Sanctions Screening Software Isn’t Foolproof

Article Summary
Sanctions screening software automates the process of checking individuals, entities, and transactions against sanctions lists to ensure compliance with AML regulations.
It can produce false positives, miss evolving sanctions, and rely on incomplete or outdated data, leading to compliance gaps.
False positives occur when the software flags individuals or entities incorrectly, often due to name similarities or incomplete data.
Organizations can address these limitations by combining automated tools with manual reviews, updating sanctions lists regularly, and leveraging advanced technologies like AI and machine learning.
Human oversight is critical for reviewing flagged results, resolving false positives, and ensuring compliance with complex regulations.
Sole reliance can lead to missed sanctions, regulatory penalties, and reputational damage if compliance gaps are not addressed.
Last week the Treasury Department’s Office of Foreign Assets Control (OFAC) announced that it had reached an agreement with Apple, Inc., to resolve apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations (“FNKSR”). Apple allegedly violated the FNKSR by hosting, selling, and facilitating the transfer of software applications developed by SIS, d.o.o. (“SIS”), a Slovenian software company. While the $470,000 settlement is the equivalent of a rounding error for the trillion-dollar company, the interesting part of the settlement agreement was the level of detail regarding Apple’s sanctions screening missteps and its resulting commitments to improve. The settlement highlights the importance of detailed screening procedures governing the use of sanctions screening software, and of adequate employee training to resolve potential red flags.
Apple entered into an app development agreement with SIS in 2008. On February 24, 2015, OFAC added SIS and its director/majority owner, Savo Stjepanovic, to its List of Specially Designated Nationals and Blocked Persons (the SDN List) for their role in an international steroid trafficking ring led by a Mihael Karner. As part of the announcement, OFAC provided SIS’s address, registration number, tax ID number, Mr. Stjepanovic’s date of birth and passport number as well as a diagram titled “KARNER Steroid Trafficking Network” linking SIS and Mr. Stjepanovic. Apple used its sanctions screening tool to screen app developer account holder names, but the tool failed to identify SIS as a blocked entity. According to Apple, the tool failed to match the upper case “SIS DOO” in Apple’s system with the SDN List’s lower-case version of “SIS d.o.o.” even though the system did match an address for SIS. Note that the term “d.o.o.” is a standard corporate suffix in Slovenia to identify limited liability corporations.
Apple’s screening software tool also failed to detect ties to Mr. Stjepanovic. Mr. Stjepanovic was listed as an “account administrator” in SIS’s App Store developer account and not as a “developer.” According to Apple, the company’s compliance procedures in place at the time did not screen all individual users identified in an App Store account but limited the search to those identified as “developers.” As a result, Apple continued to host SIS’s apps in the App Store, allowed downloads and sales, received payments from App Store users downloading the apps, permitted SIS to transfer and sell its apps to two other developers, and remitted funds on a monthly basis. It was not until February 2017, following enhancements to its sanctions screening tool, that Apple identified SIS as a potential hit. In that two-year period, Apple had made 47 payments associated with the blocked apps and collected a little over $1.1 million from App Store customers who had downloaded SIS apps.
As part of the enforcement announcement, OFAC highlighted various measures that Apple has undertaken to minimize risks in the future, including:
- An increased role for the Global Export and Sanctions Compliance Senior Manager in the escalation and review process;
- Reconfiguration of its primary sanctions screening tool to fully capture spelling and capitalization variations and to account for country-specific business suffixes;
- Annual review of the tool’s logic and configuration;
- Expanded sanctions screening to include app developers as well as their designated payment beneficiaries and associated banks;
- Updated employee instructions to review potential SDN matches flagged by the primary sanctions tools; and
- Mandatory training for all employees on export and sanctions regulations.
Apple isn’t the only company to have software screening issues come to light before OFAC. Earlier this fall, General Electric Company (“GE”), on behalf of three current and former GE subsidiaries [Getsco Technical Services, Inc.; Bentley Nevada; and GE Betz (collectively, the “GE Companies”)], agreed to settle potential civil liability for alleged violations of the Cuban Assets Control Regulations for accepting payment from the Cobalt Refinery Company (“Cobalt”) for invoices issued to GE’s Canadian customer. Although Cobalt had appeared on the SDN List since June 1995, the company’s status as an SDN went undetected by the sanctions screening software used by the GE Companies because the software had been screening for an acronym used by Cobalt (“Corefco”) rather than its full legal entity name, which appeared both on the checks received by the GE Companies and on the SDN List.
Similarly, in 2018, JP Morgan Chase Bank received a Finding of Violation from OFAC for violations of the FNKSR and the Syrian Sanctions Regulations when it processed transactions and maintained accounts for six customers identified on the SDN List. The software screening system it had in place from 2007 to 2013 failed to identify customer names containing hyphens, initials, or additional middle or last names as potential matches to similar or identical names on the SDN List. Additionally, employees failed to investigate the potential red flags further despite similarities in names, addresses, and dates of birth.
Each of these cases provides a snapshot of how minor breakdowns in sanctions screening software and/or the accompanying employee procedures can result in potential violations going undetected. As described in OFAC’s Framework for OFAC Compliance Commitments, published on May 2, 2019, root causes of screening software deficiencies arise when organizations fail to update their screening software to incorporate updates to the SDN List or the Sectoral Sanctions Identifications List, fail to include pertinent identifiers like SWIFT Business Identifier Codes for financial institutions, or fail to account for alternative spellings of prohibited parties or countries (e.g., Habana instead of Havana). When selecting a screening software solution, it is important to ensure that the solution is capable of recognizing each of these data elements and can conduct fuzzy logic searches to identify potential matches.
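The matching failures described in the three cases above (upper-case “SIS DOO” against “SIS d.o.o.”, an acronym screened instead of a full legal name, hyphens and initials, Habana for Havana) all come down to how a screening tool normalizes and compares names. The Python below is an added illustration written for this page; it is not code from the article, from OFAC, or from any company’s or vendor’s screening tool. It places a naive exact comparison beside a normalized, token-based fuzzy matcher run over a small constructed list. The `ListEntry` record, its alias field, the suffix set, the 0.8 per-token similarity threshold and the 0.85 screening threshold are assumptions chosen for the example; the entry names are taken from the article, and the “Corefco” alias stands for the acronym it mentions.

```python
"""Added example: a naive exact name comparison beside a normalized,
token-based fuzzy matcher. The failure modes it handles are the ones the
article describes (case, corporate suffixes such as d.o.o., hyphens and
initials, extra middle or last names, acronyms, alternative spellings)."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class ListEntry:
    """Constructed list record (assumption): a primary name plus aliases."""
    name: str
    aliases: tuple[str, ...] = ()


# Constructed sample list. The names appear in the article; the "Corefco"
# alias stands for the acronym the article mentions. Not the real SDN List.
SAMPLE_LIST = (
    ListEntry("SIS d.o.o."),
    ListEntry("Savo Stjepanovic"),
    ListEntry("Cobalt Refinery Company", aliases=("Corefco",)),
)

# Corporate suffixes carry no identifying information (assumed set).
# Dots are stripped before comparison, so "d.o.o." arrives here as "doo".
CORPORATE_SUFFIXES = {
    "doo", "inc", "llc", "ltd", "limited", "gmbh", "sa", "ag", "plc",
    "corp", "corporation", "company", "co",
}


def tokenize(name: str) -> list[str]:
    """Casefold, strip diacritics and punctuation, drop corporate suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    # Collapse dotted abbreviations ("d.o.o." -> "doo") before splitting.
    text = re.sub(r"(?<=\w)\.(?=\w)", "", text)
    tokens = re.split(r"[^a-z0-9]+", text)
    return [t for t in tokens if t and t not in CORPORATE_SUFFIXES]


def tokens_match(a: str, b: str, allow_initial: bool = True,
                 threshold: float = 0.8) -> bool:
    """Exact match, initial against full name (if allowed), or fuzzy match."""
    if a == b:
        return True
    if len(a) == 1 or len(b) == 1:
        return allow_initial and a[0] == b[0]
    return SequenceMatcher(None, a, b).ratio() >= threshold


def match_score(query: str, listed: str) -> float:
    """Fraction of the listed name's tokens found in the query. Extra middle
    or last names in the query do not lower the score; an initial may only
    stand in for a token when the listed name has more than one token."""
    q_tokens = tokenize(query)
    l_tokens = tokenize(listed)
    if not q_tokens or not l_tokens:
        return 0.0
    allow_initial = len(l_tokens) > 1
    remaining = list(q_tokens)
    hits = 0
    for lt in l_tokens:
        for i, qt in enumerate(remaining):
            if tokens_match(lt, qt, allow_initial):
                hits += 1
                del remaining[i]  # each query token may satisfy one listed token
                break
    return hits / len(l_tokens)


def naive_hit(query: str, entries=SAMPLE_LIST) -> bool:
    """Exact, case-sensitive comparison: this kind of check misses
    'SIS DOO' against 'SIS d.o.o.'."""
    return any(query == e.name for e in entries)


def screen(query: str, entries=SAMPLE_LIST, threshold: float = 0.85):
    """Potential hits as (listed name, score), best first. Every hit is a
    candidate for human review, not a confirmed match."""
    hits = []
    for e in entries:
        best = max(match_score(query, n) for n in (e.name, *e.aliases))
        if best >= threshold:
            hits.append((e.name, round(best, 2)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for q in ("SIS DOO", "Stjepanovic, S.", "Cobalt Refinery Co.",
              "CoReFCo", "Isis Holdings Ltd", "Acme Widgets Inc"):
        print(f"{q!r:28} naive={naive_hit(q)!s:5} fuzzy={screen(q)}")
```

Running the block shows the trade-off the article is about: the exact comparison misses “SIS DOO”, the abbreviated “Stjepanovic, S.” and the “Corefco” acronym, while the normalized matcher catches all three but also flags the constructed “Isis Holdings Ltd” against “SIS d.o.o.” Looser matching converts misses into potential hits, and each hit is only useful if a trained reviewer clears or escalates it, which is why the procedures and training discussed next matter as much as the tool’s configuration.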
However, even with these features added, a screening software tool will only be as effective as the accompanying procedures used to implement it. Companies should screen customers, intermediaries, and other parties involved in the transaction, including those mentioned in commercial and financial documents, in order to identify sanctioned destinations, parties, or dealings. Further, procedures should detail a process for employees to escalate a hit for further review so that potential matches are resolved. This requires training employees on the importance of sanctions screening as well as on the company’s specific policies and procedures for vetting information and reacting to potential red flags.
In short, while most screening software tools are comprehensive, the human element is key. Operators have to be adept at operating the screens, analyzing the results, and following up with additional scrutiny when warranted. Otherwise, the right tool may produce the wrong outcome.
Key Points
What is sanctions screening software?
- Definition: Sanctions screening software is a specialized tool that automates the process of screening individuals, entities, and transactions against sanctions lists. It helps organizations comply with Anti-Money Laundering (AML) regulations and avoid engaging with sanctioned parties.
- Purpose: The software reduces manual effort, streamlines compliance processes, and ensures adherence to global sanctions programs administered by bodies like OFAC.
Why isn’t sanctions screening software foolproof?
- False Positives: The software often flags individuals or entities incorrectly due to name similarities, incomplete data, or overly broad matching criteria.
- Evolving Sanctions Lists: Sanctions lists are frequently updated, and software may not always reflect the latest changes in real time.
- Data Gaps: Incomplete or outdated data in the system can lead to missed sanctions or incorrect results.
- Complex Scenarios: The software may struggle with nuanced cases, such as identifying sanctioned entities operating under aliases or through intermediaries.
What are false positives in sanctions screening?
- Definition: False positives occur when the software flags individuals, entities, or transactions as potential matches to sanctions lists, even though they are not actually sanctioned.
- Causes:
  - Name similarities (e.g., common names or transliterations).
  - Incomplete or inaccurate data in the screening system.
  - Overly broad matching algorithms.
- Impact: False positives can slow down operations, increase compliance costs, and frustrate customers or business partners.
How can organizations address the limitations of sanctions screening software?
- Combine Automation with Manual Reviews: Use human oversight to review flagged results and resolve false positives.
- Regularly Update Sanctions Lists: Ensure the software is updated with the latest sanctions data to avoid compliance gaps.
- Leverage Advanced Technologies: Incorporate AI, machine learning, and natural language processing (NLP) to improve accuracy and reduce false positives.
- Conduct Regular Audits: Periodically review the effectiveness of the software and refine its settings to align with organizational needs.
What role does human oversight play in sanctions screening?
- Critical Review: Human oversight is essential for analyzing flagged results, resolving false positives, and identifying nuanced risks that automated systems may miss.
- Regulatory Compliance: Trained personnel ensure that the organization adheres to complex and evolving regulations.
- Risk Mitigation: Human intervention helps prevent errors that could lead to regulatory penalties or reputational damage.
What are the risks of relying solely on sanctions screening software?
- Missed Sanctions: Incomplete or outdated data can result in missed matches, exposing the organization to regulatory penalties.
- Regulatory Penalties: Failure to comply with sanctions regulations can lead to fines, legal action, and reputational harm.
- Reputational Damage: Engaging with sanctioned entities, even unintentionally, can harm an organization’s reputation and erode stakeholder trust.
- Operational Inefficiencies: Over-reliance on software without human oversight can lead to delays and inefficiencies caused by unresolved false positives.