Settlement Agreement between the U.S. Department of the Treasury’s Office of Foreign Assets Control and Toll Holdings Limited
The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) today announced a settlement with Toll Holdings Limited (“Toll”), an international freight forwarding and logistics company headquartered in Melbourne, Australia. Toll agreed to remit $6,131,855 to settle its potential civil liability for 2,958 apparent violations of the Iranian Transactions and Sanctions Regulations, the North Korea Sanctions Regulations, the Syrian Sanctions Regulations, the Weapons of Mass Destruction Proliferators Sanctions Regulations, and the Global Terrorism Sanctions Regulations. The apparent violations occurred when Toll originated or received payments through the U.S. financial system involving sanctioned jurisdictions and persons. These payments were in connection with sea, air, and rail shipments conducted by Toll, its affiliates, or suppliers to, from, or through the Democratic People’s Republic of Korea, Iran, or Syria, or the property or interests in property of an entity on OFAC’s list of Specially Designated Nationals and Blocked Persons. The settlement amount reflects OFAC’s determination that Toll’s apparent violations were non-egregious and voluntarily self-disclosed.
What Toll did
Between approximately January 2013 and February 2019, Toll originated or caused to be received 2,958 payments in connection with sea, air, and rail shipments conducted by Toll, its affiliates, or providers and suppliers to, from, or through the DPRK, Iran, or Syria, and/or involving the property or interests in property of an entity on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”). The value of payments related to a designated person or made in connection with a sanctioned jurisdiction totaled approximately $48,409,909. These payments were processed through at least four financial institutions in the United States or foreign branches of financial institutions incorporated in the United States, in apparent violation of OFAC sanctions.
Of the payments, 424 involved Mahan Airlines, designated pursuant to Executive Order (“E.O.”) 132241 (accounting for 327 transactions), or Hafiz Darya Shipping Lines Company, designated pursuant to E.O. 138822 (accounting for 97 transactions). The remainder of the transactions — 2,534 funds transfers — comprised payments made for shipments to, from, or transshipping through the DPRK, Iran, or Syria. These payments were generally originated or received by Toll’s overseas units, altogether involving 23 different Toll entities across Asia, Europe, the Middle East, and North America.
In the normal course of operations, Toll businesses would routinely remit and receive payments in settlement of invoices for services performed by Toll for entities within its corporate structure, as well as between Toll and its customers, agents, suppliers, and other outside business partners. Often, Toll initiated or received payments to or from a person for a single shipment settled by one invoice. Toll would also frequently make or receive payments that involved multiple shipments pertaining to a single invoice with a particular affiliate, supplier, or customer, or spread a single shipment charge across several invoices; variations on this basic arrangement were also employed. In these instances, the payment amount associated with the sanctioned country or person was a portion of a larger amount consisting of non-sanctioned country or person payments.
In processing such payments through U.S. financial institutions, Toll failed to adopt or implement policies and controls that prevented it from conducting transactions that involved designated parties or persons in sanctioned jurisdictions. The absence of such policies and controls resulted in part from Toll’s rapid expansion over the preceding period without a requisite increase in compliance resources. Beginning in 2007, Toll began to acquire a number of small, local, or regional freight forwarding companies, including in the Asia Pacific region. By 2017, Toll had almost 600 invoicing, data, payment, and other system applications spread across its various business units. While Toll had a sanctions compliance policy in place, its compliance program, personnel, and associated controls failed to keep up with the pace and complexity of its growing operations, including with respect to the risks associated with the use of U.S. financial institutions to make or receive payments related to U.S.-sanctioned jurisdictions and persons.
By or before May 2015, some Toll personnel knew or had reason to know that the subject payments were in potential violation of U.S. sanctions prohibitions. That month, one of Toll’s banks (the “Bank”) restricted a Toll subsidiary’s use of its U.S. dollar account after identifying a U.S. dollar transaction involving Syria. Concerned that the inclusion of this Syrian-related payment would disrupt a separate, large impending internal transfer, a Toll employee at its headquarters’ treasury office sent an email instructing employees in Toll’s United Arab Emirates and South Korea affiliates to avoid including the names of sanctioned jurisdictions on invoices going forward.
Thereafter, the Bank continued to raise concerns with Toll over its compliance with U.S. sanctions, including potentially violative payments involving U.S. banks. To address these risks, Toll was required to provide supporting documentation to show transactions did not involve a sanctioned interest before the Bank would process funds transfers, and to confirm that its payments did not violate U.S. (and other countries’) sanctions regulations. In July 2015, the CEO of one of Toll’s operating divisions sent an email to its employees reminding them of its international sanctions compliance obligations. Potentially problematic payments and apparent control deficiencies continued to be a concern of the Bank, however, and in June 2016, after evaluating Toll’s controls and deeming them unacceptable, the Bank threatened to terminate its relationship with Toll. To maintain its account, Toll reiterated its commitment to abide by all applicable sanctions laws and requirements and attested to the Bank that Toll did not participate in prohibited transactions with sanctioned jurisdictions.
Effective June 2016, Toll decided to cease all business with U.S.-sanctioned countries, due to ongoing compliance risks. However, despite Toll’s compliance office repeatedly instructing business units that Toll must not be involved with any shipments to U.S.-sanctioned countries thereafter, Toll did not implement the compliance policies and procedures necessary to prevent payments involving sanctioned persons through the U.S. financial system. Neither did Toll test whether shipments involved persons located in U.S.-sanctioned countries.
Ultimately, in February 2017, Toll introduced “hard controls” that disabled the country and location codes for ports and cities in sanctioned countries in its freight management system, thereby preventing shipments to or from sanctioned countries. Of the 2,958 payments that caused the apparent violations, 2,853 occurred before Toll implemented these hard controls. Toll subsequently retained an accounting firm to conduct a detailed forensic examination of its payment practices with respect to sanctioned jurisdictions and persons and disclosed its findings to OFAC.
By causing U.S. financial institutions to export financial services to the DPRK, Iran, or Syria, or to transact in property or interests in property of entities on OFAC’s SDN List, Toll appears to have violated § 510.212 of the North Korea Sanctions Regulations, 31 C.F.R. part 510; § 542.205 of the Syrian Sanctions Regulations, 31 C.F.R. part 542; § 560.203 of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560; § 544.201 of the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. part 544; and § 594.201 of the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594 (the “Apparent Violations”).
Doing the OFAC math
The statutory maximum civil monetary penalty applicable in this matter is $826,431,378. OFAC determined that Toll voluntarily self-disclosed the Apparent Violations and that the Apparent Violations constitute a non-egregious case. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines (“Enforcement Guidelines”), 31 C.F.R. Part 501, app. A, the base civil monetary penalty applicable in this matter is $15,329,638, equaling one-half the transaction value for each apparent violation, capped at the lesser of $125,000 for transactions on or before November 2, 2015, and at $153,961 for transactions after November 2, 2015, or one-half of the applicable statutory maximum, per each apparent violation.
The settlement amount of $6,131,855 reflects OFAC’s consideration of the General Factors under the Enforcement Guidelines.
OFAC determined the following to be aggravating factors:
(1) Toll acted with reckless disregard for U.S. economic sanctions laws when, over the period of six years, it caused at least 2,958 payments involving shipments from, to, or through sanctioned jurisdictions or the blocked property or an interest in blocked property of entities on the SDN List to be routed through U.S. financial institutions. Toll’s pattern of conduct occurred despite an existing company compliance policy to abide by all applicable sanctions laws, and despite multiple warnings from a U.S. financial institution regarding Toll’s sanctions compliance risks.
(2) Toll knew or had reason to know of the apparent violations, including as a result of concerns raised by Toll’s bank and Toll’s business practice of transacting with U.S.-sanctioned persons and its use of the U.S. financial system.
(3) Approximately 14 percent of the apparent violations were for transactions involving entities blocked by OFAC for terrorism or WMD concerns. Toll’s activities also facilitated the participation of persons in comprehensively sanctioned jurisdictions in international shipments and business, contrary to U.S. policy objectives.
(4) Toll is a commercially sophisticated company and a major global freight forwarder. Its operations at the time of the apparent violations involved a network of approximately 1,200 agents, franchises, offices, and affiliates, procuring and providing commercial freight services worldwide.
(5) Upon first learning in May 2015 of problematic transactions and its initial engagement with the Bank, Toll did not take immediate or adequate steps to address and stop its processing of transactions with sanctioned interests through the U.S. financial system.
OFAC determined the following to be mitigating factors:
(1) Toll has not received a penalty notice or Finding of Violation from OFAC in the five years
preceding the earliest date of the transactions giving rise to the Apparent Violations.
(2) Toll voluntarily self-disclosed the apparent violations to OFAC and cooperated with OFAC’s investigation by conducting a thorough forensic analysis of the transactions giving rise to the apparent violations and submitting detailed information in a well-organized manner, as well as engaging responsively in answering requests for additional information.
(3) Toll ultimately took extensive actions to remedy its compliance gaps, including:
o Conducting a risk-mapping exercise to identify the root causes of the compliance lapses and instituting appropriate remedial measures and targeted controls;
o Developing and implementing an audit plan that has resulted in recommendations and further implementation of changes to its remediation efforts;
o Restructuring its compliance division to address procedural issues and streamline approaches to sanctions screening, and granting elevated sanctions-related responsibilities to its most senior compliance executive;
o Implementing a sanctions compliance training program for all relevant employees, training more than 500 employees across five countries;
o Implementing “hard controls” within its freight management system that disabled the ability to book shipments involving sanctioned jurisdictions;
o Applying its sanctions compliance standards to anyone acting on behalf of Toll, including but not limited to Toll’s representatives, consultants, agents, brokers, and subcontractors;
o Risk-based screening of transactions, third parties, and agents with whom Toll does business against its internal sanctions lists, to include the SDN List as well as other less-restricted parties lists; and
o Ending all franchise relationships, as part of a broader risk-mitigation strategy, and introducing enhanced due diligence measures for on-boarding agents, as well as instituting a due diligence screening process where all third parties adhere to the same compliance standards as Toll.
OFAC’s Lesson of the Day
This enforcement action highlights the importance of instituting strong internal controls and procedures to govern payments involving affiliates, subsidiaries, agents, or other counterparties when any of them conduct business with sanctioned jurisdictions or persons. Complex payment and invoicing arrangements, while normal business conduct, can pose sanctions risks when linkages to sanctioned jurisdictions or persons are obscured, or when mechanisms to preclude their involvement with U.S. financial institutions are absent or not implemented effectively.
Entities should also respond promptly and fully to address compliance weaknesses when issues first arise, identify their full extent and causes, and implement necessary changes to their compliance programs, practices, and procedures. These changes should reflect the specific gaps identified with respect to the applicable sanctions restrictions. Reminders of established compliance policies alone, may not result in concrete changes to conduct that poses risks of apparent violations.
This action further emphasizes the need for entities to identify and implement measures to mitigate sanctions risks when merging with or acquiring other enterprises. The need for such efforts can be particularly acute when expanding rapidly, including when disparate information technology systems and databases are being integrated across multiple entities. In such cases, the need to adequately resource compliance functions, including compliance personnel and sanctions-related technology and systems, is especially important.
In addition, this case illustrates the care non-U.S. persons should take to avoid prohibited transactions involving sanctioned jurisdictions and persons when their activities rely on the use of U.S. financial institutions or otherwise involve U.S. persons or a U.S. nexus. Non-U.S. persons that seek to conduct business involving U.S. persons or the United States, including processing transactions through the U.S. financial system, should ensure their compliance policies contain measures to prevent violative dealings with sanctioned persons or jurisdictions.