Sanctions: Australian Freight Forwarder slapped with $6M civil liability for OFAC violations

If you thought US Sanctions only applied to US companies or US persons think again:

Toll Holdings Limited, an international freight forwarding and logistics company
based in Melbourne, Australia, will pay $6,131,855 to settle its potential civil
liability for causing at least 2,958 payments to violate multiple OFAC sanctions programs.

This latest enforcement action reflects the US authorities’ determination to hold accountable foreign companies who use the US financial system to engage in commercial activities with OFAC’s list of sanctioned countries and persons.

If you think the penalty amount is low, just remember this amount doesn’t include the legal, investigative and other remediation costs involved.

The company, which has never publicly disclosed the investigation, has reportedly spent more than $200 million on cases brought by OFAC, and other law-enforcement agencies, as reported by the Financial Review in 2020, including dealing with allegations of bribery, customs evasion, corporate collusion and breaching UN Security Council sanctions.

Sanction Violations

As per OFAC Toll acted with reckless disregard for US economic sanctions laws when, over the period of six years, it caused at least 2,958 payments involving shipments from, to, or through
sanctioned jurisdictions or the blocked property or an interest in blocked property of entities
on the SDN List to be routed through US financial institutions.

Toll’s pattern of conduct occurred despite an existing company compliance policy to abide by all applicable sanctions laws, and despite multiple warnings from a US financial institution regarding Toll’s sanctions compliance risks.

Use of USD with Sanctioned entities

Between January 2013 and February 2019, Toll originated or caused to be received
2,958 payments (totaling approx. $48,409,909) in connection with sea, air, and rail shipments to, from, or through the DPRK, Iran, or Syria, or on the SDN List.

These payments were in connection with sea, air, and rail shipments conducted by Toll, its affiliates, or suppliers. The payments were processed through at least four financial institutions in the United States or foreign branches of financial institutions incorporated in the United States (presumably in USD)

The payments involved OFAC designated parties or sanctioned nations:

  • Mahan Airlines ( privately owned Iranian airline)
  • Hafiz Darya Shipping Lines Company ( which acts on behalf of Islamic Republic of Iran Shipping Lines; according to the U.S. Department of the Treasury)
  • The remainder of the transactions comprised payments made for shipments to, from, or transshipping through the DPRK, Iran, or Syria.

Invoicing sanctioned and non sanctioned entities

The payments were handled by Toll’s 23 overseas units spread across Asia, Europe, the Middle East, and North America.

The Toll businesses would routinely remit and receive payments in settlement of invoices for services performed by Toll for entities, as well as between Toll and its customers, agents, suppliers, and other outside business partners.

Often, Toll initiated or received payments to or from a person for a single shipment settled by one
invoice.

Toll would also frequently make or receive payments that involved multiple shipments
pertaining to a single invoice with a particular affiliate, supplier, or customer, or spread a single
shipment charge across several invoices; variations on this basic arrangement were also employed.

In these instances, the payment amount associated with the sanctioned country or person was a portion of a larger amount consisting of non-sanctioned country or person payments.

Complex payment and invoicing arrangements, can pose sanctions risks when linkages to sanctioned jurisdictions or persons are obscured, or when mechanisms to preclude their involvement
with US financial institutions are absent or not implemented effectively.

Insufficient Sanction Policies and Controls for its Size

OFAC found that on processing such payments through U.S. financial institutions, Toll failed to adopt or implement policies and controls that prevented it from violating US Sanctions.

Over the years, Toll substantially expanded its operations. While Toll had a sanctions compliance policy in place, its compliance program, personnel, and associated controls failed to keep up with the pace and complexity of its growing operations.

With approximately 1200 agents, franchises, offices, and affiliates, procuring and providing commercial freight services worldwide, Toll is considered a commercially sophisticated company and a major global freight forwarder.

OFAC emphasizes here the importance of putting in place strong internal controls and procedures to govern payments involving affiliates, subsidiaries, agents, or other counterparties
when any of them conduct business with sanctioned jurisdictions or persons.

Sanctions Prior Knowledge & Obscuring of Transactions

Some Toll personnel knew that the payments were in potential violation of U.S. sanctions. By 2015, one of Toll’s banks  restricted a Toll subsidiary’s use of its US dollar account after identifying a US dollar transaction involving Syria.

Concerned that the inclusion of this Syrian-related payment would disrupt a separate, large impending internal transfer, a Toll employee at its headquarters’ treasury office sent an email instructing employees in Toll’s UAE and South Korea affiliates to avoid including the names of sanctioned jurisdictions on invoices going forward.

Thereafter, the Bank continued to raise concerns with Toll over its compliance with U.S. sanctions,
including potentially violative payments involving U.S. banks.

To address these risks, Toll was required to provide supporting documentation to show transactions did not involve a sanctioned interest before the Bank would process funds transfers, and to confirm that its payments did not violate U.S. (and other countries’) sanctions regulations.

OFAC found it an aggravating factor that upon learning of problematic transactions and entering into its initial engagement with the Bank, Toll did not take immediate or adequate steps to address and stop its processing of transactions with sanctioned entities via the US financial system.

The Final Straw

In July 2015, the CEO of one of Toll’s operating divisions sent an email to its employees reminding them of its international sanctions compliance obligations. Potentially problematic payments and apparent control deficiencies continued to be a concern of the Bank, however, and in June 2016, after evaluating Toll’s controls and deeming them unacceptable, the Bank threatened to terminate its relationship with Toll.

To maintain its account, Toll reiterated its commitment to abide by all applicable sanctions laws and requirements and attested to the Bank that Toll did not participate in prohibited transactions with sanctioned jurisdictions.

Effective June 2016, Toll decided to cease all business with U.S.-sanctioned countries, due to
ongoing compliance risks. However, despite Toll’s compliance office repeatedly instructing
business units that Toll must not be involved with any shipments to U.S.-sanctioned countries
thereafter, Toll did not implement the compliance policies and procedures necessary to prevent
payments involving sanctioned persons through the U.S. financial system.

Neither did Toll test whether shipments involved persons located in U.S.-sanctioned countries.

Ultimately, in February 2017, Toll introduced “hard controls” that disabled the country and location codes for ports and cities in sanctioned countries in its freight management system, thereby preventing shipments to or from sanctioned countries.

Mitigating Factors

Of the 2,958 payments that caused the apparent violations, 2,853 occurred before Toll implemented these hard controls. Toll subsequently retained an accounting firm to conduct a detailed forensic examination of its payment practices with respect to sanctioned jurisdictions and persons and disclosed its findings to OFAC. OFAC considered this case a non-egregious case, partly because Toll voluntarily self-disclosed the Apparent Violations and extensively cooperated with OFAC.

The additional actions Toll took to remedy its compliance gaps are frankly a textbook case of what conduct a company should be doing:

o Conducting a risk-mapping exercise to identify the root causes of the compliance
lapses and instituting appropriate remedial measures and targeted controls;
o Developing and implementing an audit plan that has resulted in recommendations
and further implementation of changes to its remediation efforts;
o Restructuring its compliance division to address procedural issues and streamline
approaches to sanctions screening, and granting elevated sanctions-related
responsibilities to its most senior compliance executive;
o Implementing a sanctions compliance training program for all relevant employees,
training more than 500 employees across five countries;
o Implementing “hard controls” within its freight management system that disabled the
ability to book shipments involving sanctioned jurisdictions;
o Applying its sanctions compliance standards to anyone acting on behalf of Toll,
including but not limited to Toll’s representatives, consultants, agents, brokers, and
subcontractors;
o Risk-based screening of transactions, third parties, and agents with whom Toll does
business against its internal sanctions lists, to include the SDN List as well as other
less-restricted parties lists; and
o Ending all franchise relationships, as part of a broader risk-mitigation strategy, and
introducing enhanced due diligence measures for on-boarding agents, as well as
instituting a due diligence screening process where all third parties adhere to the
same compliance standards as Toll.

Sanctions Compliance Program Reminders:

This enforcement action reminds us that non-U.S. persons should adopt a sanctions compliance program when their activities rely on the use of U.S. financial institutions or otherwise involve U.S. persons or a U.S. nexus.

This was abundantly detailed in OFAC’s Framework for Compliance Commitments.

“OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities
that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing,
and routinely updating a sanctions compliance program (SCP).”

Non-U.S. persons that seek to conduct business involving U.S. persons or the United States, including processing transactions through the U.S. financial system, should ensure their compliance policies contain adequate measures to prevent violations.

Having your management issue reminders of compliance policies is not enough, and may not result in concrete changes as highlighted in this example.

Particular attention ought to be paid when merging with or acquiring other entities, especially, when a group is expanding rapidly, and disparate information technology systems and databases are being integrated across multiple entities.

In such cases, the need to adequately resource compliance functions, including compliance personnel and sanctions-related technology and systems, is especially important.

 

Need Export Controls or Sanctions Assistance?

Does your company have export compliance or sanction risks, but you are understaffed, lacking the necessary expertise, or unsure of what is the most appropriate course of action?

Compliantly’s consultants & partners will help you reduce the risk of potential EAR, ITAR, and OFAC violations.

Tap into our expertise, when needed, through:

  • a retainer for on-call services
  • assistance with your risk assessment and analysis
  • due diligence of your clients, third parties, and beneficial owners
  • Virtual or In-person compliance training and development

We keep a close eye on regulatory and legal developments to provide you with the export & sanction compliance answers when you need them.

For more details feel free to contact us.

 

 

 

Leave a Reply

%d bloggers like this: