Consumer Data Collection Also Creates OFAC Compliance Requirements


Post By: Ernesto Grijalva

Handling consumer data creates more than privacy obligations. While the application and expansion of privacy laws have been the dominant topic at compliance conferences for many years, compliance officers need to be mindful of the concomitant responsibility to comply with the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) regulations, which require you to know with whom you are doing business.

Ever-expanding customer loyalty programs and online sales make it ever more likely that all businesses, even predominantly brick-and-mortar retailers, will know their customers’ legal identities. Knowing your customer’s identity generates an obligation to use that information in a compliance program designed to prevent transactions with a listed individual, country or entity appearing on OFAC’s Specially Designated Nationals And Blocked Persons List (“SDN list”).

The obligation exists even if your business is strictly domestic, i.e. with no presence, operations, personnel or sales outside the U.S. While it is true that the focus of OFAC enforcement to date has been on foreign activities and/or financial institutions (where risk is greatest), OFAC regulations do not provide exemptions for strictly domestic operations and transactions. The regulations also have no monetary threshold. Therefore, theoretically, if a customer’s name appears on the SDN list or if the person is affiliated with a country or entity on the list, any strictly U.S. business could be prosecuted for selling even a candy bar to a prohibited party. (Engaging a remote software technician who is named on the SDN list, is from a listed country, or is affiliated with a listed entity would be equally prohibited.) Ignorance that the person with whom you conducted a transaction could be found on the SDN list or is a citizen of a country on the list, while possibly extenuating, is not a defense.

Must you consult the SDN list before every transaction? The short answer for strictly domestic corporations would appear to be “not necessarily.” But there is little guidance on exactly when you would not need to check. The trite legal axiom applies here: “it depends on the facts.”

Department of Treasury guidelines measure compliance programs proportionate to the risk presented. For OFAC, an acceptable risk-based sanctions compliance program depends on its assessment of the five essential components of your business’s program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. In a nutshell, it’s an assessment of whether your effort to prevent a violation was proportionate to the potential risk. Arguably, anyone physically in the U.S. using a credit card or bank account affiliated with a U.S. financial institution would not likely be listed on the SDN list, as that individual would have had to overcome safeguards developed by the Department of Homeland Security and financial institutions in order to be in a position to undertake such a transaction. Therefore, the risk being lower, the steps required to prevent such a prohibited transaction in the U.S. would be lower. Arguably.

Practically, if you complete an SDN-list-prohibited transaction, there will have been a sanctionable violation, no matter how many indicia you can point to as indicative of the improbability of a prohibited transaction. For that reason many U.S. auto dealerships run an SDN list check before any transaction.

For foreign operations the compliance requirements are significantly more complicated. For example, it is not uncommon for SDN-listed individuals and entities to engage surrogates (“prestanombres” or name lenders) to complete an OFAC-prohibited transaction; the true ownership of real estate can be disguised behind multiple sham transactions. Because the risk is greater, the requirements are greater and more complex. There are also ways to ease foreign subsidiary compliance program requirements. In some cases, OFAC will provide enforcement exceptions to otherwise sanctionable transactions. For example, OFAC “general licenses” are available for travel to Cuba and for sale of some products such as agricultural commodities. OFAC “specific licenses” may be available if your foreign subsidiary’s refusal to transact with an SDN-listed person or entity violates the laws of the foreign jurisdiction in which a U.S. entity is transacting business (e.g., a constitutional prohibition against discrimination because of nationality). There are no specific guidelines for determining when OFAC licenses may be granted. Each request is considered on a “case-by-case” basis. Licenses only work prospectively, so even if you are convinced a specific license is inevitable, apply for the license first.

Ultimately, there is no one-size-fits-all OFAC compliance program. Most businesses turn to software as the most practical solution, but there is no foolproof method to prevent a violation. Although checking your customer’s name against the SDN list before every commercial transaction is not expressly stated as a requirement, it is probably the most effective way to ensure compliance. It is also likely the least practical and least fiscally responsible way for all but a very select number of businesses. Designing a fiscally responsible OFAC compliance program that falls short of that level of scrutiny can be complicated. If you are not fully familiar with and/or fully confident of your existing OFAC compliance program, be prepared to allocate time to reviewing and designing the program that best fits your company’s needs. Remember, the resources you commit to assessing your company’s needs and designing your company’s program might some day be considered in determining management’s commitment . . . and management commitment is the first factor of an acceptable risk-based sanctions compliance program.


  1. Should the total cost of building permanent databases or data centers be borne and paid directly by the IT business leader to the hosts of the site before or during the migratory periods from temporal databases, or should that be left to the business partners and stakeholders to take care of on behalf of the businesses or companies? Either way, as an IT business leader I think it will be a good idea to have in my possession all the documents and certificates of ownership of such permanent and modern data hubs, with copies made available to the hosts of the sites as well, if applicable, before or during the migratory period. This will boost the confidence and security levels of the business as well as enhance productivity after migrating. Meanwhile, the cost of maintaining and building temporal databases as well as payment of monthly salaries and wages of employees should or could be taken care of by the business leader. As always, advice, suggestions and views of business partners and stakeholders concerning this issue will be very much expected, welcomed and appreciated.
