To Pay, or Not to Pay, That is the Question if OFAC is Involved

By: Jeffrey Weinstein and Sara Lilling


That is all her text message says. It flashes across the field director’s phone. The text is from one of his co-workers moments after she has been taken hostage in Somalia, where they have been deployed to provide humanitarian services. He immediately calls her cell phone. The phone rings several times before it goes to voicemail. He is hopeful that the phone is still on so that someone can try to track her location.

The field director immediately calls the company’s CEO in the United States, and then calls the designated crisis management consultants to initiate a case. The company’s CEO advises the field director that the crisis management consultants will serve as the principal strategists and negotiators with the kidnappers.

The crisis management consultants send two field agents to Somalia, and are able to make contact with the kidnappers. Ransom is demanded in the amount of $3,000,000 for the employee’s safe release.

The employer has access to $3,000,000 that can easily be wired to the kidnappers.  In addition, the company has procured a Kidnap Ransom and Extortion insurance policy (“KRE Policy”) that provides coverage up to $10,000,000 for insured events, including a kidnapping. The KRE Policy defines “kidnapping” as “the illegal, actual, alleged, or attempted abduction of one or more insured persons, and the holding of such person by persons who demand money or other consideration in exchange for the release of such captives.” The scenario above seems to fall squarely within this definition. Under the terms of the KRE Policy, the insurer will indemnify the named insured for “Loss,” defined as “the sum of monies or the monetary value of any property, monetary instruments, securities, and/or services surrendered by or on behalf of the insured as an extortion payment.” The policy covers a number of other additional expenses in connection with the insured event, including for example, consultant fees, travel expenses, medical expenses, business interruption losses, and other costs.

This hypothetical raises a number of important questions. For instance:

  • Can the ransom be paid to the kidnappers to secure the employee’s safe release?
  • Can the crisis management consultants negotiate directly with the kidnappers, or should the Government of Somalia be involved?
  • Can the insured be reimbursed by its KRE insurer if the insured pays the ransom monies?
  • Can the consultants put the public/media outlets on notice of the kidnapping incident?

The answers to these questions are not so simple.

Because the kidnapping occurred in Somalia, there are potential political and economic implications that must be considered before any ransom can be paid or any negotiations can occur. This includes possible economic and trade sanctions programs administered by the Office of Foreign Assets Control (“OFAC”) of the United States Department of Treasury.

What is OFAC and what is OFAC’s role as it relates to sanctions programs?

OFAC is the federal agency that administers and enforces economic and trade sanctions and embargoes against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and any other threats to the national security, foreign policy, or economy of the United States.1 The sanctions programs are based on U.S. foreign policy and national security goals, and typically impose controls on certain transactions or freeze assets under U.S. jurisdiction.2

  • Where are the active sanctions programs?

Although there are a number of active sanctions programs, OFAC does not maintain a specific list of countries that U.S. persons cannot do business with.3 This is because U.S. sanctions programs vary in scope, where some programs are comprehensive and include broad-based trade restrictions to a geographic area, and others are more targeted and focus on specific individuals and entities.4 Moreover, OFAC’s programs are dynamic and frequently changing.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies, i.e., the “Specially Designated Nationals and Blocked Persons List” (“SDN List”), which has approximately 6,400 names of companies and individuals connected with sanctions targets.5 U.S. persons are prohibited from dealing with SDNs, regardless of the SDN’s location, and all SDN assets are blocked or frozen. Entities that an SDN owns (i.e., direct or indirect ownership interest of 50% or more) are also blocked, regardless of whether that entity is separately named on the SDN List.6

  • What are prohibited transactions?

OFAC prohibits certain transactions as part of its sanctions programs. Prohibited transactions mean “trade or financial transactions and other dealings in which U.S. persons may not engage unless authorized by OFAC or expressly exempted by statute.”7 Prohibitions vary between programs because each program is based on different foreign policy and national security goals.8

  • Are there exceptions to the prohibitions?

Yes, there are exceptions to the prohibitions. OFAC regulations often provide general licenses authorizing the performance of certain categories of transactions, or specific licenses on a case-by-case basis under certain limited situations.9

In addition, non-governmental organizations may provide humanitarian assistance in certain sanctioned regions, without the need for a license from OFAC.10

  • What should an insurer do if the insurance policy it issued may benefit an insured in a country where sanctions have been imposed?

To comply with OFAC, insurers and reinsurers are barred from doing business with or providing services to persons and entities on the SDN List. If an insurer receives an insurance application from a person on the SDN List, the insurer is under an obligation not to issue the policy and must contact OFAC. An insurer violates OFAC regulations if it issues a policy, receives premiums, pays claims, facilitates a transaction, or otherwise deals with a person or entity on the SDN List.11 OFAC regulations preempt state insurance statutes, which regulate an insurer’s ability to withhold claim payments, cancel policies, or decline to enter into policies.12 An insurer who violates OFAC regulations may be subject to substantial fines, and civil and criminal penalties, which can exceed several million dollars.13 Insurers are advised to stay well-informed on OFAC’s regulations and frequently updated SDN List.

If an insurer discovers that a policyholder is or becomes an SDN, the insurer should contact OFAC. It is possible that a license could be issued to allow the receipt of premium payments to keep the policy in force.

An insured may receive a license to conduct activities in a sanctioned country (e.g., Somalia or Sudan), including transfer of funds and exportation of goods and services in that country. The insured, however, should refrain from dealing with financial institutions that have been named by OFAC as owned or controlled by the government of such country. In addition, OFAC has the authority, by means of a specific license, to permit a person or entity to engage in a transaction which would otherwise be prohibited.

  • What should an insured do in the event of an insured event, like a kidnapping, in a sanctioned country?

A KRE policy typically designates crisis consultants that should be contacted by, or on behalf of, the insured as soon as possible after any event which may lead to a loss under the policy and before any payment of extortion monies is made. The consultants are trained to strategize and negotiate with the kidnappers or extortionists, and to implement and update appropriate release plans. In addition, government agencies of the victim’s home country and the country of the kidnapping are usually immediately notified in the event of a kidnapping. If there is a kidnapping in a sanctioned country, the consultants will attempt a quick and safe release of the victim without the payment of a ransom. This may include, for example, advising the kidnappers that the employer will not pay a ransom and that the captors must resolve this through talks with the government officials of the host country. Names of hostages are typically not released to minimize media contact and publicity.

Moreover, the existence of KRE coverage is kept strictly confidential for the specific purpose of not encouraging terrorists or other criminals to seek out the insureds as lucrative targets. Indeed, ransom monies have been used by terrorist groups to fund an array of activities, including recruiting and training new members, acquiring weapons, staging attacks, and supporting other extremist groups. Ransom payments also lead to future kidnappings. OFAC regulations try to break this cycle.

  • What happens if the payment of ransom by the insured is unlawful or a criminal act (e.g., it would put money into the hands of a terrorist or violate OFAC sanctions) and how can insurer protect itself?

The key from an insurer’s perspective is that the insurer is not doing business with a targeted foreign country or regime or a terrorist organization. The typical KRE policy provides reimbursement to its insured. Thus, the insurer is not doing business with or paying money to terrorists or other prohibited persons, but in such situations it would be indemnifying its insureds who have been victimized by such persons. The insured must also be aware of prohibited transactions, and the insurer’s obligation to reimburse its insured will depend on whether the payment was lawful in the first place.

If payment of ransom by the insured is unlawful or a criminal act, the insurer would have a basis to decline coverage. However, this might subvert the entire reason to have KRE insurance in the first place and potentially subject the insurer to a lawsuit from its insured.

To avoid OFAC compliance problems, an insurer can protect itself by including a clause in its policies, which makes coverage null and void whenever coverage provided under the policy would be in violation of any U.S. economic or trade sanctions.

Example 1:

U.S. Economic and Trade Sanctions Clause

Whenever coverage provided by this policy would be in violation of any U.S. economic or trade sanctions, including but not limited to sanctions administered and enforced by the United States Treasury Department’s Office of Foreign Assets Control, such coverage shall be null and void.

Example 2:

The Insurer shall neither be deemed to provide cover nor shall the Insurer be liable to pay any claim or provide any benefit hereunder to the extent that the provision of such cover, payment of such claim or provision of such benefit would be contrary to any sanction, prohibition or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the European Union, United Kingdom or United States of America.

Example 3:

Insurer shall not be deemed to provide coverage and will not make any payments nor provide any service or benefit to any insured or any other party to the extent that such cover, payment, service, benefit and/or any business or activity of the insured would violate any applicable trade or economic sanctions, law, or regulation.

Example 4:

In accordance with OFAC regulations, if it is determined that the insured, or any person or entity claiming benefits of this insurance, has violated U.S. sanctions law or is a Specially Designated National and Blocked Person, as identified by OFAC, this insurance will be considered a blocked or frozen contract and all provisions of this insurance are immediately subject to OFAC. No payments or premium refunds may be made without authorization from OFAC.

In the hypothetical kidnapping scenario above, Somalia is subject to OFAC regulations, which could certainly affect the kidnapping negotiations and any ransom monies paid. It is likely that the organization providing humanitarian relief efforts received OFAC registration, authorizing it to conduct activities in Somalia in connection with its humanitarian operations. However, the registration likely advised the organization to refrain from dealing with financial institutions in Somalia that could divert funds to major terrorist organizations.

If payment of the ransom would put money directly into the hands of a terrorist group on the SDN List, and thus violate OFAC sanctions, then the coverage under the KRE policy would likely be deemed null and void pursuant to a “U.S. Economic and Trade Sanctions” clause, assuming the policy had one. Moreover, the organization itself, by virtue of its assumption of risk in Somalia, would need to seek the assistance of OFAC as well as the host country involved, prior to the payment of any ransom payments to secure its employee’s safe release.


Insurers can protect themselves from potential OFAC violations by including a clause in their KRE policies that nullifies the policy if a claim payment violates any U.S. economic and trade sanctions. A KRE insurer may also decline to issue a policy to someone on OFAC’s SDN List, or if the policy was properly issued, declining to make any payments under such policy.

Insureds that travel to or conduct business in or provide humanitarian relief in sanctioned countries assume larger risks and are the likely market for KRE insurance; however, they also assume the risk of losing their insurance coverage if such coverage would violate economic or trade sanctions. Such insureds must balance their moral obligation to secure the freedom and safety of any employee taken hostage, and the U.S. national security objectives of depriving financial aid to terrorists. Any payments to kidnappers must comply with OFAC regulations, and the insured must work with OFAC in deciding whether to pay or not to pay a ransom.


  1. See
  2. See id.
  3. See
  4. See OFAC’s Sanctions Programs and Country Information page available at
  5. See FN 3 and
  6. See FN 3.
  7. See
  8. See id.
  9. See id.
  10. See
  11. See
  12. See id.
  13. See