Case study: Millions in fines to US authorities for IT services to airline

Apparent violations and OFAC's assessment of the conduct

Between 2013 and 2018, SITA violated the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594 (GTSR) (§§ 594.201 and 594.204), a total of 9,256 times.

OFAC found that SITA did not voluntarily report its apparent violations, but at least did not act in an "exceptionally serious" manner. This is an assessment that is critical in terms of consequences for SITA.

SITA provided commercial services and software subject to US jurisdiction to Iranian airlines. These airlines were declared "specially designated global terrorists" (SDGTs) by OFAC under Executive Order 13224, and SITA's business therefore constituted a violation of US sanctions.

The services provided included reservation-related services, network and connectivity services, flight planning and dispatch services, border management services, messaging services, and ancillary travel services (baggage collection, cargo movement, emissions tracking, etc.).

Fabrication of US jurisdiction and SITA's insufficient knowledge regarding US sanctions.
Specifically, the violations included:

Service messages routed through the US,
the provision of US software and services hosted on SITA's
services hosted on SITA's servers in the US (operated by a US subsidiary).
These services and software were subject to US jurisdiction because "they were provided from or routed through the United States or involved the provision of software from the United States knowing that customers designated as SDGTs would benefit from them".

According to OFAC, SITA even knew it was providing services to sanctions targets and was trying to avoid sanctions violations. However, SITA failed to understand and implement the necessary policies.

"For example, at or shortly after the time of the respective SDGT airlines' designation by OFAC, SITA terminated many of the services provided to these airlines that it knew were subject to U.S. jurisdiction. In addition, SITA had begun taking steps to mitigate its sanctions compliance associated risks pursuant to a global risk assessment initiated by management in 2016. SITA described its compliance program up until that point as primarily reactive, in that it would address compliance concerns as they arose." - OFAC

Overall, SITA lacked a comprehensive, effective sanctions compliance programme.

OFAC's Calculation of Potential Civil Sanctions and Settlement Amount

OFAC applied the "General Factors Affecting Administrative Action under OFAC's Economic Sanctions Enforcement Guidelines" (31 C.F.R. Part 501, Appendix A), considering the following aggravating and mitigating factors and circumstances:

Aggravating factors

From OFAC's perspective, the aggravating factors were:

• the actual knowledge of the sanction status of the airline's customers;
• the damage to US foreign policy objectives by supporting airlines linked to terrorism.
• the fact that SITA is a commercially sophisticated and global company.

Mitigating factors

To SITA's advantage, OFAC was able to include the following factors:

• There were no prior OFAC violations by SITA (five years prior to the violations),
• The violations represent a small percentage of SITA's total business,
• The response and level of cooperation with OFAC during the investigation,
• The cessation of related conduct, the extensive "remedial actions and improvements to the compliance programme, and the review of customers and suppliers". In addition, the termination of the contracts with the airlines in question, including the following compliance obligations:
  • Establish a Global Trade Committee to monitor and review compliance risks with customers, suppliers and other parties,
  • Establish a Trade Compliance Committee to act as an information-sharing and advisory body on trade and sanctions-related matters affecting SITA or its members,
  • Appointment of a dedicated global ethics and compliance lead to focus on developing and improving the overall compliance function,
  • Implementing new sanctions compliance reviews when adding new customers and suppliers, and when expanding or introducing new products or services to existing customers in sanctioned countries,
  • Update and expand compliance policies and regulations to raise awareness of sanctions compliance within the company,
  • Commit to regular monitoring and auditing of messaging, Maestro and WorldTracer systems to ensure they are not being used to support SDGT carriers; and
  • Mandate sanctions compliance training for all new SITA employees and annual sanctions compliance training for all SITA employees.

Main conclusions

In summary, the following conclusions can be drawn from the case study described: It is obvious that the legal and factual risks were underestimated. This is a common mistake made by many European companies, as they classify their services as "unobjectionable" and therefore assume that they are less affected by sanctions programmes. Implementing risk-based compliance measures should be a top priority for cross-border business. OFAC places great emphasis on the implementation of effective, thorough and continuous risk-based compliance measures. This case illustrates how such a programme was implemented after the investigation (see section 3.2 above).

Author: Olivier Scherlofsky, Sanctions Lawyer