The Mighty Amazon Falls to the OFAC Sanctions Sword
How the Mighty Have Fallen – Old Testament (2 Samuel 1:19)
Amazon joins the exclusive club of high-tech OFAC violators. Last year, Apple settled with OFAC for sanctions violations. This year, we can add Amazon to the list of OFAC violators.
On July 8, 2020, Amazon settled with OFAC for $134,523 for violations of multiple OFAC sanctions programs. Amazon’s violations stemmed from deficiencies from its sanctions screening processes. As a result, Amazon provided goods and services: (1) to persons sanctioned by OFAC located in Crimea, Iran and Syria; (2) to individuals located in or employed by the foreign missions of the countries sanctioned by OFAC. In addition, Amazon failed to timely report several hundred transactions conducted pursuant to a general license issued by OFAC.
Between November 15, 2011 to October 18, 2018 persons in Crimea, Iran and Syria placed order on Amazon’s websites for consumer and retail goods and services. The transaction information confirmed that the persons were located in Crimea, Iran and Syria. In addition, Amazon accepted and processed orders for persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan and Syria. Also, Amazon accepted and processed orders from persons on OFAC’s Specially Designated Nationals List and several of the prohibited lists for narcotics traffickers, weapons of mass destruction, transnational criminal organizers, Democratic Republic of Congo, Venezuela, Zimbabwe, and foreign narcotics kingpins. Overall, the violations involved low-value retails goods and services for which the total transaction value was around $269,000.
Amazon’s screening system failed to fully analyze all transaction and customer data. In some cases, customer orders referenced a sanctions jurisdiction, a city within a sanctioned jurisdiction or a common alternative spelling for a sanctioned jurisdiction. For some reason, Amazon’s screening program failed to flag these transactions.
OFAC cited several examples, which are helpful to understand the screening failures: (1) Amazon did not flag orders with address fields containing an address in “Yalta, Krimea” for the term “Yalta,” a city in Crimea nor the variation of the spelling of Crimea; (2) Amazon did not flag or prevent shipments to the Embassy of Iran located in other countries; and (3) in several hundred instances, Amazon failed to flag the correctly spelled names and addressed of persons on OFAC’s SDN List.
Finally, Amazon failed to report 362 transactions involving Crimea that it conducted pursuant to General License No.5, which authorized various transactions during a wind-down period. General License No. 5 required that all transactions had to be reported within 10 days after the wind down period. Prior to this reporting failure, Amazon previously identified and reported to OFAC 245 transactions involving Crimea but failed to report the additional 362 transactions until well after the reporting period had expired.
Amazon’s earned a significant discount from the prescribed penalty primarily because of its voluntary disclosure and remediation efforts.
The statutory maximum penalty for the violations was $1.038 million. OFAC awarded credit for Amazon’s voluntary disclosure and its determination that the violations constituted a non-egregious case. As a result the penalty amount equals one-hal of the total transaction amount or $134,523.
OFAC assigned the following aggravating factors:
- Amazon’s lack of due caution or care when it implemented sanctions screening processes because Amazon did not properly review or assess addresses, customer names or common variations of data as part of its sanctions screening.
- While most of the violations involved low-value retail and consumer goods, some of the transactions involved orders for personal security products for persons located at the Iranian embassies in Tokyo, Japan and in Brussels, Belgium.
- Amazon is one of the largest and most commercially sophisticated companies in the world.
On the other side of equation, OFAC cited the following mitigating circumstances:
- Amazon had not received a penalty notice or Finding of Violation from OFAC in the five years preceding the intial date of the prohibited transactions.
- Amazon voluntarily disclosed the violations to OFAC, cooperated with OFAC’s investigation and submitted detailed information and entered into tolling agreements with OFAC. Amazon conducted an internal investigation without receiving an administrative subpoena and disclosed the circumstances of the transactions.
- Amazon undertook significant remedial measures to address its sanctions screening deficiencies and also agreed to undertake additional sanctions compliance commitments.
Amazon’s sanctions compliance commitments included investing substantial resources to improve Amazon’s sanctions compliance program by actively engaging senior management on its compliance improvements, adding significant headcount to its compliance teams and increasing the frequency of its sanctions compliance reviews.
Amazon also agreed to employ internal and third-party sources to conduct a thorough review of Amazon’s sanctions compliance programs and its automated screening system. To this end, Amazon enhanced its sanctioned jurisdiction Internet Protocol (IP) blocking controls and implemented automated processes to update continually its mapping of IP ranges associated with sanctioned jurisdictions.
Finally, Amazon committed to: (1) enhance its compliance training programs by providing training tailored to the roles of specific teams and specialized ad hoc training to personnel responsible for sanctions and export control compliance; and (2) incorporate and expand specific export control and sanctions provisions in its commercial agreements.
In commenting on the case and lessons learned, OFAC noted that:
Global companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues, such as common misspellings. Routine testing of these processes to ensure effectiveness and identify deficiencies may also be appropriate. Moreover, companies that learn of a weakness in their internal compliance controls may benefit by taking immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.