gave rise to the apparent violations. In particular, Amazon is incorporating additional automated preventative screening controls designed to scale and operate effectively for its overall retail business;
Developing internally custom screening lists to minimize the risk of processing transactions that raise sanctions compliance concerns;
Enhancing its sanctioned jurisdiction Internet Protocol (IP) blocking controls and implementing automated processes to update continually its mapping of IP ranges associated with sanctioned jurisdictions;
Bolstering its compliance training programs by providing training tailored to the roles of specific teams and specialized ad-hoc training to personnel responsible for sanctions and export control compliance; and
Expanding the use of specific export control and sanctions provisions and the language of those provisions in its agreements.
Our takeaway? In this case, there are two:
This case demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls, including sanctions screening measures appropriate for e- commerce and other internet-based businesses that operate on a global scale. Such large and sophisticated businesses should implement and employ compliance tools and programs that are commensurate with the speed and scale of their business operations. In particular, global companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues, such as common misspellings. Routine testing of these processes to ensure effectiveness and identify deficiencies may also be appropriate. Moreover, companies that learn of a weakness in their internal compliance controls may benefit by taking immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
This case also demonstrates the importance of compliance with all aspects of the terms of OFAC’s general licenses, including the timely fulfillment of any reporting obligations pursuant to those licenses.
How about Mr. Watchlist’s takeaway? I have a few:
- Undoubtedly, each individual retail violation is a pretty petty thing to issue a penalty over. However, because this stretched on for 6-7 years, and involved so many sanctions programs, and so many transactions, I think OFAC needed to flag this. Had it be 10-20 items over the course of a year, maybe this gets a Finding of Violation.
- It’s shocking that a firm of Amazon’s size and commercial sophistication would be so sloppy in doing the paperwork – it’s a real “unforced error.”
- It’s also pretty shocking that Amazon wasn’t searching for geographic references like “Iran.” To be honest, I don’t think it’s reasonable to go out and identify every overseas diplomatic facility (and, logically, where every staffer lives). And I highly doubt that the Embassy made those purchases, but staff at the embassy did. But, certainly, you should be stopping all references to names of countries and major cities. That being said, it can be pretty challenging – if Liberia had had comprehensive sanctions (when you need to look for geographic references, since the restrictions are not just on specific parties), some of the cities there are also really common Western ones – like Greenville and Glendale. Especially when you consider Amazon’s size of operations.
- I think the final settlement was fair-ish. At the end of the day, Amazon had bad software and/or regulatory data – it wasn’t a process of procedure failure. Perhaps one thing OFAC could have suggested is that technology purchases need to have active input from Compliance. A good compliance officer would have noticed that geographic references were not in the installed solution – and could have teased that “Yalta, Krimea” case out in user acceptance testing.
One more thing: look at the categories attached to this post. That gives you a list of all the sanctions programs they ended up violating (not that their conduct was in any way, shape or form related to specific sanctions programs).
Link: