What Did OFAC Change in Its Regulations?
While OFAC modified several of its regulations, its modification of 31 C.F.R. § 501.604 to expand reporting requirements for rejected transactions is the change likely to have the broadest impact. Whereas historically OFAC regulations have only required financial institutions such as banks to report transactions rejected due to sanctions, the modified regulations now require all U.S. persons (including both individuals and organizations) and those subject to U.S. jurisdiction to report any “transaction” that the person “rejects” due to sanctions.
The regulations define “transaction” broadly to “include transactions related to wire transfers, trade finance, securities, checks, foreign exchange, and goods or services.” The regulations do not explicitly define what it means to “reject” a transaction. Historically, however, OFAC has distinguished between “blocked” transactions—in which property must be held by the recipient—and “rejected” transactions—in which property is simply returned to the sender and reported to OFAC.
By its terms, the amendment greatly expands the pool of those responsible for reporting rejected transactions.
What Does This Mean in Practice for U.S. Businesses?
In the wake of this amendment, U.S. companies must now take steps to comply with the new reporting requirements. But how will this work in the real world? Although OFAC has not yet released any of its usual FAQs to clarify how it intends the regulations to apply in practice, existing FAQs that apply to financial institutions provide some guidance on how OFAC is likely to interpret the new requirement.
In clarifying when banks are required to block or reject transactions, OFAC FAQ 53 provides guidance in the context of wire transfers. As OFAC explained, if a bank receives “concrete instructions from its customer” to send funds to a Specially Designated National (SDN), then the transaction must be blocked. In contrast, if the customer simply asks “Can I send money to Cuba?” then the bank can simply explain to the customer this is not permitted. As OFAC explained, this latter example is not considered a “reject” by the bank because it has not received instructions from its customer to send the funds.
Applying this guidance to the new regulation, it is likely that OFAC will take a somewhat practical approach to determining whether a transaction is deemed to have been “rejected,” triggering a reporting requirement. For example, if an Iranian citizen contacts a U.S. manufacturing company to ask whether the Iranian can purchase products, the company can likely tell the person that it is not permitted to do business with Iran without triggering a reporting requirement. In contrast, if an Iranian citizen (non-SDN) sends a purchase order to the U.S. manufacturing company requesting the purchase of specified goods for shipment to Iran, the company would need to reject the request and report it to OFAC within 10 days.
Although the precise scope of obligations under the new regulations is subject to some debate, what is certainly clear is that virtually all U.S. companies should take immediate action to implement procedures to record and report transactions rejected due to sanctions. Failure to do so can have significant consequences. Although OFAC has not yet used its authority to impose penalties for failing to meet reporting requirements, Appendix A to 31 C.F.R. § 501 implies that the same penalties applicable to executing a transaction in violation of sanctions would apply to a failure to make a required report. Theoretically, this means that persons could be fined as much as twice the value of the underlying transaction for not reporting. However, the more likely scenario is that, once OFAC suspects reporting requirements are not being met, a broader investigation into the compliance program and other possible violations could be launched. Such investigations invite scrutiny, introduce increased risk, and can be very expensive.
What Will OFAC Do with All of This Data?
OFAC has clearly greatly expanded reporting requirements for rejected transactions. As U.S. businesses take the necessary steps to implement reporting procedures, OFAC is likely to see a significant influx of new rejected transaction reports. It is not yet clear that OFAC fully appreciates the potential size of the wave of new data that may soon arrive at its offices. It is also not clear that OFAC has any concrete plans to take any meaningful action to utilize these new reports. Indeed, given that OFAC is reportedly struggling with understaffing and overwhelming workloads, one cannot help but wonder whether these new reports will simply collect dust on OFAC desks once submitted.
One thing that is clear, however, is that OFAC does not intend to consider rejected transaction reports confidential. The amended regulations state that rejected transaction reports are subject to the Freedom of Information Act (FOIA). Such reports “generally will be released upon the receipt of a valid FOIA request, unless OFAC determines that such information should be withheld in accordance with an applicable FOIA exemption.” Companies submitting reports will need to carefully consider whether to take steps to protect any confidential business information submitted.
As a U.S. Company, What Should I Do Next?
U.S. companies of all sizes may have reporting obligations under the amended regulation. To help meet these obligations, our International Trade & Regulatory Group can assist companies in conducting a sanctions risk assessment, developing reporting policies and procedures, and providing real-time guidance on whether a business opportunity declined for sanctions concerns is a “rejected” transaction that must be reported.