Cyber-Related Sanctions Program


The cyber-related sanctions were first enacted by President Obama via Executive Order (E.O.) 13694 in 2015 wherein he “declared a national emergency to deal with the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States constituted by the increasing prevalence and severity of malicious cyber-related activities originating from, or directed by persons located, in whole or in substantial part, outside of the United States.” (The Department of the Treasury OFAC Brochure, 2017)  The legal authority undergirding this action was derived from the International Emergency Economic Powers Act (IEEPA) and National Emergencies Act both of title 50 U.S.C., § 212(f) of the Immigration and Nationality Act of 1952 (8 U.S.C. 1182(f)), § 301 of 3 U.S.C., along with Presidential powers vested by the Constitution. (Executive Order No. 13694, 2015)

E.O. 13694 was later amended by President Obama through E.O. 13757 issued December 28, 2016.  The update to the E.O. added an Annex listing sanctioned persons and expanded the scope of cyber-related activities subject to sanctions measures.  Persons designated under this authority are added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).  E.O. 13694 also included a travel ban for SDN listed persons.

OFAC issued the Cyber-Related Sanctions Regulations, 31 C.F.R. part 578 (hereafter “Regulations”) to implement E.O. 13694.  As the Regulations were issued in haste, OFAC intended to supplement the Regulations with additional interpretive and definitional guidance; for instance, “defining ‘cyber-enabled’ activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices.” (The Department of the Treasury, Frequently Asked Questions) To date, promulgation of more comprehensive regulations has not occurred.

Generally, this sanctions program blocks the property and interests in property of persons meeting prescribed criteria; such property may not be transferred, paid, exported, or withdrawn for their direct or indirect use.  The malicious cyber-enabled activities, and extent of involvement and relation to those activities by persons or entities, are explicitly described in the E.O.  E.O. 13757 added to the listed activities of E.O. 13694, cyber-enabled activities “with the purpose or effect of interfering with or undermining election processes or institutions…” (The Department of the Treasury OFAC Brochure, 2017)


The sanctions measures prohibit transactions by U.S. persons, or in or involving the U.S., that involve transferring, paying, exporting, withdrawing, or otherwise dealing in the property or interests in property of persons/entities identified on the SDN List.  Exemptions may be authorized by OFAC, which are made available through the issuance of general licenses that are published in the Regulations or on OFAC’s website.  OFAC does issue specific licenses on a case-by-case basis that authorize “the limited release of blocked funds for the payment of legal fees and costs incurred in seeking administrative reconsideration or judicial review of the designation of a U.S. person or the blocking of the property and interests in property of a U.S. person under the authority of Executive orders and regulations administered by OFAC…, where alternative funding sources are not available.” (Office of Foreign Assets Control, 2010)

It is very important to note that “the property and interests in property of an entity that is 50 percent or more directly or indirectly owned, whether individually or in the aggregate, by one or more blocked persons are also blocked, regardless of whether the entity itself is listed or identified on the SDN List.” (The Department of the Treasury OFAC Brochure) The reach of this sanctions program is quite extensive and presents a potential risk.


If a business is involved in online commerce and financial investments, it must take steps to ensure that its employees do not inadvertently engage in unauthorized transactions or dealings with persons identified on the SDN List. Further, the company should have controls in place to avoid operating in jurisdictions targeted by comprehensive sanctions programs.  It would be prudent to engage outside counsel to assist the company with developing a tailored, risk-based compliance program.  A company should also incorporate a sanctions screening system into its vetting processes for clients, vendors, and other business parties with which the company has relationships.  The company must institute procedures that demonstrate that it is exercising due diligence when engaging third-party service providers or other business actors in its value chain.


For this sanctions program, violations could be against one or more of the legislative acts identified in the overview section above, the main one being IEEPA.  Appendix A to Part 501 of the Regulations, the Economic Sanctions Enforcement Guidelines (hereafter “Guidelines”), provides a general framework for the enforcement of all OFAC sanctions programs to be applied when alleged violations occur.  Violators are subject to civil and/or criminal penalties if proven guilty.  These Guidelines provide for the voluntary disclosure, to OFAC, of a self-discovered potential violation of the sanctions measures.  The Guidelines set forth rules and conditions to determine if the self-initiated notification to OFAC is considered a self-disclosure for the purposes of applying the appropriate enforcement response.

If OFAC launches an investigation to determine if a prohibited activity has occurred, the facts and circumstances of the case will determine the actions that follow.  Listed below are the types of actions OFAC may render according to the Guidelines:

  • No action – i.e., OFAC determines that there is insufficient evidence to conclude that a violation has occurred
  • Request additional information – OFAC determines additional information regarding the apparent violation is needed
  • Cautionary letter – inconclusive determination, but OFAC believes that the underlying conduct could lead to a violation in other circumstances
  • Finding of violation – OFAC determines that a violation has occurred and concludes that the Subject Person’s conduct most appropriately warrants an administrative response
  • Civil monetary penalty – OFAC determines that a violation has occurred and concludes that the Subject Person’s conduct most appropriately warrants an administrative response
  • Criminal referral – OFAC refers the matter to appropriate law enforcement agencies for criminal investigation and/or prosecution
  • Other administrative actions – i.e., license denial, suspension, or revocation

Civil penalties can range from $1,000 to over $250,000 “or twice the amount of the underlying transaction may be imposed administratively against any person who violates, attempts to violate, conspires to violate, or causes a violation of any license, order, regulation or prohibition issued under IEEPA.” (The Department of the Treasury OFAC Brochure)  If convicted criminally, penalties can be assessed in amounts up to $1,000,000.  Imprisonment for up to 20 years, or with monetary penalties, “may be imposed on any person who willfully commits, willfully attempts to commit, or willfully conspires to commit, or aids or abets in the commission of a violation of any license, order, regulation, or prohibition issued under IEEPA.” (The Department of the Treasury OFAC Brochure)

References cited:

The Department of the Treasury (2017) Office of Foreign Assets Control (OFAC): Cyber-Related Sanctions Program (Brochure) (July 3, 2017) extracted from: https://home.treasury.gov/system/files/126/cyber.pdf

The Department of the Treasury. Frequently Asked Questions: Cyber-Related Sanctions. Available at:  https://home.treasury.gov/policy-issues/financial-sanctions/faqs/topic/1546/print

Executive Order No. 13694 (2015) Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, 80 FR 18077 (April 1, 2015)

National Archives eCFR System.  Title 31 Code of Federal Regulations – Appendix A to Part 501 – Economic Sanctions Enforcement Guidelines.  Available at:  https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/part-501/appendix-Appendix%20A%20to%20Part%20501

Office of Foreign Assets Control (2010). “Guidance on the Release of Limited Amounts of Blocked Funds for Payment of Legal Fees and Costs Incurred in Challenging the Blocking of U.S. Persons in Administrative or Civil Proceedings” (July 23, 2010) Available at: https://home.treasury.gov/system/files/126/legal_fee_guide.pdf