6 Ways to Violate OFAC’s 50 Percent Rule

Jan. 18, 2024

The expanding global economy and reliance on digital channels for conducting business are driving the need to ensure all U.S. businesses comply with OFAC regulations—which are becoming increasingly stringent. In response to Russia’s 2022 invasion of Ukraine, OFAC has ratcheted up sanctions. The resulting regulatory scrutiny, paired with the AML Act of 2020 and its heightened focus on technology, makes it critical that institutions revisit their OFAC compliance programs.

When assessing your overall OFAC compliance posture, pay special attention to OFAC’s 50 Percent Rule, as complex ownership structures pose compliance challenges.

The Vast Extent of OFAC’s Reach

All U.S. persons and entities, no matter their industry or size, are subject to OFAC compliance and are prohibited from doing business with anyone OFAC has placed on its Specially Designated Nationals and Blocked Persons (SDN) list.

Financial institutions were historically the most exposed to OFAC compliance risk until the 2001 passage of the USA PATRIOT Act, which broadened the definition of financial institution beyond traditional banks to include the following industries at a higher risk for money laundering and OFAC violations:

- Casinos
- Import/export
- Insurance
- Jewelry/precious gems
- Money service businesses
- Mortgage/real estate
- Nonprofits
- Travel/tourism

In addition, OFAC has issued numerous and costly enforcement actions against these other sectors: energy, technology, electronic payments, transportation, logistics and supply chain.

What is OFAC’s 50 Percent Rule?

OFAC’s 50 Percent Rule imposes sanctions on businesses in which blocked parties hold a combined ownership of 50 percent or more.

While the rule was first addressed in 2008, OFAC released an amended version of its regulations for multiple sanctions programs in December 2022. This update states that an entity’s property and interests in property are blocked if one or more blocked persons own—whether individually or in aggregate, directly or indirectly—a 50 percent or greater interest in the entity.

How does this differ from previous regulations? OFAC’s regulations previously stated that any entity must be considered blocked if it is “50 percent or more owned by” a blocked person. However, new language specifies that an entity is blocked if it is “directly or indirectly owned, whether individually or in aggregate, 50 percent or more by one or more persons” who are blocked. This is not a significant change, but this update formally cements OFAC’s previous interpretation of the rule.

6 Ways to Violate OFAC’s 50 Percent Rule

On its face, the 50 Percent Rule appears straightforward, but complying with it is quite complicated, in large part because OFAC does not publish a list of majority SDN-owned entities. That leaves compliance teams to do the legwork of determining which entities are covered.

Here are six ways that a bank, credit union, money services business or any other business can get tripped up by OFAC’s 50 Percent Rule:

1. Fifty Percent Ownership by One or More SDNs

Exactly as the rule states, if your organization conducts a transaction with an entity that is owned 50 percent or more by one or more SDNs, it has violated the 50 Percent Rule. Barclays Bank was fined $2.4 million by OFAC for doing just that. According to the OFAC enforcement action against Barclays, the activity took place between 2008 and 2013 and involved 159 transactions with an entity that was “owned 50 percent or more, directly or indirectly, by a person identified” on the OFAC SDN list.
This case highlights the difficulty in following the rule to the letter. The enforcement action emphasized that, despite multiple attempts by the bank to improve its OFAC compliance program, Barclays’ screening system “had several limitations” and its “Know Your Customer (KYC) procedures were ambiguous and difficult to follow with respect to the requirement to identify related parties and/or beneficial owners of corporate customers.”

Consider this when evaluating your risk of violating OFAC’s 50 Percent Rule: In 2011, the majority of OFAC fines were less than $25,000. By comparison, 84% of OFAC fines imposed in 2021 exceeded $100,000, 47% were greater than $500,000 and 32% topped $1 million. Violations of the 50 Percent Rule were no exception—with all but two of the 50 Percent Rule-related fines found between 2016 and 2021 exceeding $2 million.

2. SDN-Controlled Entities

While majority ownership can be problematic, entities controlled by an SDN prove even trickier. According to OFAC, “an entity that is controlled (but not owned 50 percent or more) by one or more blocked persons is not considered automatically blocked pursuant to OFAC’s 50 Percent Rule.” However, it warns that such an entity could eventually be placed on the SDN List.

Regarding its 50 Percent Rule, OFAC specifically states that, “U.S. persons should be careful when conducting business with non-blocked entities in which blocked individuals are involved.” Further, they may not “enter into contracts that are signed by a blocked individual.”

With the rise of complex ownership structures—including fractional shares specifically intended to obscure ownership of sanctioned persons, legal entities or countries—financial institutions and other organizations must ensure they conduct vendor due diligence to mitigate the risk of violating OFAC’s rule.

In 2019, Standard Chartered Bank was fined a whopping $657 million for processing transactions for “parties owned 50% or more, directly or indirectly, by persons on the SDN list at the time the transactions occurred,” among other violations. This case involved multiple law enforcement agencies, including the Department of Justice.

3. Significant but Non-Majority Ownership by an SDN

Consider an entity owned 49 percent or even 40 percent by one or more SDNs. It is less than 50 percent ownership, so you can do business with it, right? Not so fast. OFAC “urges caution” whenever an SDN has significant ownership under 50 percent, although it does not provide a specific number. And again, it stresses future possibility, noting that, “such non-blocked entities may become the subject of future designations or enforcement actions by OFAC.”

Dow Jones’ Risk and Compliance unit, which compiles its own Sanctions Ownership Research (SOR) list—a list of entities with 10 percent or more ownership by an SDN—also notes that blocked persons have been known to structure their ownership to avoid triggering the 50 Percent Rule.

4. Russian-Based Entities

Given recent geopolitical and cyber activity, doing business with anyone located in or associated with Russia inherently increases OFAC risk. The U.S. Department of Treasury continues to ramp up sanctions against Russian entities, especially following Russia’s 2022 invasion of Ukraine. OFAC has designated various Russian oligarchs, Russian companies owned or controlled by those oligarchs and senior Russian government officials for sanctions.

In addition, it is important to note that not all Russian persons and entities that have been designated for sanctions have been placed on the SDN List yet. This complicates OFAC compliance.

Finally, it is imperative that U.S. financial institutions understand from whom they are acquiring technology services, as well as with whom their third-party vendors might be interacting.
OFAC’s Cyber-Related Sanctions Program specifically mentions the 50 Percent Rule, and the FFIEC’s 2018 Joint Statement on the same warns that, “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” Downloading a software patch is enough to constitute such a violation.

Before dismissing this as irrelevant to your organization, keep in mind that Russian technology firms span the globe, and their connection to their U.S. subsidiaries is often opaque.

5. Majority-Owned by a Sanctioned Government

In addition to avoiding business with entities that are 50 percent or more owned by SDNs, organizations must also be on the lookout for entities that are majority-owned by a government or country that is subject to a sanctions program. In November of 2018, the French bank Société Générale was fined $54 million for activity occurring between 2007 and 2012 that included, among other things, doing business with a company majority-owned by the government of Sudan.

6. Past Violations and OFAC Enforcement Actions

Keep in mind that even if your organization’s current OFAC compliance program is fully in line with the 50 Percent Rule, it can still be penalized for past interactions that violated it, as evidenced by the enforcement actions described above.

If your organization is aware or becomes aware that a past violation occurred, it is wise to voluntarily self-disclose it to OFAC, because that will typically count as a mitigating factor in reducing the base fine. On the other hand, failing to self-disclose is often cited as an aggravating factor that negatively impacts the final amount of any fine.

Incorporate OFAC’s 50 Percent Rule into Your Compliance Program

Holland & Hart, which provides legal services for financial institutions, describes OFAC’s 50 Percent Rule as “a logical extension of the prohibition on transactions and dealings involving blocked property.” However, “it also adds the substantial burden of an enhanced due diligence exercise.”

No matter if your organization is a traditional bank, money service business, insurance firm or other entity, here are some ways to effectively handle that burden:

- Conduct routine risk assessments of your OFAC exposure.
- Review customer onboarding and ongoing due diligence policies and procedures to ensure that entity ownership is initially identified and continually monitored for changes.
- Review third- and fourth-party vendor management policies and procedures, specifically to include an assessment of their OFAC exposure and compliance programs.
- In addition to screening entity names against the SDN List, screen entity officers, directors and contract signatories of both customers and vendors.
- Upgrade your watch list screening process to cross-reference a database, such as the Dow Jones SOR list, that identifies entities that are owned by sanctioned persons or jurisdictions.

Complying with OFAC’s 50 Percent Rule

While complex, complying with OFAC’s 50 Percent Rule is an effective way to avoid a fine related to the latest sanctions on Russia or any other countries, jurisdictions or persons. Further, OFAC knows that organizations have technology tools at their disposal to screen. As the regulatory environment grows increasingly harsh, make sure you have a firm understanding of compliance risks and ways to avoid violating OFAC sanctions.

Amber Goodrich is a compliance analyst at CSI.