Sanctions and Anti-Corruption Enforcement in 2017: Lessons for the Pharma Industry in 2018 and Beyond

With the potential for significant penalties resulting from violations of U.S. sanctions and anti-corruption laws and regulations, ensuring compliance with such laws and regulations is a critical part of conducting business in today’s global economy. For example, violations of U.S. sanctions can result in potential civil penalties of up to a maximum of $295,141 or twice the value of the transaction per violation. Violations have resulted in companies being assessed penalties in the hundreds of millions of dollars. In addition to the potential for significant penalties, violations can also result in costs associated with responding to requests from governmental authorities, a loss of export or government contracting privileges, and reputational damage.

The pharmaceutical industry is not insulated from these risks, and certain aspects of the industry magnify these risks. For example, diligence on sales agents and representatives can be imperative to guard against risks of such persons engaging in transactions with sanctioned parties or destinations or engaging in corrupt activities. In addition, screening and due diligence regarding distributors and end-users to identify red flags associated with U.S. sanctions and for corruption is also important; this includes being aware of any connections of customers and end users to governments and government entities (e.g., individuals employed by state-owned hospitals). The availability of certain general licenses under U.S. sanctions for transactions involving medicines and medical devices can also create risks, as persons relying on a general license must ensure that all requirements of and conditions for the use of the general license are met. Ensuring that a compliance program addresses the risks associated with the company’s activities and with the industry is an important step for protecting against potential liability.

However, maintaining an effective compliance program is an ongoing process. A truly effective compliance program requires updates to account for revisions to the relevant regulations, changes to the business or business activities, and risks based on the enforcement priorities of the relevant agencies. Understanding enforcement actions can provide valuable insights into an agency’s priorities, as well as the expectations of the regulators.

The table below, in the online version, describes, in broad terms, the U.S. Treasury Department, Office of Foreign Assets Control’s (“OFAC”) settlement actions between 2012 and 2017.

In 2017, OFAC published information related to its entry into 15 settlement agreements and its issuance of one penalty assessment. Although this number is nearly twice that of 2016, in which OFAC published information related to nine settlements, the number of settlements in 2017 is consistent with the number of settlements in 2015 and 2012 and less than the number of settlements in 2013 and 2014. On average, OFAC entered into 18 settlements per year over this six year period.

In addition, OFAC continued to impose significant penalties for violations of the sanctions, with the highest settlement amount being over $100 million. Further, while the combined total amounts of settlements in 2017 ($119,527,845) was significantly greater than in 2016 ($21,609,315), it was less than in 2012, 2013, 2014, and 2015.

It is important to understand, however, that neither the number of settlement agreements or total settlement amounts in a given year provides a determinative assessment of the attention paid to enforcement activities in that year. One of the reasons for this is that settlements entered into a given year often reflect investigation and enforcement activities that occur over one or more preceding years. Second, the settlement amounts reflected in the table above reflect amounts paid to OFAC and do not in all cases reflect the total penalties paid. Companies will in some cases enter into global settlements with OFAC and other agencies in connection with identified violations; penalties paid to such other agencies are not reflected in the above table. In 2017, for instance, OFAC, the U.S. Commerce Department, and the U.S. Justice Department entered into a global settlement with a total penalty of more than $892 million, of which OFAC’s portion was over $100 million.

Even when unaccompanied by penalties from other agencies, OFAC’s penalties are significant. Since 2012, OFAC has entered into eight settlement agreements of which each levied penalties in excess of $100 million, with the largest penalty in excess of $963 million.

In addition to the 16 settlement actions, OFAC issued three findings of violation, in which OFAC determined that violations of U.S. sanctions regulations occurred but imposed no monetary penalty.

It should be noted that healthcare is among the industries frequently impacted. For example, in the past five years, more than 10 enforcement actions involved companies in the healthcare sector, including medical device and equipment companies. Overall, the financial services, healthcare, shipping, and oil and gas industries remain high-risk areas, with 13 of the 19 settlements and findings of violation in 2017 involving those industries. Companies in these industries, in particular, should ensure that they have in place compliance programs that address sanctions compliance risks for those industries.

Among the themes from OFAC’s published settlement actions in 2017 are the following:

  1. Continued focus on Iran;
  2. Screening remains critical;
  3. Compliance programs should address risks associated with facilitation, evasion, and causing a violation of the sanctions;
  4. OFAC asserts broad jurisdiction; and
  5. Compliance programs should address considerations related to actions by non-U.S. subsidiaries of U.S. companies.

1. Continued focus on Iran: Companies should ensure that their compliance programs address risks related to dealings involving Iran and the Government of Iran.

Ten settlements and each of the findings of violation issued by OFAC in 2017 involved violations of the Iranian sanctions, including:

Settlements with U.S. Companies

  • Sale or supply of items to third parties with knowledge or reason to know that those items were intended for Iran
  • Provision of insurance for shipments of goods and materials destined for Iran
  • Import of Iranian origin services
  • Approval or facilitation of payments to providers of Iranian origin services
  • Transshipment of items to a third country via Iran
  • Dealing in property or property interests of the Government of Iran

Settlements with Non-U.S. Companies

  • Re-export of U.S. origin goods to Iran
  • Processing accounts through the United States on behalf of Iranian entities
  • Evading, avoiding, and conspiring to violate the sanctions against Iran and causing violations of the U.S. sanctions against Iran

Companies should ensure that their compliance programs address risks associated with potential dealings involving Iran. While the secondary sanctions relief that accompanied the implementation of the Joint Comprehensive Plan of Action (“JCPOA”) may create some additional opportunities for the pharmaceutical industry, the primary sanctions against Iran remain in place and certain secondary sanctions triggers remain. Companies should ensure that they conduct due diligence on buyers and distributors and have in place processes that will flag and hold sales of goods that involve red flags indicating that the ultimate recipient may be located in a sanctioned destination. In addition, companies should ensure that they have in place mechanisms to prevent their shipments transiting through sanctioned destinations on their way to their final destination and to identify whether any transaction (including any financial services, insurance, or other services to be provided) may have a nexus to a sanctioned destination.

Risks are not limited to U.S. companies. Non-U.S. companies should ensure that their compliance programs address risk areas such as the resale of U.S.-origin goods to Iran or dealing with third parties on behalf of entities or persons in sanctioned destinations.

2. Screening remains critical: Companies should ensure that they are screening their business partners and transactions.

Additionally, OFAC’s settlements reflect the agency’s expectation that companies screen transactions and parties for individuals or destinations subject to sanctions.

Several of the settlements explicitly cited screening lapses that led to the violation. In one case, the failure to screen included the failure to identify a possible nexus to a sanctioned destination or individual prior to processing transactions through the U.S. financial system. OFAC also took the position that the prohibition on dealing with an SDN applies to any dealings involving the SDN, regardless of whether the SDN is acting in a personal or professional capacity. Under this interpretation, the entry by a U.S. person into a contract signed by an SDN would constitute a prohibited dealing in the service of an SDN. This position creates an expectation for screening to be conducted of the entities with which a company is doing business and of the individuals with whom a company deals, including the individuals who will sign contractual documents.

Companies should consider conducting the following types of screening:

  • Screening the names of business partners against restricted parties lists
  • Screening the names of individuals who will countersign legal documents against restricted parties lists
  • Conducting due diligence for any indication that the business partner is located in or organized under the laws of a sanctioned destination
  • Conducting due diligence regarding the ownership of business partners to confirm whether the flow-down of blocking requirements applies
  • Conducting due diligence regarding the activities of business partners to identify any secondary sanctions risks

Companies may also wish to ensure that their screening process includes due diligence to identify any red flags involving sanctioned parties or destinations and with respect to corruption. This can be particularly important in the pharmaceutical industry, since dealings may be with hospitals (or the doctors or other personnel employed by such hospitals) that are state-owned or controlled. The anticorruption Pilot Program announced by the Justice Department in 2016 and made permanent in November 2017 places great emphasis on the importance of an effective due diligence program. Several of last year’s enforcement actions under the Foreign Corrupt Practices Act (“FCPA”) alleged liability related to the actions of third parties. Two of those actions were based solely on payments made to business partners without proper documentation or company understanding of how the money would be utilized. There was no allegation that the funds in question were paid to foreign officials—rather, the government alleged that the companies failed to vet and/or monitor the activities of their third-party agents. In those instances, a comprehensive due diligence program would have raised red flags about the business partners at the outset. Even if an enforcement action was unavoidable, evidence of robust due diligence might have earned the companies mitigation credit in the form of reduced fines, a reduced chance of a compliance monitor, or a possible declination of prosecution altogether.

3. Risks associated with facilitation, evasion, and causing a violation: Companies should ensure that their compliance programs address considerations related to facilitation, evasion and causing a violation of U.S. sanctions.

Many of the U.S. sanctions programs prohibit U.S. persons from approving, financing, facilitating, or guaranteeing a transaction by a foreign person where the transaction by that foreign person would be prohibited if performed by a U.S. person or within the United States. Facilitation is interpreted broadly by OFAC and provides an avenue by which OFAC can impose liability on a person or entity based on actions that directly or indirectly support a transaction or activity involving a sanctioned destination or a sanctioned person.

Companies should ensure that their compliance processes include provisions to ensure that they are not directly involved in, and do not approve or facilitate a third party’s involvement in, an activity prohibited under the sanctions. For instance, approving or financing payments for services originating in Iran or assisting or arranging export transactions to a sanctioned destination would be considered prohibited facilitation. In addition, because the prohibition on facilitation applies to U.S. persons wherever located, non-U.S. companies that employ U.S. persons should ensure that their compliance programs address the obligations of U.S. persons.

Examples of risk areas with respect to facilitation include the following:

  • Handling sales inquiries that appear to originate from or involve a sanctioned destination
  • The provision by U.S. persons or U.S. affiliates of administrative or other support to non-U.S. companies
  • Requirement for approval of activities or transactions by U.S. parent company (or an employee of a U.S. parent company) or by U.S. person senior management or board members
  • Involvement by company lawyers in the United States or who are U.S. persons in structuring or approving transactions, changing compliance processes, or negotiating or drafting legal documents

It is also prohibited under U.S. sanctions to evade or avoid, to cause a violation of, to attempt to violate, or to conspire to violate any of the prohibitions under U.S. sanctions. These prohibitions apply to U.S. and non-U.S. entities. Companies should ensure that they have in place processes to guard against employees omitting, obscuring, or otherwise concealing information about a transaction, as such activities could be viewed as a violation of the prohibitions where the transaction involves a sanctioned destination or person.

4. OFAC asserts broad jurisdiction: When analyzing whether a transaction or activity implicates U.S. sanctions, companies must be mindful of any nexus to the United States.

Even if a transaction on its face may not appear to be subject to U.S. sanctions, OFAC asserts broad jurisdiction, particularly under the U.S. sanctions programs against Iran and Cuba. For example, OFAC determined that a vessel owned by a Taiwanese company was within the scope of the Iranian sanctions by virtue of the vessel having been present in the United States for bankruptcy proceedings when the transaction occurred. While this finding involved a specific set of circumstances, it indicates that OFAC will review and consider any nexus to the United States when determining whether it will assert jurisdiction over a particular activity, transaction, or company.

Similarly, the U.S. Justice Department takes a broad view of its jurisdiction under the FCPA, aided by the increasing cooperation between foreign governments in their anticorruption efforts. Since 2001, the United States has seen a 150% increase in the annual requests it receives from foreign prosecutors related to bribery and corruption investigations. Conversely, there has been a 75% increase in annual requests from the U.S. to its foreign partners. In May 2017, the Justice Department announced that it will send a prosecutor on detail to the U.K.’s Financial Conduct Authority. This marked the first time a Criminal Division employee will work within a foreign regulatory agency on issues of white-collar crime, and clearly is intended to foster information exchange and greater collaboration with foreign nations.

This growth in global enforcement efforts and multi-jurisdictional investigations resulted in multi-jurisdictional resolutions, some of which were accompanied by hefty fines. The top settlement of 2017 involved a joint investigation by anticorruption authorities in the United States, the Netherlands and Switzerland, all of which will share in the more than $965 million fine ultimately levied against the corporation.

Companies should ensure that they have in place mechanisms to identify any potential nexus of a transaction or activity to the United States, including the following:

  • Involvement of U.S. person or entity
  • Involvement of U.S.-origin goods
  • Some or all of the activity occurs in the United States
  • Involvement of a U.S. financial institution (including foreign branches)
  • Denomination of the transaction in U.S. Dollars (if it will pass through a U.S. financial institution)
  • Involvement of a non-U.S. subsidiary of a U.S. company, under the Iran and Cuba sanctions programs

In cases where a general license is available (e.g., the general license authorizing the export or re-export of medicine and medical devices), companies should ensure – in addition to ensuring that all requirements associated with the use of the general license have been satisfied – that the general license is cited on documentation related to the transaction and in payment instructions associated with the transaction.

In addition, with the increase in potential criteria for the imposition of secondary sanctions, companies should ensure that their compliance programs address the activities that may trigger the imposition of secondary sanctions, along with risks that may result from a business partner being designated as a target of secondary sanctions.

5. Risks for U.S. companies with non-U.S. subsidiaries: Compliance programs should address considerations for U.S. companies related to actions by their non-U.S. subsidiaries.

Under the U.S. sanctions against Cuba and Iran, the prohibitions that apply to U.S. persons also extend to their non-U.S. subsidiaries. Companies should ensure that their compliance programs address such considerations, including considerations related to the use of authorizations such as General License H. Several settlements by OFAC in 2017 involved violations based on actions of non-U.S. subsidiaries of a U.S. company. For example, OFAC imposed liability on a U.S. company for the actions of a subsidiary in which the U.S. company indirectly owned a 50 percent interest, citing the failure of the parent company to implement controls to prevent violations of the U.S. sanctions against Cuba. Even for those sanctions programs under which separately incorporated non-U.S. subsidiaries of U.S. companies are not subject to the prohibitions, U.S. companies remain liable any actions they take related to activities by those non-U.S. subsidiaries, including approval, financing, facilitation, negotiation, or other direct or indirect participation in an activity involving a sanctioned party or destination.

OFAC’s settlement actions in 2017 provide insights into the agency’s expectations and priorities with respect to sanctions compliance. Companies should consider each of the above themes when reviewing, updating, or creating their compliance programs. This is particularly true for companies in the pharmaceutical industry, as they must navigate the complexities associated with complying with the terms of general licenses, conducting due diligence, and addressing other risk areas under U.S. sanctions.

Megan Barnhill, a Partner with Bryan Cave LLP in the firm’s Washington office, counsels foreign and domestic clients on regulatory matters related to international business transactions. She can be reached at

Kristin Robinson, an Associate with the firm and a member of its White Collar Defense and Investigations group, defends individuals and corporations under investigation by government agencies, including the Department of Justice. She can be reached at