It is hard to argue that Apple and Amazon do not have the resources to implement state-of-the-art OFAC compliance programs. After all, the two largest companies in the world should stand as beacons of compliance with the full support of senior management, robust compliance departments, and sophisticated automated systems to support their compliance efforts. 

Apple

Even the mighty can fall – Apple agreed to pay OFAC $467k for violations of the Foreign Narcotics Kingpin Sanctions regulations.

In 2008, Apple entered into an applications development agreement with SIS, a Slovenian company.  SIS and its director and majority owner, Savo Stjepanovic, were designated under the Foreign Narcotics Kingpin Designation Act and added to the SDN List. 

Apple’s screening tool failed to identify SIS and Stjepanovic.  According to Apple, its screening tool failed to match different upper case and lower case letters that appeared in Apple’s system and the SDN List.  Specifically, Apple claimed that its screening software failed to match the upper case name “SIS DOO” with the lower case name “Sis d.o.o.”   The term “d.o.o.” is a standard corporate suffix in Slovenia identifying a limited liability company.

Two months after OFAC’s designation of Stjepanovic, Apple facilitated the transfer of a portion of SIS’s applications to a second software company, which several months later, transferred the ownership of SIS’s remaining applications to a third company.  The owner of the company substituted its banking information for payments.  Apple failed to re-screen the parties to these transactions. 

Apple acknowledged that the address in its system matched the address listed in the SDN designation.  Apple also incorrectly listed Stjepanovic as an “account administrator” rather than as a “developer,” and only screened developers rather than account administrators.

Apple hosted a number of applications in its Application Store, and allowed downloads and sales of the blocked SIS applications, received payments from the Application Store users who downloaded the locked SIS applications, permitted SIS to transfer and sells its applications to two other developers, and remitted to SIS each month the revenues produced by the locked SIS applications.

Apple discovered the violations in February 2017 when it upgraded its sanctions screening tool.  Apple’s finance team immediately suspended payments to the SIS account.  However, it took Apple multiple months to suspend payments to a third party that processed payments for SIS.

In total, Apple made 47 payments to SIS in violation of OFAC sanctions.  Apple collected about $1.2 million over 54 months from customers who downloaded SIS applications.

Apple voluntarily disclosed the matter and promptly cooperated with OFAC requests for documents and further information.

As part of its remediation effort, Apple re-configured its primary sanctions screening tool and instituted mandatory training for all employees on export and sanctions regulations.

Amazon

On July 8, 2020, Amazon settled with OFAC for $134,523 for violations of multiple OFAC sanctions programs.  Amazon’s violations stemmed from deficiencies from its sanctions screening processes. 

Between November 15, 2011 to October 18, 2018 persons in Crimea, Iran and Syria placed orders on Amazon’s websites for consumer and retail goods and services.  The transaction information confirmed that the persons were located in Crimea, Iran and Syria.  In addition, Amazon accepted and processed orders for persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan and Syria.  Overall, the violations involved low-value retails goods and services for which the total transaction value was around $269,000.

Amazon’s screening system failed to fully analyze all transaction and customer data.  In some cases, customer orders referenced a sanctions jurisdiction, a city within a sanctioned jurisdiction or a common alternative spelling for a sanctioned jurisdiction.  For some reason, Amazon’s screening program failed to flag these transactions.

OFAC cited several examples, which are helpful to understand the screening failures: (1) Amazon did not flag orders with address fields containing an address in “Yalta, Krimea” for the term “Yalta,” a city in Crimea nor the variation of the spelling of Crimea; (2) Amazon did not flag or prevent shipments to the Embassy of Iran located in other countries; and (3) in several hundred instances, Amazon failed to flag the correctly spelled names and addressed of persons on OFAC’s SDN List.

OFAC cited Amazon’s lack of due caution or care when it implemented sanctions screening processes because Amazon did not properly review or assess addresses, customer names or common variations of data as part of its sanctions screening.

Amazon undertook significant remedial measures to address its sanctions screening deficiencies.  Amazon also agreed to employ internal and third-party sources to conduct a thorough review of Amazon’s sanctions compliance programs and its automated screening system.  To this end, Amazon enhanced its sanctioned jurisdiction Internet Protocol (IP) blocking controls and implemented automated processes to update continually its mapping of IP ranges associated with sanctioned jurisdictions.

In commenting on the case and lessons learned, OFAC noted that:

Global companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues, such as common misspellings. Routine testing of these processes to ensure effectiveness and identify deficiencies may also be appropriate.