Archive for October, 2015


Oct

30

A Scary Halloween Post on Another Obscure List for Exporters to Check


Posted by at 3:41 pm on October 30, 2015
Category: Criminal PenaltiesOffice of Diversion Control

Taminco HQ via Google Maps [Fair Use]
ABOVE: Taminco HQ


BUT FIRST A WORD FROM OUR SPONSOR …

I still have some invitations for free food and drink at the Bryan Cave reception at 6:00 pm on November 3 for people in town attending the BIS Update Conference (or anyone else for that matter). Email me at [email protected] if you want one. It won’t be as much fun as that cruise that somebody else is doing for people attending the BIS Update 2015, but at least you can leave our event when you want to.

NOW BACK TO OUR REGULARLY SCHEDULED PROGRAMMING

As if there weren’t enough lists to check and agencies to fuss with and other requirements before exporting stuff, did you know about this list? Otherwise known as the Schedule of List I Chemicals, all the chemicals on that list are chemical precursors for the manufacture of methamphetamine. (Yes, apparently iodine and red phosphorus are used for that. Who other than Walter White a/k/a Heisenberg had any idea?)

If you are going to export anything on that list, the rules of the DOJ Office of Diversion Control require that you verify the identity and end user of the chemical pursuant to the procedures set forth in 21 C.F.R. § 1310.07. If part of a shipment goes missing, or if the exporter learns that an end-user might be cooking meth, section 1310.05 requires the exporter to report this “at the earliest practicable opportunity.”

Taminco, a Pennsylvania-based producer of chemical amines used as components in manufacturing everything from agrochemicals to fuel additives and animal feed did not verify the identity of its customers or report missing shipments in connection with exports of 100 tons of monomethylamine to Mexico. As a result, according to this report (subscription required), it has now been forced by DOJ to agree to pay $1.3 million in criminal and civil penalties. According to the DOJ Sentencing Memorandum the chemicals were worth only $210,234.07

The only consolation here is that nobody went to jail. I think that used to be called cold comfort.  Once again, the moral of the story is this: export stuff at your own peril, something that has been known since the early days of the Roman Empire and nicely expressed in that well-known maxim: Caveat Exportor.

Permalink Comments Off on A Scary Halloween Post on Another Obscure List for Exporters to Check

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Oct

29

Free Food and Drink


Posted by at 11:56 pm on October 29, 2015
Category: BIS

Update 2015

If you are attending BIS Update 2015 and would like to get together for some free food and drink, please drop me an email at [email protected]. I have some invitations for a reception being held at Bryan Cave on the evening of November 3 which I can send to you. I’ll be there but, more importantly, so will be things to eat and drink.

Permalink Comments (1)

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Oct

23

Keeping A List, Not Checking It Twice


Posted by at 9:13 am on October 23, 2015
Category: Iran SanctionsOFAC

Red Rug by Christopher Sessums [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/x7H2Dp [cropped]

BMO Harris Bank on Wednesday escaped an OFAC fine, even though it admitted to having processed six funds transfers totaling $67,357 representing payment by a customer of sums to an Iranian entity from which the customer had purchased Persian rugs. The customer, apparently a retailer that purchased and resold Persian rugs from Iran, had been a bank customer since 2009 when the importation of rugs from Iran was still legal. Because the customer’s name contained the word “Persian,” the bank’s somewhat overzealous interdiction software had been resulting in hits for each transaction by the customer, so the bank put the customer on a false hits list to prevent transactions by the customer from being flagged each time.

On September 29, 2010, OFAC banned the importation of Iranian rugs but, apparently, the bank’s customer didn’t get the message. (That’s what you get for not reading the Federal Register cover-to-cover each morning!) The customer continued to import Iranian rugs and the bank continued to process related wire transactions. In 2011, a suspicious downstream bank in the transaction requested additional information. A Harris Bank employee apparently then learned that the payment was to Iran for Persian rugs but, because the customer was on the false hit list, did not do anything and, as a result, Harris processed five additional transactions for payments to Iran.

Normally such a scenario is a sure-fire guarantee that the company involved will get walloped with an OFAC fine, but in this case OFAC decided to show a little mercy, apparently feeling that the false-hit list was to blame and stating that the bank “may have been unaware of the risks associated with a false hit list that was not reviewed and updated regularly.” This is a bit strange given that the issue here had nothing to do with reviewing and updating the list. The customer, which was on the false hit list, was still a false hit. It had not become an SDN, and the violation did not result from an error in the list.

The violation occurred not because the bank did not review the list but because it did not review the transaction. And this reveals an all-too-common misunderstanding by front line employees about OFAC sanctions. They often see it merely as a list-checking exercise. Is the customer on the list? Nope. Okay, then, everything’s good to go. And this appears to be exactly what happened here. The front line bank employee saw that the customer wasn’t on the SDN list and was instead on the “false hit” list and that was the end of the inquiry

Even though this case really isn’t about a bad false hit list, OFAC used it as an opportunity to issue a “False Hits List Guidance.” The new guidance, if it can really be called that, states the obvious: namely, that false hit lists are a “legitimate” practice as long as you check them periodically to make sure that someone who was not an SDN two weeks ago did not suddenly become an SDN yesterday. Oddly, OFAC does not say anything in the guidance about the glaring lesson from the case at hand, so I’ll say it for them: just because a customer is on the false hit list does not mean that the transaction itself need not be reviewed. (Your welcome, OFAC.)

Of course, I can’t leave the guidance without reference to a tiny bit of silliness in it. The guidance says that a review of the list should be triggered by any “meaningful change” in the customer’s information such as “a change in ownership status, business activity, address, date of birth, place of business, etc.” Wait a second. Does this mean you can change your birth date? Really? Please tell me how you do that. My birthday comes really close to Christmas and I’ve always wanted to move it back into a more present-friendly zone such as June. Also, I bet a number of us would like to shave a few years off that birth date as well.

Permalink Comments (3)

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Oct

20

And The Jackpot Winner Is … New York!


Posted by at 4:41 pm on October 20, 2015
Category: Iran SanctionsOFAC

All in a Day's Work by Damian Gadal [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/5xQkWj [cropped]

Crédit Agricole just agreed to pay $787.3 million to settle charges that it violated the U.S. sanctions on Iran and other countries by stripping references to those countries in communications sent to U.S. banks to process dollar-based transactions. And to quote Yogi Berra: “It’s déjà vu all over again.”

The payment is divided up as follows: $385 million to the New York State Department of Financial Services, $156 million to the U.S. Attorney’s Office for the District of Columbia, $156 million to the Manhattan District Attorney’s Office, and $90.3 million to the Federal Reserve. Once again the biggest chunk of change goes to the NYDFS which, as you probably know, doesn’t have the power to enforce any U.S. sanctions inasmuch as it’s just a state agency, notwithstanding its own delusions of grandeur.

But wait a minute. Where is OFAC in all this? I mean, after all, the last time I checked the Iran, Cuba and Sudan sanctions all had OFAC’s name written all over them. Well, OFAC announced today at the same time a $329.5 million fine against Crédit Agricole. Is that on top of the $787.3 million, pushing the fine over $1 billion? Nope. Read the fine print at the end of the OFAC press release:

CA-CIB’s $329,593,585 settlement with OFAC will be deemed satisfied by the bank’s payment of that amount to DOJ, DANY, and the Board of Governors for the same pattern of conduct.

As noted above, out of the $787.3 million, $402.3 million dollars is going to DOJ (through the U.S. Attorney for the District of Columbia), the DANY and the Federal Reserve, more than enough to satisfy the OFAC penalty under this somewhat odd arrangement. But it is not completely insignificant that OFAC did not say that payments to the NYDFS would discharge the OFAC penalty, perhaps indicating a bit of pique by OFAC with NYDFS trying to cash in on violations of OFAC rules.

In this context, an email that Reuters obtained back in June from OFAC to NYDFS in reference to an unnamed investigation of a foreign bank (presumably Crédit Agricole) by NYDFS was not very nice at all.

Given the ongoing negotiations, the situation regarding Iran is extremely sensitive at the moment. As a result, any actions that are taken in connection with sanctions violations pertaining to Iran may have serious impacts on the ongoing negotiations and U.S. foreign policy goals and objectives. The Iranians are not going to distinguish between enforcement actions taken at the state level versus enforcement actions taken at the federal level.”

One has to assume that the NYDFS, driven to feed its addiction to federal sanctions money, gave a terse and impolite response to OFAC that can’t be printed in a family blog, which explains the oddity of OFAC settlement in this case. I think we can safely assume that NYDFS isn’t being invited to OFAC’s holiday party this year.

Permalink Comments Off on And The Jackpot Winner Is … New York!

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Oct

19

Beijing’s Review of U.S. Software Risks Export Woes for Those Who Allow It


Posted by at 10:43 pm on October 19, 2015
Category: BISChinaEncryption

140515-D-VO565-003 by Chief of Joint Chiefs of Staff via Flickr https://flic.kr/p/nkMLsf [Public Domain - Work of U.S. Government]

An article that appeared last Friday in the Wall Street Journal suggests that at least one U.S. company is providing the Chinese government with access to proprietary U.S. source code as a condition for access to the Chinese market. What could possibly go wrong with that??

Just as a burglar, who normally suspects everyone else of having his own larcenous motives, puts extra bars on his own doors and windows, the Chinese seem to be worried that U.S. software might have backdoors that allow the U.S. to hack into Chinese systems. Imagine that.

IBM has begun allowing officials from China’s Ministry of Industry and Information Technology to examine proprietary source code—the secret sauce behind its software—in a controlled space without the ability to remove it from the room, the people said. It wasn’t clear which products IBM was allowing reviews of or how much time ministry officials can spend looking at the code. The people said the practice was new and implemented recently.

The Wall Street Journal suggests that this access, which is designed to quell Chinese fears that the U.S. will do unto China what China has done unto the U.S., is largely symbolic because the Chinese are not being given sufficient time to comb through thousands of line of code looking for back doors.

The problem here, however, is that most software programs these days, particularly ones that might have “back door” entry concerns, will have encryption; and the EAR poses special restrictions on exporting certain types of encryption source code to certain government end-users. Encryption source code that is classified as ECCN 5D002 (i.e., is not mass market) and is not publicly available is classified under section 740.17(b)(2)(i)(B) of license exception ENC. Under paragraphs (1) and (2) of the Note to 740.17(b)(2), such encryption source code can, after a classification request, be immediately exported under license exception ENC to any end-user (including a government end-user) in a Supplement 3 country and to non-government end-users in countries, such as China, which are not a Supplement 3 country. However, exports of 5D002 encryption source code that is not publicly available, i.e., that is not available by download or otherwise to members of the public, can only be exported to a government end-user outside Supplement 3, such as the Chinese government, with a license from the Bureau of Industry and Security.  (A very good chart explaining the baroque complexities of  license exception ENC  can be found here.)

Now, here’s the catch. Most encryption algorithms are publicly available, but the code used by specific software to implement that algorithm is not. Indeed, if that code were publicly available, the Chinese wouldn’t need to review it, and the reviewing company would not insist that the code be examined in a “controlled space.” Indeed, you have to imagine that it is precisely the non-public code implementing the public algorithm which would be of most interest to Chinese reviewers concerned about U.S. software having back doors for Uncle Sam to come snooping.

Let me be clear: I’m not saying that IBM has broken any laws here. We don’t know whether the software being examined is 5D002 software or, if it is, that IBM hasn’t applied for and received a license. Rather my point is this: companies that consider giving source code access to the Chinese should only move ahead with a great deal of caution if the software utilizes encryption.

Permalink Comments Off on Beijing’s Review of U.S. Software Risks Export Woes for Those Who Allow It

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)