Apple Inc.’s recent settlement with the Treasury Department’s Office of Foreign Assets Control (OFAC) has exposed a potentially costly wrinkle in complying with international trade regulations. While sanctions screening technologies may help a company catch and report errors, this software alone will not absolve faults and shortcomings in a company’s overall export compliance programs.

The compliance woes at Apple serve as a signal to businesses of all sizes that rely on third-party sanction screening software. Ultimately, it’s not one technology but a company’s entire compliance program – collective policies, trainings, technology, efforts to address vulnerabilities and corrective responses – that will be accountable if a failure occurs.

Overreliance on Sanctions Screening Tech

On November 25, 2019, OFAC announced a $467,000 settlement with Apple, Inc. for apparent violations of international sanctions regulations. The apparent violations stem from errors in Apple’s sanction screening software and from Apple’s failure to take timely and complete corrective actions.

Apple entered into an app development agreement with the Slovenian software company SIS, d.o.o. (SIS) in July 2008. On February 24, 2015, OFAC identified SIS and its principal, Savo Stjepanovic, on its List of Specially Designated Nationals and Blocked Persons (SDN List).

On the same day as the designation, Apple screened its existing app developers against the updated SDN List, but failed to identify SIS or Stjepanovic. Apple later determined that its sanctions screening software failed to match the lower-case Slovenian corporate designation “d.o.o.” with the upper-case “DOO” contained in Apple’s systems, and that Stjepanovic’s name appeared in an “account administrator” field that was not being screened. In February 2017, Apple enhanced its sanctions screening tools and discovered SIS’s identification on the SDN List. Apple immediately suspended all payments to SIS’s account, but continued to permit payments to an entity to which SIS had transferred a portion of its apps in 2015. In all, Apple made 47 payments totaling more than $1 million to SIS after the company was placed on the SDN List.
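The two screening gaps described above can be reproduced in a few lines. This is an added example, not code from the article, Apple or OFAC: it compares names only after folding case, punctuation and (going slightly beyond the article's case) diacritics, and it screens every text field of a record. The record layout, field names and the accented spelling in the sample record are assumptions made for illustration.

```python
import re
import unicodedata

def normalize(name):
    """Fold case, diacritics and punctuation so 'd.o.o.' and 'DOO' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Drop dots and apostrophes inside tokens ("d.o.o." -> "doo");
    # every other non-alphanumeric run becomes a single space.
    joined = re.sub(r"[.'’]", "", no_marks.casefold())
    return " ".join(re.sub(r"[^a-z0-9]+", " ", joined).split())

def naive_match(record_name, sdn_name):
    """Exact string comparison: the failure mode the article describes."""
    return record_name == sdn_name

def screen(record, sdn_names):
    """Return (field, sdn_entry) for every text field matching a list entry."""
    targets = {normalize(n): n for n in sdn_names}
    hits = []
    for field, value in record.items():
        if isinstance(value, str) and normalize(value) in targets:
            hits.append((field, targets[normalize(value)]))
    return hits

# Constructed sample data. The two names come from the article; the field
# names and the record layout are hypothetical.
SDN_NAMES = ["SIS, d.o.o.", "Savo Stjepanovic"]
DEVELOPER = {
    "developer_id": "dev-0001",
    "legal_name": "SIS DOO",
    "account_administrator": "SAVO STJEPANOVIĆ",
    "country": "SI",
}

if __name__ == "__main__":
    print("exact match:", naive_match(DEVELOPER["legal_name"], SDN_NAMES[0]))
    for field, entry in screen(DEVELOPER, SDN_NAMES):
        print(f"hit in {field!r}: {entry}")
```

Normalized exact matching is a floor, not a full screening method: transliteration variants and partial names still need fuzzy matching and human review.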

OFAC identified several aspects of Apple’s response which mitigated the civil penalties against it, including:

  • Apple undertook various measures to enhance its compliance program, including: improving escalation and review processes; reconfiguring the search capabilities in its sanctions screening tool; expanding the scope of sanctions screening; and updating instructions and training provided to employees relating to export and sanctions.
  • Apple promptly responded to OFAC’s post-disclosure requests for information.
  • Apple voluntarily self-disclosed its potential violations in what OFAC determined to be a non-egregious case.
  • Apple had not received a penalty notice or Finding of Violation from OFAC in the five years prior to the transactions at issue.
  • The total amount of violative payments was not significant compared to Apple’s total annual volume of transactions.

The following aggravating factors increased Apple’s civil penalties:

  • Apple’s conduct demonstrated “multiple points of failure” in its compliance program.
  • Apple is a “large and sophisticated organization operating globally with experience and expertise in international transactions.”
  • Apple failed to take timely corrective actions when it continued to send payments to an affiliated entity after learning of its error.
  • Apple failed to “anticipate potential vulnerabilities” in its compliance programs.

The failure of the compliance software at a technology giant is disconcerting for many businesses. However, both the aggravating and mitigating factors identified in OFAC’s announcement of the settlement offer meaningful insights into what companies should do if they find that their compliance tools have failed them.

For Apple, its efforts to update its sanctions screening software allowed it to discover its error and voluntarily disclose its conduct. But its compliance program as a whole failed to prevent transactions with SDNs. The settlement demonstrates that companies cannot rely on any one technological aspect of their compliance programs to ensure export compliance. A company should aim to have a healthy compliance program that integrates trainings, technologies, response policies and risk mitigation efforts.