This is one you need to read to appreciate the breadth of the problem here. SITA, which is headquartered in Switzerland, settled 9256 violations of the Global Terrorism Sanctions Regulations for $7,829,640 – or more then three times the $2,428,200 it took in for the violating transactions. Simply put, SITA provides “telecommunications network and information technology services to the civil air transportation industry.” Problem is, not only were some of SITA’s owner-members on the SDN List, 3 of its services involved either communication services using servers hosted in the United States, US-origin software, and/or software maintained by SITA’s U.S. subsidiary.
On top of all this, SITA knew it had sanctions liability:
Prior to OFAC’s investigation, SITA knew it was providing services to SDGTs and implemented periodic measures to comply with U.S. economic sanctions laws and regulations. For example, at or shortly after the time of the respective SDGT airlines’ designation by OFAC, SITA terminated many of the services provided to these airlines that it knew were subject to U.S. jurisdiction. In addition, SITA had begun taking steps to mitigate its sanctions compliance associated risks pursuant to a global risk assessment initiated by management in 2016. SITA described its compliance program up until that point as primarily reactive, in that it would address compliance concerns as they arose. The company acknowledged, however, that prior to these reviews it did not maintain a comprehensive and detailed compliance program to address in detail issues regarding compliance with U.S. sanctions laws and regulations. For example, in response to OFAC’s designation of Mahan, SITA reviewed its agreements with Mahan in order to assess its rights to stop providing services pursuant to its contractual obligations and ultimately terminated its ticketing, airfare, e-commerce and other services, but continued to provide TBM, Maestro, and WorldTracer services and software to, or which ultimately benefitted, Mahan. SITA responded similarly to the designations of the other SDGT airlines identified in OFAC’s investigation.
These violations were not self-reported, but were non-egregious. That made the base penalty $13,384,000 – as opposed to $2,433,077,327 had the violations been egregious.
Here is OFAC’s math:
The settlement amount of $7,829,640 reflects OFAC’s consideration of the General Factors under the Enforcement Guidelines. Specifically, OFAC determined the following to be aggravating factors:
(1) SITA had actual knowledge that it was providing services and software directly or indirectly to SDGTs;
(2) SITA harmed the foreign policy objectives of the GTSR by providing services and software that facilitated the operations of, or otherwise benefitted, airlines that were sanctioned for supporting terrorism; and
(3) SITA is a commercially sophisticated entity that operates in virtually every country in the world.
OFAC determined the following to be mitigating factors:
(1) SITA has not received a Penalty Notice or Finding of Violation in the five years preceding the date of the earliest transactions giving rise to the Apparent Violations;
(2) the transactions giving rise to the Apparent Violations represented a small percentage of SITA’s overall business;
(3) SITA implemented extensive remedial efforts and enhancements to its compliance program, customer and supplier screening, and its expulsion of Mahan, Syrian, and Caspian from the organization; and
(4) SITA cooperated with OFAC’s investigation, including by providing detailed, prompt, and well-organized submissions in response to OFAC’s numerous requests for information, and executing multiple tolling agreements.
And SITA’s remediation:
Established a global trade board to expressly monitor and vet compliance risk involving customers, suppliers, and other parties;
Established a trade compliance committee to act as an information sharing and advisory body in relation to trade and sanctions law matters that affect SITA or its members;
Appointed a dedicated global head of ethics and compliance that has focused its efforts on developing and improving the compliance function as a whole;
Implemented new sanctions legal compliance reviews when onboarding new customers and suppliers, and when extending or adding new products or services to existing customers in sanctioned countries;
Updated and created new compliance policies and guidelines to bring awareness of sanctions compliance issues to the business;
Committed to monitoring and auditing its messaging, Maestro, and WorldTracer systems periodically to verify that they are not being used to support SDGT airlines; and
Required all new SITA employees to attend sanctions compliance training; and required sanctions compliance training for all SITA employees every year, and on an annual basis.
And OFAC always has a lesson to teach:
This enforcement action highlights the benefits companies operating in high-risk industries can realize by implementing effective, thorough, and on-going risk-based compliance measures, especially when engaging in transactions concerning the aviation industry. Companies engaging in international transactions more broadly should take note of, and respond accordingly to, sanctions-related warning signs. Additionally, on July 23, 2019, OFAC issued an Iran-Related Civil Aviation Industry Advisory to the civilian aviation industry to warn of deceptive practices employed by Iran with respect to aviation matters. While that advisory was focused on Iran, participants in the civilian aviation industry should be aware that other jurisdictions and persons subject to OFAC sanctions may engage in similar deceptive practices.