Earlier this month, e-commerce, retail, and data giant Amazon.com, Inc. ("Amazon") agreed to a settlement with the Office of Foreign Assets Control ("OFAC") for apparent violations of U.S. sanctions programs.

According to OFAC, Amazon violated multiple U.S. sanctions: the company provided goods and services to individuals sanctioned by OFAC, to people located in sanctioned regions, and to people located in or employed by the embassies of countries sanctioned by OFAC. In addition, the company also failed to inform OFAC in a timely fashion of several hundred transactions that were made under a general license that included a mandatory reporting requirement.

Amazon's Apparent Violations

According to OFAC, Amazon violated U.S. regulations for nearly seven years, allowing orders for consumer and retail goods and services to be placed by persons on OFAC's List of Specially Designated Nationals and Blocked Persons (the "SDN List)," individuals located in Crimea, Iran, and Syria, and people working for the sanctioned embassies of Cuba, Iran, North Korea, Sudan, and Syria.

OFAC determined the source of the apparent violations to be faulty screening procedures: Amazon's automated processes failed to analyze all data required for compliance with OFAC sanctions. For example, the company's screening system did not flag several hundred transactions that involved individuals whose names appeared on the SDN List, even when the name on the order was an exact match with that on the list. Nor did it identify and stop orders involving alternative spellings of sanctioned locations ("Krimea" for "Crimea"), cities in sanctioned locations ("Yalta," a city in Crimea), or embassies of sanctioned countries located in third countries (the Embassy of Iran, in particular).

In addition, Amazon disclosed that it had not fully complied with the terms of General License No. 5 ("GL 5"), which authorized certain transactions normally prohibited by sanctions provided that the company report those transactions to OFAC within ten days. Amazon processed more than 600 orders covered by GL 5, successfully identifying and reporting nearly 250 of them, but failing to report within the required period an additional 362 transactions.

Elements of Successful Compliance Programs

The $134,523 penalty imposed by OFAC – quite mild by OFAC standards, which could have fined Amazon more than $1 billion for the improper transactions valued at $269,000 – reflects the both the agency's determination that Amazon's apparent violations were "non-egregious and voluntarily self-disclosed," and also the significant remedial measures the company implemented when it discovered the apparent violations.

Nevertheless, the settlement sends an important message to global online retailers [and smaller merchants alike]. Compliance systems must contain the following elements:

  1. Effective screening measures. E-commerce companies must have robust automated screening systems that compare data in all customer information fields, including in particular the name, city, and address fields, with the names and regions that have been sanctioned by OFAC. In addition, the screening measures must account for common misspellings so that they flag, for example, orders destined for "Krimea."

  2. Routine testing. OFAC recommends regular testing of screening processes to detect flaws in internal controls. This is especially important for companies like Amazon that process millions of dollars of orders per day.

  3. Swift remedies. When errors are discovered and internal compliance controls found to be lacking, companies must act quickly to not only identify and remedy the existing violations, but also implement measures that prevent further infractions from occurring. After the deficiencies that led to the apparent violations were discovered, Amazon invested in tailored training for its sanctions personnel, internal and third-party reviews of its compliance program, and enhanced Internet Protocol blocking controls, all of which were taken into consideration by OFAC when setting fines.

  4. Strict compliance with licensing obligations. Amazon's failure to meet the reporting requirements of GL 5 was an important component of the apparent violations. According to OFAC, because they were not reported within the required time period, "the authorization in GL 5 [was] nullified with respect to those 362 transactions."

  5. Self-disclosure of potential violations. OFAC considered Amazon's voluntary self-disclosure of the apparent violations and cooperation with the agency's investigation to be a mitigating factor in the settlement. OFAC also commended Amazon for conducting an internal investigation without receiving an administrative subpoena and identifying and disclosing the circumstances that led to the apparent violations.

OFAC's settlement with Amazon sends an important reminder to all online retailers and e-commerce companies that effective compliance programs – including systematic, in-depth screening and reporting procedures – are critical to prevent sanctions violations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.