We have a fresh sanctions enforcement action to study this week, courtesy of a New Jersey construction company fined $660,000 for its Middle East subsidiary secretly shipping goods to Iran.
The U.S. Office of Foreign Assets Control (OFAC) announced the enforcement action on Wednesday. The company in question, Construction Specialities Inc., will pay the fine and implement a suite of compliance reforms including new policies, expanded training, and new testing and audits of its sanctions compliance program.
So what happened? According to the OFAC settlement order, Construction Specialities operated a Middle East subsidiary (“CSME”) headquartered in Dubai. In the mid-2010s, Construction Specialties possessed what’s known as a General License H — a license from the Treasury Department that allowed overseas subsidiaries of U.S. companies to do business with Iran, so long as those transactions didn’t involve any re-exportation, sale, or supply of any goods or services sourced from the United States.
In other words, CSME could do business with Iran, so long as the deals didn’t involve the U.S. parent company in any way. (General License H was abolished during the Trump Administration, by the way.)
Construction Specialties did adopt a compliance policy and gave written instructions to the general manager of CSME, spelling out how the Middle East subsidiary could and could not engage with Iran. The company even changed its reporting structure so that CSME’s general manager would no longer report to the U.S.-based CEO on anything related to CSME’s business dealings with Iran.
Alas, all that policy and training didn’t take. In 2016 and 2017, the CSME general manager and a lieutenant, sourced $1.1 million worth of materials for an Iranian shopping mall project from Construction Supplies and another vendor in the United States. They also tried to cover up their scheme by stripping mention of Iran from the purchase orders and any mention of the United States from invoices and other related documents.
This all unraveled when a U.S. citizen working at CSME in Dubai discovered what was going on. That employee confronted the CSME managers, who fired him. The employee then flew back to Construction Specialties headquarters in New Jersey and spilled the beans. The U.S. bosses then launched an investigation, fired the CSME general manager, and self-reported the violations to OFAC.
A Compliance Analysis
These violations qualify as egregious under OFAC enforcement standards because they involve a senior executive (the CSME general manager). As such, Construction Specialties had to make a much more extensive set of compliance program improvements (and for the next five years) than we usually see in OFAC enforcement actions. Let’s take a look.
First are a set of management commitments. Senior executives must review and approve the sanctions compliance program, give the compliance team sufficient autonomy and authority to enforce sanctions compliance policies, and then support the compliance team by giving it adequate resources — in the form of human capital, expertise, and IT, among other resources — as appropriate.
Better risk assessments. Construction Specialties needs to conduct a fresh sanctions risk assessment, including risks posed by (prepare yourself, this list is long) the company’s clients, products, services, the supply chain, intermediaries, counterparties, transactions, or geographic locations. The company must also develop a methodology to identify, analyze, and address these risks; and update the risk assessments to account for the root causes of compliance violations or control deficiencies found as a result of, say, routine audits or testing.
Let’s pause here to note just how extensive this description of the risk assessment is. Other companies might want to step back and consider how you would accomplish a risk assessment this exhaustive. Who does it? What technology or tools do they need? How do you incorporate audit findings into an updated risk assessment? Clearly it implies a lot of cooperation between the sanctions team and whatever audit team you have.
Internal controls. Construction Specialties must also implement a suite of internal control, starting with sanctions policies and procedures. Specifically, OFAC says, those policies and procedures must be relevant to the organization, capture day-to-day operations and procedures, [and] be easy to follow.”
Why is that interesting? Because yet again we see a regulator stressing that policies and procedures must be relevant and understandable to employees. You can’t just copy and paste the language of a regulation into your policy manual and declare victory. The Securities and Exchange Commission has harped on this bad habit repeatedly; now it’s OFAC’s turn.
Aside from the updated and relevant policies, Construction Specialties also promised that whenever it discovers a deficient control, it will take “immediate and effective action” to implement compensating controls until the root cause of the weakness can be identified and remediated.
Another interesting item: the settlement also specifies exactly what these internal controls must do: “These internal controls should enable [the company] to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC.”
Among all the verbs in that prior sentence, I’d be most concerned about escalate and report. Let’s remember, that’s how Construction Specialties uncovered this mess in the first place (when the U.S. employee discovered the scheme and brought news of it back to the bosses in New Jersey). The smoother your escalation and reporting processes work, the better.
And Compliance Program Certification!
Jeez, we haven’t hyperventilated about this for a while! But tucked at the bottom of the OFAC settlement order is a promise that every year for the next five years, a “senior-level executive” will certify that the company “has implemented and continued to maintain the sanctions compliance measures as committed above.”
Now, this is a civil proceeding rather than a Justice Department criminal settlement, so the consequences for submitting an erroneous certification are presumably lower — but an erroneous certification could still be unpleasant for the person doing the signing. At the least, any future violations would put the company in a difficult position with OFAC and the board would be on the warpath. Who gets scapegoated then?
Probably the person whose signature is on the form. Isn’t the life of a compliance officer thrilling?