On May 14, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the U.S. Department of State, and the U.S. Coast Guard issued a long-awaited “Sanctions Advisory for the Maritime Industry, Energy and Metals Sectors, and Related Communities” (the “Advisory”). The Advisory substantially expands on previous shipping advisories that OFAC and other U.S. agencies have issued that were specific to the Iran, Syria, and North Korea programs (see our previous summary) by not only offering global guidance, but also by issuing more than a dozen pages of detailed industry-specific recommendations across 10 sectors that touch the maritime industry. In many cases, these recommendations go substantially beyond the compliance expectations that OFAC or its peers had previously articulated.
The Advisory consolidates the list of “deceptive shipping practices” that were identified in previous advisories and adds several new practices:
- Disabling or Manipulating the Automatic Identification System (AIS) on Vessels;
- Physically Altering Vessel Identification;
- Falsifying Cargo and Vessel Documents;
- Ship-to-Ship (STS) Transfers;
- (New) Voyage Irregularities;
- (New) False Flags and Flag Hopping; and
- (New) Complex Ownership or Management.
To identify these deceptive practices and mitigate these risks, the Advisory recommends that all industry actors should “implement appropriate due diligence and compliance programs based on their risk assessments,” but then proceeds to offer a list of suggested compliance steps that “may assist in more effectively identifying potential sanctions evasion.” These are:
- Institutionalize Sanctions Compliance Programs;
- Establish AIS Best Practices and Contractual Requirements;
- Monitor Ships Throughout the Entire Transaction Lifecycle;
- Know Your Customer and Counterparty;
- Exercise Supply Chain Due Diligence;
- Contractual Language; and
- Industry Information Sharing.
The suggested practices are consistent with previous guidance that OFAC issued with respect to North Korea (in February 2018 and updated in March 2019) and Iran and Syria (November 2018 and March 2019). The Advisory goes substantially further than the prior guidance, however, by including an Annex in which it provides specific compliance recommendations for each of the following industries touching on the maritime sector:
- Maritime Insurance Companies;
- Flag Registry Managers;
- Port State Control Authorities;
- Shipping Industry Associations;
- Regional and Global Commodity Trading, Supplier, and Brokering Companies;
- Financial Institutions;
- Ship Owners, Operators, and Charterers;
- Classification Societies;
- Vessel Captains; and
- Crewing Companies.
We will not repeat the 14 single-spaced pages of recommendations, but the following are a few of the key features or implications of these recommendations:
- Establishes the New Compliance Baseline: The Advisory goes out of its way to repeat that the recommendations are not legal requirements, for example, by having 11 separate footnotes that all state that the recommendations are not intended to be and should not be interpreted as “imposing requirements under U.S. law or otherwise addressing any particular requirements under applicable law.” Nevertheless, they will likely be treated as doing exactly that. While OFAC does not formally require a compliance program, as articulated in its Compliance Framework, OFAC expects all companies to implement a “risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP),” including through the implementation of internal controls that are “capable of adjusting rapidly to changes published by OFAC.” Having now published the Advisory, OFAC will almost certainly evaluate companies in, or engaging with, the maritime sector against these new recommendations when determining the reasonableness of a company’s compliance program in an enforcement context. In cases where these controls could prove practically or commercially impossible (e.g., continuous AIS monitoring), companies may find themselves in the position of having to convince OFAC to agree with this position and to find their programs otherwise reasonable without them.
- Extends AIS Monitoring Recommendations to “Continuous” Monitoring: OFAC’s previous guidance had focused heavily on use of AIS monitoring, encouraging companies to utilize it to identify potential evasion activity. This is something many companies had implemented when signing contracts or renewals, or processing related payments. OFAC had only recommended companies “monitor” AIS when vessels were operating in high-risk areas (e.g., the East China Sea, around the Korean peninsula, or in the Gulf of Tonkin). The Advisory goes further. While the general language recommends that companies should be monitoring on a risk-based approach, in several places in the sector-specific recommendations, OFAC recommends that, for example: (a) ship owners, managers, and charterers should “continuously monitor vessels,” (b) flag registries should have the “capability to monitor AIS transmissions continuously,” and (c) insurers should monitor for “any significant time period with non-transmission that is not consistent with the International Convention for the Safety of Life at Sea” (SOLAS) or any “suspicious deviations in routes,” which effectively assumes continuous monitoring. If implemented in full, this recommendation would flip many compliance programs from using AIS reactively (e.g., reviewing historical data when a claim arises or prior to entering into a new relationship or renewal) to requiring that it be proactively monitored throughout the lifecycle of a relationship.
- Requires Access to AIS Monitoring Tools: Implicit in the above recommendation is a requirement for companies to have the ability to research AIS history. The Advisory makes this recommendation explicit for maritime insurers providing cover for ship owners, suppliers, buyers, charterers, and managers, as well as for flag registries, recommending that they have the ability to “research the AIS history for all the vessels under the ownership or control of such parties,” a recommendation that likely requires the use of subscription tracking tools to access vessels’ historic AIS data.
- Requires Substantially More Detailed Ownership Checks: Generally speaking, in the United States only companies that are subject to U.S. anti-money laundering (AML) obligations (i.e., financial institutions) are legally required to acquire ultimate beneficial ownership (UBO) information on their counterparties. However, given how difficult it is to manage sanctions risk without knowing UBO information, and in light of OFAC’s 50 Percent Rule, OFAC has increasingly recommended that all parties conduct “know your customer” (KYC) analyses, which would include acquiring UBO information. The Advisory, however, goes further, specifically recommending that for vessels determined to be operating in areas at high risk for sanctions evasion not only do (a) marine insurers and (b) classification societies acquire UBO information, but that they acquire, as appropriate, “a color photocopy of the passports, names, business and residential addresses, phone numbers, email of all individual owners of the vessel…” (emphasis in original). The Advisory goes further to recommend that marine insurers seek adequate release in their contracts to allow this personally identifiable information (PII) to be shared with competent authorities if illegal activities are identified, “as allowed by applicable laws and regulations.” This concept overlaps with expectations under U.S. AML requirements, which by contrast apply only to financial institutions.
- Creates an Implied “Know Your Customer’s Controls” (KYCC) Obligation: Finally, the Advisory extends these KYCC obligations even further by specifically recommending that (a) ship owners, operators, charterers, and (b) classification societies require that counterparties maintain an “adequate and appropriate” compliance policy. This would include: (1) conducting activities consistent with sanctions; (2) adequate resourcing to ensure sanctions compliance; (3) ensuring sanctions compliance by affiliates and subsidiaries; (4) having controls to monitor AIS; (5) having controls to assess loading or unloading of cargo in high-risk locations; (6) having controls to verify the authenticity of bills of lading; and (7) having controls to operate consistent with the Advisory. While OFAC has increasingly commented on the risks that downstream customers can create for companies, this is its most explicit recommendation that these parties implement a KYCC-type system, a concept that again overlaps with expectations under U.S. AML requirements.
While the Advisory arguably substantially raises the publicly articulated compliance recommendations across the industry, OFAC is likely to begin using it almost immediately in its communications with industry. This could be in the licensing, policy, or enforcement context. We therefore recommend that all companies with marine sector exposure closely review the recommendations contained in the Advisory and assess whether their current compliance program meets the standards expressed and, if not, be able to articulate a risk-based reason why the particular recommendations are not appropriate to the company, prior to any OFAC-facing engagement.
Note on AIS
The Automatic Identification System (AIS) is an automated tracking system that transmits a vessel’s identification and navigational positional data via high frequency radio waves. The IMO Convention for the Safety of Life at Sea (SOLAS) Regulation V/19.2.4 requires all vessels with a gross tonnage of 300 and above engaged on international voyages and all passenger ships irrespective of size to carry AIS onboard. The AIS onboard must be switched on at all times unless the Master considers that it must be turned off for security reasons (such as in areas at high risk for piracy) or anything else.
AIS is intended to enhance safety of life at sea; the safety and efficiency of navigation; and the protection of the marine environment. Using AIS to detect potential illicit or sanctionable activities is a fairly recent phenomenon, and while it can provide helpful data, like any electronic equipment, AIS has limitations, including that the accuracy of the data received depends on the accuracy of the data transmitted (i.e., errors with the positioning system can provide inaccurate locations), that not all vessels are fitted with AIS, and that AIS might be turned off for legitimate reasons (e.g., in high-risk piracy locations) or be defective.