Banks may be too big to fail but their employees, apparently, aren’t too small to nail.

After taking a boatload of abuse during Senate Banking Committee hearings in December that no individuals were held civilly or criminally liable for the HSBC violations, OFAC has started waving a big stick at bank employees who might play some role in sanctions violations

As reported by Brett Wolf at Reuters, Treasury spokesman John Sullivan had this to say last week:

Although sanctions enforcement cases involving financial institutions have typically concluded with civil penalties at the corporate level, individuals can and do face liability … when they are personally responsible for sanctions violations, and Treasury’s Office of Foreign Assets Control will take appropriate enforcement action in these circumstances.

Of course the issue here will be which employees will be “personally responsible” if illegal transactions for Iran are cleared by a bank. Are we talking about the people in the wire room who process the transactions or are we talking about the folks with keys to the executive washrooms? I am probably not being overly cynical to suggest that it will be the wire clerks and not the VPs who will pay here.

Last Friday, there were news reports, like this one in the BBC, that the Twitter account of Somali terrorist group Al-Shabaab, had been suspended by Twitter. Apparently, some of its more outrageous tweets violated the Twitter terms of service. Of course, my first thought ran along these lines: how did Al-Shabaab, which is listed on the Office of Foreign Assets Control’s List of Specially Designated Entities and Blocked Persons as a Specially Designated Global Terrorist (“SDGT”) get a Twitter account in the first place? And why are they just now getting booted off the service?

One of the sections of the regulations under which Al-Shabaab was designated, 31 C.F.R. 594.201, explicitly forbids any U.S. person from providing any “technological support for, or financial or other services to” anyone designated as an SDGT. A Twitter account is certainly a “technological” or “other” service, and Twitter, headquartered in San Francisco, is clearly a U.S. person subject to the rules. And there is no provisions in the regulations for SDGTs, as there are in the Iran and Cuba sanctions regulations, permitting “services incident to the exchange of personal communications over the Internet.”

Part of the explanation for what may have happened is that the group used the Twitter handle @HSMPress and not @Al-Shabaab or something that might have given its identity away to the computers that screen new accounts for Twitter. Of course, this raises an interesting question. As we all know, there is no intent or knowledge requirement needed to violate OFAC’s economic sanctions regulations. Even if Twitter didn’t know that HSMPress was Al-Shabaab, it was still providing services to Al-Shabaab in violation of the rules and potentially liable. But with that in mind, what was Twitter supposed to do? Is it supposed to read every tweet and try to figure out who might be an SDN?

Another issue, I suppose, would be proving that @HSMpress was, in fact, Al-Shabaab. Again, it’s doubtful that the account was registered in such a way as to indicate that connection even if this was the official account of Al-Shabaab rather than, say, the account of someone who was merely sympathetic to the group. It reminds me of the famous New Yorker cartoon with one dog, seated at a computer, telling another dog sitting on the floor nearby: “On the Internet, nobody knows you’re a dog.”

The new owners of Ellman International Inc., a New Jersey supplier of medical devices, agreed to pay the Office of Foreign Assets Control (“OFAC”) $191,700 to settle charges that the prior owners of the company exported medical devices to Iran and hired a physician in Iran without authorization from OFAC. Allegedly the medical devices were shipped to Iran through a middleman in Dubai with the knowledge and participation of senior management of the old owners. When the new owners of Ellman discovered the violations after the acquisition, they voluntarily disclosed the violations to OFAC.

Sadly, at least for the new owners, OFAC held that the voluntary disclosure wasn’t a voluntary disclosure under OFAC’s Enforcement Guidelines. In holding that the voluntary disclosure wasn’t a voluntary disclosure, OFAC had this to say:

[T]he submission was determined not to be a voluntary disclosure as defined by OFAC’s Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, App. A (“the Enforcement Guidelines”). OFAC had previously been notified of a rejected transaction between Ellman and a customer located in Iran but did not at that time learn the full scope of the activity because Ellman’s prior owners failed to properly respond to OFAC’s inquiry.

Now, of course, there is a good argument that the one rejected transaction wasn’t eligible for treatment as a voluntary disclosure because OFAC had already been informed of it by the rejecting third party. But it seems more of a stretch to say that everything else in the new management disclosure wasn’t a voluntary disclosure simply because prior management did not respond to an earlier OFAC inquiry on the rejected transaction. Let’s look at the actual language of the Enforcement Guidelines which, shocking as that  may sound, should control here:

Notification to OFAC of an apparent violation is not a voluntary self-disclosure if: a third party is required to and does notify OFAC of the apparent violation or a substantially similar apparent violation because a transaction was blocked or rejected by that third party (regardless of when OFAC receives such notice from the third party and regardless of whether the Subject Person was aware of the third party’s disclosure); the disclosure includes false or misleading information; the disclosure (when considered along with supplemental information provided by the Subject Person) is materially incomplete; the disclosure is not self-initiated (including when the disclosure results from a suggestion or order of a federal or state agency or official); or, when the Subject Person is an entity, the disclosure is made by an individual in a Subject Person entity without the authorization of the entity’s senior management.

Nope. Nothing there at all about failing to respond to an OFAC inquiry as forever barring any future disclosure from being given credit as a voluntary disclosure.

Of course, the moral here is not just that OFAC often doesn’t pay attention to its own regulations. The more important moral, because it’s something that you can do something about, is that acquiring parties need to conduct adequate due diligence and discover export violations before the deal closes, i.e., before it’s too late. Perhaps the new owners did conduct such due diligence, in which case it is likely that there is a hold-back on the purchase price that will be used to pay this fine. But if they didn’t, that was an expensive mistake.