OFAC Asserts Sanctions Jurisdiction Over Foreign Transactions Involving U.S. Origin Software and Telecommunications Hardware Located in the United States
SITA, the Switzerland-based provider of ICT systems and services to the global air transport industry, penalized for U.S. sanctions violations related to transactions commercially detached from the United States but involving U.S.-origin software and telecommunications hardware located in the United States.
The Department of the Treasury’s Office of Foreign Assets Control (OFAC) on February 26 announced civil penalties against SITA (Société Internationale de Télécommunication Aéronautique SCRL), the global provider of computing, communications, and other technology systems and services to the air transport industry. Headquartered in Switzerland, SITA is a Belgium limited liability cooperative company (an SCRL) with over 400 members, including international and regional private and state-owned airlines, and 2,800 government, airlines, and airport customers. SITA is a key part of the global air transport network infrastructure, and appears to be an air travel industry analogue to SWIFT, the Belgium-based provider of financial messaging systems and services essential to global banking.
The SITA enforcement is significant because OFAC (1) appears to have effectively imposed primary sanctions compliance obligations on a non-U.S. Person and (2) premised sanctions jurisdiction on the involvement in foreign transactions of U.S.-origin software and technology and telecommunications hardware located in the United States. OFAC also reminded readers that its guidance should not be read technically (or hyper-technically).
Primary Sanctions Compliance Obligations Effectively Applied to a Non-U.S. Person; Jurisdiction Based on U.S.-Origin Software and Technology and Telecommunications Hardware in the United States
SITA agreed to a penalty of $7,829,640 to settle its potential civil liability for 9,256 apparent violations of the Global Terrorism Sanctions Regulations at 31 C.F.R. part 594 (GTSR). SITA apparently violated the GTSR by providing goods, services, or technology to or for the benefit of Syrian Arab Airlines, Caspian Air (Iran), and Mahan Air (Iran), Meraj Air (Iran), and Al-Naser Airlines (Iraq), all of which were designated by the United States as Specially Designated Global Terrorists (SGDTs) pursuant to Executive Order 13224. “OFAC initiated its investigation of SITA after identifying Syrian Arab Airlines, Caspian Air, and Mahan Air as member-owners of SITA that may have “received or benefitted from SITA’s goods, services, or technology that were subject to United States jurisdiction because they were provided from or through the United States or were U.S.-origin.”
SITA was aware of the airlines’ SGDT status prior to engaging in transactions with them. By providing goods, services, or technology to the SDGTs, SITA apparently violated two provisions of the GTSR, 31 C.F.R. §§ 504.201 and 504.204. These provisions, inter alia, prohibit U.S. Persons from engaging in transactions with SDGTs and mandate the blocking of SDGT property by U.S. Persons and within the United States. Unlike other sanctions programs, the GTSR do not exempt “transactions ordinarily incident to travel” pursuant to the International Emergency Economic Powers Act (IEEPA). Nevertheless, SITA—again, a Switzerland-based entity organized under Belgian law—is not a U.S. Person, and is therefore not obligated to comply with primary U.S. sanctions. OFAC, however, stated that SITA’s transactions with the SDGTs “were subject to U.S. jurisdiction because they were provided from, or transited through the United States or involved the provision of U.S.-origin software with [SITA’s] knowledge that customers designated as SDGTs would benefit from the use of that software.”
Specifically, SITA provided to the SDGTs:
- messaging software and services, through the “TBM” messaging system, that were routed through SITA’s “mega switches” in Atlanta and originated from or were destined for an SDGT airline;
- access to or benefits of a “U.S.-origin software application,” Maestro DCS Local, for passenger and baggage processing and management; and,
- access to or benefits of WorldTracer, “a global lost baggage tracing and matching system that is hosted on SITA’s servers in the United States, and maintained by SITA’s subsidiary located in the United States.”
The Enforcement Information did not explain how Maestro DCS Local is a “U.S.-origin software application,” such as whether or to what extent it is based on or incorporates U.S. technology. However, OFAC premised sanctions jurisdiction, with respect to some transactions, on SITA’s provision of U.S.-origin technology to one or more SDGTs. OFAC’s jurisdictional analysis here is significant, as it appears to add U.S.-origin technology as an independent basis for U.S. sanctions jurisdiction over foreign persons in connection with transactions that are otherwise detached from the United States.
OFAC’s jurisdictional reliance on the routing of TBM messages through Atlanta is also significant. In sanctions enforcement cases involving foreign banks, U.S. sanctions jurisdiction has been predicated wholly or partly on the clearing of financial transactions through U.S. financial institutions. The predication in the SITA case of sanctions jurisdiction on the routing of the TBM messages utilizing networking hardware in the United States is analogous to the clearing of financial transactions through the U.S. financial system, and the SITA enforcement appears to explicitly extend the rationale applied in foreign bank cases to a wider, non-financial services context.
OFAC’s reliance on the location of SITA’s servers is also significant, as it suggests that the location of servers within the United States– even if not maintained by a U.S. subsidiary or affiliate of a foreign party—is likely sufficient to support sanctions jurisdiction over largely foreign transactions involving non-U.S. Persons acting outside of the United States.
Companies Engaged in International Business Should Interpret OFAC Guidance Thematically, Not Technically
In the SITA Enforcement Information, OFAC reminded readers of its Iran-Related Civil Aviation Industry Advisory issued in July 2019 and warning of “deceptive practices employed by Iran with respect to aviation matters.” OFAC advised that although the Advisory “focused on Iran, participants in the civilian aviation industry should be aware that other jurisdictions and persons subject to OFAC sanctions may engage in similar deceptive practices.” Parties engaged in international business should read OFAC guidance thematically, rather than technically.
Sanctions Regulation and Compliance Takeaways for Foreign Companies and U.S. Providers of IT and Communications Services
The SITA enforcement comes during a period of robust and sustained OFAC enforcement of U.S. sanctions regulations against U.S. and foreign parties and across a range of industries. A number of recent OFAC sanctions enforcement actions, like the SITA enforcement, have involved comparatively modest penalties but are significant because they have yielded new or otherwise important information about OFAC’s thinking and enforcement posture.
The key takeaways of the SITA enforcement are the following:
- OFAC appears to have imposed primary sanctions compliance obligations—and non-compliance consequences—on a non-U.S. Person (SITA) in relation to transactions largely detached from the United States because the transactions involved U.S.-origin software and technology and telecommunications hardware located in the United States.
- The enforcement action against SITA is strategic, as it targeted an industry utility—a provider of technology and services essential to global air transport with over 400 international and regional private and state-owned airline members and 2,800 airline, airport, and government customers. As when the United States threatened sanctions on SWIFT and caused SWIFT to exclude Iranian banks from its network, the effects of the SITA enforcement are likely to be far-reaching, across the air transport industry and with potential impacts on the industry’s technology and related services providers and arrangements.
- OFAC guidance should be read thematically, rather than technically.
- Foreign companies engaged in international business that is commercially detached from the United States but involves or U.S.-origin software or technology or telecommunications hardware located in the United States may be within OFAC’s jurisdiction (as interpreted by OFAC) to enforce primary U.S. sanctions. Foreign companies, and their U.S. providers of IT and communications software, systems, and services, should assess their sanctions exposure and ensure that their risk assumptions and compliance protocols are well-calibrated.
For more information about MassPoint Legal and Strategy Advisory’s sanctions and related international business counseling and compliance services, contact the author, Hdeel Abdelhady. View related MassPoint sanctions insights and news here.
 Executive order 13224 of September 25, 2001, Blocking Property and Prohibiting Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism.
 SITA Enforcement Information, at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200226_sita.pdf. Related to Mahan Air, in 2018 OFAC sanctioned Mahan Travel and Tourism Sdn Bhd, a Malaysian company, for its provision of support and services to Mahan Air. See MassPoint PLLC, OFAC Sanctions Malaysia’s Mahan Travel for Iran Business, Specially Designated National Status, July 2019.
 IEEPA grants the President authority to, inter alia, block or otherwise prohibit a range of transactions involving property “subject to the jurisdiction of the United States” and in which a foreign country or foreign national has “any interest.” 50 U.S.C. § 1702. However, IEEPA, as amended by the “Berman Amendments,” expressly denies the President authority to block or prohibit, inter alia, “transactions ordinarily incident to travel to o from any country.” Id. But the GTSR, unlike regulations implementing other sanctions programs, do not expressly exempt travel from their prohibitions. 31 C.F.R. § 594.207. In 2017, OFAC clarified that SDGTs designated pursuant to Executive Order 13224 “may not avail themselves of the so called ‘Berman exemptions’ under the . . . [IEEPA] relating to personal communication, humanitarian donations, information or informational materials, and travel.” OFAC clarification, Oct. 13, 2017.
 SITA Enforcement Information.
 OFAC’s apparent reliance on the involvement of U.S.-origin software as a jurisdictional basis is noteworthy in the sanctions context and, potentially, to U.S. export controls. The Trump Administration is reportedly considering expanding expand export controls jurisdiction, such as by reducing the de minimis U.S. content threshold for foreign made items subject to U.S. export controls and imposing controls on microchips produced overseas using U.S. manufacturing equipment, to prohibit sales of chips and other technology to Huawei.
 Sanctions compliance obligations and jurisdiction are tied to nationality and territory. Nationality jurisdiction applies to U.S. Persons—citizens and lawful permanent residents wherever located; foreign persons while in the United States; U.S. companies and, in the case of the Cuba Assets Control Regulations and, apparently, the Reporting, Procedures, and Penalties Regulations, the foreign subsidiaries of U.S. companies; and, U.S. banks and their foreign branches. Territorial jurisdiction applies to conduct and events occurring in the United States including the clearing of U.S. dollar denominated financial transactions in the United States originated by foreign persons outside of the United States and for the benefit of foreign persons outside of the United States. See MassPoint PLLC, OFAC’s Expanded Sanctions Reporting Rules Apply to Financial Institutions, Businesses, Nonprofits, Individuals, and Foreign Entities Owned by U.S. Persons; Issues for Public Comment, July 16, 2019.
 For example, in the case of BNP Paribas. See, e.g., Hdeel Abdelhady, Emerging Trade and Finance Channels Led by Non-Western Nations Could Curtail the Global Reach of U.S. Law, MassPoint PLLC, July 2015. The same rationale has applied in non-sanctions cases, such as those involving violations of the Foreign Corrupt Practices Act (FCPA) and money laundering offenses where payments of bribes originated and were received outside of the United States but were routed through the U.S. financial system and therefore subject to U.S. jurisdiction. See, e.g., United States v. Chi Ping Patrick Ho, at https://www.justice.gov/opa/press-release/file/1012531/download.
 FCPA and other non-sanctions enforcement actions have premised U.S. territorial jurisdiction on the use of the “instrumentalities of interstate commerce,” such as the mail, email, and fax transmissions. Telecommunications hardware, such as switches, in the United States are very likely instrumentalities of interstate commerce.
 OFAC stated that a U.S. subsidiary of SITA maintained the U.S. servers on which the WorldTracer system is hosted. But OFAC did not rely, as it could have, on the subsidiary’s existence or role to establish or bolster jurisdiction.
 SITA Enforcement Information.
 For example, a case involving a comparatively modest penalty (in OFAC sanctions penalty terms) clarified the scope of “debt” transactions subject to Sectoral Sanctions prohibitions is an example of a case that involved comparatively modest financial penalties but provided new or clarifying information. MassPoint PLLC, OFAC Clarifies: Russia-Ukraine Sectoral Sanctions Prohibitions on “Debt” Apply to Credit Sale and Licensing Transactions, MassPoint PLLC, May 2019 (republished in Thomson Reuters Accelus).
 Hdeel Abdelhady, Reimposed U.S. anti-Iran sanctions leverage American economic power, Reuters, Nov. 15, 2018.