Another week, another eye-popping enforcement action in sanctions compliance! This time around it’s British American Tobacco, paying $630 million to settle charges that the company engaged in a long-running scheme to evade U.S. sanctions and sell goods into North Korea.
The Justice Department and the Office of Foreign Assets Control (OFAC) announced the settlement jointly earlier this week. BAT will pay the fine and enter a three-year deferred prosecution agreement, while its Singapore subsidiary pleaded guilty to criminal bank fraud and sanctions violations.
The misconduct in question began in 2007. As described by the Justice Department, that’s when BAT spun off its North Korea business to a supposedly independent company, and published a statement declaring that BAT no longer did business there. Behind the scenes, however, BAT still exercised control over that North Korea spin-off, and funneled those North Korea revenues back into BAT coffers through its Singapore subsidiary.
The tobacco buyers in North Korea used front companies to hide their true identities, and conducted their transactions through a complicated network of banks in China and Singapore before the money eventually landed in the foreign branches of U.S. banks. Altogether the scheme caused 12 U.S. banks to process $251.1 million in transactions from 2009 to 2016. Figure 1, below, is a U.S. Treasury Department schematic of how it all worked.
According to OFAC’s settlement order, BAT senior management was well aware of the misconduct here. For example, internal BAT memos and emails demonstrate that BAT managers in Asia-Pacific knew as far back as 2005 that U.S. sanctions could prohibit banks from processing payments that involved North Korea; that’s what led the company to its murky divestment operation in 2007.
Even after the divestment, however, BAT managers kept accepting payments that traced back to North Korea — despite knowing that two banks involved in the deals had been sanctioned by OFAC. BAT and its subsidiaries also sought to conceal their conduct from Western banks, such as by letting a wire transfer expire rather than respond to a question from a bank that would have revealed the payment’s connection to North Korea. In total BAT netted about $415 million from its North Korea operation over seven years.
The Regulators Were Not Happy
OFAC’s portion of the penalty against BAT is $508.6 million — the maximum amount allowed by statute. We almost never see OFAC impose the maximum amount. Typically the agency starts by stating the maximum possible penalty, and then adjusts that number dramatically downward based on numerous mitigating factors.
None of that happened here. On the contrary, OFAC listed numerous aggravating factors in BAT’s conduct that led to the agency starting with that maximum possible penalty and then sticking with it. Among those factors:
- BAT and its subsidiaries knew that U.S. sanctions barred the sort of conduct they were doing, and then willfully conspired to do it anyway, transferring hundreds of millions of dollars through U.S. banks;
- BAT misled the public by announcing in 2007 that it had exited North Korea, then cooked up that scheme of front companies and complicated banking processes to hide their true activities;
- Management, right up to BAT’s executive committee, had actual knowledge regarding the scheme from its inception to its end;
- BAT is a sophisticated, global business ($34.5 billion in revenue last year) and should have known better;
- BAT’s violations helped North Korea to reap big money from cigarette sales to its citizens (as much as $1 billion a year, according to Western estimates), which Pyongyang then uses to fund its weapons programs.
The $508 million penalty is the largest that OFAC has ever imposed on a non-financial institution. The remaining $121 million goes to the Justice Department, and officials there had stern words to say, too.
“The United States is steadfast in its commitment to enforcing sanctions and withholding revenue for dictator Kim Jong-un,” U.S. attorney Matthew Graves said in a statement. “The charges unsealed today illustrate that the Department of Justice will hold North Korean facilitators accountable for their illegal efforts to prop up the North Korean regime, and assist it in obtaining funds to develop nuclear weapons.”
This is the second significant sanctions enforcement action we’ve seen lately. Just last week the Commerce Department fined Seagate Technologies $300 million for shipping prohibited hard drive components to China. In both cases, we saw management either recklessly unaware of sanctions rules (Seagate) or knowingly violating the rules (BAT).
And in both cases, we also saw the relevant regulators impose the largest fines they could. That tells you something.
BAT’s Compliance Obligations
As part of its settlement, BAT also agreed to a raft of “compliance commitments,” which seem to be improvements to the compliance program that BAT has already made, and that it promises to maintain for at least the next five years. We can group those commitments into a few categories.
Management commitments. Senior management has reviewed and approved BAT’s overhauled sanctions compliance program, and provided the sanctions compliance team adequate resources (defined as human capital, expertise, IT, and other resources) given the company’s overall risk profile. Management also promised that it will “promote a culture of compliance throughout the organization,” whatever that means.
Risk assessments. BAT has overhauled its risk assessment program to consider risks from its clients, customers, services, supply chain, intermediaries, and counterparties. Risk assessments will also need to be updated as necessary to account for any new issues BAT might find during the routine course of business, such as through controls testing or audits. (Side note: this is exactly what the Justice Department recommends for risk assessments in its guidelines for effective compliance programs.)
Internal controls, Part I. BAT needs to maintain a complete set of internal controls, from written policies and procedures to IT controls to internal and external audits. Whenever the company discovers a weakness in internal controls, it must take “immediate and effective action” to address the problem. That means compensating controls introduced immediately to stop the harm, followed up by a root cause analysis and more permanent corrective controls.
Internal controls, Part II. BAT must communicate its sanctions compliance program policies and procedures to all relevant personnel, including gatekeepers and external parties that might handle sanctions compliance duties for BAT. The company also needs to integrate its sanctions compliance policies and procedures “into daily operations” — which sounds somewhat vague, but also sounds somewhat like the Three Lines of Defense model that Microsoft implemented for its sanctions compliance program in a settlement announced earlier this month.
BAT also committed to extensive employee training, controls testing and audits, and annual certification of the sanctions compliance program for the next five years. The certifications must be signed by a “senior-level executive or manager,” which sounds vague to me, but I’ll look into it.
Anyway, that is this week’s big sanctions enforcement news. Deputy attorney general Lisa Monaco did say earlier this year that “sanctions is the new FCPA.” Clearly we should take her at her word.