Compliance for Software Companies
Essential components of sanctions compliance management
The Office of Foreign Assets Control (OFAC) collaborates closely with other federal agencies and the intelligence community to develop sanctions programmes, frameworks, and models that advance US foreign policy and national security goals.
Let's look at the five essential components of sanctions compliance management, as recommended by OFAC:
Component 1:
Managerial commitment
- Managerial commitment is vital for top-down buy-in.
- OFAC expects senior management to demonstrate that commitment by reviewing and approving the software company's sanctions compliance programme.
- OFAC also encourages companies to foster communication between senior and lower-level management for greater compliance.
- OFAC prefers that companies appoint a sanctions compliance officer who understands both the organisation's technology systems and the sanctions that apply to them.
- Managers should take measures that promote sanctions compliance and report any violations.
Component 2:
Periodic risk assessment
- OFAC recommends that entities take a risk-based approach to their sanctions compliance programme.
- When conducting a risk assessment, it is vital to identify the prospective risks of sanctions violations that arise from your company's technological offerings, customers, and payment channels.
- A complete risk assessment programme should prevent or limit potential violations.
- OFAC expects the onboarding of new customers and payment channels to be part of that risk assessment.
Component 3:
Internal controls
- Effective sanctions compliance programmes should have specific internal controls guided by OFAC rules and regulations.
- They should also stay relevant and updated for sanctions and Specially Designated Nationals (SDN) lists.
Internal controls may include:
- Identifying weaknesses before they lead to violations
- Preparing a written sanctions compliance policy
- Implementing internal enforcement policies
- Maintaining and retaining records as required by all applicable sanctions programmes
- Remediating any identified weaknesses or gaps immediately
Component 4:
Testing and auditing
- OFAC stresses the need for testing and auditing the various parts of the sanctions compliance programme.
- Companies must ensure their leaders address red flags across the board.
- These protocols should identify internal and external weaknesses and deficiencies, which senior management addresses strategically while guiding other key employees toward compliance.
Component 5:
In-house and remote employee training
- OFAC recommends implementing and maintaining robust training programmes based on risk assessment results and the organisation's profile.
- Companies should try to customise training for their industry, especially for employees and managers at higher risk of encountering potential sanctions violations.
- Companies should fully commit to adequate training to prevent sanctions violations from occurring in the first place.
You can download a PDF of the expanded guidelines from the OFAC website.
Software Transfers Must Comply with Sanctions
Due to the global nature of information technology, software, websites, and applications are distributed worldwide, often with just a few clicks.
This reach can have unwanted legal consequences for an organisation if its software ends up with a foreign government or individuals sanctioned by the United States government (in the case of US sanctions).
Penalties for sanctions violations
The US government enforces sanctions against some countries, foreign governments, and SDNs to advance US foreign policy and national security objectives.
Congress enacts the statutes that authorise economic sanctions, while OFAC administers and enforces them. OFAC violations can result in civil and criminal penalties ranging from several thousand to millions of dollars, with up to 30 years' imprisonment.
Here's a closer look at how harsh these charges can be:
- Trading with the Enemy Act violations: Up to $50 000 per civil violation, $1 million in criminal penalties, and 20 years' imprisonment
- International Emergency Economic Powers Act (IEEPA) violations: Up to $308 000 per violation
- Foreign Narcotics Kingpin Designation Act (FNKDA) violations: Up to $10 million in fines, with individuals facing up to ten years' imprisonment
The severity of penalties is determined by the nature of the offence and the number of prior convictions. Accused parties must mount an expensive legal defence to fight the charges.
Software transfer sanctions exist on these products
Software companies should pay special attention to which sanctions laws apply to their products.
Technology sanctions apply to the following goods and services:
- Physical software products (although rare in today's world)
- Cloud-based software and applications
- Mobile phone applications
- Software-as-a-service (SaaS) products
- Other software delivery methods
These restrictions on software transfers to sanctioned nations bind everyone in the distribution chain: retailers, developers, IT service providers, and customers.
Rules are applicable by location
OFAC regulates software and applications differently depending on the sanctions programme for the relevant country, so the same software transfer may be treated differently for different destinations.
For instance, the Libya Sanction Regulations allow for tangible goods and services, including software, except as specifically outlined in Executive Order (EO) 13566, which prohibits transfers to officials of the Libyan government and central bank.
End-user screening is essential
Businesses can increase their OFAC compliance by implementing an effective end-user screening programme.
A strong end-user screening programme enables a software provider to ensure that the software is not sold to an embargoed country, SDN, or blocked individual, or for the benefit of the government of an OFAC-embargoed country.
Perform due diligence on payments
Those subject to US jurisdiction who receive payments originating from OFAC-sanctioned countries should conduct thorough due diligence to confirm that OFAC permits such payments without a government licence.
If the underlying payment is made by an SDN or other blocked party, costly complications may ensue.
Companies should consult a business lawyer if they have specific questions about their situation.
Example of a sanctions violation by a software company
In April 2021, the US government announced an enforcement action against a German software company for alleged US sanctions violations, as reported by Reuters.com.
According to agency notices, the software company supplied software and cloud-based services from the United States to third parties with reason to believe the offerings would be used or purchased by Iranian users or customers between 2010 and 2018.
The violations took place in two ways:
- Sold software licenses in Turkey, the United Arab Emirates, Germany, and Malaysia, who resold them to third parties in Iran
- Subsidiaries helped over 2 000 Iranian users to access cloud services hosted in the United States
Ultimately, the company voluntarily disclosed the issues, cooperated with investigators, and significantly improved its export controls and sanctions compliance programme. The company paid $8.3 million in fines to resolve the case.
This figure does not account for the total cost of investigating and resolving the issues at hand. The company spent more than $27 million on remediation, which was cited as a significant mitigating factor. The software company also agreed to three years of third-party compliance audits.
Lessons to learn from this case
At the time of writing, this case is the most recent sanctions enforcement action involving the online provision of goods or services.
As with previous announcements, there are several takeaways for the technology industry and businesses that conduct business online:
Data accessed from US servers is an export
Summary and final thoughts
With global tensions at an all-time high, it is more critical than ever for software companies to ensure that their products are exported and used only by entities not subject to trade sanctions.
- Sanctions may be imposed by an international organisation or an individual government such as the United States.
- An embargoed entity can be an entire nation or a specific organisation that has been subjected to trade restrictions for military, economic, or political reasons. The restrictions prohibit exports and imports of specific goods and services in order to exert pressure on the country's government.
Software companies face unique challenges
Software companies must contend with the illegal export or transfer of their products to sanctioned countries. It is unlawful to sell or transfer US software, hardware, and other products to them, yet software can be obtained easily over the internet, which makes illicit use of software in embargoed countries a serious issue.
Strengthen your software license programmes
It is becoming increasingly critical for software vendors to implement a license compliance programme to identify and control illegal use of their software in sanctioned countries or entities.
A robust programme can assist software vendors in identifying and reducing illegal usage of their products and confirming whether their software is being used in embargoed countries.
Combating software piracy requires sophisticated tools and capabilities for taking action against infringing entities. Additionally, software vendors must track the location of illegal usage to avoid violating the US or international trade sanctions.
Detailed evidence and a well-coordinated investigation strategy can assist in resolving the piracy issue, which may include license transfers or re-export to sanctioned countries.