Sometimes that third-party risk is a party mighty close to you. Such was the case with an Oklahoma steel manufacturer, which just paid $435,000 to settle charges that its chief engineer sub-contracted design work to an Iranian engineering company owned by the man’s brother.
The company, Alliance Steel, agreed to pay the fine to the Office of Foreign Assets Control. According to the settlement order posted by OFAC on Monday, Alliance engaged with the Iranian engineering firm more than 60 times from 2013 to 2018. So even though Alliance conducts no business overseas and doesn’t even market itself beyond U.S. borders, its sub-contracting practices still ran afoul of U.S. sanctions law.
As described in the OFAC order, Alliance did most of its engineering and design work internally during the 2010s — but when the company did have more design work than it could handle, it outsourced that work to third parties. The company’s then-chief engineer oversaw that sub-contracting process, and as OFAC blandly phrased it: “Alliance outsourced a significant portion of its engineering work to an Iranian engineering company that was owned by his brother.” In total, the engineer directed about $1.45 million worth of business to his brother.
Even worse: at least 12 other senior executives at Alliance knew about this arrangement, and that the subcontractor firm was an Iranian business. Several of those other executives were even involved in approving and issuing checks to the Iranian firm.
How did that lack of judgment come to pass? Alliance says that because the company otherwise operated entirely within the U.S. market, those senior executives “were not attuned to the laws and regulations administered by OFAC.” Oh dear.
Anyway, a new CEO arrived at Alliance Steel in October 2018. He did understand U.S. sanctions law, immediately understood the hot water Alliance was in, and cut ties with the Iranian firm. (Alliance has also subsequently hired a new chief engineer.)
Fines, Factors, and Compliance
The statutory maximum potential fine for sanctions violations like these is $17.3 million. As usual, however, numerous factors led to Alliance paying far less — only 2.5 percent of that potential maximum. So let’s do the math on how Alliance won such a favorable outcome.
First, Alliance self-reported its violations to OFAC, and the violations themselves qualified as a non-egregious case. Right away, that knocked down the potential maximum penalty to only $725,000.
Alliance still had several aggravating factors:
- The company failed to exercise even a minimal degree of caution, by failing to conduct basic due diligence on the Iranian engineering firm — its only overseas business partner.
- Senior management at Alliance knew the company was outsourcing work to an Iranian firm, and those executives were even involved in approving invoices and issuing checks to the firm.
- The problematic business relationship lasted at least five years.
Then we have several mitigating factors:
- Alliance had no previous trouble with OFAC violations. (No surprise there: the company had no overseas business relationships at all, except for the Iranian engineering firm.)
- The company had self-reported the violations and then cooperated with OFAC’s investigation, “providing detailed information in a well-organized and timely manner.”
- The company took remedial measures that included firing the chief engineer and drafting an export compliance policy that required training for managers and approval from the company president for all overseas contracts.
Add those factors all together, and you net out at a penalty of $435,000.
Sanctions and Best Practices
What strikes me most about this case is that it isn’t a teachable moment about export compliance, really. It’s a teachable moment about basic compliance program hygiene.
Take, for example, the chief engineer sending business to his brother. Yes, that was a sanctions violation because the brother’s firm was based in Iran — but more broadly, that’s a conflict of interest regardless of anyone’s nationality.
Perhaps the Alliance executive team did know about the brother conflict, even if they missed the significance of the Iran connection. The lesson for the rest of us generally is that you need a strong conflicts of interest policy because such policies can bring all sorts of potential risks to the surface. Then you can give those threats their proper attention.
The second issue here is about management’s understanding of risk. The Alliance team simply didn’t define their compliance risks broadly enough. They only saw export risk in terms of customers, and ignored the risk from vendors. That was a narrow interpretation of the risk, which ended up biting them in the rear.
It was interesting to see that when the new CEO arrived in 2018, he immediately saw the problem afoot. As usual, strong, competent leaders are your best defense against corporate compliance trouble.
Alliance didn’t have proper policies and procedures in place, because it didn’t understand what its compliance risks were, because it didn’t have managers sufficiently knowledgeable about the risks their operations generated.
That’s the trap we all need to avoid.