The US Government Increases Pressure on Industry to "Know-Your-Customers" and "Know-Your-Suppliers" While Separately Acknowledging This Is Difficult

On November 25, 2019, the United States both issued an enforcement action against a private company for, in part, failing to identify a prohibited counterparty in a commercial transaction and at the same time acknowledged—in a government accountability report—the difficulties that government agencies themselves are facing in precisely the same area. In a year of record-high fines against companies that, even inadvertently, deal with prohibited parties, the message was clear: notwithstanding the difficulties associated with robust compliance procedures, the US government expects companies to screen, identify, and refuse to deal with prohibited parties, or else risk large civil, or even criminal, fines.

More specifically, the first of these two actions was announced by the US Department of Treasury, Office of Foreign Assets Control (OFAC). That day, OFAC issued an enforcement action against Apple, Inc. (Apple) based, in part, on the company's failure to properly screen a commercial counterparty that had restructured itself several times, apparently to hide its connection to an OFAC-sanctioned owner.¹ As a result, Apple apparently implicated OFAC sanctions regulations that prohibit companies from doing business with certain Specially Designated Nationals (SDN) (in this case, designated narcotics traffickers), and entered into a settlement agreement that included a $466,912 civil penalty. Later that same day, the Government Accountability Office (GAO) published a report recognizing that even the US government is facing difficulty in understanding the sometimes opaque ownership structure of its own contractors.² Nevertheless, and although the US government appears to recognize the difficulty of screening certain counterparties, these dual actions and high enforcement activity throughout 2019 continue to suggest that the US government expects end-to-end visibility into suppliers, customers, and any other counterparties for compliance with many regulatory regimes.

GAO's Report: Difficulty of Understanding Opaque Ownership Structures

On November 25, 2019, GAO published a public version of the report titled Defense Procurement: Ongoing DOD Fraud Risk Assessment Efforts Should Include Contractor Ownership. The report discusses the national security threat posed by companies that use shell companies with opaque ownership structure to disguise the beneficial owner, who own, control, or benefit financially from the business.

In the report, GAO discusses the challenges that Department of Defense (DOD) faces in identifying and verifying contractor ownership. GAO specifically notes the lack of centralized information source or registry on company ownership information in the United States. Although some states collect information during company formation, they are generally minimal. As a result, DOD contracting officers face "challenges in time-consuming efforts to verify contractor ownership."³ GAO also notes that "workload and resource constraints limit the extent to which they can verify contractor ownership."⁴ Moreover, the difficulty in identifying and verifying contractor ownership may be amplified when "the contractor is actively seeking to misrepresent its ownership."⁵

Even beyond the US government's direct contractors, the GAO's report further notes that there is additional risk involved with supply chain, given that a contractor's suppliers may use prohibited suppliers even when the contractor itself is an entirely permissible counterparty. Indeed, during this past year, OFAC, too, has highlighted potential supply chain risks in the sanctions area.⁶

Ultimately, the GAO's report recommends the DOD to assess the "risks related to contractor ownership as part of its ongoing efforts to plan and conduct a department-wide fraud risk assessment."⁷ GAO's report further recommends that DOD "involve relevant stakeholders with knowledge of emerging risks and use this information to help inform other types of risk assessments across the department, including for national security concerns."⁸

Although the scope of GAO's report (and its recommendations) is limited to government agencies and does not extend to private entities, it is notable that the US government itself is facing the same difficulties as private companies when dealing with compliance issues; and the GAO's report provides some indication to private companies as to what the US government expects generally. For example, the lack of centralized information source or registry on company ownership information affects not just government agencies, but also private entities. Yet, the GAO's report illustrates that the US government expects its agencies to dig into ownership even in the absence of such centralized information. This sends a message to companies, too, both small and large—that they must engage in "time-consuming efforts"⁹ to verify the ownership structure of their counterparties. This will undoubtedly pose challenges for small companies whose "workload and resource constraints" limit their efforts to verify counterparty ownership,¹⁰ but in a year of record-high OFAC enforcement, for instance, the risk of any company implicating US regulatory regimes by failing to undertake such efforts has become all-too-clear.

OFAC Settlement with Apple: More Enforcement for Failure to Identify and Verify Ownership Structures

Despite recognizing the difficulty of identifying and verifying ownership structure, the announcement of OFAC's settlement with Apple, on the same day the GAO's report was released, was a message that the US government continues to expect extensive screening of counterparties whose connection to an OFAC prohibition may not be immediately obvious.

As noted above, on the same day the GAO's report was published, OFAC announced a $466,912 settlement agreement with Apple for alleged violations of the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR), 31 C.F.R. Part 598. According to OFAC, Apple violated the FNKSR by hosting, selling, and facilitating the transfer of software applications and associated content of SIS, d.o.o. (SIS), a Slovenian software company that was identified as a significant foreign narcotics trafficker (SDNTK) on OFAC's List of Specifically Designated Nationals and Blocked Persons (SDN List) after Apple had already been dealing with that company for many years. Because of certain alleged weaknesses in Apple's screening systems, in addition to SIS's subsequent efforts to alter its corporate structure to mask its connection to the SDN List, Apple continued to deal with the prohibited party for several years following OFAC's designation.

More specifically, prior to the designation of SIS as SDNTK, Apple had entered into an app development agreement with SIS. On February 24, 2015, OFAC designated SIS and its majority owner, Mr. Savo Stjepanovic (Stjepanovic), as SDNTK.¹¹ However, according to the enforcement information, Apple's compliance screening process did not catch that certain of its existing counterparties had been added to the SDN List. With respect to SIS, and although Apple did have an OFAC screening system in place that screened all existing developers against any new SDNs, Apple indicated that its system failed to catch the SIS designation because SIS was in Apple's customer database with upper-case letters (i.e., SIS DOO), which prevented its screening software from identifying any match to SIS with its lower-case suffix (i.e., "SIS d.o.o."), as written on the SDN List. With respect to Stjepanovic, whose full name was stored in Apple's customer records because Stjepanovic was an "account administrator" in Apple's "App Store development account," OFAC determined that Apple failed to identify him upon the February 2015 designation because Apple's "compliance process screened individuals identified as ‘developers,' but did not screen all of the individual users" against the SDN List at the time.¹² Because Apple's screening tools were not set up in a way that identified either of these new SDNs, the company continued to deal with them despite being prohibited to do so under the FNKSR.

In addition to Apple's initial screening tool issues, the enforcement action against Apple incorporated a separate component, stemming from SIS's later efforts to alter its corporate structure, thereby seeking to evade US sanctions laws, and Apple's failure to identify such evasion. Specifically, according to OFAC, on two separate occasions in 2015 after OFAC's addition to SIS to the SDN List, SIS set up two new software companies, transferring the ownership of SIS's apps to those entities. These are precisely the type of opaque ownership risks that had been identified in the GAO's report discussed above.

In Apple's case, OFAC stated that one of these new companies "took over the administration of SIS's App Store account and replaced SIS's App Store banking information with his own banking information," but that those "actions were all conducted without personnel oversight or additional screening by Apple."¹³ Thus, Apple continued to process payments associated with these entities' blocked apps, including 47 payments directly to SIS, over a period of 54 months after SIS's designation; in total, collecting $1,152,868 from customers who downloaded SIS apps during that period. In reducing the potential base fine ($576,434) to the settlement amount of $466,912, OFAC cited as a mitigating factor the fact that Apple has since expanded its compliance screening to include designated payment beneficiaries and associated banks of the app developers.

* * *

OFAC's enforcement action against Apple, together with the GAO report released the same day, make clear that the US government expects, even for itself, comprehensive and effective screening against restricted party lists, including of beneficial owners and related parties, to determine where a counterparty may be subject to sanctions. Nor are these actions the first indication of the US government's expectations in these areas. Other recent regulatory developments have similarly demanded careful supply chain diligence, such as the actions the government has taken to limit the use of certain Chinese-made equipment in the government contracting supply chain,¹⁴ as well as other enforcement actions from earlier this year, focused on OFAC's expectations for companies' comprehensive screening and end-to-end visibility into their supply chain and customer base.¹⁵ In a year of such aggressive enforcement, companies should assess their current screening and diligence processes and consider whether additional and more powerful diligence is "due" in light of the government's continued focus on know your supply chain and know your customer requirements.

*Junghyun Baek contributed to this Advisory. Mr. Baek is a graduate of Harvard Law School and is employed at Arnold & Porter's Washington, DC office. He is not admitted to the practice of law.