Sep

4

Lost in Translation

Posted by at 5:24 pm on September 4, 2014
Category: OFACSDN List

By Uris at en.wikipedia [GFDL (http://www.gnu.org/copyleft/fdl.html) or CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0/)], from Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACitibank_Chinatown.jpgYesterday the Office of Foreign Assets Control (“OFAC”) announced that it had fined Citigroup $217,841 in connection with its processing certain transactions involving Iran and one involving a Syrian entity on the Specially Designated Nationals and Blocked Persons List (the “SDN List”).

The SDN List issue is particularly interesting because the SDN List had what may be an incorrect name for the SDN involved and Citigroup, which had what appears to be the correct name, failed to block the transaction. At issue is Syria’s Higher Institute for Applied Science and Technology (“HIAST”) which appears on the SDN List as the Higher Institute of Applied Science and Technology. When Citibank ran a computer program to screen the name”Higher Institute for Applied Science and Technology” it didn’t pick up the “Higher Institute of Applied Science and Technology” because it was not an exact match.

Notwithstanding OFAC arguably getting HIAST’s name wrong,* it is fairly clear that screening procedures need to employ at least some fuzzy logic and not insist on exact word-for-word, letter-for-letter matches, particularly where many of the names on the SDN List have been transliterated or translated into English. The OFAC announcement indicated that Citigroup had “implemented a programmatic fix” of some kind, one which would apparently allow “of” to match “for” and vice versa.

*HIAST’s Facebook page uses “Higher Institute for Applied Science and Technology” as does Wikipedia and most other sources. Oddly, HIAST’s webpage uses “Higher Institute of Applied Sciences and Technology.” Only OFAC appears to be using “Higher Institute of Applied Science and Technology.” Given OFAC’s almost comical reliance on AKAs for many other listings, there is no reason for it to fail to add all the known variants in HIAST’s listing. That way even stupid systems would pick up the match

Permalink Comments (1)



Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


Aug

21

Jay-Z and Beyoncé Didn’t Commit a Real Crime

Posted by at 8:23 pm on August 21, 2014
Category: Cuba SanctionsOFAC

Jay-Z and Beyoncé in Cuba via http://iam.beyonce.com/post/50677935277 [Fair Use]
ABOVE: Jay-Z, Beyoncé in Cuba

Back in April 2013, Jay-Z and Beyoncé took a trip to Cuba, which provoked a round of wailing, teeth gnashing and threats of jail time from the usual suspects on the Hill, namely, certain South Florida members of Congress, including Rep. Ileana Ros-Lehtinen and Rep. Mario Diaz-Balart, who exhibit a near Pavlovian response anytime they hear the word Cuba. Jay-Z rapped back something to the effect that going to Cuba wasn’t a real crime like buying a kilo for Chief Keef. (If you don’t get the Chief Keef reference, just remember that Wikipedia is your friend in such matters.)

OFAC agreed with Jay-Z and not with Reps. Ros-Lehtinen and Diaz-Balart.  The trip was, OFAC said, a properly licensed “people-to-people” educational exchange tour and, therefore, violated no U.S. laws.

Apparently, the two representatives kept making a commotion about the trip, perhaps believing  that Beyoncé and Jay-Z didn’t qualify for the license because they either weren’t people or weren’t educational.  So the Treasury Department’s Inspector General was called in to review OFAC’s determination that the the famous couple were both people and educational.

In making the determination that OFAC properly declined to fine Jay-Z and Beyoncé for the trip, the Inspector General actually reviewed what Beyoncé and Jay-Z did in Cuba (your tax dollars at work!) and concluded:

Our review found these activities were consistent with the activities for which OFAC authorized the people-to-people license. For example, one article reported the trip included a visit to a children’s theater group and several clubs, where the couple heard live music and occasionally took to the dance floor. According to the article, they also toured Cuba’s top art school, where they met with young artists, and ate at some of Havana’s privately run restaurants, known as “paladares.” One of the city’s leading architects led the couple on an architectural tour of the Old City of Havana, during which the article stated the couple was mobbed by Cuban spectators.

Okay, so let’s suppose that Jay-Z and Beyoncé did nothing in Cuba but lounge on the beach and sip mojitos. What would be the problem with that? Does anyone believe that a regime that has withstood fifty years of U.S. sanctions was on the verge of crumbling but managed to hang on because two pop music stars vacationed in Cuba instead of, say, Aruba?

Permalink Comments (1)



Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


Aug

20

The Consolidated Screening List Isn’t

Posted by at 9:01 pm on August 20, 2014
Category: BISCompliance Programs and ProceduresDDTCDebarred ListDenied Party ListEntity ListOFACRussia SanctionsSanctionsSDN ListUnverified List

PortShip by USDA (cropped) via https://www.flickr.com/photos/usdagov/9715983721 [CC BY 2.0 https://creativecommons.org/licenses/by/2.0/]The U.S. Government, over at export.gov, provides a so-called Consolidated Screening List, which you might think would be a one-stop shopping list for your screening needs, something that might be useful if you or your company does not subscribe to or implement one of the commercial screening solutions. Unfortunately, the Consolidated Screening List doesn’t consolidate all the lists you should review and has other significant limitations.

The good news is that the list now does include the Foreign Sanctions Evaders List, which was not included for some time after the list was adopted by Treasury back in February of this year. The description of the list still does not mention the FSE list, but the entries on that list have been quietly added.

However, two other Treasury Department lists are still not included. The relatively new Sectoral Sanctions Identifications List is missing as action. U.S. persons are forbidden from engaging certain transactions with entities on this list, including providing credit in excess of ninety days. Part of the reason for this is probably that the “consolidated” list is infrequently updated. The last update of the list was almost two months ago, on June 26, 2014.

In addition, the Palestinian Legislative Council List, adopted back in 2006, is not included. U.S. financial institutions must reject (not block) transactions with people on the PLC list.

Not only is the “consolidated” list not complete or consolidated, but also it is dangerous to rely on it alone for another significant reason. The search page for the list only retrieves literal matches and does not allow address searching. In addition to searching the consolidated list, you should also rely on OFAC’s sanction list search tool. That tool uses, fairly successfully, “fuzzy logic” to retrieve similarly spelled names. Because many of the names on the list are transliterated versions of Arabic names, meaning that there are many alternate spellings, the “fuzzy logic” will be somewhat more successful in identifying alternate spellings.

Permalink Comments (1)



Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


Aug

19

Chinese Hacker Nabbed on Export Charges

Posted by at 9:20 pm on August 19, 2014
Category: Arms ExportCriminal PenaltiesDDTCDeemed Exports

Stephen Su photo taken by CBP during U.S. transit in 2011 via http://www.cbc.ca/news/canada/british-columbia/su-bin-chinese-man-accused-by-fbi-of-hacking-in-custody-in-b-c-1.2705169 [Public Domain]
ABOVE: Stephen Su

Well, we all know, or should know, that hacking is a criminal violation of the Computer Fraud and Abuse Act, at least when it entails unauthorized access to another party’s computer. What you may not know is that if you’re a foreign national and if the data accessed is technical data controlled by the International Traffic in Arms Regulations, hacking can also be a violation of the Arms Export Control Act.

Back in June, Canadian authorities arrested, at the request of the FBI, a Chinese citizen and Canadian permanent resident named, variously, Su Bin, Stephen Su and Stephen Subin, who we’ll refer to simply as Su for convenience.  Su , the owner of Lode-Tech, a Chinese company with an office in Canada, was accused of conspiring with several Chinese nationals to hack into U.S. defense contractors’ computer systems and to exfiltrate data about military aircraft back to China.  Last Friday, Su was indicted by a federal grand jury in California.

One of the charges in the indictment is a violation of the Arms Export Control Act.  The theory behind this charge is that Su, with his PRC-based co-conspirators, conspired to break in the U.S. computer systems and to disclose ITAR-controlled technical data to foreign nationals among whom were, of course, themselves.

The criminal complaint filed back in June, which served as the basis for Su’s arrest, contains some fascinating details.  First, it appears that access was gained to the defense contractors’ systems by sending emails to employees of the contractors containing infected attachments or links to infected websites that installed malware on the systems which allowed the hackers to control the systems, to view files on the system, and to send the files back to themselves.   Interestingly, the files were then transferred to hop points or servers in Hong Kong and Macao and from there were physically carried back into the PRC.   Interestingly, it appears that as the Internet becomes easier for security agencies to surveil, modern spies have started to revert back to older methods of spycraft such as smuggling documents, document drops, and, conceivably, even encrypted Morse code shortwave radio transmissions.  One wonders if the NSA is training folks in Morse Code and invisible ink.  What’s next?  Microdots?

Permalink Comments Off on Chinese Hacker Nabbed on Export Charges



Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


Aug

14

What Happens in Nay Pyi Taw Doesn’t Always Stay in Nay Pyi Taw*

Posted by at 8:21 pm on August 14, 2014
Category: Burma SanctionsOFAC

Lake Garden Hotel Lobby via http://www.accorhotels.com/photos/9096_ho_00_p_346x260.jpg [Fair Use]
ABOVE: Lake Garden Hotel Lobby

When John Kerry, while attending the Association of Southeast Asian Nations (ASEAN) Regional Forum hosted by Burma, stayed at the Lake Garden Hotel, a posh French-managed resort in the country’s capital of Nay Pyi Taw, he probably wasn’t expecting it to be a big deal. Of course, that’s probably because no one at State realized that the resort was owned by Burmese tycoon U Zaw Zaw who is on OFAC’s SDN List. Sometimes you really are smarter when you stay at a Holiday Inn Express.

The State Department, however, rushed in to try to put out the public relations fires.

“You can stay at this hotel no matter who you are, you just can’t do business with it. So if you wanted to sell them towels, you could not do that. But you could stay there,” [State Department spokesman Marie] Harf explained.

That’s a fairly clumsy invocation of the travel exemption contained in the International Emergency Economic Powers Act (“IEEPA”), 50 U.S.C. § 1702(b)(4), which exempts from sanctions “any transactions ordinarily incident to travel to or from any country.” Although many exemptions do not extend to dealings with SDN, this statutorily based exemption does. (In case you’re wondering, the travel ban to Cuba is not affected by this exemption because those sanctions are imposed not under IEEPA but under the Trading with the Enemy Act.)

Of course, the problem here is this: what is “ordinarily incident” to international travel? Certainly, Kerry staying in the room, ordering a little room service, buying a miniature of vodka from the room’s minibar, and perhaps even watching a pay-per-view movie would fall within this. But suppose (purely hypothetically, of course) that Secretary Kerry decided to pay for a massage in the hotel spa? Is that “ordinarily incident” to international travel? Or paying the resort its standard greens fee for a round of golf?  As is the case in most sanctions matters, there is no clear answer here and no answers from OFAC.  That Holiday Inn Express is looking smarter and smarter.

*This headline would have been so much better if the military junta had not moved the capital of Burma from Rangoon to Nay Pyi Taw in 2005

Permalink Comments (1)



Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


« Previous posts | Next posts »