Consumer Electronics Daily was a Warren News publication.

OFAC Fines Apple After Internal Screening Doesn't Catch Customer's Addition to SDN List

Apple was fined about $465,000 for violations of the Foreign Narcotics Kingpin Sanctions Regulations after it hosted, sold and “facilitated the transfer” of software applications and content belonging to a sanctioned company, the Treasury’s Office of Foreign Assets Control said in a Nov. 25 notice. Apple allegedly dealt in “the property and interests” of SIS d.o.o., a Slovenian software company added to OFAC’s Specially Designated Nationals List in 2015.

On the same day that OFAC added SIS to its SDN List, Apple’s sanctions screening tool failed to detect that SIS had been added, the notice said. Apple said this was due to its sanctions screening tool’s “failure to match the upper case name ‘SIS DOO’ in Apple’s system with the lower case name ‘SIS d.o.o.’” Apple’s screening system also did not catch Savo Stjepanovic, the director and majority owner of SIS, because he was listed as an “account administrator” in Apple’s system, and its screening tool only identified individuals labeled as “developers.” Although Apple’s listed address for SIS matched the address published by OFAC, Apple did not “identify” SIS as a sanctioned company until two years later, OFAC said.

After SIS was sanctioned, Apple continued to “host software applications and associated content (‘apps’) owned by SIS on the App Store,” allowing downloads and sales and receiving payments from App Store downloaders. The downloads and sales allowed SIS to sell its apps to two other developers, which OFAC called the “Second Company” and the “Third Company.” The owner of the Third Company “took over the administration of SIS’s App Store account and replaced SIS’s App Store banking information with his own banking information,” OFAC said. “These actions were all conducted without personnel oversight or additional screening by Apple.”

Apple discovered that SIS was a sanctioned party after improving its sanctions screening tool in 2017, OFAC said. Apple stopped all payments related to SIS, which was “administered by the Third Company, and whose owner was receiving payments from Apple,” the agency said. But Apple continued to make payments to the Second Company for the “blocked SIS apps” it had received in 2017, the notice said. Apple made 47 payments associated with the blocked apps, earning more than $1.15 million over 54 months.

Apple voluntarily disclosed the violations, which constituted a non-egregious case, OFAC said. Mitigating factors included that the “volume and total amount of payments” was “not significant” compared to Apple’s annual transactions, the fact that Apple had not committed a violation within the last five years, and the fact that Apple responded to OFAC requests in a “prompt manner.” Apple also improved its compliance measures, including increasing the role of its sanctions compliance senior manager in the “escalation and review process”; reconfiguring its primary sanctions screening tool to “fully capture spelling and capitalization variations and to account for country-specific business suffixes”; and expanding sanctions screening to app developers, their “designated payment beneficiaries” and associated banks. Apple also updated its sanctions compliance employee instructions and introduced mandatory employee training on export and sanctions regulations.

Aggravating factors included the number of violations, the “multiple points of failure within the company’s sanctions compliance program,” Apple’s “reckless disregard” for U.S. sanctions, and the fact that Apple’s payments “conferred significant economic benefit” to SIS and its owner. OFAC also considered Apple a “large and sophisticated organization” with experience in international transactions and said that, in certain instances, Apple “failed to take corrective actions in a timely manner” after discovering SIS was a sanctioned party.

OFAC said the penalty highlighted the benefits of a comprehensive SDN screening list that “utilizes all of the information on the SDN List.” The agency also said companies should “anticipate potential vulnerabilities” in their compliance programs and “include preventative measures that alert and react to sanctions evasion warning signs.”
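The three screening gaps described in the notice (capitalization and suffix punctuation, role-restricted person checks, and an unused address match) can be shown in a short sketch. This is an added example, not Apple's or OFAC's code; the record layout, function names, suffix list and placeholder address are assumptions, and only the two names come from the article.

```python
import re
import unicodedata

# Constructed, deliberately short suffix list; real screening needs a maintained per-country list.
BUSINESS_SUFFIXES = {"doo", "llc", "ltd", "inc", "gmbh", "ag", "sa"}

def tokens(text):
    """Fold accents, case and punctuation: 'SIS d.o.o.' and 'SIS DOO' both give ['sis', 'doo']."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = text.replace(".", "")  # 'd.o.o.' -> 'doo'
    return re.findall(r"[a-z0-9]+", text)

def name_key(name):
    """Order-independent key without business suffixes ('STJEPANOVIC, Savo' == 'Savo Stjepanovic')."""
    core = [t for t in tokens(name) if t not in BUSINESS_SUFFIXES]
    return tuple(sorted(core or tokens(name)))

def address_key(address):
    return tuple(tokens(address))

def screen(account, sdn_entries):
    """Return (account_field, sdn_name, reason) hits to escalate for manual review."""
    # Screen the legal name and every associated person, whatever their role label.
    candidates = [("legal_name", account["legal_name"])]
    candidates += [(f"person:{p['role']}", p["name"]) for p in account["people"]]
    hits = []
    for entry in sdn_entries:
        for field, value in candidates:
            if name_key(value) == name_key(entry["name"]):
                hits.append((field, entry["name"], "name"))
        # Use the listed address as well, not only the name.
        if entry.get("address") and address_key(entry["address"]) == address_key(account["address"]):
            hits.append(("address", entry["name"], "address"))
    return hits

# Constructed sample data: names are from the article, the address is a placeholder.
SDN = [
    {"name": "SIS d.o.o.", "address": "1 Example Street, Exampleville"},
    {"name": "STJEPANOVIC, Savo", "address": None},
]
ACCOUNT = {
    "legal_name": "SIS DOO",
    "address": "1 EXAMPLE STREET, EXAMPLEVILLE",
    "people": [{"role": "account administrator", "name": "Savo Stjepanovic"}],
}

if __name__ == "__main__":
    for hit in screen(ACCOUNT, SDN):
        print(hit)
```

Stripping suffixes raises recall at the cost of more false positives, so hits from a key like this feed a review queue rather than an automatic block.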