OFAC: Apple’s faulty screening caused 47 sanctions violations

Apple, Inc. agreed Monday to pay $467,000 to settle violations of the Foreign Narcotics Kingpin Sanctions Regulations after its screening tool failed to detect a sanctioned company and its owner.

The Treasury Department’s Office of Foreign Assets Control said Apple dealt with a software company that OFAC had listed as a “significant foreign narcotics trafficker.”

In July 2008, Cupertino-based Apple entered into an app development agreement with a Slovenia company called SIS, d.o.o.

(The term “d.o.o.” is a standard corporate suffix in Slovenia identifying a limited liability company.)

In February 2015, OFAC designated SIS and Savo Stjepanovic, a director and majority owner of SIS, under the Foreign Narcotics Kingpin Designation Act (21 U.S.C. §§ 1901-1908) and added them to the List of Specially Designated Nationals and Blocked Persons (the SDN List).

Companies subject to OFAC jurisdiction generally can’t do business with any organizations or people on the SDN List.

OFAC’s SDN List entry included SIS’s address, registration number, and tax identification number:

SIS D.O.O., 19 Spruha, Trzin 1236, Slovenia; Registration ID 5919070 (Slovenia); Tax ID No. SI91729181 (Slovenia) [SDNTK].

OFAC publicly linked Stjepanovic to SIS. It published a diagram titled “KARNER Steroid Trafficking Network” that included both Stjepanovic’s photo and SIS’s logo.

On the day when OFAC designated SIS and Stjepanovic, Apple followed its standard compliance procedures and ran a check using its sanctions screening tool.

“During this screening, Apple failed to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked,” OFAC said.

Apple later said its sanctions screening tool failed to match different upper case and lower case letters that appeared in Apple’s system and on the SDN List.

Apple didn’t identify SIS as a blocked company even though the address for SIS that Apple collected matched the address OFAC published.

Apple also missed Stjepanovic’s OFAC designation. He was listed as an “account administrator” in SIS’s App Store developer account but not as a “developer.” At the time, Apple didn’t screen everyone identified in an App Store account against the SDN List, only developers.

Because of the misses, Apple continued to host apps owned by SIS on the App Store. Apple allowed downloads and sales of the blocked SIS apps, received payments from App Store users downloading the SIS apps, permitted SIS to transfer and sell its apps to two other developers, and remitted to SIS each month the revenues produced by the blocked apps.

Apple discovered the misses two years later, in February 2017, when it upgraded its sanctions screening tool. The company’s finance team immediately suspended payments associated with the SIS account, OFAC said. But Apple didn’t suspend payments “for multiple months” to a third party that was processing payments for SIS.

In all, Apple made 47 payments associated with the blocked apps, including payments directly to SIS, after OFAC put SIS on the SDN List.

Apple collected about $1.2 million over 54 months from customers who downloaded SIS apps, OFAC said.

OFAC said it gave Apple credit for a previously clean sanctions compliance record and for responding “to numerous requests for information in a prompt manner.”

OFAC said Apple had “reconfigured” its primary sanctions screening tool and instituted mandatory training for all employees on export and sanctions regulations. It also expanded the role of its “Global Export and Sanctions Compliance Senior Manager in the escalation and review process.”