Recent OFAC Enforcements Demonstrate the Importance of IP Address Geolocation Screening

Is it possible to tell if a customer—who claims to be emailing from France—is actually sending the electronic message from there and not from a sanctioned country? The answer is a definitive ‘yes’. With IP address geolocation screening that forms part of any robust denied party screening application.

The question is being increasingly asked due to the growing number of enforcement actions by the U.S. Commerce Department’s Office of Foreign Assets Control (OFAC) against companies found doing business with sanctioned and embargoed countries over the past 18 months. By the latest count, at least six organizations were fined more than US$4 million for entering into deals with Iran, Syria, Sudan, Cuba, and North Korea, as well as the region of Crimea in Ukraine. The maximum collective penalty could have totaled a whopping $2.4 billion, but the fines were significantly reduced because the companies self-disclosed the breaches and implemented major remedial measures, including IP address screening and blocking, as part of the settlement with the government.

The six consisted of a 3D animation hardware and software systems developer, an online money transmitter, a digital currency payment processing solution maker, a digital assets security enabler, an ERP application provider, and an ecommerce platform.

While they had various forms of export control processes in place at the time of the violations, there were two problem areas: 1) they were not collecting IP address data all; or 2) they were tracking the data, but not using it as part of their compliance strategy.

In very simplified terms, each computer has its own IP address, represented by a unique string of characters. It’s akin to cars and their Vehicle Identification Number (VIN). The IP address’ primary purpose is for device identification in order to facilitate computer-to-computer communication. It also reveals the user’s approximate geolocation. For example, in the city of Paris, but nothing more detailed than that, because of privacy laws.

Thus, screening in this sense means to identify and vet the location of a person or organization to make sure they are where they say they are, and not ‘masking’ or hiding their IP address in an effort to intentionally circumvent sanctions and embargoes as they try to transact business.

With the six penalized companies broadly representing a cross section of industries, including financial services and online technology, OFAC assessed that they should deploy available means to minimize compliance risks. This included steps such as thoroughly understanding relevant sanctions regulations, establishing or strengthening export controls and procedures, ensuring staff training, and having effective and ongoing denied party screening in place. The relatively new item, which is becoming more prevalent, is the emphasis on IP address geolocation screening and blocking.

This development is in line with other government moves aimed at pushing companies to be more detailed and accurate in their due diligence prior to ratifying a business deal. Other examples include OFAC’s 50 percent rule, the equivalent rules in the European Union, and the Military End User (MEU) regulations where official guidance is more directional rather than through explicit instructions. In a nutshell, it is about going deeper and wider in assessing potential third-party risks.

Descartes has sanctioned and restricted party screening solutions that include IP address geolocation search capabilities so that organizations can be made aware the instant a certain IP address is found to be located in a sanctioned country, allowing compliance teams to take the appropriate actions.

Our solutions help companies manage their export compliance risk more effectively – restricted party screening, export classification, license determination and management, and sanctioned party ownership screening. Effective compliance processes not only mitigates the risk of penalties, adverse media, reputational damage, they also help organizations enable business growth.

For other articles related to IP address geolocation screening, check out Three Denied Parties Screening Red Flags You Should Be On the Lookout For, and An Introduction to Restricted Party Screening.