Ask most executives or compliance officers if their companies are exporting to Iran or other sanctioned countries, and the answer is "of course not."  Unfortunately, we know that this is not always the case.  There is a long list of employees (and companies for that matter) who have been prosecuted for violating the Iranian Transactions Regulations.^[1]

The penalties for shipping to a third country knowing that the products are destined for Iran are steep.^[2]  Even being investigated for this activity presents significant costs.  As a federal prosecutor, I investigated numerous companies whose employees violated, or attempted to violate, the Iranian embargo. One of the first steps I took as part of the criminal investigation is one that also should be a routine step in your company's compliance efforts: double-checking the location of your customers through their IP addresses.  Taking this simple step will significantly improve your compliance.   

Let me provide an example.  I investigated two employees of a major distributor who had arranged to sell a significant amount of equipment to a customer who claimed to be located in a third country not subject to sanctions.  The employees had exchanged numerous emails with the customer, who used a Gmail account.  Early in the investigation, the agents with whom I worked obtained the header information for the customer's emails.  A quick check of that information revealed that the customer was sending his emails from an internet protocol address assigned to a service provider in Iran.  In other words, despite the customer's claim that he was located in a third country, he, in fact, was located in Iran.  Further investigation revealed that this customer planned to have an associate receive the goods in the third country and immediately forward the equipment to Iran.  While the employees claimed not to have realized that the customer was located in Iran, the company incurred significant expense in responding to the government investigation.

Exporters consistently receive the guidance "know your customer," but not enough companies take the necessary steps to carry through on this message.  Obtaining the header information for an incoming email is incredibly simple.  In the Gmail example, simply clicking on "show original" will reveal the header information that contains the internet protocol address of the sender.  Entering the IP address into any one of the numerous publicly available websites will provide the location of the sender.  The entire process takes less than a minute and costs nothing.  Of course, there are more sophisticated criminals who utilize proxy servers or other means to conceal their true locations.  But even knowing a potential customer is using a proxy server provides the impetus to ask more questions.

Taking this and other simple steps to ensure compliance has never been more important.  Under the "Iran Threat Reduction and Syria Human Rights Act," a United States parent company is now liable for its foreign subsidiaries' transactions with the Government of Iran or persons subject to the jurisdiction of Iran if such transactions violate IEEPA. Further, the Act requires a public company to report to the SEC if it or one of its foreign affiliates has knowingly engaged in certain specified activities involving contact with Iran.^[3]

_{[2] The International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §1701-1706 authorizes up to 20 years' imprisonment and a fine of up to $1 million for criminal violations.  Further, IEEPA authorizes civil fines of up to $250,000 or twice the value of the transaction, whichever is greater.  There are, of course, other potential ramifications.  For example, section 11(h) of the Export Administration Act renders any company or individual convicted of a violation ineligible to receive any export license for a period of up to 10 years following the date of conviction.}