What kind of due diligence is required for the exportation of fee-based services, software, or hardware authorized by 31 CFR § 560.540?
OFAC's answer
Due diligence programs should be tailored to the particular risks encountered by exporters. As a general matter, companies selling fee-based services, software, or hardware authorized by [31 CFR § 560.540](https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/part-560) should undertake reasonable, risk-based measures designed to ensure that they do not export their products to persons whose property and interests in property are blocked pursuant to any sanctions program administered by OFAC, regardless of whether the Government of Iran or other end-user appears on OFAC’s [Specially Designated Nationals and Blocked Persons List](https://ofac.treasury.gov/specially-designated-nationals-list-data-formats-data-schemas) or any of [OFAC's other sanctions lists](https://ofac.treasury.gov/other-ofac-sanctions-lists). See [FAQ 1088](https://ofac.treasury.gov/faqs/1088) for more information regarding OFAC’s due diligence expectations for cloud-based service or software providers whose services and software support communications tools are authorized by 31 CFR § 560.540. Date Updated: May 16, 2024