Tuesday, December 10, 2019
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) today announced a $466,912 settlement with Apple, Inc. (“Apple”). Apple, a corporation based in Cupertino, California, has agreed to settle its potential civil liability for apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations, 31 C.F.R. part 598 (FNKSR).
Apple appears to have violated § 598.203 of the FNKSR by dealing in the property or interests in property of SIS, d.o.o. (“SIS”), a Slovenian software company previously identified on OFAC’s List of Specially Designated Nationals and Blocked Persons as a significant foreign narcotics trafficker. Specifically, from on or about February 24, 2015 to on or about May 9, 2017, Apple hosted, sold, and facilitated the transfer of SIS’s software applications and associated content. OFAC determined that Apple voluntarily disclosed the apparent violations, and that the apparent violations constitute a non-egregious case.
On July 18, 2008, Apple entered into an app development agreement with SIS, a software company located at 19 Spruha, Trzin 1236, Slovenia. On February 24, 2015, OFAC designated SIS and Savo Stjepanovic (“Stjepanovic”), a director and majority owner of SIS, pursuant to the Foreign Narcotics Kingpin Designation Act, 21 U.S.C. §§ 1901-1908, and added them to the SDN List. OFAC’s public announcement of the designation included SIS’s address, registration number, and tax identification number, and further noted that SIS was linked to Stjepanovic. The SDN List provided the following identifying information for SIS:
SIS D.O.O., 19 Spruha, Trzin 1236, Slovenia; Registration ID 5919070 (Slovenia); Tax ID No. SI91729181 (Slovenia) [SDNTK].
OFAC also published a diagram titled “KARNER Steroid Trafficking Network,” which included a photograph of Stjepanovic, SIS, and a SIS logo.
On the same day that OFAC designated SIS and Stjepanovic, Apple, in accordance with its standard compliance procedures, screened the newly designated SDNTKs against its app developer account holder names using its sanctions screening tool. During this screening, Apple failed to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked. Apple later attributed this failure to its sanctions screening tool’s failure to match the upper case name “SIS DOO” in Apple’s system with the lower case name “SIS d.o.o.” as written on the SDN List. The term “d.o.o.” is a standard corporate suffix in Slovenia identifying a limited liability company. In addition, even though the address for SIS collected by Apple matched the address for SIS identified and published by OFAC, Apple failed to identify SIS as an SDNTK for over two years after the designation.
On the day of designation, Apple was in possession of Stjepanovic’s full name in its records since he was listed as an “account administrator” in its App Store developer account, though he was not listed as a “developer.” At the time, Apple’s compliance process screened individuals identified as “developers,” but did not screen all of the individual users identified in an App Store account against the SDN List. Apple therefore failed to identify Stjepanovic as an SDNTK.
On the day of designation, any property in which SIS or Stjepanovic had an interest became blocked, and any transactions or dealings in such property by Apple, a U.S. person, were prohibited. Nonetheless, Apple continued to host software applications and associated content (“apps”) owned by SIS on the App Store, allowed downloads and sales of the blocked SIS apps, received payments from App Store users downloading the blocked SIS apps, permitted SIS to transfer and sell its apps to two other developers, and remitted funds on a monthly basis to SIS for the sales of the blocked SIS apps.
On or about April 17, 2015 — approximately two months after the designations — Apple facilitated the transfer of a portion of SIS’s apps to a second software company (the “Second Company”). The Second Company was incorporated several days after OFAC’s designation of SIS. Separately, on or about September 14, 2015, SIS entered into an agreement with a third software company (the “Third Company”) and transferred the ownership of SIS’s remaining apps to the Third Company. The owner of the Third Company took over the administration of SIS’s App Store account and replaced SIS’s App Store banking information with his own banking information. These actions were all conducted without personnel oversight or additional
screening by Apple. After enhancing its sanctions screening tool and related processes, Apple identified SIS as a potential SDNTK in February 2017. Apple’s finance team immediately suspended further payments associated with the SIS account, which was being administered by the Third Company,
and whose owner was receiving payments from Apple. However, Apple continued to make payments to the Second Company for the blocked SIS apps that had been transferred to the Second Company in April 2015, after OFAC’s designation of SIS as a SDNTK.
Apple made 47 payments associated with the blocked apps, including payments directly to SIS, during the period of time that SIS was listed on the SDN List. In total, over 54 months, Apple collected $1,152,868 from customers who downloaded SIS apps.
The statutory maximum civil monetary penalty applicable in this matter is $74,331,860. OFAC determined, however, that Apple voluntarily self-disclosed. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines (“Enforcement Guidelines”), the base civil monetary penalty
amount applicable in this matter is $576,434.
The settlement amount of $466,912 also reflects OFAC’s consideration of the General Factors under the Enforcement Guidelines. Specifically, OFAC determined the following to be aggravating factors:
(1) Based on the number of Apparent Violations, the length of time over which the Apparent Violations occurred, and the multiple points of failure within the company’s sanctions compliance program, policies, and procedures, the conduct demonstrated reckless disregard for U.S. sanctions requirements;
(2) Apple’s payments to SIS and for the blocked apps conferred significant economic benefit to SIS and its owner, as Apple’s App Store appears to have been the main business for SIS around the time it was designated; and
(3) Apple is a large and sophisticated organization operating globally with experience and expertise in international transactions.
OFAC found the following to be an aggravating factor with respect to three Apparent Violations that occurred after Apple identified SIS as an SDNTK in February 2017:
(4) Apple failed to take corrective actions in a timely manner after identifying SIS as an SDNTK, and continued to make payments for the download of blocked apps for multiple months.
OFAC determined the following to be mitigating factors:
(1) The volume and total amount of payments underlying the Apparent Violations was not significant compared to the total volume of transactions undertaken by Apple on an annual basis;
(2) Apple has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the transaction giving rise to the Apparent Violations; and
(3) Apple responded to numerous requests for information in a prompt manner.
Additionally, Apple has confirmed that it has terminated the conduct that led to the Apparent Violations and has undertaken the following measures as part of its compliance commitments to minimize the risk of recurrence of similar conduct in the future:
• Increased the role of the Global Export and Sanctions Compliance Senior Manager in the escalation and review process;
• Reconfigured the primary sanctions screening tool to fully capture spelling and capitalization variations and to account for country-specific business suffixes, and implemented an annual review of the tool’s logic and configuration;
• Expanded sanctions screening to include not only app developers, but also their designated payment beneficiaries and associated banks;
• Updated the instructions for employees to review potential SDN List matches flagged by the primary sanctions screening tool; and
• Implemented mandatory training for all employees on export and sanctions regulations.