Apple fined for OFAC screening violations
As the White House discusses the imposition of additional sanctions in the Middle East, the necessity of a strong sanctions program for all businesses is more critical than ever. Per the U.S. Treasury site, the Office of Foreign Assets Control (OFAC) serves to administer and enforce sanctions on individuals, firms, and nations that the United States has deemed “threats to the national security, foreign policy or economy of the United States.” While financial institutions are often the focus of sanctions screening due to the nature of their business and their role in the detection and prevention of money laundering and terrorist financing, all U.S. businesses are responsible for determining whether anyone they do business with appears on sanctions lists. From 2014 to 2018, nonbank institutions were fined approximately $466 million or 5% of all fines. The importance of nonbanks maintaining a sanctions program was highlighted by the recent OFAC action against a company many of us are affected by each day: Apple.
In November of last year, OFAC fined Apple nearly half a million dollars for the failure of its screening program to flag a sanctioned company and its owner in the App Store. Apple entered into an application development agreement with the firm before its addition to OFAC’s Specially Designated Nationals (SDN) List. Following its addition to the list, Apple’s screening tool failed to match the name due to how lowercase and uppercase letters were coded in the system. Additionally, Apple did not screen for address matches, despite the address published by OFAC matching the address Apple collected. OFAC also noted that the owner of the firm was “listed as an ‘account administrator’ in its App Store developer account, though he was not listed as a ‘developer.’ At the time, Apple’s compliance process screened individuals identified as developers, but did not screen all of the individual users identified in an App Store account against the SDN List.” These issues compounded: Apple failed to identify the sanctioned individual and his firm, which allowed them to conduct illegal transactions on its platform, and Apple paid the firm monthly for over two years.
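The three gaps described above (case-sensitive name comparison, no address comparison, and screening only the "developer" role) can be reproduced and closed in a few lines. The following is an added example, not Apple's or OFAC's code: the list entries, account data and function names are constructed for illustration. It assumes exact matching after normalization and leaves fuzzy name matching out of scope.

```python
import re
import unicodedata

# Constructed sample entries, not real SDN data.
SDN = [
    {"uid": "X-001", "name": "EXAMPLE Software d.o.o.",
     "address": "1 Sample Street, Exampleville"},
    {"uid": "X-002", "name": "Jan PRIMER",
     "address": "1 Sample Street, Exampleville"},
]

# Constructed account: the listed owner appears only as an administrator.
ACCOUNT = {"parties": [
    {"role": "developer", "name": "Some Other Person", "address": "9 Other Road"},
    {"role": "account administrator", "name": "jan primer", "address": ""},
    {"role": "company", "name": "Example SOFTWARE D.O.O.",
     "address": "1 sample street, exampleville"},
]}

def norm(s):
    """Case-fold, strip accents and punctuation, collapse whitespace."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^\w\s]", " ", s.casefold()).split())

def legacy_screen(account, sdn=SDN):
    """Simplified model of the gaps: exact-case names, developers only."""
    listed = {e["name"] for e in sdn}
    return [p["name"] for p in account["parties"]
            if p["role"] == "developer" and p["name"] in listed]

def screen_account(account, sdn=SDN):
    """Screen every party, whatever its role, by normalized name and address."""
    names = {norm(e["name"]): e["uid"] for e in sdn}
    addrs = {}
    for e in sdn:
        if norm(e["address"]):  # never index an empty address
            addrs.setdefault(norm(e["address"]), []).append(e["uid"])
    hits = []
    for p in account["parties"]:
        uid = names.get(norm(p["name"]))
        if uid:
            hits.append((p["role"], p["name"], "name", uid))
        for uid in addrs.get(norm(p.get("address", "")), []):
            hits.append((p["role"], p["name"], "address", uid))
    return hits
```

On the constructed account, `legacy_screen` returns no hits, while `screen_account` flags the administrator by name and the company by both name and address.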
We often expect tech giants such as Apple to have the most sophisticated screening tools in place to avoid these regulatory violations; however, the tools in place are only as effective as the teams that implement, monitor and audit their results. Independent model validations conducted by experts outside the organization afford firms an outside perspective on how to manage an effective sanctions program. These issues are not unique to Apple, and the complexity of the screening parameters to review, the frequency of SDN updates, and the increased globalization of business present challenges for many firms. By bringing in experts who have seen how industry leaders and competitors have tackled these issues previously, firms can stay ahead of potential violations.
As an industry best practice, it is recommended that firms receive an annual, independent audit of their sanctions program. In the case of Apple, these violations could have continued without internal detection indefinitely; per OFAC, it was not until Apple enhanced its sanctions screening tool and related processes that the sanctions violations were discovered, and a look back revealed the extent of the issue. By effectively transitioning to a sufficient screening tool, discovering the violation and immediately self-reporting, Apple avoided the statutory maximum civil monetary penalty of $74 million and settled for a fraction of it. While the costs and hours necessary for the development, maintenance and audit of a strong sanctions program can seem steep, they pale in comparison to the associated penalties of noncompliance.