Datanamix | AML Sanctions Screening

Compliance for Software Companies

While sanctions impose restrictions on commerce with specific individuals, entities and states, export controls impose limitations on the distribution of products and services, including software and applications.

Essential components of sanctions compliance management

The Office of Foreign Assets Control (OFAC) collaborates closely with other federal agencies – and the intelligence community – to develop sanctions programmes, frameworks, and models that advance foreign policy and national security goals.

Let’s look at the five essential components of sanctions compliance management, as recommended by OFAC:

Component 1:
Managerial commitment

  • Managerial commitment is vital for top-down buy-in.
  • OFAC expects total commitment from senior management, demonstrated by reviewing and approving their software company’s sanctions compliance programme.
  • OFAC also encourages companies to foster communication between senior and lower-level management for greater compliance.
  • OFAC prefers that companies appoint a sanctions compliance officer who understands both the technology systems in the organisation and the sanctions involved.
  • Managers should take measures that promote sanctions compliance and communicate any violations.

Component 2:
Periodic risk assessment

  • OFAC recommends that entities take a risk-based approach to their sanctions compliance programme.
  • When conducting a risk assessment, it is vital to identify prospective risks that could cause sanctions violations as they relate to your company’s technological offerings, customers, and payment safeguards.
  • A complete risk assessment programme should prevent or limit any potential breaches.
  • OFAC believes entities should have a seamless onboarding process for their customers and payments.

Component 3:
Internal controls

  • Effective sanctions compliance programmes should have specific internal controls guided by OFAC rules and regulations.
  • They should also stay relevant and updated for sanctions and Specially Designated Nationals (SDN) lists.

Internal controls may include:

  • Identifying witnesses before potential violations
  • Preparing a written sanctions compliance policy
  • Implementing internal enforcement policies
  • Maintaining and retaining records per all sanctions programmes
  • Remediating any internal weaknesses and opportunities immediately

Component 4:
Testing and auditing

  • OFAC stresses the need for testing and auditing the various parts of the sanctions compliance programme.
  • Companies must ensure their leaders address red flags across the board.
  • These protocols should identify internal and external weaknesses and deficiencies, which senior management strategically manages while guiding other key employees along the way toward compliance.

Component 5:
In-house and remote employee training

  • OFAC recommends implementing and maintaining robust training programmes based on risk assessment results and organisational profiles.
  • Companies should try customising training for their industry, especially for employees and managers at a higher risk of potential sanctions violations.
  • Companies should fully commit to adequate training to prevent sanctions violations from occurring in the first place.

You can download a PDF of expanded guidelines from the OFAC website here.

Software Transfers Must Comply with Sanctions

Due to the global nature of information technology, software, websites, and applications are globally distributed – often with just a few clicks.

Globalisation can have unwanted legal consequences for an organisation if its software is distributed to a foreign government or individuals sanctioned by the United States government (for US sanctions).

Penalties for sanctions violations

The US government enforces sanctions against some countries, foreign governments, and SDNs to advance US foreign policy and national security objectives.

Congress has the power and authority to enact economic sanctions regulations, while OFAC imposes and enforces relevant laws. OFAC violations can result in several thousand to millions of dollars in civil and criminal penalties with up to 30 years imprisonment.

Here’s a closer look at how harsh these charges can be:

  • Trading with the Enemy Act Violations: Up to $50 000 per civil violation, $1 million in criminal penalties, and 20 years’ imprisonment
  • International Emergency Economic Powers Act Violations (IEEPA): Up to $308 000 per violation
  • Foreign Narcotics Kingpin Designation Act (FNKDA): Up to $10 million in fines, with individuals facing up to ten years’ imprisonment

The severity of penalties is determined by the nature of the offense and the number of prior convictions. Accused parties must mount an expensive legal defence to fight the charges.

Software transfer sanctions exist on these products

Software companies should pay special attention to which sanctions laws apply to their products and services.

Technological sanctions exist on the following goods and services:

  • Physical software products (although rare in today’s world)
  • Cloud-based software and applications
  • Mobile phone applications
  • Software-as-a-service (SaaS) products
  • Other software delivery methods

Limitations on software transfers to sanctioned nations apply to retailers, developers, IT service providers, and customers alike.

Rules are applicable by location

OFAC regulates software and applications differently, depending on the relevant country’s regulations, resulting in differential treatment for various software transfers to multiple countries.

For instance, the Libyan Sanctions Regulations allow for tangible goods and services, including software, except as specifically outlined in Executive Order (EO) 13566, which prohibits transfers to officials of the Libyan government and central bank.

End-user screening is essential

Businesses can increase their OFAC compliance by implementing an effective end-user screening programme.

A strong end-user screening programme enables a software provider to ensure that the software is not sold to an embargoed country, SDN, or blocked individual, or for the benefit of the government of an OFAC-embargoed country.

Perform due diligence on payments

Those subject to US jurisdiction who receive payments from OFAC-designated countries should conduct thorough due diligence to ensure that OFAC permits such payments without requiring a governmental license.

If the underlying payment is made by an SDN national or blocked party, costly complications may ensue.

Companies should consult a business lawyer should they have specific questions about their situation.

Example of a sanctions violation by a software company

In April 2021, the US government initiated litigation with a German software company for alleged US sanctions violations, as reported by

According to agency notices, the software company supplied software and cloud-based services from the United States to third parties with reason to believe the offerings would be used or purchased by Iranian users or customers between 2010 and 2018.

The violations took place in two ways:

  1. Sold software licenses to parties in Turkey, the United Arab Emirates, Germany, and Malaysia, who resold them to third parties in Iran
  2. Subsidiaries helped over 2 000 Iranian users to access cloud services hosted in the United States

Ultimately, the company voluntarily disclosed the issues, cooperated with investigators, and significantly improved its export controls and sanctions compliance programme. The company paid $8.3 million in fines to resolve the case.

This figure does not account for the total cost of investigating and resolving the issues at hand. The company spent more than $27 million on remediation, which was cited as a significant mitigating factor. The software company also agreed to three years of third-party compliance audits.

Lessons to learn from this case

This case is the most recent sanction enforcement action involving the online provision of goods or services.

As with previous announcements, there are several takeaways for the technology industry and businesses that conduct business online:

Data accessed from US servers is an export

Sanctions and export control laws enacted by the United States have a broad reach. This case demonstrates that providing services and downloading software from US servers are considered “exports” and may be subject to approval by OFAC and Commerce.

Always perform intermediary due diligence

This case demonstrates how intermediaries can expose a business to liability under US sanctions and export control regulations. Appropriate due diligence, controls, and monitoring of distributors and resellers are especially critical when a US company lacks complete visibility into the identities of the end users of its goods or services.

Intermediaries are not “risk-free”

The software company permitted subsidiaries to operate independently, despite being aware that those subsidiaries lacked adequate sanctions compliance programmes. Companies must ensure that non-US affiliates maintain sufficient controls, particularly following the acquisition of new entities.

Compliance teams matter

The company relied on its US-based compliance team. However, the team was underfunded, lacked authority to manage the processes, and ran into resistance from the subsidiaries. OFAC emphasised in its notice that compliance teams must be adequately resourced and empowered to implement compliance controls in response to identified risks.

Train employees adequately

Employees based outside the United States oversaw the sale of US-based offerings and travelled to Iran. Corporations with a US presence should educate all relevant employees about red flags to identify and report issues.

Auditors identified the absence of IP address geo-blocking as a risk to sanctions compliance in 2006, but the company did not implement adequate controls until 2015. OFAC stated that, by failing to act on audit findings, the company was negligent concerning US economic sanctions, and cited this failure as an aggravating factor.
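As an added example, not code from Datanamix, OFAC or the company in the case, the following script shows the kind of end-user screening check described under “End-user screening is essential” combined with the IP geo-blocking control the auditors called for. Everything in it is constructed: the SDN-style entries, the embargoed-country codes and the IP-to-country table are placeholders, not real OFAC data, and the similarity thresholds are assumptions to tune against your own false-positive rate. A production system would load the official SDN list and a maintained geolocation database, and route every “review” outcome to a human.

```python
"""Minimal end-user screening: embargoed country, IP geolocation, SDN name match.
Added example with constructed data; not the page's, OFAC's or any vendor's code."""
import ipaddress
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# --- Constructed sample data (placeholders, NOT real OFAC lists) -------------
EMBARGOED_COUNTRIES = {"IR", "KP", "SY", "CU"}          # assumed ISO codes
SDN_LIST = [                                            # constructed entries
    {"name": "Example Trading Co", "aka": ["Example Trading Company", "ETC Ltd"], "country": "IR"},
    {"name": "Jane Q. Sample", "aka": ["J. Sample"], "country": "XX"},
]
# Constructed IP-to-country table using documentation ranges (TEST-NET-2/3).
IP_COUNTRY_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]
LEGAL_SUFFIXES = {"co", "company", "ltd", "llc", "inc", "corp", "corporation", "the"}


def normalise(name):
    """Fold accents, case, punctuation and legal suffixes so that
    'Exámple Trading Co., Ltd.' and 'example trading' compare equal."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return " ".join(t for t in text.split() if t not in LEGAL_SUFFIXES)


def name_similarity(a, b):
    """Fuzzy score in [0, 1] on the normalised names (difflib ratio)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def ip_country(ip):
    """Look the client IP up in the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in IP_COUNTRY_TABLE:
        if addr in net:
            return cc
    return None


@dataclass
class ScreeningResult:
    decision: str                               # "allow", "review" or "block"
    reasons: list = field(default_factory=list)  # audit trail for the record


def screen_end_user(name, declared_country, client_ip=None,
                    match_threshold=0.85, review_threshold=0.70):
    """Return a decision plus the reasons, most restrictive outcome winning."""
    reasons, decision = [], "allow"

    # 1. Declared country against the embargo list.
    if declared_country in EMBARGOED_COUNTRIES:
        reasons.append(f"declared country {declared_country} is embargoed")
        decision = "block"

    # 2. IP geolocation: geo-blocking plus a mismatch check against the declaration.
    if client_ip:
        geo = ip_country(client_ip)
        if geo in EMBARGOED_COUNTRIES:
            reasons.append(f"client IP {client_ip} geolocates to embargoed country {geo}")
            decision = "block"
        elif geo and geo != declared_country:
            reasons.append(f"client IP country {geo} differs from declared {declared_country}")
            decision = "review" if decision == "allow" else decision

    # 3. Fuzzy name screening against every SDN name and alias.
    best, best_entry = 0.0, None
    for entry in SDN_LIST:
        for candidate in [entry["name"], *entry["aka"]]:
            score = name_similarity(name, candidate)
            if score > best:
                best, best_entry = score, entry
    if best >= match_threshold:
        reasons.append(f"name matches SDN entry '{best_entry['name']}' (score {best:.2f})")
        decision = "block"
    elif best >= review_threshold:
        reasons.append(f"name resembles SDN entry '{best_entry['name']}' (score {best:.2f})")
        decision = "review" if decision == "allow" else decision

    return ScreeningResult(decision, reasons)


if __name__ == "__main__":
    for args in [("Acme Widgets GmbH", "DE", "198.51.100.7"),
                 ("Exámple Trading Co., Ltd.", "DE", "198.51.100.7"),
                 ("Acme Widgets GmbH", "DE", "203.0.113.5"),
                 ("Exemplar Trading", "FR", "198.51.100.7")]:
        print(args, "->", screen_end_user(*args))
```

The three checks are deliberately independent so that a clean name does not mask an embargoed IP, and vice versa; every reason is kept so the record-retention requirement in Component 3 can be met from the screening log itself.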

Summary and final thoughts

With global tensions at an all-time high, it is more critical than ever for software companies to ensure that their products are exported and used only by entities not subject to trade sanctions.

  • Sanctions may be imposed by an international organisation or an individual government such as the United States.
  • An embargoed entity can be an entire nation or a specific organisation that has been subjected to trade restrictions for military, economic, or political reasons to exert pressure on the country’s government by prohibiting exports and imports of specific goods and services.

Software companies face unique challenges

Software companies must contend with the illegal export or transfer of products to sanctioned countries. It is unlawful to sell or transfer US software, hardware, and other products to them. However, software can be obtained easily via the internet, which means that illicit software use in embargoed countries is a serious issue.

Strengthen your software license programmes

It is becoming increasingly critical for software vendors to implement a license compliance programme to identify and control illegal use of their software in sanctioned countries or entities.

A robust programme can assist software vendors in identifying and reducing illegal usage of their products and confirming whether their software is being used in embargoed countries.

Combating software piracy requires sophisticated tools and capabilities for taking action against infringing entities. Additionally, software vendors must track the location of illegal usage to avoid violating US or international trade sanctions.

Detailed evidence and a well-coordinated investigation strategy can assist in resolving the piracy issue, which may include license transfers or re-export to sanctioned countries.

Always seek legal and professional help if you need advice and guidance.

Please contact us for more information on our range of services