International Trade Today is a Warren News publication.

Cloudflare Discloses Possible Sanctions Violations in SEC Filing

A U.S. website infrastructure company said it may have violated U.S. sanctions and export reporting requirements, according to its regulatory filing with the Securities and Exchange Commission. Cloudflare, based in California, told the SEC it voluntarily disclosed possible export and sanctions violations to the Bureau of Industry and Security and the Office of Foreign Assets Control this year. The violations included submitting “incorrect information” about hardware exports to Commerce and receiving payments from people and entities on OFAC’s Specially Designated Nationals List.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

“There is no guarantee that we will not inadvertently provide our products to additional individuals, entities, or governments prohibited by U.S. sanctions in the future,” the company said.

Earlier this year, Cloudflare discovered it "may have failed to comply with certain U.S. export-related filing and reporting requirements” and began an “internal review.” The company said it submitted disclosures to BIS and the Census Bureau in May and took “remedial measures” to prevent future violations. BIS and Census are currently reviewing the potential violations, the company said.

Cloudflare also submitted in May a disclosure to OFAC about possible violations of “certain economic and trade sanctions programs” after discovering their products were used by people and entities on the SDN List, the filing said. The company said it received payments from “a small number” of parties subject to OFAC’s counter-terrorism and counter-narcotics trafficking sanctions programs. OFAC is currently reviewing Cloudflare’s disclosure, the company said.

The company said it sells products to “certain OFAC-sanctioned regions” through the use of general licenses issued by OFAC, but did not specify the licenses. “We continue to review the OFAC sanctions and our practices to verify compliance,” Cloudflare said.

The company said it could face “substantial” penalties for these violations, “including costs related to government investigations, financial penalties and harm to our reputation.” The company could also face restrictions from other countries that could restrict imports from Cloudflare or “limit our customers’ ability to access or use our platform and products.”