
Why OFAC Sanctions Compliance Is Important For Software Companies

Sanctions impose restrictions on commerce with specific individuals, entities, and states, and export controls impose limitations on the distribution of particular products and services, including software and applications. This article explains why sanctions compliance is vital for software companies, describes industry best practices, and gives an example of a software company that did not comply with sanctions regulations.

What Is Sanctions Compliance?

Sanctions compliance is a company’s legal framework for mitigating liability arising from financial activity with sanctioned entities and individuals. It is an essential component of practical financial crime prevention online, since severe penalties are on the line.

Software companies should not only screen customers but also try to identify payments that originate from sanctioned sources. Compliance with sanctions regulations entails much more than checking a list of restricted companies and individuals: leaders should stay current on the latest regulatory information and pair it with appropriate screening technology.

Two agencies administer United States government sanctions: the Office of Foreign Assets Control (OFAC), which is responsible for licensing and oversight of economic sanctions; and the Bureau of Industry and Security (BIS), which is responsible for licensing certain exports and re-exports of technology and goods originating in the United States, as well as foreign manufactured goods that incorporate United States technology.

Essential Components of Sanctions Compliance Management

OFAC collaborates closely with other federal agencies and the intelligence community to develop sanctions programs, frameworks, and models that advance US foreign policy and national security goals. The five essential components of sanctions compliance management recommended by OFAC are summarized below:

Component 1. Managerial Commitment

Managerial commitment is vital for top-down buy-in. OFAC expects senior management to demonstrate that commitment by reviewing and approving the software company’s sanctions compliance program. OFAC also encourages companies to foster communication between senior and lower-level management to improve compliance.

The agency also prefers that companies appoint a sanctions compliance officer who understands both the organization’s technology systems and the sanctions that apply to them. Managers should take measures that promote sanctions compliance and communicate that any violation is a serious matter.

Component 2. Periodic Risk Assessments

OFAC recommends that entities take a risk-based approach to their sanctions compliance program. When conducting a risk assessment, it is vital to identify prospective risks that could lead to sanctions violations as they relate to your company’s technological offerings, customers, and payment safeguards. A complete risk assessment program should prevent or limit potential breaches while still allowing the seamless onboarding of customers and payments that the agency expects.

Component 3. Internal Controls

Effective sanctions compliance programs should have specific internal controls guided by OFAC rules and regulations. Those controls should also be kept current with the sanctions programs and the Specially Designated Nationals (SDN) list.

Internal controls may include:

  • Identifying weaknesses before potential violations occur
  • Preparing a written sanctions compliance policy
  • Implementing internal enforcement policies
  • Maintaining and retaining records as required by all applicable sanctions programs
  • Remediating any identified internal weaknesses immediately

For more information about sanctions violations, you can review a complete copy of the full SDN list on OFAC’s website.

Component 4. Testing and Auditing

OFAC also underscores the need to test and audit the various parts of the sanctions compliance program. Ensure that your leaders address red flags across the board. These protocols should identify internal and external weaknesses and deficiencies, which senior management then manages strategically while guiding other key employees toward compliance.

Component 5. In-House and Remote Employee Training

OFAC recommends implementing and maintaining robust training programs based on risk assessment results and organizational profiles. Customize training for your industry, especially for employees and managers at higher risk of potential sanctions violations. Companies should fully commit to adequate training so that sanctions violations are prevented in the first place.

You can download a PDF of the expanded guidelines from the OFAC website.

Software Transfers Must Comply with Sanctions

Due to the global nature of information technology, software, websites, and applications are distributed worldwide, often with just a few clicks. This reach can have unwanted legal consequences for an organization if its software is distributed to a foreign government or to individuals sanctioned by the United States government.

Penalties for Sanctions Violations

The government enforces sanctions against certain countries, foreign governments, and SDNs to advance US foreign policy and national security objectives. Congress has the power and authority to enact economic sanctions legislation, while OFAC administers and enforces the relevant regulations. OFAC violations can result in civil and criminal penalties ranging from several thousand to millions of dollars, with up to 30 years of imprisonment.

Here’s a closer look at how these charges add up:

  • Trading with the Enemy Act Violations: Up to $50,000 per civil violation, $1 million in criminal penalties, and 20 years in prison
  • International Emergency Economic Powers Act (IEEPA) Violations: Up to $308,000 per violation
  • Foreign Narcotics Kingpin Designation Act (FNKDA) Violations: Up to $10 million in fines, with individuals facing up to ten years of imprisonment

The severity of the penalty is determined by the nature of the offense and the number of prior convictions. Accused parties must mount an expensive legal defense to fight the charges.

Software Transfer Sanctions Exist on These Products

Software companies should pay special attention to which sanctions laws apply to them. Technological sanctions cover the following goods and services:

  • Physical software products (although rare in today’s world)
  • Cloud-based software and applications
  • Mobile phone applications
  • Software-as-a-service (SaaS) products
  • Other software delivery methods

Limitations on software transfers to sanctioned nations apply to retailers, developers, IT service providers, and customers alike.

Rules Are Applicable By Location

OFAC regulates software and applications differently depending on the regulations for the relevant country, so software transfers to different countries receive different treatment. For instance, the Libya Sanctions Regulations allow transfers of tangible goods and services, including software, except as specifically outlined in Executive Order (EO) 13566, which prohibits transfers to officials of the Libyan government and central bank.

End-User Screening Is Essential

By implementing an effective end-user screening program, businesses can strengthen their OFAC compliance. A strong end-user screening program enables a software provider to ensure that its software is not sold to an embargoed country, an SDN, or a blocked individual, or for the benefit of the government of an OFAC-embargoed country.

Perform Due Diligence on Payments

Those subject to US jurisdiction who receive payments from OFAC-designated countries should conduct thorough due diligence to ensure that OFAC permits such payments without requiring a government license. If the underlying payment is made by an SDN or another blocked party, costly complications may ensue. Speak with a business lawyer near you if you have specific questions about your situation.

Example of Sanctions Violations by Software Companies

In April 2021, the US government initiated litigation against a German software company for alleged US sanctions violations, as reported by Reuters.com. According to agency notices, between 2010 and 2018 the software company supplied software and cloud-based services from the United States to third parties while having reason to believe the offerings would be used or purchased by Iranian users or customers.

The violations took place in two ways:

  1. It sold software licenses to parties in Turkey, the United Arab Emirates, Germany, and Malaysia that resold them to third parties in Iran
  2. Its subsidiaries helped over 2,000 Iranian users access cloud services hosted in the United States


Ultimately, the company voluntarily disclosed the issues, cooperated with investigators, and significantly improved its export controls and sanctions compliance program. The company paid $8.3 million in fines to resolve the case.

This figure does not account for the total cost of investigating and resolving the issues at hand. The company spent more than $27 million on remediation, which was cited as a significant mitigating factor. The software company also agreed to three years of third-party compliance audits.

Lessons to Learn From This Case

This case is the most recent sanctions enforcement action involving the online provision of goods or services. As with previous announcements, there are several takeaways for the technology industry and for businesses that operate online:

  • Lesson 1. Data Accessed From US Servers Is an Export: Sanctions and export control laws enacted by the United States have a broad reach. This case demonstrates that providing services from US servers and downloading software from them are considered “exports” and may be subject to approval by OFAC and the Department of Commerce.
  • Lesson 2. Always Perform Intermediary Due Diligence: The case demonstrates how intermediaries can expose a business to liability under US sanctions and export control regulations. Appropriate due diligence, controls, and monitoring of distributors and resellers are critical in any industry, and even more so when a US company lacks complete visibility into the identities of the end users of its goods or services.
  • Lesson 3. Intermediaries Are Not “Risk-Free”: The software company permitted subsidiaries to operate independently despite being aware that those subsidiaries lacked adequate sanctions compliance programs. Companies must ensure that non-US affiliates maintain sufficient controls, particularly following the acquisition of new entities.
  • Lesson 4. Compliance Teams Matter: The company relied on its US-based compliance team. However, the team was underfunded, lacked the authority to manage the processes, and ran into resistance from the subsidiaries. OFAC emphasized in its notice that compliance teams must be adequately resourced and empowered to implement compliance controls in response to identified risks.
  • Lesson 5. Train Employees Adequately: Employees based outside the United States oversaw sales of US-based offerings and traveled to Iran. Corporations with a US presence should educate all relevant employees about the red flags to identify and report.


Auditors identified the absence of IP address geoblocking as a sanctions compliance risk in 2006, but the company did not implement adequate controls until 2015. OFAC stated that by failing to act on the audit findings the company was negligent with respect to US economic sanctions, and it cited that failure as an aggravating factor.

Summary and Final Thoughts

With global tensions at an all-time high, it is more critical than ever for software companies to ensure that their products are exported to and used only by entities not subject to trade sanctions. Sanctions may be imposed by an international organization or by an individual government such as the United States.

An embargoed entity can be an entire nation or a specific organization that has been subjected to trade restrictions for military, economic, or political reasons; the restrictions exert pressure on the country’s government by prohibiting exports and imports of specific goods and services.

Software Companies Face Unique Challenges

Software companies must contend with the illegal export or transfer of their products to sanctioned countries. It is unlawful to sell or transfer US software, hardware, and other products to them. However, software is easily obtained over the internet, which makes illicit software in embargoed countries a serious issue.

Strengthen Your Software License Programs

It is becoming increasingly critical for software vendors to implement a license compliance program that identifies and controls illegal use of their software in sanctioned countries or by sanctioned entities. A robust program can help software vendors identify and reduce illegal usage of their products and confirm whether or not their software is being used in embargoed countries.

Combating software piracy requires sophisticated tools and capabilities for taking action against infringing entities. Additionally, software vendors must track the location of illegal usage to avoid violating US or international trade sanctions. Detailed evidence and a well-coordinated investigation strategy can help resolve piracy issues, which may include license transfers or re-exports to sanctioned countries. Always seek legal and professional help if you need advice and guidance.



About sanctions.io

sanctions.io is a comprehensive Anti-Money Laundering solution with a simple to integrate API which companies can use to continuously scan their clients and business partners against the most important Sanctions & Crime Lists. Start your 7 Day FREE TRIAL right here.



Photo by ThisisEngineering RAEng on Unsplash
