Oxebridge has filed a formal report with the US Treasury Department’s Office of Foreign Asset Control (OFAC) alleging violations of OFAC sanctions related to the Russian defense conglomerate Rostec. At the same time, Oxebridge has filed a formal complaint with the US Internal Revenue Service (IRS) alleging IAF has generated revenue from its relationship with Rostec.

Rostec is under US sanctions since 2014 for its role in the Russian invasion of Ukraine. Despite this, the IAF has continued to allow its logo and accreditation oversight to be sold to multiple Rostec companies, including subsidiaries that are also listed on the OFAC list of “designated entities.”

While managed largely by Chinese executive Xiao Jianhua from Beijing, the IAF is a registered 501(c)(3) not-for-profit organization operating out of a Delaware address. This brings it under the control of US law.

Multiple ISO 9001 and As9100 certificates have been found issued to Rostec companies, often using other Rostec firms as their certification body, through licensing agreements with Quality Austria. Because the IAF generates its revenue through payments made through the ISO accreditation pyramid, Oxebridge argues that IAF is materially benefitting from its relationship with Rostec. Likewise, for the IRS filing, Oxebridge argues that IAF is promoting a sanctioned entity by allowing its logo and authority to be used by Rostec to promote its businesses.

The OFAC violations can result in criminal penalties including fines of $1M and 20 years in prison per violation for IAF executives. Civil penalties include fines of $55,000 per OFAC violation. Oxebridge alleges multiple violations, given the number of Rostec companies certified under the IAF scheme.

Executives from the US accreditation body ANAB are also implicated, as ANAB routinely files the IAF’s annual IRS tax returns on its behalf. The last known filings were signed by then-ANAB president Keith Greenaway. It is not clear who has signed the IAF’s most recent return.

The filings are complicated, however, by the complex web of companies and international bodies through which the Rostec money must flow before it arrives on US shores and into the IAF’s bank account. Typically a Rostec company would pay a regional registrar who then pays fees to the IAF’s regional body EA. Eventually, a portion of EA’s revenue reaches IAF.

Oxebridge argues the IAF could shut the problem down with a single advisory memo, directing its member accreditation bodies and regional groups to immediately withdraw certification from any sanctioned company.

ISO 17011, for which IAF accreditation bodies are accredited, requires each body to be a “legal” organization, in compliance with all applicable laws.┬áThe IAF regional bodies EA and APAC have routinely ignored this requirement, and have allowed the world’s accreditation bodies to support illegal activities with impunity.

The revelations have a knock-on effect on the CMMC cybersecurity scheme, as the DOD has mandated that the CMMC Accreditation Body become ISO 17011 accredited itself, with that accreditation granted by the IAF and its regional body IAAC in Mexico. The DOD has been alerted that the optics of having the CMMC-AB assessed by the IAF, with Chinese leadership and ties to Russian sanctioned firms, may be poor.

UPDATE 14 June 2021. The IAF has written to Oxebridge indicating they have opened a formal complaint file related to the report that Akkreditierung Austria and Quality Austria are providing certifications to Rostec companies. The move is unexpected because Oxebridge filed a formal complaint on the matter with Akkreditierung Austria, and not the IAF. IAF rules require the Accreditation Body to exhaust its complaints process before a matter can be escalated to it, and even then it must be escalated to the IAF’s regional body, not the IAF directly. It thus appears the IAF is trying to be proactive on the matter due to the filings with IRS and OFAC referenced above.

The notice to Oxebridge was signed with the generic name “IAF General Inquiries.” The IAF adopted a practice years ago of refusing to identify its staff members, and sending formal notices while hiding the names of those involved. By doing so, there is no way to ensure the IAF is not engaged in conflicts of interest itself.


Surviving ISO 9001 Book

Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.