As the third month of the second Trump administration comes to a close, the lack of any public enforcement action by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctions watchers wondering about the status of enforcement under the Trump administration and whether shifting sanctions priorities will have an impact on the focus or volume of future OFAC enforcement actions. As we wait for OFAC public enforcement activity to resume in the near future – assuming it will following the expected transition period of briefing the new administration on pending cases – it is worth reiterating the key trends and lessons from the past year’s public enforcement actions and contemplating what we might expect in terms of enforcement efforts and priorities from the new administration this year.
Despite another year of steady designations and significant sanctions developments, OFAC issued noticeably fewer public enforcement actions in 2024 than in years past; the agency issued 12 public enforcement actions in 2024 (with nine of those 12 published in the second half of the year), compared to 17 in 2023 and 16 in 2022. OFAC assessed roughly $48.8 million in civil monetary penalties from these 12 actions, which is a fraction of 2023’s record-breaking $1.5 billion total, but on par with the penalties assessed in 2022 (approximately $42.7 million). OFAC’s 2024 public enforcement actions related to apparent violations of seven different OFAC sanctions programs, with half of the enforcement actions involving apparent violations of U.S. sanctions on Iran. Although most focused – as is typical for OFAC – on the actions of U.S. and non-U.S. companies, OFAC targeted individual U.S. persons for their conduct in two cases as well. OFAC also issued two public enforcement actions in the first weeks of 2025, days before President Trump’s inauguration, both involving apparent violations of OFAC’s Ukraine-/Russia-Related Sanctions Regulations.
Although the number of public enforcement actions in 2024 was lower than in recent years, and the three-month gap since the last actions in early 2025 is somewhat unusual, even in the context of a transition in administrations, it is not yet clear whether this dip will be short-lived or indicative of a broader agency enforcement slow-down. In early 2023, OFAC underwent core organizational changes that saw the transfer of all investigations and enforcement relating to the financial services and insurance industries from OFAC’s Sanctions Compliance and Evaluation Division to OFAC’s Enforcement Division, which was until that point responsible for investigations and enforcement concerning all other industries and persons. The lower number of enforcement actions over the past year may partly be the result of this internal reshuffling and reallocation of resources. Given (i) the high volume of designations and other non-enforcement-related actions taken by OFAC over the past year, (ii) the extension of the statute of limitations for most U.S. sanctions violations from five to 10 years, and (iii) the fact that eight out of the 12 public enforcement actions were issued in the last three months of 2024 alone (with two more in the opening weeks of 2025), the recent lower number of public enforcement actions may simply be the result of the agency working through its case load, taking stock of its resources, working within a new administration, and digesting the flurry of potential enforcement activity resulting from the onslaught of U.S. sanctions imposed following Russia’s full-scale invasion of Ukraine in 2022. As a result, we anticipate that OFAC will resume issuing enforcement actions in the near term.
Below we discuss the significant trends and lessons learned from OFAC’s 2024 and early 2025 enforcement actions that we believe the private sector should heed. Although Morrison Foerster’s National Security practice anticipates that the Trump administration will shift certain sanctions priorities, and may pursue enforcement priorities that differ in some respects from those of the Biden administration, it is worth remembering that sanctions generally have been a bipartisan tool used and built upon by both Democratic and Republican presidents alike, such that the sanctions compliance pitfalls and recommended risk mitigation measures discussed in this client alert remain relevant.
1. OFAC Actively Enforced Apparent Violations of Both New and Old Russia Sanctions During the Last Year (and Days) of the Biden Era
In 2024, OFAC brought its first public enforcement actions for apparent violations of the U.S. sanctions imposed against Russia pursuant to Executive Order (E.O.) 14024 – the main authority used for U.S. sanctions following Russia’s full-scale invasion of Ukraine in February 2022. Whether we see more enforcement involving E.O. 14024 and other Russia-related sanctions authorities in 2025 likely depends on whether such enforcement is consistent with the Trump administration’s national security and foreign policy priorities with respect to Russia and the latitude that the administration provides to OFAC to enforce such violations.
On the last day of last year, December 31, 2024, OFAC announced its $22,172 penalty against New York-based aviation product supplier SkyGeek Logistics, Inc. (SkyGeek), for neglecting to screen and prevent two attempted refunds and four shipments to two sanctioned aircraft parts suppliers. Both suppliers were based in the United Arab Emirates (UAE) and designated pursuant to E.O. 14024 for operating in Russia’s aerospace and technology sectors. The apparent violations occurred between mid-January and mid-March 2024; the relative speed with which OFAC investigated this conduct and brought a public enforcement action is indicative of how seriously the agency took apparent violations of its Russia-related sanctions program (during the Biden administration), especially where, as here, OFAC found that the activity “undermined U.S. sanctions objectives and may have contributed to Russian military capabilities,” despite the fact that “the value of the shipments was relatively low.”
In another example of Russia-related enforcement, OFAC also fined Swiss banking group EFG International AG (EFG) $3,740,442 in March 2024 for apparent violations of multiple sanctions programs, including transactions in which EFG caused U.S. securities firms to issue at least five dividend payments related to security positions held by an individual designated pursuant to E.O. 14024.
Other enforcement actions over the course of 2024 and early in 2025 involved violations of the earlier Ukraine-/Russia-Related Sanctions, including the two actions issued days before President Trump’s inauguration for approximately $1 million per action: Haas Automation, Inc. (Haas) and Family International Realty LLC and its owner, a U.S. person individual (Family Realty). Given the lack of enforcement activity since those two matters were issued, it remains unclear whether Russia sanctions evasion will remain an area of enforcement focus during the Trump era, or pivot – as the administration’s public statements suggest – to a focus on Iran and counterterrorism sanctions programs and other key areas of interest for the Trump administration.
2. Lack of Familiarity with U.S. Sanctions Is No Defense to Liability
OFAC highlighted in several 2024 public enforcement actions that a lack of sophistication and familiarity with U.S. sanctions – while a consideration in determining the appropriate administrative response to an apparent violation – is not a defense that avoids a public enforcement action. U.S. sanctions are primarily a strict liability regime, and there are generally no knowledge or intent requirements to meet before liability is triggered (although OFAC focuses public enforcement on individuals and entities (persons) that do not make adequate efforts to comply with U.S. sanctions requirements).
In one example, OFAC settled with a U.S. person individual (the Individual) for $45,179 after the Individual executed six payments on behalf of a business partner sanctioned pursuant to OFAC’s Global Magnitsky Sanctions Regulations, which target human rights violations and corruption. The Individual knew of but did not appreciate the impact of the sanctions on the company that the Individual and the sanctioned person operated together or the impact on the Individual’s own conduct vis-à-vis the company. In its web post, OFAC emphasized that “all U.S. persons, including individuals, are required to comply with U.S. sanctions, regardless of their familiarity with sanctions-related issues,” particularly “gatekeepers” – professional service providers such as investment advisors, attorneys, and accountants – that “serve crucial financial and legal functions that place them at heightened risk of knowingly or unwittingly furnishing access by blocked persons or other illicit actors to the licit financial system.”
This takeaway was further borne out by OFAC’s $41,591 settlement with Córdoba Music Group LLC (Córdoba), a California-based musical instrument manufacturer with fewer than 100 employees, in which OFAC determined that Córdoba knowingly sold musical instruments ultimately destined for an Iranian company because of a lack of knowledge and training on U.S. sanctions requirements, as well as OFAC’s $860,000 settlement with Vietnam Beverage Company Limited (Vietnam Beverage), whose subsidiaries caused U.S. financial institutions to process U.S. dollar transactions related to the export of alcoholic beverages to customers in or connected to North Korea. Neither Vietnam Beverage nor its subsidiaries had a sanctions compliance program in place at the time of the apparent violations that was designed to identify and prevent or mitigate the risks of engaging in transactions with North Korea where U.S. services or U.S. persons may be involved.
3. Willfulness and Sanctions Evasion Lead to Severe Monetary Penalties
The recent public enforcement actions demonstrate that OFAC continues to impose harsher penalties on persons that knowingly violate U.S. sanctions and attempt to conceal their conduct. In each of OFAC’s significant settlements with SCG Plastics Co., Ltd. (SCG), Aiotec GmbH (Aiotec), a U.S. person individual (U.S. Person-1), and Family Realty, OFAC characterized the apparent violations as willful and found them to be “egregious” (a determination mandating harsher enforcement outcomes), and none of the parties voluntarily self-disclosed all the apparent violations to OFAC, which would have otherwise served as the basis for substantially mitigated penalties.
OFAC settled with SCG, a Thai company, for $20 million in connection with sales of high-density polyethylene resin (HDPE), after OFAC determined that SCG attempted to conceal the Iranian origin of the HDPE by transshipment through the UAE and through shipping and documentation practices that obfuscated the product’s Iranian origin and the involvement of Iranian parties. Similarly, OFAC settled with Aiotec, a German company, for approximately $14.6 million after determining that Aiotec conspired to purchase a decommissioned polypropylene plant in Australia from a U.S. company and move it to Iran under false pretenses – a scheme that involved manipulating documents, making false statements, and sending Euro payments to a U.S. financial institution and one of its foreign branches. In the U.S. Person-1 action, involving a settlement for $1.1 million in connection with apparent violations of U.S. sanctions on Iran, OFAC noted that U.S. Person-1 at all times had actual knowledge of the relevant conduct and attempted to evade U.S. sanctions by using intermediary companies, omitting sanctions-related references in check memo lines, and reducing funds transfer amounts to lower the risk that its U.S. financial institution would investigate the transactions. Finally, Family Realty, which resulted in an OFAC settlement of approximately $1.1 million as well as a U.S. Department of Justice forfeiture action, involved a Miami real estate company and its U.S. person owner engaging in a willful scheme to evade sanctions by transferring nominal ownership of luxury condominiums from two sanctioned Russian oligarchs to their non-sanctioned family members (and related shell companies).
4. Companies Continue to Be Responsible for the Information in Their Possession
Over the past year, OFAC continued to drive home the message that companies are responsible for leveraging the information in their possession to prevent dealings in violation of U.S. sanctions. OFAC expects companies to holistically and timely incorporate, review, and escalate (as needed) the information they collect on their counterparties using systematic risk-based procedures and controls, and these controls should be tested and audited to ensure proper function and adaption to the changing sanctions landscape.
OFAC made this lesson clear in its action against SkyGeek, which attempted two refunds and made four shipments to two sanctioned aircraft parts supplier customers in the UAE that were onboarded before the customers were sanctioned. At the time of the apparent violations, SkyGeek did not rescreen previously approved customers before issuing customer refunds (or, it appears, before certain shipments); however, if rescreening had been conducted, SkyGeek should have been able to identify the sanctions nexus given the existing information in its customer records. In a separate action, OFAC fined American Life Insurance Company (ALICO) $178,421 for apparent violations of U.S. sanctions against Iran that included ALICO’s issuance of insurance coverage to a number of UAE-based schools and entities that were owned or controlled by the Government of Iran, when at least one such entity’s application had previously been rejected for sanctions concerns. Although the ALICO matter involved a UAE-based sales agent that knowingly facilitated the Iranian business in a non-transparent manner, OFAC highlighted that it is important for companies to have an internal process for flagging when a certain type of transaction – be it an application, money transfer, or other action – has been previously rejected based on sanctions compliance concerns. Additionally, OFAC’s settlement with EFG concerned, among other conduct, EFG subsidiaries causing U.S. securities firms to process hundreds of transactions on behalf of customers in Cuba that OFAC determined EFG had reason to know were associated with Cuba (based on, e.g., receipt of residency cards).
5. Sanctions Risks in the Mergers and Acquisitions Context Remain a Focus
We have showcased the lessons learned from enforcement actions focused on mergers and acquisitions in past alerts, and this theme continues to hold a spot in our list of key takeaways from the past year. In State Street Bank and Trust Company (State Street), which settled for approximately $7.5 million, OFAC highlighted the problematic activity of the bank’s recently acquired subsidiary, Charles River Systems, Inc., which had been redating and reissuing invoices to sectorally sanctioned Russian entities (i.e., Russian entities at the time subject to limited debt and equity sanctions under the Ukraine-/Russia-Related Sanctions program) and receiving late payments despite concerns raised and explicit guidance from its U.S. financial institution. OFAC emphasized the importance for acquiring companies, “[e]ven after onboarding is complete,” to “closely monitor [companies’] new business relationships for sanctions-related issues that may require preventative or remedial measures.”
Similarly, OFAC settled with C.H. Robinson International Inc. (CHR), a Minnesota-based transportation and logistics company, for $257,690 for apparent violations that occurred after the company acquired several overseas subsidiaries that engaged in post-acquisition prohibited transactions involving Iran and Cuba. OFAC flagged that the subsidiaries’ operating systems were not integrated into CHR’s systems – which had sanctions compliance controls in place – for years after the acquisitions. OFAC cautioned in that action that U.S. companies acquiring foreign companies must be vigilant about incorporating newly acquired subsidiaries into existing compliance programs, promptly training employees, and implementing interim controls to mitigate sanctions risks while integration is underway.
6. Beware of Transactions Involving High-Risk Industries and Jurisdictions
OFAC’s recent enforcement actions also highlight the heightened sanctions risks in engaging with high-risk industries and jurisdictions. For example, the conduct at issue in the SCG action involved the transshipment of Iranian-origin HDPE through the UAE, a jurisdiction historically posing higher risk of sanctions evasion. The UAE also featured in the ALICO action, as ALICO’s customers were based in the UAE but were ultimately owned by the Government of Iran, as well as the SkyGeek action, as the aviation supplier’s two (designated) customers were both located in the UAE. When Vietnam Beverage’s subsidiaries sold alcohol to companies in or connected to North Korea, they received payment from intermediaries in Hong Kong, China, Turkey, Singapore, and the Seychelles, all sensitive jurisdictions for money laundering and sanctions concerns.
As OFAC noted in the SkyGeek action, “[t]his case underscores the sanctions risks to companies operating in sensitive industries and jurisdictions, and how such risks can be compounded when operating in both. Companies operating in any of the sectors Treasury has determined enable Russia’s ability to wage war on Ukraine – including aerospace and technology – should exercise vigilance in ensuring they are not dealing with sanctioned persons. Such care is all the more critical when operating in high-risk jurisdictions.”
These enforcement actions also serve as useful reminders of what sanctions-related red flags can look like. Employees should be trained to promptly identify these red flags, mitigate any related impact, and escalate the situation (as appropriate) in accordance with written, risk-based sanctions compliance policies and procedures, particularly when the company is operating in a high-risk environment. As OFAC stated in the Córdoba action, “[a]s geographic reach expands, so does possible risk.”
7. Non-U.S. Persons Engaged in Conduct Involving the U.S. Financial System or U.S. Persons Must Stay on Top of Compliance
OFAC continues to emphasize that non-U.S. persons engaged in prohibited conduct directly or indirectly involving the U.S. financial system or U.S. persons (or another U.S. nexus) are ripe targets for enforcement. In 2024, OFAC fined multiple non-U.S. persons for causing U.S. persons to violate U.S. sanctions through use of the U.S. financial system. The typical fact pattern involves a non-U.S. person making a payment denominated in or converted through U.S. dollars, which virtually always requires involvement of a U.S. financial institution or its foreign branch, for transactions that are prohibited under U.S. sanctions.
Settlements with non-U.S. companies made up five of the 12 enforcement actions last year. OFAC settled with Mondo TV, S.p.a. (Mondo), an Italian animation company, for $538,000 after Mondo outsourced some of its work to a North Korean state-owned animation studio and paid through various intermediaries, including a U.S. company, to the intermediaries’ bank accounts at U.S. financial institutions. In the actions against Mondo and Vietnam Beverage, both companies either initiated or received payments involving North Korea that were processed by or settled at U.S. financial institutions or a foreign branch of a U.S. financial institution, causing apparent violations of U.S. sanctions. Similarly, SCG received U.S. dollar payments processed by U.S. financial institutions for sales of Iranian-origin HDPE, and it also initiated U.S. dollar wire transfers to pay the debts of a joint venture SCG operated with the National Petrochemical Company of Iran that were processed by U.S. financial institutions. This trend is further illustrated by OFAC’s action against Aiotec, which OFAC determined conspired to cause a U.S. company to sell a decommissioned polypropylene plant to Iran and initiated payments through U.S. financial institutions, as well as OFAC’s action against #EFG, which caused U.S. securities firms and U.S. market participants to process securities transactions on behalf of sanctioned persons.
Needless to say, non-U.S. persons must take care to comply with U.S. sanctions prohibitions when engaged in transactions that fall within OFAC’s jurisdiction, i.e., when those transactions directly or indirectly involve the United States, such as through U.S. persons, U.S. financial institutions, or even – under certain circumstances – U.S. IT infrastructure and back-office services. Enforcement against non-U.S. persons for this type of conduct is a pattern we do not see losing steam anytime soon, especially after the U.S. Departments of Commerce, the Treasury, and Justice made it clear in their March 2024 Tri-Seal Compliance Note that compliance with U.S. sanctions and export control laws by non-U.S. persons abroad is a top U.S. foreign policy priority.
8. Tone From the Top Really Matters
OFAC emphasized in several recent enforcement actions the awareness of and/or involvement by senior management in the underlying conduct, serving as a critical reminder of just how important OFAC considers “tone from the top” in promoting company-wide sanctions compliance. In each of the examples below, the awareness of and/or involvement by senior management was categorized by OFAC as an “aggravating factor,” which is grounds for an increased penalty.
In its action against Córdoba, OFAC stressed that “[t]here was a clear understanding among Córdoba employees that these products were ultimately destined for Iran; Córdoba’s then CEO also was aware of the sales to Iran.” OFAC also called out in its action against Aiotec that the company’s senior management furthered the underlying conspiracy, including by negotiating and signing the sales agreement, signing several false end-user certificates, and making other false representations. In OFAC’s action against Mondo, OFAC asserted that the company’s “senior management knew that it was engaging a [North Korean] entity and making payments to [North Korea] through intermediaries with accounts in the United States.” Similarly, in Vietnam Beverage, OFAC identified as an aggravating factor that senior management of the company’s subsidiaries knew or had reason to know that they were doing business with North Korea and receiving payments through U.S. financial institutions, although OFAC credited the subsidiaries’ new senior management for identifying and ending the concerning transactions with North Korea.
9. OFAC Expects Screening and Sufficient Diligence Throughout a Transaction’s Life Cycle
In SkyGeek, the company screened its UAE counterparties at the start of the customer relationships but “[b]ecause its compliance protocol at the time was not to re-screen previously approved parties,” it failed to catch that the two companies were subsequently sanctioned before attempting to send them refunds and/or completing previous orders. OFAC noted that the case “highlights the importance of implementing appropriate risk-based controls over the course of a transaction’s ‘life cycle’ to ensure compliance with OFAC sanctions.” Failure to re-screen was also cited as a reason for one of the apparent violations in the Haas matter.
The Haas action was also notable as one of the few OFAC enforcement actions where a U.S. company was penalized for failing to identify entities subject to sanctions as a result of greater than 50 percent ownership by sanctioned parties rather than individual designation and listing on OFAC’s public sanctions list. OFAC noted in that case that, “[f]or seven of the eight blocked entity customers, Haas failed to conduct sufficient due diligence regarding the blocked entities’ ownership structures.” Similarly, ALICO involved a U.S. company’s activity involving entities owned or controlled by the Government of Iran but not necessarily named on any sanctions list. With these cases, OFAC has made it clear that it expects companies to identify parties subject to sanctions through reasonable diligence and that screening alone may be insufficient to guard against sanctions risks.
10. Meaningful Remediation Regularly Results in Reduced Penalties
OFAC made it clear throughout its enforcement actions last year that significant and meaningful remediation is considered a mitigating factor that can and will result in reduced penalties. OFAC noted, for example, that “SkyGeek and its parent company undertook significant remedial efforts, including a comprehensive business review of SkyGeek’s sales to jurisdictions that may present a higher risk for sanctions evasion and accordingly have ceased all SkyGeek sales to 45 jurisdictions.” SkyGeek also implemented enhanced screening controls. Significant remedial actions that impacted penalties also were cited in the State Street, Haas, Aiotec, and Vietnam Beverage matters, among others.
11. Consider How Your Risk Appetite Compares to That of Your Counterparties
Another key takeaway is that, aside from maintaining an effective, risk-based sanctions compliance program, companies also should be aware of the risk appetites of their counterparties and calibrate compliance strategies accordingly. Specifically, in OFAC’s action against ALICO, the insurance company outsourced administration of certain products to a third party in the UAE. This third-party administrator helped facilitate ALICO’s issuance of insurance policies to entities owned or controlled by the Government of Iran, and the third-party administrator also paid out claims after ALICO suspended the policies, including by backdating claims so that they could be paid from the third-party administrator’s batch processing system. OFAC cautioned that “companies should consider risks arising from arrangements involving business partners and other third parties, who may differ in their approach to compliance” and that “[w]hen outsourcing parts of the business, it is important to have effective controls that prevent further activity with blocked or otherwise sanctioned persons upon discovery.” Accounting for third-party risk preferences in periodic risk assessments and incorporating questions about risk appetite into third-party KYC and onboarding procedures should help to further minimize risks.
12. Even Where Apparent Violations Occur, OFAC Picks Its Enforcement Targets Carefully
If the preceding 11 lessons learned are not enough incentive to invest in sanctions compliance in 2025, let this final takeaway be the one to tip the scales. Over the past year, there were several public enforcement actions in which U.S. persons took part in the apparently violative conduct but OFAC did not fine them, and in our view, the proactive steps they took to comply with U.S. sanctions is likely a key reason why. Although U.S. sanctions are strict liability, OFAC has tremendous enforcement discretion, such that even if a company is caught up in apparent violations, action to prevent and mitigate the potential harm may help insulate the company from liability (or at least a public enforcement action and penalty).
For example, in OFAC’s settlement with State Street, Charles River accepted late invoice payments from sanctioned Russian entities that were processed by Charles River’s U.S. financial institution. However, OFAC highlighted that this U.S. financial institution, in addition to scrutinizing, delaying, and rejecting other late payments, sent multiple guidance documents to Charles River to educate the company about relevant U.S. sanctions risks and compliance obligations. As of now, OFAC has not separately fined this unnamed U.S. financial institution for processing these payments. In OFAC’s settlement with Aiotec, Aiotec’s U.S. counterparty took numerous steps to mitigate the risk that the sale of the plant would violate U.S. sanctions, including by incorporating sanctions clauses into the sales agreement and requesting end-user certificates and other documents evidencing the plant’s end-use and ultimate destination; that U.S. counterparty similarly has not been subject to separate public OFAC enforcement. In OFAC’s action against U.S. Person-1, one of the U.S. financial institutions involved investigated suspicious payments, identified the Iranian nexus, and exited U.S. Person-1 as a customer (U.S. Person-1 then took steps to further conceal the Iranian nexus for the payments in dealings with its new U.S. financial institution). Although these U.S. financial institutions appear to have technically been party to the apparent violations and OFAC was aware of their role, we believe that the sanctions compliance steps the U.S. financial institutions took helped to turn the enforcement bullseye in a different direction.
Conclusion
OFAC’s 2024 and early 2025 public enforcement actions affirm the importance of implementing and maintaining risk-based sanctions compliance programs for companies of all sizes and operations and for individuals in their commercial dealings, and we expect these themes to continue to be a focus under the second Trump administration. Organizations should tailor their internal controls to ensure that they are commensurate with the sanctions risks posed by their business activities and jurisdictions of operation – and the risk appetites of their counterparties – and proactively resolve sanctions-related concerns, which can be identified and mitigated even before issues arise through the use of periodic risk assessments, tests, and audits. Empowering employees to raise questions and concerns by providing regular trainings and fostering a strong culture of compliance serves as a formidable defense to common sanctions pitfalls as well. Given that U.S. sanctions are strict liability, taking stock of sanctions compliance now – to ensure that compliance programs are working as designed and resilient to sanctions policy changes – is strongly recommended, as potentially seismic U.S. sanctions shifts could be imminent and may happen quickly under the second Trump administration.
[View source.]
