Recently an American digital travel conglomerate agreed to pay over US$320,000 to U.S. regulators for travel sanction breaches related to Cuba, committed by its foreign subsidiaries.
Identifying sanction-related risks can be daunting, especially for entities with global operations and a large network of affiliates, and more so if the sanctions appear to be applicable or enforceable in a single jurisdiction. For instance, in this case the U.S. company was fined because its foreign subsidiaries breached travel sanctions due to a misguided understanding that the sanctions applied to Americans travelling to Cuba. On the surface, the sanctions appeared to target Americans when in reality, they were applicable to Cubans traveling into the United States and other parts of the world.
In its voluntary disclosure to the Office of Foreign Assets Control (OFAC), the conglomerate, which owns travel websites and mobile apps in and outside the United States, disclosed that its foreign subsidiaries and employees were not familiar with U.S. economic sanctions law and therefore breached the Cuba travel sanctions.
Although in this case the fine received was fairly low, it could have been avoided entirely had the following been considered:
- cascading its global compliance programme, policies, codes of conduct and ethics to all its local and foreign subsidiaries
- certification that all its subsidiaries and its employees understood and adhered to its global compliance programme and related policies
- ensuring that all employees in its subsidiaries were trained on a standard curriculum as adopted from its global compliance training manual
- the implementation of periodic ongoing compliance training for employees (especially those in high-risk roles)
- the provision of timely and periodic updates on any changes to the laws and regulations in the U.S. (the same should be considered if there are changes in laws at regional level)
- the use of a database screening programme for wider access to lists of countries, companies and people who are specifically targeted.
Failing to implement a holistic culture of compliance across your operations is not only a recipe for financial losses and penalties, but also leads to reputational/brand damage. Even though the sanctions were breached by a foreign subsidiary of an American conglomerate, it is the conglomerate's brand name that is shamed in the press and courts of public opinion.
Thus, it’s important to have processes and procedures that can easily be cascaded to your entire business.
Training manuals, codes of conduct and all compliance-related policies implemented at HQ must be implemented in all your affiliates. Regional policies must be supplemented by local requirements applicable in the markets where you do business to ensure total compliance with international and local laws.