Sanctions compliance & enforcement
April 2017 | ROUNDTABLE | GLOBAL TRADE
Financier Worldwide Magazine
April 2017 Issue
The sanctions arena is complex and challenging, with a host of nuanced statutes, executive orders and country-specific regulations being implemented and modified across the globe. Among the most visible are the Ukraine-related sanctions that US and EU authorities have imposed on Russia, as well as longstanding US sanctions regimes concerning Cuba and Iran. Moreover, with the impact of the new US presidential administration and the impact of Brexit yet to be fully felt, the burdens of international sanctions compliance could increase exponentially.
FW: Could you provide an overview of the challenges and issues facing businesses when it comes to sanctions compliance? To what extent is the screening process for business partners, suppliers and customers becoming more complex?
Bittner: Sanctions are complex and challenging because they derive from many different types of law. They come in multiple variations and are more abstract than the export control laws. First, unlike the International Traffic in Arms Regulations (ITAR) which comprise one set of regulations authorised by one statute, the Arms Export Control Act, US sanctions laws are based on a host of statutes, executive orders, country-specific regulations and now, with Iran, an international ‘plan of action’ implemented through licensing statements and frequently asked questions. It is often difficult to find the right answer or even to know where to look. Second, sanctions consist of full embargoes, limited restrictions that outlaw certain activities with a country but not others and list-based prohibitions that restrict all activities with just certain individuals of a country. With the implementation of the Russian sanctions, screening is even more difficult because the mere fact that an entity is listed does not necessarily mean that you cannot do business with them, if the business in question is not a prohibited activity. Sanctions often involve complex financial transactions and abstract concepts like facilitation that can be difficult to comprehend due to their intangible nature.
Lee: With an increasingly global landscape of sanctions policymaking and regulation, companies face a complicated balancing act of complying with EU, UK, UN and US sanctions, among others, in addition to the complicated domestic regimes of sanctions regulation and enforcement involving various legislative and regulatory bodies in each of these jurisdictions. Sanctions in the US, UK, EU and the UN are increasingly used as a response to a number of foreign policy problems. This complexity and uncertainty has been exacerbated in 2016 by the presidential administration in the US and the impact of Brexit. With the breadth of sanctions programmes, the correspondingly complex and changing number of designations of entities and individuals presents significant challenges for businesses seeking to maintain robust screening processes in light of their global supply chains and customer base.
Brown: The comprehensive trade embargo that was in place against Cuba, Iran and Sudan for many years was easier to comply with given that there were few exceptions to doing business with these sanctioned countries. However, as a result of the recent changes to sanctions regulations and policy with regard to these countries, global businesses face new compliance challenges. The easing of sanctions in these countries means that evaluating a potential business opportunity or engagement for regulatory compliance is highly fact dependent and may or may not be permissible. Businesses have to dedicate more resources to educating and training personnel so these critical determinations can be determined. Furthermore, since sanctions are a foreign policy tool, they are often rapidly deployed or modified in response to world events, such as a presidential election, the annexation of Crimea or a cyber attack on critical infrastructure. This uncertainty makes it difficult for businesses to anticipate or predict how sanctions might impact them. Businesses have to demonstrate flexibility in the type of opportunities they pursue and plan for contingencies. For example, clauses may have to be added to customer agreements involving sanctioned countries to ensure that a sudden change in events or sanctions policy enables a business to stop engaging in certain transactions without incurring liability for a breach of contract.
Goodale: Sanctions compliance has become increasingly complex for companies and financial institutions during the past year. This can be attributed to three main factors. First, major changes have been made to several sanctions regimes. For example, sanctions against Cuba, Iran, Russia, Burma and Sudan. Second, hundreds of entities have been added to or removed from various sanctions lists, but the lists often vary significantly depending on the sanctions authorities that maintain them. Third, various sanctions regimes have been amended in ways that require companies to screen not only the names of customers, but what industries they are in, where they are located, and who their owners may be. The combination of these factors has made it extremely challenging for companies and financial institutions to comply with all applicable sanctions regimes and has necessitated that they regularly evaluate and modify their compliance programmes.
Matthews: There are two closely related key issues for businesses. One is the absence of clarity, and only very limited guidance, as to the extent to which targeted sanctions apply to entities which are not themselves listed. In the EU, these are the concepts of ownership and control. The other issue is the absence of any reliable indicators as to the level of due diligence which sanctions authorities would regard as proportionate. The combination of these makes it very hard for businesses to have policies which can really ensure that they are sanctions compliant. A further issue at present is the increasing tendency for financial institutions, notably banks, to require of their clients different – usually higher and more cautious – standards than applicable law requires, thereby expanding the effective depth and scope of sanctions beyond what lawmakers may have intended.
Gatti: The challenges associated with sanctions compliance have become multi-dimensional, on both vertical as well as horizontal levels, and have evolved to such an extent that sanctions compliance procedures must now be equal parts art and science. It is no longer sufficient to rely exclusively on ad hoc or routine automated screenings of the names of business partners. Businesses also need to screen the addresses of their business partners while also attempting to discern and screen the beneficial owners of their business partners. Further, businesses must simultaneously evaluate the significance of the relevant sanction regimes, since not all sanctions regimes are equal – some involve prohibitions on all dealings with specific business partners whereas others merely trigger licensing requirements. Additional complexity is added to sanctions compliance when a transaction is subject to multiple international sanction regimes which often forces businesses to analyse sanctions at the least common denominator level.
“The loosening of US sanctions against Iran was a huge change in US policy that had existed for nearly 40 years.”
FW: What do you consider to be the key developments and trends to have arisen regarding sanctions over the past 12 months?
Lee: The significant changes made to Iran, Cuba and Russia sanctions programmes have dominated the sanctions landscape in recent years. Tensions in the relationship between the US and Russia intensified in 2016, as did the sanctions imposed by the US against Russia, including the recent cyber sanctions targeting Russian actors associated with the alleged interference in the US election through cyber operations. With the election of Donald Trump in November 2016, the questions and uncertainties with respect to the sanctions landscape became quite pressing.
Brown: The sudden and surprising changes to the regulations and sanctions policy with regard to Sudan is a key development in the last 12 months. If Sudan continues to make progress in its cooperation with the US on counterterrorism and other areas identified in the recent executive order, then OFAC sanctions may be permanently removed in July 2017. OFAC in the meantime has issued a general licence authorising most transactions involving Sudan. The changes to the regulations and sanctions policy represent a trend under the Obama administration to engage directly with sanctioned countries, such as Cuba and Iran. The reopening of diplomatic relations with the government of Cuba and the negotiation of the JCPOA with Iran and other parties represent the most significant examples of this type of engagement. Though constrained by various statutes, the Obama administration eased Cuba and Iran sanctions by issuing general and specific licences authorising certain transactions involving these sanctioned countries. The real question is whether the Trump administration will continue this trend of engaging directly with sanctioned countries or reverse it.
Goodale: During the past 12 months, the continuing trend of compliance authorities to modify sanctions regimes on a frequent basis to reflect new or evolving policies has resulted in several key developments. On one end of the spectrum, new and more favourable policies of the US government toward Burma and Sudan have resulted in the termination of the US sanctions against Burma and the establishment of a general licence that permits many kinds of transactions with Sudanese entities. On the other end of spectrum, the adoption of more hard-line policies against North Korea and Russia resulted in a significant expansion of sanctions against those countries. In between those two ends of the spectrum, evolving policies towards Cuba and Iran resulted in the easing of certain US sanctions against those countries. Given this continuing trend, companies must be vigilant in monitoring sanctions developments.
Matthews: The JCPOA – and the consequent gulf between the requirements of EU and US sanctions – has served to highlight the issue of banks setting compliance requirements for their clients different from, and broader than, applicable laws outside of the US, to the apparent exasperation of those who agreed the JCPOA deal. In the UK, a notable further development has been the establishment of the Office of Financial Sanctions Implementation (OFSI) – and the likely forthcoming weaponisation of it in the form of administrative monetary penalties, with liability to be assessed to a civil, rather than criminal, standard. These developments significantly increase the enforcement risk for business subject to UK jurisdiction.
Gatti: From strictly a US perspective, a key development has been the much heralded sanctions relaxation that has been enacted with respect to Cuba and Iran. In both instances, the regulatory relaxation that has occurred is rather limited in scope but this limitation is widely misunderstood. Considerable confusion regarding the remaining Cuba and Iran sanctions exists among businesses that must comply with US sanctions. Further compounding this problem is the fact that the regulatory changes that have been enacted are not only limited in scope but also not very user friendly. Consider OFAC’s General License H for Iran, which authorises the foreign subsidiaries of US companies to sell products not subject to US jurisdiction to Iran, provided that such sales are not made to OFAC SDNs, with the exception of those SDNs listed in Executive Order 13599.
Bittner: In the last 12 months, OFAC has issued multiple general licences and responses to frequently asked questions to clarify the JCPOA with Iran, which was implemented in January of 2016. The loosening of US sanctions against Iran was a huge change in US policy that had existed for nearly 40 years. While significant restrictions are still in place for US companies, and it would be helpful for OFAC to further clarify key aspects of the agreement, such as the scope of ‘commercial passenger aircraft’, General License H has allowed many foreign subsidiaries of US companies to conduct new business with customers in Iran. For months after the JCPOA and General License H were announced, many international banks were reluctant to conduct business in Iran, and it seems that financial institutions are becoming more and more comfortable with the law as time goes by and companies like Airbus and Boeing secure large transactions.
FW: How would you characterise current enforcement trends adopted by sanctions agencies? How are these being applied to global businesses?
Brown: The current enforcement trends adopted by sanctions agencies can be characterised as aggressive. In particular, OFAC has put industry on notice that it will not limit its enforcement actions to transactions involving financial transactions or financial institutions. The agency has devoted increased resources and attention to investigating alleged violations of its sanctions programmes by companies in industries outside of the financial sector. For example, the Trump administration has signalled that it will rigorously enforce non-nuclear sanctions – terrorism, ballistic missiles and human rights – in the Iran sanctions programme. In conducting a risk-based analysis for an engagement potentially involving a sanctioned country or person, entity or individual, global businesses should take the agency’s recent enforcement actions into account.
Gatti: With respect to US sanctions, OFAC enforcement remains steadfast, although many of the monetary penalties levied recently appear to be more modest in amount than years past when fines of hundreds of millions of US dollars were rather common. A review of OFAC’s published enforcement notices suggests that three global businesses have been fined since the start of 2017. This level of enforcement is noteworthy, given that total published enforcement actions against global businesses during 2016 and 2015 amounted to one and five, respectively.
Matthews: The US – notably OFAC – remains the most feared and most active sanctions enforcer. An interesting facet of its sanctions enforcement is that much of it has been by way of settlement agreements rather than court decisions. Outside of the US, sanctions enforcement is patchy at best. It is more rigorous in the context of export restrictions than in the financial sanctions context, where the main route by which sanctions compliance is ensured is that banks and other financial services businesses require it of their clients. However, at least for the UK, the establishment of OFSI and the application of the new penalties, expected in April 2017, may cause the UK to become a more robust enforcer of sanctions – and certainly tougher for now than the other EU member states.
Goodale: In recent years, two major enforcement trends have manifested themselves. The first trend relates to inter-agency cooperation on enforcement matters. The second pertains to the willingness of enforcement authorities to conduct extremely thorough investigations over multiple years and to impose massive penalties for sanctions violations. These trends can be seen most recently in the enforcement action that US authorities brought against Chinese-based Zhongxing Telecommunications Equipment Corporation and ZTE Kangxun Telecommunications Ltd., known collectively as ZTE. On 7 March 2017, US authorities announced that ZTE had agreed to a record-high combined civil and criminal penalty of $1.19bn. This enforcement action, which took place over several years, involved numerous US agencies that investigated illegal shipments of telecommunications equipment to Iran and North Korea by ZTE in violation of US export control and sanctions regulations and numerous false and misleading statements made by ZTE to US authorities.
Bittner: According to OFAC, in 2016, the agency entered into nine settlement agreements totalling $21.6m, and in the first two months of 2017 prior to the ZTE settlement, there were only four settlements for just over $1m. Despite ZTE’s record penalties, the trend has been a sharp decline from 2014 and 2015 which saw 23 enforcement actions for $1.2bn and 15 enforcement actions for just under $600m, respectively. I can only speculate about the causes of the decline, but I would say it is a combination of increased awareness, training and dedication of resources to sanctions compliance, mixed with a healthy amount of fear.
Lee: Although 2016 was a busy year for sanctions-related policy, it was a light year for OFAC enforcement actions, with under $22m in collective civil enforcement penalties in nine enforcement actions. This might be explained by the significant turnover in personnel in the enforcement units of OFAC and the political factor of the US presidential election. However, history suggests that there is a pipeline of matters that could be resolved in 2017 and there have already been a number of enforcement cases announced. OFAC has recently settled several enforcement actions with a finding of a violation with no civil penalty, suggesting that potential findings of violation with no civil penalties might be issued against companies for purposes of informing the public and other businesses of conduct that is perceived to be a violation, yet not egregious enough to merit a monetary penalty. In addition to OFAC and BIS, we have seen the US Department of Justice (DOJ) releasing guidance on encouraging self-disclosure of criminal export controls and sanctions violations. Historically, OFAC would refer criminal matters to the DOJ, and the front-ending of the DOJ involvement and disclosure adds to the complexity of navigating compliance. Additionally, in 2016, the New York Department of Financial Services (DFS) concluded several enforcement actions that included sanctions-related components, all involving the New York-based activities of foreign banks. The way in which enforcement by the DFS might interact and interrelate to enforcement by the federal agencies might present additional compliance complexity for certain companies.
“Sanctions compliance requires companies operating in multiple international territories to be mobile, agile and always ready to react.”
FW: In your opinion, do the potential penalties for sanctions non-compliance constitute enough of a deterrent? What further measures, if any, are regulators considering?
Goodale: The potential penalties that can be imposed for non-compliance with sanctions do serve as a strong deterrent. In February 2017, the US government increased the civil penalties that can be imposed for sanctions violations. Pursuant to this change, with respect to most US sanctions programmes, the civil penalty that can be imposed per violation is the greater of $289,238 or twice the amount of the underlying transaction. Criminal penalties for sanctions violations are even harsher. With respect to most US sanctions programmes, criminal penalties can be up to $1m and/or 20 years of imprisonment per violation. Moreover, since the creation of the Export Enforcement Coordination Center (E2C2), there has been far greater coordination among US authorities on sanctions enforcement matters, which has led to numerous multi-million dollar settlements.
Bittner: The threat of monetary penalties constitutes a powerful deterrent and the sharp decline in enforcement cases from 2014 to 2016 seems to back that up. The ZTE case again demonstrated that US regulators are willing to impose huge penalties on companies that deliberately violate the US sanctions laws, and companies should understand that the imposition of independent monitors after settlement can impose an even higher cost in money and resources.
Lee: In addition to the potential criminal penalties, the potential civil penalties for sanctions have recently increased. OFAC recently issued regulations to implement the Federal Civil Penalties Inflation Adjustment Act of 1990, adjusting for inflation, and increasing, the maximum amount of civil monetary penalties that may be assessed under the relevant OFAC regulations.
Matthews: The level of penalties in the US has served as a more than active deterrent for some time. And because of the long reach of US sanctions jurisdiction, even before the added layer of secondary sanctions, this serves as a deterrent to businesses even where they, and their transactions, have only a relatively remote connection with the US. In the EU, businesses certainly take sanctions seriously, despite the perception of only a low enforcement risk. For many businesses, the reputational hit of being found in breach of criminal sanctions is enough of a deterrent, and for those with US exposure, the risk of US fines certainly makes businesses sit up. But in the UK, the various increases in penalties and enforcement options which are to be introduced this year will clearly add to the deterrence effect – and of those, the ability of OFSI to issue monetary penalties, having established liability only to a civil evidential standard, is likely to be the most used, and also to raise the greatest concerns.
Brown: Pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the recent increase in civil penalties for alleged violations of sanctions programmes does constitute a sufficient deterrent. It ensures that the civil penalties will keep pace with inflation. The potential penalties for sanctions non-compliance will continue to grow over time. OFAC has shown a marked increase in the issuance of Findings of Violations, which put industry on notice that certain transactions or behaviours are subject to sanctions. Likely to follow are significant penalties against and settlement agreements with entities that engage in the same or similar transactions or behaviours in the future.
FW: Could you highlight any recent examples of sanctions enforcement following noncompliance by an organisation? What lessons can we learn from such transgressions and the penalties that followed?
Lee: In the past year, we have seen the first OFAC enforcement against a company for violation of the 50 Percent Rule, where violations were based on clients that were not on the SDN List, but majority-owned by an individual or entity on the SDN List and the electronic customer records and sanctions screening did not accurately capture or screen for beneficial ownership for corporate customers. Broadly, the recent enforcement cases by OFAC demonstrate the political and historical independence of the agency and its willingness to bring enforcement actions against various businesses and actors. For example, OFAC brought enforcement actions against Alcon Laboratories, Inc. and PanAmerican Seed Co., even though the nature of the business of both companies arguably did not present any national security risks and the entities arguably could have complied by taking advantage of the general or specific licence processes.
Goodale: Two recent sanctions enforcement actions provide valuable insights into what is and is not viewed favourably by regulators. In one matter, following a thorough internal investigation in which it discovered that several of its non-US business units had committed over 3400 violations of US sanctions against Cuba and Iran, Toronto-Dominion Bank (TD Bank) submitted a voluntary self-disclosure (VSD) relating to the apparent violations to OFAC. Subsequently, OFAC concluded that the apparent violations constituted a non-egregious case and allowed TD Bank to pay a settlement amount of $516,105, which was a fraction of the potential penalty that could have been imposed. In contrast, in another recent enforcement action, ZTE did not submit a VSD and made numerous false statements during the investigation, which ultimately led to US authorities seeking $1.19bn in penalties. These two dramatically different cases show the value of submitting VSDs and cooperating with regulators.
Brown: OFAC recently reached a settlement with ZTE in the amount of $100,871,266 for apparent violations of the Iranian Transactions and Sanctions Regulations over a five year period. ZTE, among other things, continued to export and re-export US-origin goods to Iran or the government of Iran even after the company learned of the US government's investigation into its business activities. OFAC found ZTE's nonexistent or insufficient compliance programme to be an aggravating factor in calculating this record-breaking civil penalty. The ZTE case thus underscores the importance of having a strong compliance programme within an organisation that promotes transparency and accountability.
Matthews: From the US side, perhaps one of the most interesting decisions in recent years was the Schlumberger decision, which highlighted that even a relatively remote US involvement can lead to liability, in that case for facilitation. In the EU, sanctions enforcement has been patchy at best, and very largely weighted toward enforcement of export restrictions, rather than financial sanctions. I am aware of a number of self-reports that have led to raps over the knuckles, but up until now, OFSI and its predecessors have not shown any appetite to commence proceedings against an entity which has self-reported. However, for the UK, the penalties for breach of financial sanctions are about to get tougher, and OFSI will be able to issue fines directly, without the need to go to court, and to a civil standard. So it will be interesting to see how the picture develops in the UK in the coming year or two.
“The potential penalties for sanctions non-compliance will continue to grow over time.”
FW: In your opinion, what should companies (especially those operating in multiple international territories) be doing to stay up-to-date with new sanctions compliance requirements?
Gatti: To stay up-to-date with new sanctions compliance requirements, companies operating in multiple international territories need to engage dedicated sanctions compliance teams that are assigned to track specific sanction regime changes, especially for those countries that apply sanctions as a foreign policy tool. Sanctions compliance requires companies operating in multiple international territories to be mobile, agile and always ready to react, especially since many sanctions changes are effective on publication date and frequently do not provide for a wind-down period or any grandfathering of transactions already in process.
Bittner: The first thing I would recommend is to ensure that your company devotes adequate resources to sanctions compliance, whether it is in the form of qualified, in-house professionals or dedicated outside support. Sanctions compliance is a complicated regulatory area full of pitfalls for the unwary where penalties are often measured in the hundreds of millions of dollars. Trying to manage a complex web of international sanctions laws with people who handle sanctions compliance as one of many different job functions could result in costly errors, loss of reputation and even criminal penalties.
Goodale: Sanctions compliance requirements are frequently modified by US and non-US authorities. Given this fact, it is critical for companies to monitor compliance developments on a regular, if not daily, basis. However, doing so can be difficult for many companies that are only able to dedicate limited resources to sanctions compliance efforts and often may require that their designated in-house compliance personnel wear multiple business hats that permit them to focus only a small amount of time on monitoring compliance developments. In light of these realities, companies should consider utilising outside experts to provide them with regular updates on compliance developments. Alternatively, companies should seek to use publicly available resources to monitor compliance developments, such as government agency websites and alert notification email lists and blogs and websites dedicated to sanctions developments that are maintained by law firms and other entities.
Matthews: For most businesses, sanctions compliance means simply not breaching sanctions. This is not straightforward, and the ambiguities about ownership and control, and also about what constitutes proportionate due diligence, cause real uncertainty. I would advise all companies to have a sanctions compliance policy, as this forces them to think up front what their sanctions compliance risks are, which countries’ sanctions laws they need to comply with, and what procedures are needed to reduce or eliminate those risks. It also helps in any dealings with a sanctions authority to show that systems and controls are in place, even if they may have failed on a specific occasion, or failed to address properly a particular type of risk. The situation is different for FCA regulated entities which are under an obligation to have adequate systems and controls in place to prevent financial crime. For them, having a sanctions compliance policy is not merely good practice but is a regulatory requirement in itself.
Brown: First, multinational companies should sign up to receive alerts from OFAC when it issues a new penalty, finding of violation or settlement agreement. OFAC is required to post new penalties, findings of violations and settlement agreements on its website. The postings usually contain a summary of the facts and more importantly OFAC’s use of aggravating and mitigating factors under the enforcement guidelines. They provide valuable insight into OFAC’s enforcement priorities and its rationale in determining whether a particular case is egregious or not. Second, multinational companies should monitor the Federal Register on a consistent basis. OFAC and other agencies publish new regulations, amendments and general licences in the Federal Register as well as posting them on their websites. The timely dissemination of new sanctions regulations and policies ensures that significant gaps do not develop in a company’s sanctions compliance. Following OFAC’s enforcement actions, and the enforcement actions of similar agencies in other countries, and monitoring the Federal Register are the most effective ways a global or multinational company can stay up-to-date with new sanctions compliance requirements.
Lee: Keeping up with the almost daily changes in sanctions regimes is becoming increasingly difficult. There is no substitute for management commitment and dedication to this exercise, with the appropriate funding and staffing. Training and ongoing monitoring are critical.
“Keeping up with the almost daily changes in sanctions regimes is becoming increasingly difficult.”
FW: Are the costs of sanctions compliance increasing exponentially? How can companies manage these costs?
Bittner: I don’t know if the costs of sanctions compliance are increasing exponentially, but I think companies are beginning to realise that they need to have dedicated, professional sanctions compliance resources to properly manage this risk area.
Goodale: The burdens of sanction compliance are increasing exponentially. This is due in large part to the more nuanced ways in which countries are implementing and modifying their sanctions programmes. For example, the Ukraine-related sanctions that the US and EU authorities have been implementing since Russia annexed the Crimea Region of Ukraine in 2014 are much more targeted than sanctions typically have been in the past. These Ukraine-related sanctions, which are frequently amended, do not prohibit all business transactions with all Russian entities, but only certain kinds of transactions with specifically identified entities in certain sectors of the Russian economy. In order to comply with such constantly evolving and complex sanctions in a cost-effective manner, companies, with assistance from outside sanctions compliance experts, should develop a holistic sanctions compliance programme that is predicated on strong and appropriate screening mechanisms and that is implemented and understood by all concerned company personnel.
Brown: The costs of sanctions compliance are increasing exponentially because the number of sanctions programmes has increased and targeted sanctions are often more complex than comprehensive trade embargoes. Companies can manage these costs by automating compliance as much as possible. To the extent that compliance processes can be built into existing fulfillment and procurement systems, companies can avoid dedicating additional resources, such as training and time, to it.
Matthews: The costs of sanctions compliance will vary significantly according to the nature of a business and its risk tolerance. A company could take a risk averse approach such that its compliance risk and compliance costs would be very low, but it would miss out on business which competitors with more targeted compliance policies and procedures are able to take. So there is a trade-off for firms in terms of ability to take on certain business and the consequential compliance costs. An illustration of this is with the entities targeted as subject to an investment ban under the Russia sanctions, as with SSI listings in the US. Some businesses will prefer to take a clear line that they will not deal with a sanctions-listed entity. But the restrictions which apply in relation to the entities on the Russia investment ban list are actually quite narrow, and businesses which are prepared to do so may develop a more sophisticated policy which enables them to recognise this listing, but still to proceed, perhaps with caution, with activities that the listing does not prohibit.
Lee: Costs are certainly increasing. Keeping experienced personnel at the company is important, as is a regular review of where sanctions compliance resources are being directed and whether the focus is still appropriate. This is where a yearly risk-assessment can be an important part of cost containment as well as sanctions compliance.
FW: What advice would you give to organisations that are looking to develop an effective sanctions compliance programme? What steps can they take to ensure company-wide adoption?
Goodale: Performing a risk-based analysis of a company’s business operations is essential for the purposes of developing an effective compliance programme. Risk factors that should be analysed include, among other things: business and product lines, customer base, the number and variety of countries served, and the international merger and acquisitions activity of a company. Based on the risk-based analysis, the company should develop robust compliance policies and procedures, which should include effective screening mechanisms, and the policies and procedures should be set forth in a compliance manual. Training relating to the compliance policies and procedures, which should be updated as necessary, should be provided to all company personnel involved in international operations. To ensure that the policies and procedures are working effectively, compliance assessments should be performed on a periodic basis by internal or external entities that are independent of the sanctions compliance group.
Brown: I would advise organisations looking to develop an effective sanctions compliance programme to hire dedicated resources with the requisite knowledge, skills and drive to perform at a high level. Compliance personnel must fully understand the sanctions regulations and be able to communicate them to others within an organisation. The quality of the compliance personnel determines the effectiveness of an organisation’s sanctions compliance programme over time. An organisation can ensure company-wide adoption by cultivating a culture of compliance. This cultivation has to start at the top of the organisation. The leadership or management of an organisation must demonstrate a commitment to sanctions compliance and set an example for others to follow. The compliance personnel also have to believe that they have management support in making the difficult decision not to pursue or approve deals that pose a high level of risk to their organisation’s compliance with sanctions regulations or its reputation with the US government.
Matthews: Businesses come in all shapes and sizes and a good compliance policy will be well tailored to the structure, business and risks for that company. However at a general level, the key things I would focus on are ensuring genuine board level understanding and buy-in for the policy and identifying some clear key points and procedures for operational staff, while establishing a small core team within the business, headed by a senior person who will take overall responsibility for sanctions compliance and develop a fuller understanding of relevant sanctions requirements. In many cases, it is not necessary to try to make everyone in a business a sanctions expert. The small core team can take responsibility for keeping up to speed with sanctions risks and developments and can cascade the relevant bits to operational colleagues as necessary.
Lee: Because different offences may arise out of parallel investigations focused on related conduct, entities may benefit from integrating compliance reviews and allocating training and compliance resources according to the type of potential violations that are most relevant to the business. Because non-governmental agencies are increasingly involved in enforcing certain business conduct and publicising apparent wrongdoing, businesses must also understand that scrutiny into business practices may come from both government and non-government sources and understand the compliance requirements of the entities they are contractually obligated to.
Bittner: In addition to easy-to-access screening software that seamlessly integrates with the company’s enterprise resource planning systems, successful companies have clear policies and procedures that explain the sanctions laws in all of the countries in which they operate. They also have dedicated professionals to explain in real time what the business can do in the areas that are subject to sanctions.
Gatti: First, consider expenses associated with developing sanctions compliance programmes as expenses associated with developing quality control programmes. It is always less expensive to develop quality control plans than it is to deal with problems that result from a lack of quality controls or deficient quality controls. Second, keep in mind that sanctions compliance programmes should be equal parts art and science. It is no longer sufficient to rely exclusively on pure science which generally takes the form of ad hoc or routine automated screenings of the names of business partners. Sanctions compliance has become so complex that scientific processes must be applied in tandem with judgment-based analysis or artistic based processes. Third, make sure to obtain clear, written support from corporate management. Without such support, no sanctions compliance programme will ever be able to take root on a company-wide basis.
“Companies should consider utilising outside experts to provide them with regular updates on compliance developments. ”
FW: What best practices should organisations follow as part of their sanctions compliance? Generally-speaking, how would you characterise the quality of most organisations’ compliance programmes?
Brown: As part of their sanctions compliance, organisations should follow best practices in recordkeeping. The sheer volume of transactions and engagements in a global business or organisation can be daunting. However, effective recordkeeping provides a document trail so that compliance personnel can conduct reviews of business units or sales teams to ensure compliance with sanctions regulations. It also permits a global business or organisation to continuously improve compliance processes and procedures in the event weaknesses or inefficiencies are identified during a compliance review.
Matthews: In many cases where a business has identified the need to have a sanctions policy, the policy ends up being confused and overcomplicated – with the effect that it becomes either ill-understood and therefore ignored or overly burdensome and expensive to operate. Sanctions is ultimately not a hugely complicated area, even if there are undoubtedly complications within it. Of course there are exceptions – the more a business deals with listed persons, or operates in or with countries subject to sanctions, and the more countries’ sanctions laws a business has to respect, the more complex its procedures will inevitably become.
Gatti: Subscribe to an automated sanctions screening programme that screens sanctioned countries as well as sanctioned parties. For those companies that operate in multiple international territories, make sure that the sanction screening programme selected includes sanction regime screening for all countries where you have business operations. Also make sure that your sanctions screening programme permits ad hoc screenings as well as routine automated background screenings of all business partner names ever screened. In screening new business partners, also screen their beneficial owners as well as address locations for each party screened. Hire an experienced sanctions team and provide team members ongoing sanctions training to ensure that team members understand OFAC’s 50 percent deemed SDN/SSI rules. Also comprehend that some sanctions regimes involve prohibitions on all dealings with specific business partners whereas others merely trigger licensing requirements. Lastly, develop procedures for blocking newly sanctioned business partners as well as filing required blocking reports with OFAC.
Lee: Because the same or similar conduct may be investigated by both local and foreign enforcement agencies, businesses need to understand the key differences between local and federal regulations and never assume that misconduct is limited to local business units. Instead, such conduct may be indicative of a global problem. At all levels of enterprise, most sanctions programmes can be improved. However, having a ‘Cadillac version’ of a compliance programme can actually be counterproductive, as it is so complicated that it is not being followed by the company. It might be better to have a more streamlined programme that people actually follow.
Goodale: Companies of all sizes should consider following these five best practices for sanctions compliance. First, perform a risk-based analysis of the company’s operations periodically to determine whether changes to certain operations have occurred that warrant making significant modifications to the company’s sanctions compliance policies and procedures. Second, monitor sanctions developments frequently and make changes to the company’s sanctions compliance policies and procedures, as necessary. Third, provide training on the company’s sanctions compliance policies and procedures to all relevant company personnel on a regular basis. Fourth, perform frequent testing to confirm that screening mechanisms are working effectively. Finally, have internal or external compliance assessments performed on a periodic basis relating to the company’s policies and procedures. In addition, companies that export to certain countries and regions in which there are complex ownership structures should consider using sophisticated screening software or services to ensure compliance with OFAC’s 50 Percent Rule.
FW: With sanctions compliance and enforcement now part of the day-to-day fabric of global trade, what advice would you give to organisations when dealing with third parties and external agents?
Gatti: Screen third parties, external agents and their respective beneficial owners in the same manner as all business partners are screened.
Lee: Third-party diligence is often the weakest part of a compliance programme. The importance of doing appropriate diligence on your partners, agents, customers and counterparties cannot be overstated. It is also important to periodically update that diligence to make sure that you are aware of significant changes.
Goodale: As an initial matter, companies must effectively screen third parties and external agents. For companies subject to US jurisdiction, such screening must not only ensure that third parties are not on any proscribed entities lists, but it also should rule out the possibility that the third parties are owned or controlled 50 percent or more by one or more blocked persons in violation of OFAC’s 50 Percent Rule. As a best practice, such screening should be performed prior to engaging in each transaction with a third party to ensure that the third party has not been added to any of the proscribed entities lists or become subject to OFAC’s 50 Percent Rule since the last screening. Companies also should include compliance clauses in their contracts with third parties that require the third parties to comply with current and future US export control and sanctions regulations.
Matthews: Businesses should think carefully about how their business is protected from the risk of a third party breaching sanctions. What is appropriate will depend on the circumstances. Steps that are likely to be appropriate include a combination of ensuring that the third party has its own sanctions compliance policy, and asking to see it; contractual protections, including to allocate legal responsibility for doing each of the procedural steps required such as screening and obtaining licences, obtaining relevant warranties and undertakings; and active engagement, including from time to time doing the due diligence yourself even if you have allocated responsibility for it to the agent or third party. A common issue is that businesses think about these issues when entering into new relationships, but do not revisit existing arrangements which may have started when sanctions were a less prominent compliance issue.
Brown: I would advise organisations to do their due diligence. When dealing with third parties and external agents, organisations must take the time to find out with whom they are doing, or potentially may do, business. The reputation of an organisation could be adversely affected by transacting with third parties or hiring external agents to act on its behalf. Furthermore, an organisation could be held responsible by sanctions enforcement agencies if it knows or has reason to know that a third party or external agent is engaging in prohibited transactions.
“Businesses come in all shapes and sizes and a good compliance policy will be well tailored to the structure, business and risks for that company.”
FW: How do you expect the sanctions compliance landscape to develop throughout 2017 and beyond? Will organisations continue to improve their internal monitoring and compliance processes?
Matthews: In the UK, the introduction of OFSI’s new monetary penalties power is likely to focus minds. I expect the monetary penalties power to be used relatively soon – OFSI will want to demonstrate that it has teeth – but will likely wait for a relatively clear case of breach. As the Trump administration settles in, we may see changes to various US sanctions regimes in 2017 – he has expressed contrasting views on the current US sanctions arrangements as regards Russia and Iran, although changes to either come with complications, so he may opt to live with the status quo a little longer. In any event, as seen with Iran following the JCPOA, bank caution and an imbalance with EU sanctions may slow any practical impact of any sanctions-easing with regard to Russia. Another issue on the horizon, although probably not for 2017, is Brexit. It is to be expected that the UK and EU will continue to adopt broadly the same measures after Brexit, and to cooperate, but this should not be taken for granted.
Goodale: It seems likely that 2017 will be a momentous year for sanctions compliance. President Trump has indicated that the US may review changes that have been made to US sanctions against Cuba and Iran in recent years, which could result in some or all of the eased sanctions being rescinded. Conversely, President Trump has suggested that the US may re-evaluate and remove some of the Ukraine-related sanctions, although various members of the US Congress have expressed opposition to such actions being taken. Less speculatively, as indicated by the $1.19bn in penalties against ZTE that have recently been announced, the US government has served notice to all that it will continue to enforce US sanctions vigilantly through multi-agency enforcement actions and will impose severe penalties against entities that commit sanctions violations. For all of these reasons, companies will need to monitor sanctions developments closely in 2017.
Lee: One thing is certain, 2017 is going to be a very interesting year for sanctions compliance. We can expect changes due to the new US administration and increasing focus on Iran, Russia and Cuba. Companies are going to continue to be constrained by limited resources. Being ‘smart’ about the ways to comply with ‘smart’ sanctions is the best way to survive.
Gatti: The sanctions compliance landscape will continue to evolve during 2017. It is possible that the recent change in US leadership may result in changed US sanctions policy, but that is far from clear at this point. As for organisations continuing to improve their internal monitoring and compliance processes, such improvement is well advised, especially with respect to OFAC sanctions, given that many recent OFAC enforcement actions have cited compliance processes as a mitigating, or sometimes aggravating, factor in penalty assessment.
Brown: I expect the sanctions compliance landscape to become more complex in 2017 and beyond. It seems likely that the JCPOA will survive, at least in the short-term. However, there are a number of bills in the US Congress that would mandate additional sanctions in response to Iran’s recent behaviour related to terrorism, ballistic missiles and human rights. There are also bills in Congress that seek to codify existing Russian sanctions and limit the Trump administration’s ability to remove them without congressional review and approval. One bill, which appears to have bipartisan support, would mandate additional sanctions against Russia for its interference in the 2016 presidential election in the US. Finally, the Trump administration could target Chinese state-owned enterprises and financial institutions pursuant to existing sanctions in response to North Korea’s recent ballistic missile activity. Organisations will have to continue to improve their internal monitoring and compliance processes to navigate this sanctions compliance landscape.
Bittner: With the Trump administration now in charge of US sanctions, it is very difficult to predict what lies ahead in 2017 and beyond. As a candidate, Mr Trump declared that he would tear up the JCPOA with Iran in his first days in office. However, the deal remains in place and it does not seem that the administration has any plans of pulling out unilaterally. It is also impossible to say how the US relationship with Russia will evolve in the coming months and whether the changes will have any impact on the Ukraine and Russian sanctions programme. Companies will have to continue to monitor sanctions developments closely, and they should not assume that the US sanctions laws and regulations will be the same this time next year.
Roger Matthews is a senior lawyer in Dechert’s international trade, EU and government relations practice. Mr Matthews advises on all aspects of international trade regulation, focusing particularly on economic sanctions and trade restrictions. He also specialises in EU law and practice, including trade and services regulation and issues relating to Brexit. He advises a range of multinational companies on both ensuring sanctions compliance and strategic and contentious matters. He was previously a sanctions policy officer at the European Commission. He can be contacted on +44 (0)207 184 7418 or by email: roger.matthews@dechert.com.
Geoffrey M. Goodale is at partner at FisherBroyles, LLP. Throughout his career, Mr Goodale has assisted US and non-US financial institutions and companies in numerous industries develop and implement cost-effective strategies to accomplish their international business goals. His practice focuses on export controls, economic sanctions, import compliance, trade litigation, intellectual property rights protection, cyber security and foreign direct investment (e.g., CFIUS matters). Currently, he serves as co-chair of the ABA’s Export Controls and Economic Sanctions Committee. He can be contacted on +1 (202) 261 6644 or by email: geoffrey.goodale@fisherbroyles.com.
Judith Alison Lee is co-chair of Gibson Dunn & Crutcher LLP’s International Trade Regulation and Compliance Practice Group and partner in the firm’s Washington, DC office. She is also a former co-chair of the IBA’s Export Controls, Sanctions and Anti-Corruption Subcommittee. Her expertise includes the USA Patriot Act, the Foreign Corrupt Practices Act (FCPA), economic sanctions and embargoes, export controls and the Committee on Foreign Investment in the United States (CFIUS). She can be contacted on +1 (202) 887 3591 or by email: jalee@gibsondunn.com.
Kimberly N. Brown is responsible for reviewing potential engagements to ensure that IBM’s business units comply with economic sanctions and export control laws and regulations in the delivery of services to internal and external clients. Prior to joining IBM, Ms Brown worked as both a senior enforcement officer and policy analyst with the US Department of the Treasury’s Office of Foreign Assets Control. She can be contacted on +1 (202) 551 9523 or by email: brownkn@us.ibm.com.
Margaret M. Gatti represents US and non-US companies, universities and financial institutions in matters involving economic sanctions and export controls. In representing clients, she conducts merger and acquisition due diligence, provides compliance counselling and training, drafts compliance procedures, performs compliance audits and drafts voluntary disclosures for submission to US government enforcement agencies. Before joining Morgan Lewis, Ms Gatti was a partner in the corporate practice of a national law firm. She can be contacted on +1 (202) 739 5409 or by email: margaret.gatti@morganlewis.com.
Bryce Bittner is the director of global trade compliance at Textron Inc., where he oversees compliance with the export control, sanctions and customs laws for Textron’s family of companies, including Arctic Cat, ATAC, Bell Helicopter, Kautex, Jacobsen, Textron AirLand, Textron Aviation, Textron Financial, Textron Specialized Vehicles, Textron Systems, Textron Tools & Test and TRU Simulation & Training. Prior to joining Textron, Mr Bittner worked for Honeywell Aerospace and Akin Gump Strauss Hauer & Feld LLP. He can be contacted on +1 (202) 637 3815 or by email: bbittner@textron.com.
© Financier Worldwide
THE PANELLISTS
Dechert LLP
FisherBroyles, LLP
Gibson, Dunn & Crutcher LLP
IBM
Morgan, Lewis & Bockius LLP
Textron