Bloomberg Law
April 16, 2020, 8:01 AM

INSIGHT: OFAC $7.8M Settlement With Swiss Company Expands Tech Enforcement

Eric Sandberg-Zakian
Covington & Burling

The Treasury Department’s Office of Foreign Assets Control’s recent $7.8 million civil settlement with Société Internationale de Télécommunications Aéronautiques SCRL (SITA) serves as a stark reminder for the technology sector that U.S. sanctions enforcement risk is not just a concern for U.S. companies.

The settlement addressed more than $2.4 billion in potential liability stemming from SITA’s use of U.S. IT resources when providing services to airlines sanctioned for alleged connections to Iranian and Syrian terrorist activities.

As a Swiss company not constrained by all of the restrictions OFAC imposes on U.S. companies, some of SITA’s dealings with the airlines appear not to have been prohibited under U.S. law, but its use of U.S.-based resources was unlawful.

The settlement shows that non-U.S. technology companies and their customers transacting with countries or parties targeted by U.S. sanctions are at risk of incurring substantial liability for violations of U.S. law.

Non-U.S. Company

SITA is a global IT services provider headquartered in Switzerland and serving the commercial air transportation industry. It is jointly owned by approximately 400 companies, including most large international airlines, and owners previously included Mahan Air and Caspian Air, both of Iran, as well as the Syria-based Syrian Arab Airlines. OFAC penalized SITA for providing services to those three owners, as well as two other airlines with links to Iran.

OFAC sanctions parties it believes are involved in terrorism under the Global Terrorism Sanctions Regulations. Pursuant to those regulations, OFAC has imposed asset blocking sanctions targeting all five airlines at issue in the case. The sanctions prohibit almost all dealings with the airlines when undertaken in the U.S. or by U.S. persons (including U.S. citizens, U.S. lawful permanent residents, persons physically in the U.S., and U.S.-incorporated entities).

As a Swiss company, SITA is not categorically prohibited from dealing with parties sanctioned for terrorism by OFAC. Indeed, even under OFAC’s farther reaching sanctions that prohibit most knowing dealings with Iran by non-U.S. persons owned or controlled by U.S. persons, SITA’s lack of U.S. ownership or control allows it to deal with Iranian airlines without violating the OFAC sanctions targeting that country.

Accordingly, like many non-U.S. companies, it could have provided services to the sanctioned airlines without running afoul of U.S. law.

Computer Servers Based in Atlanta

Why, then, did SITA end up paying a multimillion-dollar penalty and facing billions of dollars in potential liability? The answer lies in the location of computing resources the company used to deliver services to the sanctioned airlines.

The settlement covers three different types of alleged misuse of U.S. computing resources. The first involved a lost baggage management system that SITA provided to or for the benefit of the sanctioned airlines even though it was hosted on U.S. servers and maintained by a SITA subsidiary in the U.S.

The second involved U.S.-origin software for managing check-in, baggage, and other airline processes that SITA provided to or for the benefit of the sanctioned airlines, although OFAC’s penalty announcement is unclear on exactly how SITA procured and delivered the software.

The third involved a messaging service called TBM that enables communications among parties in the air travel industry, with SITA routing messages to, from, or relating to the sanctioned airlines through servers that happened to be located in Atlanta, Ga.

Penalizing SITA for the first two types of violations continues past OFAC enforcement practices targeting non-U.S. companies that serve sanctioned customers by using a U.S. subsidiary to deliver services or by procuring items from the U.S.

In contrast, punishing the routing of TBM messages through U.S. servers appears to be the first time OFAC has penalized the mere routing of information through U.S. computer servers.

Although OFAC has long prohibited using U.S. servers for non-U.S. business with sanctioned countries and parties, the case against SITA represents a new frontier for OFAC. It is the first non-U.S. IT company to be penalized by OFAC for sanctions violations, and the first company to pay a large settlement merely for routing otherwise lawful transactions through U.S. computer servers.

Two Important Lessons

The case thus presents two important lessons. First, OFAC is willing to penalize non-U.S. companies merely for routing transactions with sanctioned countries or parties through U.S. servers, possibly even when those transactions have no other U.S. nexus. The risk of such penalties is relevant to non-U.S. technology companies situated similarly to SITA and also to those companies’ non-U.S. customers, which could face exposure under the same theory of liability.

Non-U.S. technology companies should take stock of their reliance on U.S. computing resources and consider whether they can lawfully serve customers doing business in sanctioned countries or with sanctioned parties.

As a practical matter, the globally interdependent nature of IT infrastructure and cloud services can make it difficult for many non-U.S. technology companies to guarantee total independence from U.S. servers. Likewise, non-U.S. companies cannot expect to operate outside of OFAC enforcement jurisdiction simply by turning to IT service providers based outside the U.S.

Using IT services to conduct business with targets of American sanctions may be risky regardless of where the service provider is headquartered, and companies may find themselves increasingly forgoing such business altogether.

Second, and more broadly, the SITA case is a leading example of OFAC’s recently articulated commitment to bringing enforcement cases against companies in industries that OFAC has not traditionally pursued.

Traditionally, OFAC has targeted financial institutions and oil and gas companies, along with manufacturers, exporters of physical goods, and logistics providers. Last year, however, OFAC publicly acknowledged its interest in pursuing a wider range of targets.

All the more reason, then, for even non-U.S. companies in industries with limited historical exposure to U.S. sanctions to examine their sanctions risk profile. Assessing the risks posed by their use of computing resources, including those delivered by non-U.S. IT companies, would be a good place to start.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Eric Sandberg-Zakian is a partner at Covington & Burling LLP in Washington, D.C. He represents clients in criminal cases, civil enforcement actions, and internal investigations involving national security and international trade. He specializes in defending clients in parallel investigations by regulatory enforcement agencies and criminal prosecutors.