Originally published by the Journal of Commerce in January 2019
One of the topics that consistently makes the top five in just about every survey of issues of concern to companies is the cost of regulatory compliance. This is true in large measure because the complexity of the issues covered by those regulations keeps increasing, and the cost of compliance moves in the same upward direction.
In looking forward into the new year, looking back is instructive as well. It reveals at least one consistent theme in enforcement actions: the quality of the company’s compliance program, which includes the clarity of that program and the quality of the training given to staff. But then there is also the “what were you thinking?” factor.
In 2015, PayPal paid $7.65 million to settle a series of Office of Foreign Assets Control (OFAC) violations. As many will recall, PayPal had screening software in place. Whether or not it worked as intended, what came through loud and clear in the settlement agreement was that, regardless of how well the software worked, the staff was not properly trained.
OFAC described the situation up to 2013 as one where the company did “not appear to have implemented effective compliance procedures and processes to identify, interdict, and prevent transactions” violating various OFAC sanctions programs. For many, the saga was an old one. The system generated alerts, the staff did not understand the reason for the alerts and initially ignored them. When there were enough of them, corrective action was taken, but it was insufficient. Eventually, PayPal realized how non-compliant its operations were and took serious remedial action. That action included a voluntary self-disclosure which acknowledged:
A) 98 violations of the Cuba sanctions, involving goods worth $19,344.89;
B) 25 violations of one set of Iran sanctions, goods worth $2,109.82;
C) 100 violations of a different set of Iran sanctions, goods worth $6,147.84;
D) 33 violations of the Sudan sanctions, goods worth $3,314.43;
E) 94 violations of the terrorism sanctions, goods worth $5,925.27; and
F) 136 violations of the weapons of mass destruction sanctions, goods worth $7,091.77.
Perhaps equally devastating to PayPal’s circumstances was that the violations occurred over a nine-year period. As noted, PayPal eventually resolved the matter by paying a hefty fine, but it was also required, within six months of settlement, to make a presentation to OFAC establishing that it had put effective internal controls in place so the problems did not continue.
Looking further back in time and focusing on cybersecurity, there is the Target breach case. Readers will remember that the Target system was hacked using stolen credentials. The first successful intrusion occurred on November 15, 2013; subsequent intrusions triggered alerts which were not understood or acted upon in time. Target ended up paying $10 million to settle the class action lawsuit, $16.7 million to settle the payment processor/credit card company litigation, and another $18.5 million to settle claims brought by State Attorneys General. Target also reportedly spent more than $100 million to upgrade its systems. All of this occurred because the internal controls in place were neither precise, tested nor upgraded over time. Some alerts were not understood or acted upon in time and others were ignored, certain functionality had been turned off, the system did not limit access on a need-to-have basis, and, worst of all, the corporate IT staff, located both locally and in a third country, did not communicate well among themselves or agree in time on the seriousness of the situation and the first steps to be taken to minimize the damage.
One can look as well at the Equifax data breach case, where the hackers had 76 days to exfiltrate data. That hack was successful because a device meant to assist with detection was misconfigured and a digital certificate had expired. It also did not help that Equifax took approximately six weeks to publicly announce the breach.
Then there is the Uber breach that came to light in 2017. Uber paid $148 million to various States to settle litigation. Uber had reported a 2014 breach, but it sought to conceal the 2016 breach. Uber settled with the Federal Trade Commission, which found that Uber’s system lacked unique access credentials, failed to limit access on a need-to-know basis, failed to employ multi-factor authentication, and failed to encrypt the data it stored in the cloud. The FTC settlement terms are numerous, but perhaps most notable is the requirement for Uber to issue a yearly compliance report under penalty of perjury.
What the Equifax and Uber cases tell us is that it is not enough to have a set of internal controls. First, you have to put them in place, then make sure everyone is adequately trained on those procedures. Then you implement them, and then you test them. In reality this is a cycle: the internal controls should be regularly updated and improved, and so should the training.
All that having been said, there is also the “what were you thinking?” factor, and we have a very recent example of it. Zoltek Corporation and its affiliates settled a case with OFAC at the end of 2018. The company paid $7,772,102, which could have been avoided if only the right questions had been asked of the right people at the right time. The settlement agreement itself can be found at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20181220_zoltek_settlement.pdf and is worth reading. What you find is that American management was repeatedly made aware that a supplier was listed on a denied parties list associated with the Belarus sanctions. Despite repeated email exchanges and discussions among executives within the firm, Zoltek kept doing business with the sanctioned entity, going so far at one point as to pivot the business to a third-party trading company. To his credit, at least one executive questioned whether the trading company was a sham, but the transactions continued.
The saga starts when the Belarus oil and chemical entity was put on the sanctions list in November 2007. That listing brought OFAC’s 50% rule into play for the supplier: any entity owned 50% or more by a sanctioned party is itself sanctioned, so the supplier, owned by the Belarus oil and chemical company, was sanctioned from that point. Several years later, the supplier was itself designated as a sanctioned party. In the meantime, however, it had acquired one of Zoltek’s primary suppliers of a specific raw material, and the business continued uninterrupted.
While all of this was going on, emails were exchanged within management about the supplier itself being sanctioned. There were emails about seeking legal advice, which would have been the prudent step to take, but the advice sought was from a lawyer in the third country where Zoltek’s affiliate was located. Not surprisingly, he concluded that U.S. law did not apply in that country. You also have executives within the company refusing to sign any contract with the sanctioned supplier. Outside third parties repeatedly explained to Zoltek’s upper management that purchases from the sanctioned supplier were barred under U.S. law. Through it all, Zoltek’s upper management kept saying it was consulting with the U.S. government, and never did. In the end, Zoltek made 13 purchases from the supplier, the later-sanctioned party, with a total value of $10,390,920. How much more efficient and less costly would it have been for management to call a U.S. lawyer familiar with U.S. sanctions law?
What these cases remind us, as the new year launches, is that internal controls continue to be one of the most important tools companies have to manage their risk. At the same time, the best internal controls program works only if staff are properly trained and the program is regularly tested, updated and improved. Even Zoltek could have avoided its problems if it had had a robust sanctions program in place. When was the last time your internal controls were tested and upgraded? It’s the new year; now is the time to start!