Compliance for Internet, Web Based Activities, and Personal Communications

You cannot do something indirectly that you would not be able to do directly. Therefore, these sites can be used to facilitate authorized transactions, but you cannot use them to perform a transaction which would be in violation of U.S. law. For example, the Cuban Assets Control Regulations (CACR) authorize any U.S. person to send $1,000 per quarter to close relatives in Cuba, provided that the recipient is not a prohibited official of the Government of Cuba, as defined in § 515.337, or a prohibited member of the Cuban Communist Party, as defined in § 515.338, or a close relative of such persons, as defined in § 515.339. See 31 CFR § 515.570(a) and (j) for additional applicable conditions. Subject to those conditions, the U.S. remitter can use a third-country provider to send these funds to Cuba. If the person attempts to send more than $1,000 per quarter to any one individual, however, he or she may be in violation of U.S. law and subject to penalties. Another example is booking unauthorized travel to Cuba using an internet travel service provider in a third country. Spending money on unauthorized travel-related transactions involving Cuba is prohibited by the CACR, regardless of how the travel is booked or how it is paid for. The fact that the trip was booked through a third-country company, either in person or over the internet, is irrelevant.


Complying with United States sanctions policy presents unique challenges to institutions that operate exclusively on the Internet. The Internet has often been thought of as an "anonymous venue" in that e-commerce transactions can be conducted in relative privacy with little or no face-to-face contact among the parties in a transaction. This anonymity creates a significant challenge for Internet businesses that wish to satisfy their due diligence requirements.

In order to be compliant with OFAC-governed sanctions regulations, US jurisdiction entities must ensure that they are not:

A. Engaging in trade or transaction activities that violate the regulations behind OFAC’s country-based sanctions programs; and

B. Engaging in trade or transaction activities with sanctions targets named on OFAC's list of Specially Designated Nationals and Blocked Persons (SDNs).

A number of Internet-based financial service companies have already developed Internet Protocol (IP) address blocking procedures. These companies use publicly available data to maintain tables of IP addresses based on geographic region. Users attempting to initiate an online transaction or access an account from a sanctioned country are blocked based on their IP address. While this approach is effective, it does not fully address an Internet firm’s compliance risks. The fact that international distribution authorities can reassign IP blocks makes the geographic location of an IP potentially dynamic.

The anonymous character of Internet-based transactions often places obstacles in the path of rigorous compliance practices. Firms that facilitate or engage in e-commerce should do their best to know their customers directly. In order to minimize their liabilities, Internet remittance and account service firms should attempt to gather authentic identification information on their customers before a new account is opened or a new transaction is initiated. This information will help confirm the customer’s identity and help the e-commerce firm ensure it is not conducting business with a sanctions target. Currently, many Internet remittance companies use credit card authentication as the primary method of confirming a customer's identity. While this method is technologically expedient, it does not meet the standards of due diligence normally found in the non-Internet-based financial community. A company cannot rely on another firm’s compliance program in order to mitigate risk.

It is recommended that e-commerce firms gather and record "purpose of payment" information on each transaction they process. In the non-Internet sector, financial institutions are able to stop in-process transactions and gather more information on them. Due to the level of automation found within the Internet financial sector, this type of in-process information gathering is not always possible. Collecting information on the purpose of payments up front will allow Internet firms to better screen outgoing and incoming transactions for potential violations.


The exportation to Iran of apps that are designated EAR99 or classified under export control classification number (ECCN) 5D992.c, as specified in category (8) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, is authorized under 31 CFR § 560.540(a)(3), including apps downloaded via online app stores, to the extent not authorized under 31 CFR § 560.540(a)(1) or (2) or exempt.

Date Updated: May 16, 2024


Yes.  Section 560.540(a)(3) authorizes the exportation of certain anti-virus, anti-malware, anti-tracking, anti-censorship software, and related services, as specified in categories (6), (7), and (9) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications.

Date Updated: May 16, 2024


SSLs, as described in category (11) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications (“31 CFR § 560.540 List”) encompass “provisioning and verification software for Secure Socket Layer (SSL) certificates designated EAR99 or classified under ECCN 5D992.c, and services necessary for the operation of such software.”  Additional provisioning and verification software not subject to the EAR may be included under 31 CFR § 560.540’s authorization for, in relevant part, software not subject to the EAR that is exported, reexported, or provided, directly or indirectly, by a U.S. person located outside the United States, that is of a type described in the 31 CFR § 560.540 List, provided that it would be designated as EAR99 or would meet the criteria for classification under the relevant ECCN specified therein if it were subject to the EAR.

Date Updated: May 16, 2024


Yes.  Accessories for use in conjunction with hardware specified in categories (1) and (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications (the “31 CFR § 560.540 List”), and peripherals for use in conjunction with hardware specified in category (5) of the same are authorized for export to Iran under 31 CFR § 560.540.  Authorized accessories for mobile phones include headsets, cases, holsters, mounts, chargers, docks, display protectors, cables, adapters, and batteries.  Authorized accessories for computers include keyboards and mice; authorized peripherals for computers include consumer disk drives and other data storage devices.  As set forth in a note to the 31 CFR § 560.540 List, for the purposes of the 31 CFR § 560.540 List, the term “consumer” refers to items that are: (1) generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: (a) over-the-counter transactions; (b) mail order transactions; (c) electronic transactions; or (d) telephone call transactions; and (2) designed for installation by the user without further substantial support by the supplier.

Date Updated: May 16, 2024


No.  While the exportation of certain accessories and peripherals specified in categories (1) and (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications is authorized under 31 CFR § 560.540(a)(3), the exportation to Iran of hardware parts or components is not.  Hardware that requires repair or replacement may be repaired or replaced outside Iran pursuant to 31 CFR § 560.540(a)(5) or (a)(7).  Requests for specific licenses to export to Iran parts or components, including replacement parts, will be considered on a case-by-case basis.

Date Updated: May 16, 2024


No.  To qualify for 31 CFR § 560.540, all individual software items in a bundled package must fall within one of the 31 CFR § 560.540 authorizations.  If some software in a bundled package is authorized by 31 CFR § 560.540 but other software is not, the portion of the software falling outside the authorizations in 31 CFR § 560.540 would need to be otherwise exempt or authorized or would require a specific license for export.  A bundle of software that included exclusively software authorized by 31 CFR § 560.540 could be exported.  Please see FAQs 1087–1088 for guidance on certain types of cloud-based software authorized by 31 CFR § 560.540.

Date Updated: May 16, 2024


Yes.  Fee-based desktop publishing software and productivity software suites have been determined to fall within the scope of fee-based software that enables services incident to the exchange of communications as described in 31 CFR § 560.540(a)(2), provided that the software meets the additional criteria in those paragraphs (e.g., for software subject to the EAR, the software is designated EAR99 or is classified by the U.S. Department of Commerce on the Commerce Control List, 15 CFR part 774, supplement No. 1 (“CCL”) under ECCN 5D992.c).  By contrast, enterprise management software has been determined not to fall within the scope of fee-based software that enables services incident to the exchange of communications as described in 31 CFR § 560.540(a)(2).

Date Updated: May 16, 2024


Yes.  Section 560.540(a)(1) of the ITSR authorizes the provision to Iran of fee-based cloud computing services that support the exchange of communications over the internet.  In addition, paragraph (a)(2)(i) of 31 CFR § 560.540 authorizes the provision to Iran of software that is incident to, or enables services incident to, the exchange of communications over the internet, and paragraph (a)(3) authorizes the provision to Iran of software described in the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications and services necessary for the operation of such software, in both cases provided that such software is designated EAR99 or classified by the U.S. Department of Commerce on the CCL under ECCN 5D992.c or, in the case of software that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5D992.c if it were subject to the EAR.  Please see FAQs 1087–1089 for additional guidance. 

Date Updated: May 16, 2024


“Software required for effective consumer use” consists of software essential to the operation of the hardware listed in category (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, including, for example, drivers and patches.  Operating systems are separately authorized in category (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications.

In addition, effective June 16, 2024, OFAC is amending the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications to exclude laptops, tablets, and personal computing devices with an “Adjusted Peak Performance” (“APP”) exceeding 1 Weighted TeraFLOP (WT).  After this change is effective, the only laptops, tablets, and other computing devices that may be exported to Iran are ones with an APP of 1 WT or less.

Date Updated: May 16, 2024


Satellite terminals and other equipment listed in category (4) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, shall be deemed “residential consumer” if the equipment is designated EAR99 or classified under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 or, in the case of equipment that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 if it were subject to the EAR. 

Date Updated: May 16, 2024


User authentication services are services used to log in or verify the identity of a user to a particular software or service, such as a user identification account often used to log in to email, mobile app stores, or other activities authorized by 31 CFR § 560.540.