OFAC Settlement with Swiss ICT Service Provider Reinforces Message to Foreign Companies: Beware Any US Nexus
Geneva-based Société Internationale de Télécommunications Aéronautiques SCRL (“SITA”) has agreed to pay the US Office of Foreign Assets Control (“OFAC”) nearly $8 million to settle its potential civil liability for apparent violations of US sanctions laws, despite taking steps to ensure compliance. The new enforcement action—the latest in a series against information and communications technology (“ICT”) companies—highlights two key messages: (i) that OFAC views virtually any US nexus as sufficient for OFAC to assert its jurisdiction and (ii) that the failure to implement what OFAC refers to as “comprehensive and detailed” risk-based compliance to properly identify and manage sanctions risk can create substantial exposure for non-US companies. This message is particularly important for non-US companies whose provision of goods or services abroad is tied to US-based ICT infrastructure or support services to process data or transactions.
SITA is headquartered in Switzerland and provides commercial telecommunications network and information technology services to the civilian air transportation industry, including both member and non-member airlines. The settlement announcement notes that the SITA group includes US subsidiaries that develop, host and support certain SITA group products, though it is not clear that the existence of a US subsidiary was essential to the assertion of US jurisdiction.
At issue in the enforcement action was the provision of services by SITA to several airlines that had been designated by OFAC under the Global Terrorism Sanctions Regulations (“GTSR”)—Mahan Air, Syrian Arab Airlines, Caspian Air, Meraj Air and Al-Naser Air. Pursuant to the GTSR, all interests in property of such designated entities that are in the United States are blocked, 31 C.F.R. § 594.201(a), and US persons are prohibited from providing any goods or services to such designated entities, id. §594.204(a). OFAC interprets these prohibitions as applying to the provision of any services to designated parties from the United States. 31 C.F.R. § 594.406. SITA itself, being a Swiss entity, is not a US person and so is not directly subject to these prohibitions.
Nevertheless, OFAC determined that SITA’s provision of services to the designated airlines was “subject to U.S. jurisdiction.” The basis for this conclusion, in OFAC’s words, was the fact that SITA provided the airlines services and software (described below) that “were provided from, or transited through, the United States or involved the provision of U.S.-origin software with knowledge that customers designated as SDGTs would benefit from the use of that software.”
The services and software at issue were the following. First, SITA provided the airlines access to a messaging service that enables users to communicate with others in the industry, for example, to order aircraft maintenance, refuel planes, arrange and change routes, facilitate baggage transfers, and book passengers. The messages are routed through SITA’s “megaswitches” located in Atlanta, Georgia, and Singapore, and OFAC determined that the routing of messages through Atlanta to, from or on behalf of the designated airlines was a sufficient nexus to assert its jurisdiction. Second, SITA provided the designated airlines access to a “global lost baggage tracing and matching system that is hosted on SITA’s servers in the United States, and maintained by SITA’s subsidiary located in the United States.” Because the system is hosted in the United States, providing access to the system constituted a prohibited exportation of services from the United States.
Lastly, and most controversially, OFAC alleged that SITA provided the designated airlines access to a US-origin software application that allows shared users of a common terminal to manage processes such as check-in and baggage management. OFAC did not allege that this software was hosted in the United States, downloaded from a US server or had any other nexus to the United States apart from its US origin. Instead, in explaining its jurisdiction, OFAC noted that the alleged violations “involved the provision of U.S.-origin software with knowledge that customers designated as SDGTs would benefit from the use of that software.” Presumably, the “provision” of such software occurred abroad, and was engaged in by SITA, a non-US person. It is not clear why such conduct is “subject to US jurisdiction,” as the GTSR do not prohibit the re-export of US-origin goods or services to designated parties. OFAC’s reference to “knowledge that customers designated [under the GTSR] would benefit from the use of that software” suggests that perhaps OFAC was focusing on the original exportation of that software from the United States, but there is no statement that the airlines were designated at the time the software was exported or any other statement articulating how the use of US-origin software abroad can violate the GTSR.
Considerations for Non-US Entities
SITA’s settlement reinforces a long line of enforcement actions in which OFAC has brought enforcement actions against non-US entities for conduct abroad that somehow touches the United States. As demonstrated by this action, the breadth of OFAC’s assertion of jurisdiction is expansive and includes the provision of back-office functions, such as hosting software on a server in the United States or routing messages through the United States.
The case is also noteworthy for what it highlights about the perils of failing, in OFAC’s words, to adequately “vet compliance risk” based on a “comprehensive and detailed compliance program.” OFAC makes clear that SITA undertook sanctions reviews upon designation of the airlines, and that while it took steps to terminate “ticketing, airfare, e-commerce and other service” in response to those designations, it continued to provide benefits to these airlines through the messaging service, baggage tracking system and US-origin software. OFAC uses these facts to emphasize SITA’s acknowledgement that its compliance efforts were “primarily reactive” and perhaps not comprehensive in nature. Although OFAC does not elaborate on the reasons for SITA’s disparate treatment of these services, the facts suggest that SITA either did not identify, or did not fully evaluate, the potential sanctions issues raised by its software, technology and IT infrastructure.
Finally, the case highlights OFAC’s continued scrutiny and emphasis on robust risk-based compliance programs, as well as the mitigation credit it affords for remedial compliance measures. Although SITA did not voluntarily disclose the apparent violations and had “actual knowledge” it was providing services to these designated entities, OFAC afforded substantial mitigation to the company and emphasized the “extensive remedial efforts and enhancements to its compliance program” undertaken in response to the matter. Notably, these included the establishment of a global trade board “to expressly vet compliance risk” associated with the company’s operations on an ongoing basis. More broadly, the trade board sits within a formal compliance organization with defined roles and responsibilities, including a trade compliance advisory committee to address legal issues and a dedicated global head of ethics and compliance to develop and improve the compliance function, as well as a number of other policies and procedures to manage the company’s compliance.
Non-US companies that rely on back-office services provided in the United States, or that provide services that otherwise touch the United States, should consider taking steps to ensure that they carefully identify, evaluate and manage their sanctions exposure and have in place an appropriate risk-based OFAC compliance program to mitigate the risk of an OFAC enforcement action.