Frequently Asked Questions
Compliance for Internet, Web Based Activities, and Personal Communications
You cannot do something indirectly that you would not be able to do directly. Therefore, these sites can be used to facilitate authorized transactions, but you cannot use them to perform a transaction which would be in violation of U.S. law. For example, the Cuban Assets Control Regulations (CACR) authorize any U.S. person to send $1,000 per quarter to close relatives in Cuba, provided that the recipient is not a prohibited official of the Government of Cuba, as defined in § 515.337 or a prohibited member of the Cuban Communist Party, as defined in § 515.338, or a close relative of such persons, as defined in § 515.339. See 31 CFR § 515.570(a) and (j) for additional applicable conditions. Subject to those conditions, the U.S. remitter can use a third-country provider to send these funds to Cuba. If the person attempts to send more than $1000 per quarter to any one individual, however, he or she may be in violation of U.S. law and subject to penalties. Another example is booking unauthorized travel to Cuba using an internet travel service provider in a third country. Spending money on unauthorized travel-related transactions involving Cuba is prohibited by the CACR, regardless of how the travel is booked or how it is paid for. The fact that the trip was booked through a third-country company, either in person or over the internet, is irrelevant.
Complying with United States sanctions policy presents unique challenges to institutions that operate exclusively on the Internet. The Internet has often been thought of as an "anonymous venue" in that e-commerce transactions can be conducted in relative privacy with little or no face-to-face contact among the parties in a transaction. This anonymity creates a significant challenge for Internet businesses that wish to satisfy their due diligence requirements.
In order to be compliant with OFAC-governed sanctions regulations, US jurisdiction entities must ensure that they are not:
A. Engaging in trade or transaction activities that violate the regulations behind OFAC’s country-based sanctions programs, and;
B. Engaging in trade or transaction activities with sanctions targets named on OFAC's list of Specially Designated Nationals and Blocked Persons (SDN's).
A number of Internet-based financial service companies already developed Internet Protocol (IP) address blocking procedures. These companies use publicly available data to maintain tables of IP addresses based on geographic region. Users attempting to initiate an online transaction or access an account from a sanctioned country are blocked based on their IP address. While this approach is effective, it does not fully address an Internet firm’s compliance risks. The fact that international distribution authorities can reassign IP blocks makes the geographic location of an IP potentially dynamic.
The anonymous character of Internet-based transactions often places obstacles in the path of rigorous compliance practices. Firms that facilitate or engage in e-commerce should do their best to know their customers directly. In order to minimize their liabilities, Internet remittance and account service firms should attempt to gather authentic identification information on their customers before a new account is opened or new transaction is initiated. This information will help confirm the customer’s identity and help the e-commerce firm ensure it is not conducting business with a sanctions target. Currently many Internet remittance companies use credit card authentication as the primary method of confirming a customer's identity. While this method is technologically expedient, it does not meet the standards of due diligence normally found in the non-Internet-based financial community. A company cannot rely on another firm’s compliance program in order to mitigate risk.
It is recommended that e-commerce firms gather and record "purpose of payment" information on each transaction they process. In the non-Internet sector, financial institutions are able to stop in-process transactions and gather more information on them. Due to the level of automation found within the Internet financial sector, this type of in-process information gathering is not always possible. Collecting information on the purpose of payments up front will allow Internet firms to better screen outgoing and incoming transactions for potential violations.
The exportation to Iran and Sudan of apps that are designated EAR99 or classified under export control classification number (ECCN) 5D992.c, as specified in category (8) of the Annex to GL D-1 and in Appendix A to § 538.533, respectively, is authorized under the Personal Communications GLs, including apps downloaded via online app stores.
SSLs, as described in category (11) of the Annex to GL D-1 and Appendix A to § 538.533, respectively, encompass “provisioning and verification software for Secure Socket Layer (SSL) certificates designated EAR99 or classified under ECCN 5D992.c, and services necessary for the operation of such software.” Additional provisioning and verification software not subject to the EAR may be included under the Personal Communications GLs’ authorization for, in relevant part, software not subject to the EAR that is exported or reexported, directly or indirectly, by a U.S. person located outside the United States, that is of a type described in the Annex to GL D-1 and Appendix A to § 538.533, respectively, provided that it would be eligible for classification under an ECCN listed in the Annex or Appendix (here, ECCN 5D992.c), or designated as EAR99, if it were subject to the EAR.
Yes. Accessories for use in conjunction with hardware specified in categories (1) and (5) of the Annex to GL D-1 and Appendix A to § 538.533, respectively, and peripherals for use in conjunction with hardware specified in category (5) of the same are authorized for export to Iran and Sudan under the Personal Communications GLs. Authorized accessories for mobile phones include headsets, cases, holsters, mounts, chargers, docks, display protectors, cables, adapters, and batteries. Authorized accessories for computers include keyboards and mice; authorized peripherals for computers include consumer disk drives and other data storage devices. As set forth in a note to the Annex to GL D-1 and Appendix A to § 538.533, respectively, for the purposes of the Annex and Appendix, the term “consumer” refers to items that are: (1) generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: (a) over-the-counter transactions; (b) mail order transactions; (c) electronic transactions; or (d) telephone call transactions; and (2) designed for installation by the user without further substantial support by the supplier.
No. While the exportation of certain accessories and peripherals specified in categories (1) and (5) of the Annex to GL D-1 and Appendix A to § 538.533, respectively, is authorized under paragraphs (a)(3) of the Personal Communications GLs, the exportation of hardware parts or components is not. Requests for specific licenses to export parts or components, including replacement parts, will be considered on a case-by-case basis.
No. To qualify for the Personal Communications GLs, all individual software items in a bundled package must fall within one of the Personal Communications GL authorizations. If some software in a bundled package is authorized by the Personal Communications GLs, but other software is not, the portion of the software falling outside the authorizations in the Personal Communications GLs would need to be otherwise exempt or authorized or would require a specific license for export. For example, a bundle of software that included exclusively software authorized by GL D-1 and by 31 CFR § 560.540 could be exported.
Yes. Fee-based desktop publishing software and productivity software suites have been determined to fall within the scope of fee-based software necessary to enable services incident to the exchange of personal communications as described in paragraphs (a)(2) of the Personal Communications GLs, provided that the software meets the additional criteria in those paragraphs (e.g., for software subject to the EAR, the software is designated EAR99 or is classified by the U.S. Department of Commerce on the Commerce Control List, 15 CFR part 774, supplement No. 1 (“CCL”) under ECCN 5D992.c). By contrast, enterprise management software has been determined not to fall within the scope of fee-based software necessary to enable services incident to the exchange of personal communications as described in paragraphs (a)(2) of the Personal Communications GLs.
Yes. Paragraphs (a)(1) of the Personal Communications GLs authorize the exportation to Iran and Sudan of fee-based cloud computing services incident to the exchange of personal communications over the Internet. In addition, paragraphs (a)(2)(i) and (a)(3) authorize software necessary to enable such services, provided that such software is designated EAR99 or classified by the U.S. Department of Commerce on the CCL under ECCN 5D992.c or, in the case of software that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5D992.c if it were subject to the EAR.
“Software required for effective consumer use” consists of software essential to the operation of the hardware listed in category (5) of the Annex to GL D-1 and Appendix A to § 538.533, respectively, including, for example, drivers and patches. Operating systems are separately authorized in category (5) of the Annex to GL D-1 and Appendix A to § 538.533.
Satellite terminals and other equipment listed in category (4) of the Annex to GL D-1 and Appendix A to § 538.533, respectively, shall be deemed “residential consumer” if the equipment is designated EAR99 or classified under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 or, in the case of equipment that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 if it were subject to the EAR. [02-17-2015]