Compliance for Internet, Web Based Activities, and Personal Communications

72. Can I send money to a sanctioned country using a third-country company’s website? Can I buy gifts for someone in a sanctioned country over the internet? The websites tell me that it’s ok because they themselves are not sanctioned parties.

You cannot do something indirectly that you would not be able to do directly. Therefore, these sites can be used to facilitate authorized transactions, but you cannot use them to perform a transaction which would be in violation of U.S. law. For example, the Cuban Assets Control Regulations (CACR) authorize any U.S. person to send $1,000 per quarter to close relatives in Cuba, provided that the recipient is not a prohibited official of the Government of Cuba, as defined in § 515.337 or a prohibited member of the Cuban Communist Party, as defined in § 515.338, or a close relative of such persons, as defined in § 515.339. See 31 CFR § 515.570(a) and (j) for additional applicable conditions. Subject to those conditions, the U.S. remitter can use a third-country provider to send these funds to Cuba. If the person attempts to send more than $1000 per quarter to any one individual, however, he or she may be in violation of U.S. law and subject to penalties. Another example is booking unauthorized travel to Cuba using an internet travel service provider in a third country. Spending money on unauthorized travel-related transactions involving Cuba is prohibited by the CACR, regardless of how the travel is booked or how it is paid for. The fact that the trip was booked through a third-country company, either in person or over the internet, is irrelevant.

73. My company provides money remittance and account services via the Internet. Does OFAC have any compliance guidance for this type of business?

Complying with United States sanctions policy presents unique challenges to institutions that operate exclusively on the Internet. The Internet has often been thought of as an "anonymous venue" in that e-commerce transactions can be conducted in relative privacy with little or no face-to-face contact among the parties in a transaction. This anonymity creates a significant challenge for Internet businesses that wish to satisfy their due diligence requirements.

In order to be compliant with OFAC-governed sanctions regulations, US jurisdiction entities must ensure that they are not:

A. Engaging in trade or transaction activities that violate the regulations behind OFAC’s country-based sanctions programs, and;

B. Engaging in trade or transaction activities with sanctions targets named on OFAC's list of Specially Designated Nationals and Blocked Persons (SDN's).

A number of Internet-based financial service companies already developed Internet Protocol (IP) address blocking procedures. These companies use publicly available data to maintain tables of IP addresses based on geographic region. Users attempting to initiate an online transaction or access an account from a sanctioned country are blocked based on their IP address. While this approach is effective, it does not fully address an Internet firm’s compliance risks. The fact that international distribution authorities can reassign IP blocks makes the geographic location of an IP potentially dynamic.

The anonymous character of Internet-based transactions often places obstacles in the path of rigorous compliance practices. Firms that facilitate or engage in e-commerce should do their best to know their customers directly. In order to minimize their liabilities, Internet remittance and account service firms should attempt to gather authentic identification information on their customers before a new account is opened or new transaction is initiated. This information will help confirm the customer’s identity and help the e-commerce firm ensure it is not conducting business with a sanctions target. Currently many Internet remittance companies use credit card authentication as the primary method of confirming a customer's identity. While this method is technologically expedient, it does not meet the standards of due diligence normally found in the non-Internet-based financial community. A company cannot rely on another firm’s compliance program in order to mitigate risk.

It is recommended that e-commerce firms gather and record "purpose of payment" information on each transaction they process. In the non-Internet sector, financial institutions are able to stop in-process transactions and gather more information on them. Due to the level of automation found within the Internet financial sector, this type of in-process information gathering is not always possible. Collecting information on the purpose of payments up front will allow Internet firms to better screen outgoing and incoming transactions for potential violations.

434. Are all applications designed to run on mobile operating systems (“apps”) covered by General License (GL) D-2?

The exportation to Iran of apps that are designated EAR99 or classified under export control classification number (ECCN) 5D992.c, as specified in category (8) of the Annex to GL D-2, is authorized under the GL D-2, including apps downloaded via online app stores.

Date Updated: January 11, 2023

435. Is the exportation of anti-virus, anti-malware, anti-tracking, and anti-censorship software authorized under General License (GL) D-2?

Yes.  Paragraph (a)(3) of GL D-2 authorizes the exportation of certain anti-virus, anti-malware, anti-tracking, and anti-censorship software, as specified in categories (6), (7), and (9) of the Annex to GL D-2.

Date Updated: January 11, 2023

436. What do Secure Socket Layers (SSLs), listed in the Annex to General License (GL) D-2 encompass?

SSLs, as described in category (11) of the Annex to GL D-2 encompass “provisioning and verification software for Secure Socket Layer (SSL) certificates designated EAR99 or classified under ECCN 5D992.c, and services necessary for the operation of such software.”  Additional provisioning and verification software not subject to the EAR may be included under GL D-2’s authorization for, in relevant part, software not subject to the EAR that is exported or reexported, directly or indirectly, by a U.S. person located outside the United States, that is of a type described in the Annex to GL D-2, provided that it would be eligible for classification under an ECCN listed in the Annex (ECCN 5D992.c), or designated as EAR99, if it were subject to the EAR.

Date Updated: January 11, 2023

437. Are mobile phone accessories and computer accessories and peripherals authorized for export under General License (GL) D-2?

Yes.  Accessories for use in conjunction with hardware specified in categories (1) and (5) of the Annex to GL D-2 , and peripherals for use in conjunction with hardware specified in category (5) of the same are authorized for export to Iran under GL D-2.  Authorized accessories for mobile phones include headsets, cases, holsters, mounts, chargers, docks, display protectors, cables, adapters, and batteries.  Authorized accessories for computers include keyboards and mice; authorized peripherals for computers include consumer disk drives and other data storage devices.  As set forth in a note to the Annex to GL D-2, for the purposes of the Annex, the term “consumer” refers to items that are: (1) generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: (a) over-the-counter transactions; (b) mail order transactions; (c) electronic transactions; or (d) telephone call transactions; and (2) designed for installation by the user without further substantial support by the supplier.

Date Updated: January 11, 2023

438. Is the exportation of parts or components for authorized hardware, such as microprocessors, authorized under General License (GL) D-2?

No.  While the exportation of certain accessories and peripherals specified in categories (1) and (5) of the Annex to GL D-2 , is authorized under paragraph (a)(3) of GL D-2, the exportation of hardware parts or components is not.  Requests for specific licenses to export parts or components, including replacement parts, will be considered on a case-by-case basis.

Date Updated: January 11, 2023

439. Does General License (GL) D-2 authorize the export of bundled software that includes both software authorized by GL D-2 and software that is not authorized by GL D-2?

No.  To qualify for GL D-2, all individual software items in a bundled package must fall within one of GL D-2 authorizations.  If some software in a bundled package is authorized by GL D-2 but other software is not, the portion of the software falling outside the authorizations in GL D-2 would need to be otherwise exempt or authorized or would require a specific license for export.  A bundle of software that included exclusively software authorized by GL D-2 and by 31 CFR § 560.540 could be exported.  Please see FAQs 1087–1088 for guidance on certain types of cloud-based software authorized by GL D-2. 

Date Updated: January 11, 2023

440. Does General License (GL) D-2 authorize the exportation to Iran of fee-based desktop publishing software and productivity software suites used to publish documents, presentations, spreadsheets, charts, music, movies, and digital images?

Yes.  Fee-based desktop publishing software and productivity software suites have been determined to fall within the scope of fee-based software that enables services incident to the exchange of communications as described in paragraph (a)(2) of GL D-2, provided that the software meets the additional criteria in those paragraphs (e.g., for software subject to the EAR, the software is designated EAR99 or is classified by the U.S. Department of Commerce on the Commerce Control List, 15 CFR part 774, supplement No. 1 (“CCL”) under ECCN 5D992.c).  By contrast, enterprise management software has been determined not to fall within the scope of fee-based software that enables services incident to the exchange of communications as described in paragraph (a)(2) of GL D-2.

Date Updated: January 11, 2023

441. Does General License (GL) D-2 authorize the exportation of fee-based cloud computing services to Iran?

Yes.  Paragraph(a)(1) of GL D-2 authorizes the exportation to Iran of fee-based cloud computing services that support the exchange of communications over the internet.  In addition, paragraph (a)(2)(i) authorizes software that is incident to, or enables services incident to, the exchange of communications over the internet, and paragraph (a)(3) authorizes software described in the Annex to GL D-2 and services necessary for the operation of such software, in both cases provided that such software is designated EAR99 or classified by the U.S. Department of Commerce on the CCL under ECCN 5D992.c or, in the case of software that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5D992.c if it were subject to the EAR.  Please see FAQ 1087–1089 for additional guidance. 

Date Updated: January 11, 2023

442. For purposes of category (5) of the Annex to General License (GL) D-2, what would be considered “software required for effective consumer use” of personal computing devices, laptops, and tablets?

“Software required for effective consumer use” consists of software essential to the operation of the hardware listed in category (5) of the Annex to GL D-2 , including, for example, drivers and patches. Operating systems are separately authorized in category (5) of the Annex to GL D-2.

Date Updated: January 11, 2023

443. What are “residential consumer” satellite terminals and transceiver equipment for the purposes of category (4) of the Annex to General License (GL) D-2?

Satellite terminals and other equipment listed in category (4) of the Annex to GL D-2, shall be deemed “residential consumer” if the equipment is designated EAR99 or classified under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 or, in the case of equipment that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 if it were subject to the EAR. 

Date Updated: January 11, 2023