Anyone looking for an example of systemic failures in sanctions compliance, and of how a company might rectify those issues, need look no further than Toll Holdings and the settlement it reached with U.S. regulators on Monday.
Toll, a freight forwarding and logistics business based in Australia, agreed to pay $6.1 million to the Office of Foreign Assets Control to settle charges that it repeatedly violated U.S. sanctions law in the 2010s by shipping goods to or from North Korea, Iran, Syria, and various persons on sanctions watch lists. The details in OFAC’s settlement order paint an unflattering picture: Toll rapidly expanded through Asia-Pacific by acquiring local freight forwarding companies, but never followed up with adequate sanctions controls and procedures. End result: $48.4 million worth of transactions that violated U.S. sanctions.
Corporate growth outpacing your compliance program’s capabilities is a tale we’ve heard many times before, but there are lessons to be learned in every example. So let’s take a close look at the allegations against Toll and see what we can find.
As recounted in the OFAC settlement order, Toll’s misconduct ran from 2013 to 2019, when the company handled more than 2,900 transactions with parties in North Korea, Syria, Iran, or with others on U.S. sanctions lists. The transactions were generally managed by Toll’s overseas units, involving 23 subsidiaries across Asia, Europe, the Middle East, and North America. Payments were processed through at least four U.S. financial firms, so there’s your sanctions violation.
The root problem was that while Toll did have a sanctions policy, it had little in the way of an actual compliance program to enforce that policy across its sprawling enterprise. As OFAC said:
“Beginning in 2007, Toll began to acquire a number of small, local, or regional freight forwarding companies, including in the Asia Pacific region. By 2017, Toll had almost 600 invoicing, data, payment, and other system applications spread across its various business units. While Toll had a sanctions compliance policy in place, its compliance program, personnel, and associated controls failed to keep up with the pace and complexity of its growing operations…”
We’ve heard similar woes many times before in FCPA enforcement actions: rapid international expansion, with no commensurate scaling of the compliance program. We even heard it as recently as last week, when Stericycle agreed to pay $84 million to settle FCPA charges over widespread bribery in Latin America.
Toll just reminds us that the same lackadaisical approach can plague sanctions compliance too — perhaps to an even greater extent, since sanctions compliance can be so complex and overseas businesses might not understand their exposure to U.S. law.
You Need a Program, People
At Toll, matters escalated in the mid-2010s. By 2015, one of Toll’s banks had restricted a subsidiary’s use of its U.S. dollar account after identifying a dollar transaction involving Syria. That prompted an employee at Toll’s headquarters to warn other employees in the company’s South Korea and UAE affiliates to avoid including the names of sanctioned jurisdictions on invoices going forward. Meaning, Toll knew it had a sanctions issue and at least some employees were trying to evade sanctions rather than correct the problem.
In July 2015, the CEO of one of Toll’s operating divisions sent an email to employees reminding them of the company’s international sanctions compliance obligations, but violations persisted. In 2016, Toll decided to cease all business with U.S.-sanctioned countries due to the compliance risks — but despite Toll’s compliance team “repeatedly instructing business units” not to deal with sanctioned countries, Toll never followed up with the compliance policies and procedures necessary to prevent payments involving sanctioned persons.
Only in 2017 did Toll take dramatic action. It implemented “hard controls” in its freight management system that disabled the country and location codes for ports and cities in sanctioned countries. That finally prevented shipments to or from sanctioned countries.
By then, of course, the damage was done. Toll subsequently self-reported the violations to OFAC and implemented a flock of compliance program reforms to knock down its potential penalties.
Calculating the Compliance Factors
According to statute, the maximum civil penalty Toll would face for violations like this is (gulp) $826.4 million. But because Toll voluntarily self-disclosed the violations and because the violations themselves weren’t egregious, OFAC guidelines specify that the penalties should be capped at $15.33 million.
So how did we get from $15.33 million down to the $6.1 million that Toll will actually pay? As usual, OFAC listed a few aggravating factors and a few mitigating ones.
Among the aggravating factors making things worse:
- Toll acted with reckless disregard, because it had a sanctions policy and executives knew violations were happening. Specifically, one of Toll’s U.S. banks warned the company. The transactions continued into early 2017 anyway.
- Roughly 14 percent of the transactions involved parties sanctioned for weapons of mass destruction, a big no-no in OFAC world.
- Upon first learning in 2015 of its sanctions troubles, Toll did not take immediate or adequate steps to stop processing the problematic transactions.
The mitigating factors making things better mostly related to the steps Toll took starting in 2017 to build a true sanctions compliance program. Those steps:
- Conducting a risk-mapping exercise to identify the root causes of the compliance lapses and instituting remedial measures and controls;
- Performing an audit that resulted in recommendations and further implementation of changes to its remediation efforts;
- Restructuring the compliance division to address procedural issues and streamline approaches to sanctions screening, and granting elevated sanctions-related responsibilities to its most senior compliance executive;
- Implementing a sanctions compliance training program for more than 500 employees across five countries;
- Implementing “hard controls” within its freight management system that disabled the ability to book shipments involving sanctioned jurisdictions;
- Applying its sanctions compliance standards to anyone acting on behalf of Toll, including consultants, agents, brokers, and subcontractors;
- Risk-based screening of transactions, third parties, and agents with whom Toll does business against its internal sanctions lists, to include the SDN List as well as other less-restricted parties lists; and
- Ending all franchise relationships and introducing enhanced due diligence measures for on-boarding agents, as well as instituting a due diligence screening process where all third parties adhere to the same compliance standards as Toll.
Those are a lot of steps to stand up a compliance program. At an abstract level, they aren’t much different from what you’d implement for an anti-corruption program. Policies and procedures, a sufficiently strong compliance leader, due diligence for third parties, employee training — that’s all straight from the Sentencing Guidelines, the Justice Department guidance on compliance programs, and the FCPA Resource Guide.
The true lesson here is to implement those steps from the very start of your global expansions, so you can scale them up properly as business expands. Otherwise, your compliance risks race along with business expansion, while your compliance program staggers far behind — which, alas, is another tale we’ve heard time and again, too.