OFAC Issues Cyber-Related Sanctions RegulationsAnthony Rapa, Ed Krauland, Stewart Baker, Michael Vatis, and Alan Cohn
January 7, 2016
On December 31, 2015, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued the Cyber-Related Sanctions Regulations (CRSR), 31 C.F.R. Part 578. The CRSR formally implement the sanctions set forth in Executive Order (EO) 13694 of April 1, 2015 and are effective immediately.
On April 1, 2015, President Obama issued EO 13694, and OFAC concurrently released Frequently Asked Questions (FAQ) providing interpretative guidance. As we have previously advised, this EO for the first time imposes sanctions on persons engaged in “significant malicious cyber-enabled activities” that harm US interests. The new sanctions can be imposed against any person involved in the activity specified in the EO, which could include both US and non-US persons. In order to trigger sanctions, the “cyber-enabled activities” (not defined in the EO) must originate from, or be directed by persons located, outside the United States. Interestingly, this activity need not be directed at the United States or a US person in order to be sanctionable, but rather it must pose a significant threat to US interests, including national security, foreign policy, economic health, or financial stability.
The EO authorizes OFAC, in consultation with the Attorney General and the Secretary of State, to block the property and interests in property of designated persons—whereby the person’s assets in the United States or in the possession or control of “US persons” anywhere worldwide are frozen, and “US persons,” wherever located, are restricted from engaging in transactions or dealings with the person. Such blocked persons are designated as Specially Designated Nationals (SDNs). Notably, the EO itself does not designate any SDNs, nor has OFAC designated any person under this sanctions program to date.
Cyber-Related Sanctions Regulations
The CRSR formally implement EO 13694 at 31 C.F.R. Part 578, but do not elaborate upon the EO or provide detailed interpretive guidance. Section 578.201 provides that “[a]ll transactions prohibited pursuant to Executive Order 13694 of April 1, 2015, are also prohibited pursuant to this part.”
Section 578.406 formally implements OFAC’s “50% rule,” which provides that any entity owned 50% or greater by any combination of SDNs is blocked, even if OFAC has not publicly designated the entity as an SDN.
The CRSR also set forth general licenses authorizing certain activity, including:
- Transfer of funds between blocked accounts held in the same name, provided the transfers are within the United States (§ 578.504).
- Debit from a blocked account by a US financial institution for certain service charges (§ 578.505).
- Provision of certain legal services to sanctioned persons, including counseling on sanctions compliance and representation in legal, arbitral, or administrative proceedings. Any other type of legal services requires a specific license issued by OFAC (§ 578.506). Section 578.507 authorizes receipts of payment (or reimbursement) for authorized legal services and does not require US attorneys, law firms, or legal services organizations to send OFAC a letter of engagement or intent prior to receiving payment, unlike other sanctions regimes such as the Ukraine-Related Sanctions Regulations (URSR), for example. US persons who receive payments for authorized legal services must submit annual reports providing information on the funds received—another provision that differs somewhat from other regimes such as the URSR, which require quarterly reports.
The CRSR also contain certain interpretative provisions typical of other sanctions regimes, including provisions noting that property is no longer blocked after it is transferred away from a sanctioned person pursuant to a licensed or authorized transaction (§ 578.403(a)); property transferred or attempted to be transferred to a sanctioned person is blocked (§ 578.403(b)); transactions ordinarily incident to licensed transactions are authorized (§ 578.404); and setoffs against blocked property are prohibited (§ 578.405).
Other sections of the CRSR incorporate standard provisions and definitions typically found in other OFAC sanctions regimes. It should be noted that the CRSR do not include certain exemptions found in some other sanctions regimes, such as exemptions for humanitarian donations or trade in informational materials.
In the Federal Register notice issuing the CRSR, OFAC notes that it intends to issue a more complete set of regulations in the future, which could include additional interpretative guidance and definitions, as well as additional general licenses and statements of licensing policy. While the CRSR do not include the definitions and interpretative guidance from OFAC’s earlier FAQ, which, defined “malicious cyber-enabled activities” among other things, OFAC specifically declared its intent to issue supplemental guidance regarding cyber-enabled activities. It is likely that future regulations will provide definitions and guidance along the lines of those suggested by the OFAC FAQ.
The CRSR formally implement the cyber-related sanctions that had previously been effective pursuant to EO 13694. The regulations establish a framework within which OFAC may issue interpretive guidance and general licenses, which could authorize certain types of activity that are currently restricted.
While OFAC has yet to designate any person under this sanctions program, these regulations suggest that designations may be forthcoming. We will continue to monitor developments in economic sanctions related to malicious cyber activities. If you have questions about these developments, please contact Anthony Rapa at +1 202 429 8120, Edward Krauland at +1 202 429 8083, Stewart Baker at +1 202 429 6402, or Alan Cohn at +1 202 429 6283 in our Washington office, or Michael Vatis in our New York office at +1 212 506 3927.