On May 16, 2024, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published a final rule amending the Iranian Transactions and Sanctions Regulations, 31 C.F.R Part 560 (“ITSR”), to incorporate OFAC General License (“GL”) D-2 and the preexisting list of items deemed incident to communications that are authorized for export or reexport to Iran under GL D-2, and to concurrently update such list. OFAC also published one new and 26 revised Frequently Asked Questions (“FAQs”). The OFAC press release is available here.
GL D-2
Effective May 17, 2024, OFAC amended the ITSR to incorporate the provisions of GL D-2 and certain additional amendments into the existing authorization at 31 C.F.R. § 560.540. GL D-2 authorizes the exportation or reexportation to Iran of certain no-cost or fee-based services and software that are incident to, and software that enables services incident to, the exchange of communications over the internet, as well as cloud-based services in support of the foregoing services or of any other transactions authorized or exempt under the ITSR, subject to certain conditions. Our prior blog post on GL D-2 is available here.
In addition to incorporating GL D-2 into the ITSR, OFAC introduced several key changes as follows:
- 31 C.F.R. § 560.540(a)(5) authorizes transactions for the importation of hardware or software into third countries, in additional to the United States, provided the items were previously exported to Iran pursuant to an authorization issued under the ITSR.
- 31 C.F.R. § 560.540(a)(7) authorizes the export or reexport of certain services conducted outside Iran to install, repair, or replace hardware or software authorized for exportation, reexportation, or provision to Iran, provided that the service provided the service provider is located outside of Iran (and does not authorize the service provider to engage in such services while in Iran).
- 31 C.F.R. § 560.540(b)(3) excludes the exportation or reexportation of web-hosting services for websites of commercial entities located in Iran or of domain name registration services for or on behalf of the Government of Iran or another person whose property and interests in property are blocked pursuant to 31 C.F.R. § 560.211.
- 31 C.F.R. § 560.540(d) sets forth a case-by-case licensing policy for additional activities that support internet freedom in Iran (e.g., development and hosting of anti-surveillance software by Iranian developers).
Upon publication of this rule, OFAC has archived GL D-2 from its website although GLs D, D-1, and D-2 will continue to be available in the Federal Register.
List of Services, Software, and Hardware Incident to Communication
The List of Services, Software, and Hardware Incident to Communication (“List”) describes items that have been determined to be incident to communications and therefore authorized for export or reexport to Iran under GL D-2. The List was previously found as an annex to ITSR GL D and its amended versions (i.e., GL D-1 and GL D-2). Effective May 17, 2024, the List is available at 31 C.F.R. § 560.540. Concurrently, OFAC published an updated version of the List, which will be effective June 17, 2024. OFAC stated that it is updating the List to restrict the computing power of certain items on the List.
New and Revised FAQs
Lastly, OFAC published a new FAQ 1173 and amended 26 ITSR-related FAQs. FAQ 1173 clarifies that user authentication services for the purposes of 31 C.F.R. § 560.540 are services used to login or verify the identity of a user to a particular software or service such as a user identification account often used to login to email, mobile app stores, or other activities authorized by 31 C.F.R. § 560.540. The amended FAQs replaced references to prior GLs with 31 C.F.R. § 560.540.
