OFAC Enforcement and the monitoring of IP addresses
Written by Don Lee
I read through OFAC’s Enforcement Information for November (https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20151124_Barracuda.pdf) and found this interesting and a different twist to OFAC regulations from what I’m used to seeing. OFAC fined Barracuda Networks for violating sanctions against Iran, Sudan, and Syria for the sale and distribution of its products to persons in these nations. For those of you that have not used Barracuda’s services, they provide email filtering content services to essentially help keep your junk mail out of your inbox.
The enforcement action was written in the standard ‘enforcement style’ where not all of the facts are stated, but they did state that “Barracuda acted with reckless disregard for sanctions requirements by: (a) permitting distributors and resellers to sell its products and updates to SDNs and to customers in sanctioned countries when it knew or had reason to know that the products were located in sanctioned countries or with SDNs, in potential violation of US sanctions requirements, and (b) distributing its products or technology to more than 17,000 resellers and distributors worldwide without implementing any written sanctions compliance policies or procedures, and failing to provide training to its employees regarding export controls and sanctions.” This is interesting in that Barracuda is expected to monitor its resellers and distributors and where they distribute. They also didn’t have policies and procedures and training for its staff for export controls or sanctions, even though it seems that the SDN sales were done indirectly by resellers and distributors. The enforcement action went on to state that Barracuda should have known about the sanction violation because of the IP addresses associated with the countries subscribing, and Barracuda did not screen IP addresses used to contact Barracuda’s servers. Most of us in the financial communities are used to trade based money laundering, wire fraud or other AML infractions resulting in our analysis of money movements and transaction patterns to identify red flags; however this case is requiring Barracuda and other technology companies to monitor their IP address traffic and their resellers to ensure they are not dealing with SDNs. In retrospect this is a good idea, however I never considered monitoring requirements for non-financially related firms.
This highlights the changing world we live in. AML does not live only in the financial sector but also the technology sector where IP addresses are expected to be monitored by the provider to ensure they are not violating US sanctions.
About FinWebTech
FinWebTech is a service as a software (SaaS) development company creating web applications to solve the growing needs of financial services firms. FinWebTech’s first product is Catalyst, an automated compliance solution for the securities industry. Catalyst provides firms with: Transaction Surveillance for AML and Suitability; Risk Assessments and Management; Supervisory Controls and Audit Logs, KYC, Document Repository and other tools to assist compliance departments manage their programs and reduce risk. Catalyst is priced to give small to medium sized firms access to compliance technology.
For more information on FinWebTech and Catalyst, please contact Don Lee at
don.lee@finwebtech.com or 305-409-1307