RECOMMENDATIONS REGARDING OFAC AND RELATED SANCTIONS ISSUES

BACKGROUND

The Subgroup has considered several related issues under the common topic of the effect of government sanctions on ICANN’s operations and accountability.  In particular, these issues have been raised in relation to U.S. government sanctions administered by the Office of Foreign Asset Control (OFAC).

OFAC is an office of the U.S. Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted individuals and entities. [1]   Where a nation is subject to sanctions, the sanctions may extend to its citizens, regardless of their personal character or activities.  OFAC has been delegated responsibility by the Secretary of the Treasury for developing, promulgating, and administering U.S. sanctions programs.  Many of these sanctions are based on United Nations and other international mandates; therefore, they are multilateral in scope, and involve close cooperation with allied governments. Other sanctions are specific to the national security interests of the United States.

OFAC acts under executive and legislative authority to impose controls on transactions and to freeze assets under U.S. jurisdiction.

OFAC also enforces apparent violations of its regulations, based on its Economic Sanctions Enforcement Guidelines. [2]   Enforcement may result in civil penalties up to $250,000 per violation or twice the amount of a transaction, whichever is greater.

Persons Subject to Compliance Obligations

According to the OFAC website, “U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the cases of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S.-origin goods to comply.” [3]

Covered Persons

OFAC maintains a list of specially designated nationals (SDNs) that U.S. persons cannot transact with.  These are individuals who are singled out for sanctions. However, where a sanction applies to a country, citizens of that country who are not SDNs often cannot freely transact with U.S. persons, without regard to their personal character or activities.

Prohibited Transactions

Under OFAC, certain transactions may be prohibited. Such transactions cannot be consummated unless there is either a specific license or a general license permitting the transaction.

OFAC Licenses

OFAC has the authority, through a licensing process, to permit certain transactions that would otherwise be prohibited under its regulations. OFAC can issue a license to engage in an otherwise prohibited transaction when it determines that the transaction does not undermine the U.S. policy objectives of the particular sanctions program, or is otherwise justified by U.S. national security or foreign policy objectives. OFAC can also promulgate general licenses, which authorize categories of transactions, without the need for case-by-case authorization from OFAC. General licenses are actually regulations, which must be adopted and then can be found in the regulations for each sanctions program [4] and may be accessed from OFAC’s Web site.  The regulation covering a general license will set forth the relevant criteria of the general license, including the classes of person and category or categories of transactions covered by the general license.

Specific licenses are applied for by one of the parties to the transaction and issued on a case-by-case basis.  A specific license is a written document issued by OFAC authorizing a particular transaction or set of transactions generally limited to a specified time period. To receive a specific license, the person or entity who would like to undertake the transaction must submit an application to OFAC. If the transaction conforms to OFAC's internal licensing policies and U.S. foreign policy objectives, the license generally is issued.

ISSUES AND RECOMMENDATIONS

         ICANN and U.S. Sanctions

         ICANN Contractual Language in RAA Relating to OFAC Licenses

         Applicability of OFAC to Non-US Registrars

         Approval of gTLD Registries

         Application of OFAC Restrictions by Non-US Registrars

         General Licenses

ICANN and U.S. Sanctions

There is a tension between ICANN’S goal of administering the Internet as a neutral global resource and the imposition of sanctions by the U.S. on other countries. [5] [GS1] Sanctions laws and policies, when applied to domain name registrars and registries, can hamper access to the domain name system by innocent users and businesses, simply based on their nationality. For these persons to transact with ICANN, they or ICANN will need to apply for an OFAC license.

I CANN Contractual language in RAA Relating to OFAC Licenses

Currently, the Registrar Accreditation Agreement states that “ICANN is under no obligation to seek [a license for a transaction with a non-SDN resident of a sanctioned country] and, in any given case, OFAC could decide not to issue a requested license.” 

This is not an encouraging policy for potential registrars from sanctioned countries, even though ICANN has informed the Subgroup that it has sought such licenses in the past and has been successful in doing so.  If ICANN chose to exercise its discretion and not seek a license in any given case, this would have the effect of hampering ICANN’s ability to provide services, inconsistent with the spirit if not the letter of ICANN’s Mission.  ICANN likely could not be held accountable for this decision under the current contract, because the contractual language gives ICANN unfettered discretion to decline to seek a license, without any indication of the criteria ICANN would use to make that determination. 

This uncertainty and lack of transparency may deter potential registrars domiciled in sanctioned countries from pursuing registrar accreditation.  This is not a good result.  Instead, ICANN should seek to minimize the hurdles for residents of sanctioned countries seeking registrar accreditation.  In turn, this should encourage the growth of the Internet in these countries.

Recommendation

Currently, the RAA reads as follows:  

  4. Application Process.

Applicant acknowledges that   ICANN   must comply with all U.S. laws, rules, and regulations. One such set of regulations is the economic and trade sanctions program administered by the Office of Foreign Assets Control ("OFAC") of the U.S. Department of the Treasury. These sanctions have been imposed on certain countries, as well as individuals and entities that appear on OFAC's List of Specially Designated Nationals and Blocked Persons (the "SDN List").   ICANN   is prohibited from providing most goods or services to residents of sanctioned countries or their governmental entities or to SDNs without an applicable U.S. government authorization or exemption.   ICANN   generally will not seek a license to provide goods or services to an individual or entity on the SDN List. In the past, when ICANN has been requested to provide services to individuals or entities that are not SDNs, but are residents of sanctioned countries,   ICANN   has sought and been granted licenses as required.   However, Applicant acknowledges that   ICANN   is under no obligations to seek such licenses and, in any given case, OFAC could decide not to issue a requested license. ” [Emphasis Added]

The last sentence should be amended to require ICANN to apply for and use best efforts to secure an OFAC license if the other party is otherwise qualified to be a registrar (and is not on the SDN List).  During the licensing process, ICANN should be helpful and transparent with regard to the licensing process and ICANN’s efforts, including ongoing communication with the potential registrar.

Approval of gTLD Registries

In the 2012 round of the New gTLD Program, it proved to be difficult for residents from countries subject to U.S. sanctions to file and make their way through the application process.  The AGB (Applicant Guidebook) states, in language highly reminiscent of the RAA: “In the past, when ICANN has been requested to provide services to individuals or entities that are not SDNs (specially designated nationals) but are residents of sanctioned countries, ICANN has sought and been granted licenses as required. In any given case, however, OFAC could decide not to issue a requested license.” [6]

It is the Subgroup’s understanding that new gTLD applicants from sanctioned countries who are not on the SDN list found that the process for requesting that ICANN apply for an OFAC license is not transparent, and that response times for ICANN replies felt quite lengthy.  In particular, ICANN apparently did not provide any indication that it had applied for an OFAC license.  Furthermore the process is quite lengthy, even if ICANN is proceeding with speed.  As a result, applicants may have felt they were in limbo.

Recommendation

ICANN should commit to applying for and using best efforts to secure an OFAC license for all such applicants if the applicant is otherwise qualified (and is not on the SDN list).  ICANN should also be helpful and transparent with regard to the the licensing process, including ongoing communication with the applicant.

Application of OFAC Limitations by Non-US Registrars

It appears that some registrars might be following the rules of OFAC sanctions in their dealings with registrants and potential registrants, even when they are not based in the U.S and it would appear they are not required to do so.  In particular, it seems that some non-US registrars may be applying OFAC restrictions even when they are not obliged to do so, merely based on an assumption that because they have a contract with ICANN, they have to apply OFAC sanctions.  If registrars that are not based in the U.S. and do not have OFAC compliance obligations are nonetheless prohibiting registrants in sanctioned countries from using their services based on a mistaken belief that OFAC sanctions apply, that raises concerns with the availability of Internet resources on a global and neutral basis.  

There may be other ways that non-U.S. registrars give the impression that these registrars are following OFAC sanctions.  For example, the Subgroup was pr I find [2] o vided examples of two non-US registrars with registrant agreements that stated that persons located in sanctioned countries could not use their services due to OFAC sanctions. [7]   Both registrars apparently used a registrant agreement “cut and pasted” from other sources. [8]   One of the two registrars (Gesloten) has since revised its registrant agreement significantly, and removed any mention of OFAC restrictions.

 

OFAC restrictions  could have been included in these registrant agreements as a “cut and paste” error or because the registrar believed (rightly or wrongly) that OFAC sanctions applied to it.  In either case, the conclusion is the same: registrars should understand which laws apply to their businesses, and they should make sure that their registrant agreements accurately reflect those laws.

ICANN cannot provide legal advice to registrars.  Each registrar must make their own legal determination of how and whether OFAC restrictions apply.  However, ICANN could provide a clarification to registrars that registrars do not have to follow OFAC sanctions solely based on the existence of their contract with ICANN. 

ICANN is not a party to the registrant agreements, so there is nothing that ICANN can do directly.  Nonetheless, non-U.S. registrars could also be encouraged to seek advice on applicable law and to accurately reflect the applicable law in their registrant agreements.

Recommendation

ICANN needs to bring awareness of these issues to registrars.  ICANN should clarify to registrars that the mere existence of their RAA with ICANN does not cause them to be required to comply with OFAC sanctions. ICANN should also explore various tools to remind registrars to understand the applicable laws under which they operate and to accurately reflect  those laws in their customer relationships.

General Licenses

In contrast to specific licenses, a general license covers classes of persons and types of transactions.  ICANN could consider seeking one or more general licenses to cover particular classes of persons and types of transactions that are an integral part of ICANN’s role in managing the DNS and in contracting with third parties to provide Internet resources.  Broadly speaking, these licenses could apply to registries and registrars entering into RAs and RAAs, respectively, and to other transactions that may be core functions for ICANN (e.g., Privacy/Proxy Accreditation, support for ICANN funded travelers, etc.).

An OFAC “general license” is actually a regulation.  Creation of a general license involves a regulatory process, which is in the purview of the executive branch (more specifically, the U.S. Treasury, of which OFAC is a part). Indeed,   31 CFR § 595.305 defines a general license as “any license or authorization the terms of which are set forth in this part.”   In other words, the general license is a part of the OFAC regulations.

As such, one does not merely “apply” for a general license.  One must determine the desired parameters of the general license(s) and work with the U.S. Department of the Treasury and provide appropriate reasoning, support, etc. so that the Treasury undertakes the regulatory effort to bring the general license into being.

The Subgroup believes that one or more general licenses could make future transactions with “covered persons” easier to consummate.  Individual transactions would no longer require specific licenses, as long as the persons and transaction types were covered by the general license   Thus, the Subgroup believes that one or more general licenses would be highly desirable.  However, this may be a significant undertaking in terms of time and expense. As such, it would be prudent for ICANN to ascertain the costs, benefits, timeline and specifics of seeking and securing one or more general licenses for DNS-related transactions.  ICANN would also need to determine the specific classes of persons and types of transactions that would be covered by each license.  ICANN would then begin the process of seeking these general licenses, unless significant obstacles were uncovered in the preparatory process.  If obstacles are revealed, ICANN would need to find ways to overcome them.  Failing that, ICANN would need to pursue alternate means to enable transactions involving residents of sanctioned countries to be consummated with a minimum of complication and uncertainty.  If ICANN does secure general licenses covering DNS-related transactions, ICANN should make the Internet community aware of this.

Recommendation

ICANN should take steps to pursue one or more OFAC “general licenses” with the U.S. Department of Treasury in connection with DNS-related transactions.  Initially, ICANN should make it a priority to study the costs, benefits, timeline and details of seeking and securing one or more general licenses for DNS-related transactions.  ICANN should then pursue one or more OFAC general licenses at the earliest possible time , unless significant obstacles were discovered in the “study” process. If there are significant obstacles, ICANN should report them to the [empowered] community and seek its advice on how to proceed.  If unsuccessful, ICANN would need to find other ways to accomplish the ultimate goal -- enabling transactions between ICANN and residents of sanctioned countries to be consummated with a minimum of “friction.”   It is critical that ICANN communicate regularly about progress toward securing general licenses, in order to raise awareness in the ICANN community and with affected parties.


[1]   Target individuals and entities may include foreign countries, regimes, terrorists, international narcotics traffickers and those engaged in certain activities such as the proliferation of weapons of mass destruction or transnational organized crime.

[2] See OFAC Final Rule, "Economic Sanctions Enforcement Guidelines," November 9, 2009.  The Guidelines outline various factors used by OFAC in taking enforcement decisions, which may include how compliance programs within an institution are working to comply with OFAC regulations.  https://www.treasury.gov/resource-center/sanctions/Documents/fr74_57593.pdf .

[5] Several participants of the Subgroup The Subgroup recognize s that many countries impose sanctions regimes and cooperate in the creation and enforcement of sanctions.  As a practical matter, the effect of sanctions other than US sanctions has not been a concern for ICANN operations. Therefore, this report focuses on concerns raised by US sanctions.  However, the concerns and recommendations in this report , where appropriate, could be considered and applied in the context of other jurisdictions’ sanctions regimes if there are effects from those regimes. Several participants of the Subgroup contend expressly recognise that the country where ICANN is incorporated is in a unique position to enforce its sanctions regime against ICANN’s DNS management, which take place in that country’s territory and are subject to that country’s territorial sovereignty, notably its exclusive enforcement jurisdiction. Other participants in the Subgroup disagree with that contention and do not think that the country of incorporation is in a unique position to enforce sanctions against ICANN. [DRAFTING NOTE: Orange changes suggested by Thiago Jardim. Purple changes suggested by Paul Rosenzweig.]

[6] New gTLD Applicant Guidebook, 1-25.

[7] One was   Gesloten.cw ( http://www.gesloten.cw/support/legal.php?requestfor=registraragreement&from=agree_page ), a Curacao (Netherlands Antilles) registrar; the other was Olipso ( https://www.olipso.com/en/domain-registration-agreement ),   a Turkish registrar (Atak Domain Hosting).   For 

[8] For example, both agreements used “Mumbai time” as a standard even though neither is in India, located in that time zone, or has any particular contacts with India.


[GS1] COMMENTS ON REVISIONS IN FOOTNOTE: This first sentence is a statement of fact, which is seemingly non-controversial. As settled fact, it would be inappropriate to preface it with "Several participants of the Subgroup recognize..." This implies that (many/most) participants do not recognize that many countries impose sanctions regimes and cooperate in the creation and enforcement of sanctions. I have seen no evidence of this.

 

In contrast with the first statement, this newly added text is a statement of a series of opinions admittedly held only "several participants." This document will be part of a Report of the Subgroup as a whole -- essentially a consensus document. As such, statements about the views of a small group of participants would not be part of this document.

[2] I don't understand this change.  Please explain.