Best Practices

On Tuesday, OFAC issued an advisory about Iran’s Civil Aviation industry and the deceptive practices it uses. Here are some highlights – the introductory section:

Subject: Deceptive Practices by Iran with respect to the Civil Aviation Industry

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this Advisory to highlight for the civil aviation industry, including parties providing services to the industry, Iran’s deceptive practices with respect to aviation matters. Industry parties who engage in or support unauthorized transfers of U.S.-origin aircraft or related goods, technology, or services to Iran, or who conduct business with designated Iranian airlines, risk OFAC enforcement or sanctions actions.

In particular, both U.S. and non-U.S. persons operating in the civil aviation industry face potential civil and criminal consequences for violating OFAC’s sanctions programs, including by engaging in unauthorized transfers of U.S.-origin aircraft or related goods, technology, or services to Iran. Additionally, non-U.S. persons could be designated or made subject to other sanctions actions for engaging in unauthorized activities with persons designated in connection with Iran’s proliferation of weapons of mass destruction, support for international terrorism, or human rights abuses (collectively, “designated Iran-related persons”)—including, as of the date of this Advisory: Mahan Air, Caspian Air, Meraj Air, Pouya Air, Dena Airways, Al-Naser Airlines, Syrian Air, Dart Airlines, Khors Aircompany, Kyrgyz Trans Avia, Qeshm Fars Air, and UM Air—as well as any Iranian individual or entity on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List) (other than a non-designated Iranian depository institution), such as Iran Air.

Persons considering continued aviation business with Iran need to understand the role that many Iranian commercial airlines play in supporting the Iranian regime’s efforts to foment regional violence through terrorism, its weapons programs, and other destabilizing activity to include exploiting its own people through brutal human rights abuses against women, political opponents, and others. Iran has routinely relied upon Iranian commercial airlines to fly fighters and materiel to international locations in furtherance of Iranian state-sponsored terror operations. In conducting these flights, certain Iranian commercial airlines enable Iran’s military support for the Assad regime by delivering lethal materiel including weapons shipments, prolonging the brutal conflict and the suffering of millions of Syrians.

Iran employs deceptive schemes—as described in this advisory—to illicitly procure U.S.-origin aircraft parts from across the world. These efforts, often directed by senior level Iranian officials, constitute a deliberate and persistent pattern to deceive and exploit legitimate businesses, financial institutions, and governments.

Treasury is committed to continued action to target the resources Iran uses to suppress its people, sponsor terrorism, and engage in human rights abuses and other destabilizing activities. General sales agents and other entities that continue to provide services to U.S.-designated Iranian airlines like Mahan Air remain at risk of sanctions actions. Potentially sanctionable activities—when conducted for or on behalf of a designated person—could include:

• Financial services

• Reservations and ticketing

• Freight booking and handling

• Procurement of aircraft parts and equipment

• Maintenance

• Airline ground services

• Catering

• Interline transfer and codeshare agreements

• Refueling contracts

Since early 2018, the United States has designated 10 entities that have provided support to Mahan Air, including front companies procuring spare aircraft parts; general sales agents providing services in Malaysia, Thailand, and Armenia; and Qeshm Fars Air, which helps Mahan Air facilitate the IRGC-QF’s malign activities.

The civil aviation industry should be alert to deceptive practices used by some Iranian persons, designated airlines, and their agents or affiliates to acquire unauthorized U.S.-origin aircraft or related goods, technology, or services subject to U.S. jurisdiction in violation of U.S. sanctions prohibitions.

Maintenance and Temporary Sojourn Licensing:

Maintenance of the Safety of Flight Statement of Licensing Policy and Temporary Sojourn General License. OFAC will continue to evaluate civil aviation-related license applications under the safety of flight statement of licensing policy found in the ITSR at 31 C.F.R. § 560.528. To the extent exporters believe that proposed transactions qualify for the safety of flight statement of licensing policy in 31 C.F.R. § 560.528, exporters may submit applications pursuant to that provision and must clearly describe how the proposed activities fall within its parameters. Applications should include a complete listing of all goods (including, for example, parts, components, accessories, attachments, systems, and equipment), technology, and services being proposed for export. Please note that General License J-1, which authorizes the reexportation to Iran of certain civil aircraft on temporary sojourn remains in effect. In addition, exporters should review the Export Administration Regulations to determine whether a BIS license is required in addition to OFAC authorization.

Deceptive Practices:

Deceptive Practices Used To Acquire Aircraft and Related Goods, Technology, or Services in Violation of the ITSR, GTSR, or WMDPSR. Some of the deceptive practices that Iranian persons and their agents and affiliates have used to acquire U.S.-origin aircraft or related goods, technology, or services in violation of the ITSR, GTSR, or WMDPSR include the following:

• Using front companies and other pass-through entities in third countries in Europe, the Middle East, Africa, and Asia to conceal or obfuscate the ultimate Iranian beneficiary of U.S.-origin aircraft and aviation-related materials or foreign-made aircraft containing 10 percent or more U.S.-controlled content by value. For example, on May 24, 2018, Treasury designated an illicit network concealed by Turkish front companies that surreptitiously procured U.S.-origin parts for Mahan Air. This network purchased airline aviation parts from foreign vendors, with delivery to Istanbul, and then forwarded those parts, including U.S.-origin, export-controlled goods, to Mahan Air.

• Iranian persons continue to circumvent U.S. sanctions and procure U.S.-origin aircraft parts through third-party suppliers from multiple jurisdictions in Europe, East Asia and the Middle East, with many parts originating from suppliers in North America and Europe. In certain cases, European suppliers maintain offices in Tehran and have instructed Iranian airlines to remit payments to accounts in third countries.

• Misrepresenting to suppliers, dealers, brokers, re-insurers, and other intermediaries that sanctions against Iran have been lifted.

• Claiming activities are authorized by OFAC without providing copies of any OFAC licenses purportedly held by the parties.

• Sourcing U.S.-origin aircraft, non-U.S.-origin aircraft containing 10 percent or more U.S.-controlled content by value, and U.S.-origin goods, technology, or services from third countries known to have strong reputations for aircraft maintenance, repair, and overhaul operations, but limited export control or sanctions enforcement capabilities.

• Using general trading firms located in free trade zones, which do not ordinarily appear to deal in aviation goods, to place orders for U.S.-origin aircraft parts or components.

• Placing orders for U.S.-origin aircraft parts or components from firms in one country for delivery to freight forwarding or logistics firms in a second country.

Intermediaries, such as escrow companies and brokers, should remain vigilant for possible falsified or fabricated documentation relating to OFAC licenses, aircraft registration information, insurance data, overflight movements, use of front companies, and other deceptive practices intended to conceal the ultimate end-users of aircraft or related goods, technology, or services. Such intermediaries should also be on heightened alert for concealed or obscured end-users when delivery of aircraft involves overflight of or stopovers in Iran.

And Treasury issued the following press release:
Treasury Advisory Highlights Iranian Airlines’ Support of Destabilizing Activity

OFAC Outlines Risks to Civil Aviation Industry of Dealing with Iranian Airlines

Washington – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Iran-related Advisory to inform the civil aviation industry of potential exposure to U.S. Government enforcement actions and economic sanctions for engaging in or supporting unauthorized transfers of aircraft or related goods, technology, or services to Iran or to designated Iranian airlines.

“The Iranian regime uses commercial airlines to further the destabilizing agenda of terror groups like the Islamic Revolutionary Guards Corps (IRGC) and its Qods Force (IRGC-QF), and to fly fighters from their proxy militias across the region.  The international civil aviation industry, including service providers like general sales agents, brokers, and title companies, need to be on high alert to ensure they are not complicit in Iran’s malign activities,” said Sigal Mandelker, Under Secretary of the Treasury for Terrorism and Financial Intelligence.  “Lack of adequate compliance controls could expose those operating in the civil aviation industry to significant risks, including civil or criminal enforcement actions or economic sanctions.”

The advisory provides information on the role many Iranian commercial airlines play in supporting the Iranian regime’s efforts to foment regional violence through terrorism, supplying weapons to its proxy militias and the Assad regime, and other destabilizing activity.  Iran has routinely relied upon certain Iranian commercial airlines to fly fighters and materiel to international locations in furtherance of Iranian state-sponsored terror operations.  In conducting these flights, these Iranian commercial airlines enable Iran’s military support for the Assad regime by delivering lethal materiel including weapons shipments, prolonging the brutal conflict and the suffering of millions of Syrians.

For example, the advisory highlights Mahan Air, which plays an integral role supporting the IRGC-QF and its regional proxies by transporting foreign fighters, weapons, and funds.  Mahan Air has also transported IRGC-QF Commander Qasem Soleimani, who is sanctioned under United Nations Security Council Resolution 2231 and subject to a United Nations travel ban.  Since 2018, the United States has imposed economic sanctions on 11 entities and individuals that have provided support to, or acted for or on behalf of, Mahan Air, including a bank providing financial services, front companies procuring spare aircraft parts, and general sales agents providing services in Malaysia, Thailand, and Armenia.  The United States also designated Qeshm Fars Air, a commercial cargo airline controlled by Mahan Air and a key facilitator of the IRGC-QF’s malign activities in Syria, in early 2019 under terrorism authorities.

General sales agents and other entities that continue to provide services to U.S.-designated Iranian airlines like Mahan Air remain at risk of sanctions actions.  Potentially sanctionable activities — when conducted for or on behalf of a designated person — could include:

  • Financial services
  • Reservations and ticketing
  • Freight booking and handling
  • Procurement of aircraft parts and equipment
  • Maintenance
  • Airline ground services
  • Catering
  • Interline transfer and codeshare agreements
  • Refueling contracts

The advisory also describes various deceptive practices employed by the Iranian regime to evade sanctions and illicitly procure aircraft and aircraft parts ranging from the use of front companies and unrelated general trading companies to falsifying or fabricating documentation relating to end-use or OFAC licenses.  Intermediaries should be on heightened alert to the practices highlighted in this advisory.

Links:

OFAC Notice

Civil Aviation Advisory

Treasury Press Release

From the “Risk Assessment” section of OFAC’s “A Framework for OFAC Compliance Commitments”:

OFAC recommends that organizations take a risk-based approach when designing or updating an SCP.

That flies in the face of everything OFAC has said over the years about sanctions being a strict liability regime. So, now imagine… if you have some level of risk-based flexibility, how might you run your sanctions compliance program differently?

Just sayin’…

VI. Sanctions Screening Software or Filter Faults

Many organizations conduct screening of their customers, supply chain, intermediaries, counter-parties, commercial and financial documents, and transactions in order to identify OFAC-prohibited locations, parties, or dealings. At times, organizations have failed to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties—particularly in instances in which the organization is domiciled or conducts business in geographies that frequently utilize such alternative spellings (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).

VII. Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.)

One of the fundamental components of an effective OFAC risk assessment and SCP is conducting due diligence on an organization’s customers, supply chain, intermediaries, and counter-parties. Various administrative actions taken by OFAC involved improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic location(s), counter-parties, and transactions, as well as their knowledge and awareness of OFAC sanctions.

VIII. De-Centralized Compliance Functions and Inconsistent Application of an SCP

While each organization should design, develop, and implement its risk-based SCP based on its own characteristics, several organizations subject to U.S. jurisdiction have committed apparent violations due to a de-centralized SCP, often with personnel and decision-makers scattered in various offices or business units. In particular, violations have resulted from this arrangement due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk or potential OFAC customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.

IX. Utilizing Non-Standard Payment or Commercial Practices

Organizations subject to U.S. jurisdiction are in the best position to determine whether a particular dealing, transaction, or activity is proposed or processed in a manner that is consistent with industry norms and practices. In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement non-traditional business methods in order to complete their transactions.

X. Individual Liability

In several instances, individual employees—particularly in supervisory, managerial, or executive-level positions—have played integral roles in causing or facilitating violations of the regulations administered by OFAC. Specifically, OFAC has identified scenarios involving U.S.-owned or controlled entities operating outside of the United States, in which supervisory, managerial or executive employees of the entities conducted or facilitated dealings or transactions with OFAC-sanctioned persons, regions, or countries, notwithstanding the fact that the U.S. entity had a fulsome sanctions compliance program in place. In some of these cases, the employees of the foreign entities also made efforts to obfuscate and conceal their activities from others within the corporate organization, including compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider using its enforcement authorities not only against the violating entities, but against the individuals as well.

Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions

Since its publication of the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, App. A (the “Guidelines”), OFAC has finalized numerous public enforcement actions in which it identified deficiencies or weaknesses within the subject person’s SCP. These items, which are provided in a non-exhaustive list below, are provided to alert persons subject to U.S. jurisdiction, including entities that conduct business in or with the United States, U.S. persons, or U.S.-origin goods or services, about several specific root causes associated with apparent violations of the regulations it administers in order to assist them in designing, updating, and amending their respective SCP.

I. Lack of a Formal OFAC SCP

OFAC regulations do not require a formal SCP; however, OFAC encourages organizations subject to U.S. jurisdiction (including but not limited to those entities that conduct business in, with, or through the United States or involving U.S.-origin goods, services, or technology), and particularly those that engage in international trade or transactions or possess any clients or counter-parties located outside of the United States, to adopt a formal SCP. OFAC has finalized numerous civil monetary penalties since publicizing the Guidelines in which the subject person’s lack of an SCP was one of the root causes of the sanctions violations identified during the course of the investigation. In addition, OFAC frequently identified this element as an aggravating factor in its analysis of the General Factors associated with such administrative actions.

II. Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations

Numerous organizations have committed sanctions violations by misinterpreting OFAC’s regulations, particularly in instances in which the subject person determined the transaction, dealing, or activity at issue was either not prohibited or did not apply to their organization or operations. For example, several organizations have failed to appreciate or consider (or, in some instances, actively disregarded) the fact that OFAC sanctions applied to their organization based on their status as a U.S. person, a U.S.-owned or controlled subsidiary (in the Cuba and Iran programs), or dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods and technology.

With respect to this specific root cause, OFAC’s administrative actions have typically identified additional aggravating factors, such as reckless conduct, the presence of numerous warning signs that the activity at issue was likely prohibited, awareness by the organization’s management of the conduct at issue, and the size and sophistication of the subject person.

III. Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)

Multiple organizations subject to U.S. jurisdiction—specifically those with foreign-based operations and subsidiaries located outside of the United States—have engaged in transactions or activity that violated OFAC’s regulations by referring business opportunities to, approving or signing off on transactions conducted by, or otherwise facilitating dealings between their organization’s non-U.S. locations and OFAC-sanctioned countries, regions, or persons. In many instances, the root cause of these violations stems from a misinterpretation or misunderstanding of OFAC’s regulations. Companies and corporations with integrated operations, particularly those involving or requiring participation by their U.S.-based headquarters, locations, or personnel, should ensure any activities they engage in (i.e., approvals, contracts, procurement, etc.) are compliant with OFAC’s regulations.

IV. Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries

Non-U.S. persons have repeatedly purchased U.S.-origin goods with the specific intent of re-exporting, transferring, or selling the items to a person, country, or region subject to OFAC sanctions. In several instances, this activity occurred despite warning signs that U.S. economic sanctions laws prohibited the activity, including contractual language expressly prohibiting any such dealings. OFAC’s public enforcement actions in this area have generally been focused on companies or corporations that are large or sophisticated, engaged in a pattern or practice that lasted multiple years, ignored or failed to respond to numerous warning signs, utilized non-routine business practices, and—in several instances—concealed their activity in a willful or reckless manner.

V. Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries

Many non-U.S. persons have engaged in violations of OFAC’s regulations by processing financial transactions (almost all of which have been denominated in U.S. Dollars) to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned country, region, or person. Although no organizations subject to U.S. jurisdiction may be involved in the underlying transaction—such as the shipment of goods from a third-country to an OFAC-sanctioned country—the inclusion of a U.S. financial institution in any payments associated with these transactions often results in a prohibited activity (e.g., the exportation or re-exportation of services from the United States to a comprehensively sanctioned country, or dealing in blocked property in the United States). OFAC has generally focused its enforcement investigations on persons who have engaged in willful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-U.S. or U.S. financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization’s management, caused significant harm to U.S. sanctions program objectives, and were large or sophisticated organizations.

TRAINING

An effective training program is an integral component of a successful SCP. The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.

General Aspects of an SCP: Training

An adequate training program, tailored to an entity’s risk profile and all appropriate employees and stakeholders, is critical to the success of an SCP.

I. The organization commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support the organization’s OFAC compliance efforts. Such training should be further tailored to high-risk employees within the organization.

II. The organization commits to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.

III. The organization commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile.

IV. The organization commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel.

V. The organization’s training program includes easily accessible resources and materials that are available to all applicable personnel.

TESTING AND AUDITING

Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.

General Aspects of an SCP: Testing and Auditing

A comprehensive, independent, and objective testing or audit function within an SCP ensures that entities are aware of where and how their programs are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as appropriate. Testing or audit, whether conducted on a specific element of a compliance program or at the enterprise-wide level, are important tools to ensure the program is working as designed and identify weaknesses and deficiencies within a compliance program.

I. The organization commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.

II. The organization commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its SCP and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.

III. The organization ensures that, upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

INTERNAL CONTROLS

An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.

Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC. These include the following: (i) updates to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other sanctions-related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions; and (iii) the issuance of general licenses.

General Aspects of an SCP: Internal Controls

Effective OFAC compliance programs generally include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that is prohibited by the sanctions programs administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance, and minimize the risks identified by an entity’s OFAC risk assessments. Policies and procedures should be enforced, and weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated in order to prevent activity that might violate the sanctions programs administered by OFAC.

I. The organization has designed and implemented written policies and procedures outlining the SCP. These policies and procedures are relevant to the organization, capture the organization’s day-to-day operations and procedures, are easy to follow, and designed to prevent employees from engaging in misconduct.

II. The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.

III. The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.

IV. The organization ensures that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.

V. The organization ensures that, upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

VI. The organization has clearly communicated the SCP’s policies and procedures to all relevant staff, including personnel within the SCP program, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing SCP responsibilities on behalf of the organization.

VII. The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation. This process includes consultations with relevant business units, and confirms the organization’s employees understand the policies and procedures.