Sanctions compliance & enforcement

February 2018  |  ROUNDTABLE  |  GLOBAL TRADE

Financier Worldwide Magazine

February 2018 Issue

The sanctions compliance and enforcement landscape has been impacted in recent months by a  number of significant developments, including the Trump administration’s rollback of Obama-era policies, more aggressive OFAC enforcement  actions and an uptick in coordination between government agencies pursuing sanctions violations. With global enforcement activities in 2018 likely to be as vigorous as the year before, companies are under pressure to address the complex nature of the sanctions environment and ensure their compliance obligations are fulfilled. The stakes, as ever, remain high.

FW: In broad terms, what do you consider to be the key developments and trends to have arisen in sanctions compliance and enforcement over the past 12 months or so?

Bittner: Four trends seem to have arisen in sanctions compliance and enforcement in the past 12 months: the Trump administration’s rollback of Obama-era policies, especially with respect to Cuba and Iran, aggressive Office of Foreign Assets Control (OFAC) enforcement actions that continue to stretch the agency’s jurisdiction, a slow dismantling of the executive branch’s sanctions policy apparatus through a hiring freeze, attrition and restructuring of the State Department, and an increasing role of the US Congress in sanctions policy. One might argue that the main trend since Mr Trump won the presidential election seems to be an almost knee-jerk dismissal of previous sanctions policy and practice without a clear, consistent path forward for industry to follow.

Lee: A major trend in sanctions compliance and enforcement that we have started to see over the past year is coordination across government agencies in pursuing sanctions violations. For example, the Department of Justice (DOJ), OFAC and the Bureau of Industry and Security (BIS) all coordinated in the ZTE Corporation investigation, which resulted in a guilty plea and penalty of over $430m for violating US sanctions by sending US-origin items to Iran. In the past, OFAC, the BIS and other agencies would generally conduct separate investigations. Other important developments over the past year have included increasing the number of enforcement cases that were brought for the theft of trade secrets and intellectual property, as well as the increasing use of the ‘causation’ theory under the International Economic Emergency Powers Act (IEEPA) to hold foreign financial institutions accountable for processing transactions in US dollars.

Barnhill: 2017 was quite a busy year with respect to US sanctions compliance and enforcement. We saw changes to the sectoral sanctions against Russia and the imposition of sectoral sanctions against Venezuela. We also saw changes to US sanctions against Cuba, additional sanctions against North Korea and those dealing with North Korea, and an end to US sanctions against Sudan. On top of that, OFAC made public a total of 16 settlement actions and three findings of violation. All of this means that companies continue to have the difficult task of ensuring that their compliance programmes address considerations under comprehensive, sectoral, list-based and secondary sanctions, and keeping those compliance programmes up-to-date in an often-changing and complex sanctions landscape.

Pride: Updates to various Russian sanction strategies was the biggest news over the past year. The US identified, blocked and prohibited Specially Designated Nationals (SDNs), sectoral sanctions continued, export product controls expanded and a virtually complete embargo on Crimea continued. We saw codification of the existing sanctions and restrictions were placed on the US president’s authority to reduce sanctions. We also saw an increase on reporting export activities to Russia. Other key developments include North Korea and Venezuela.

Matthews: In the UK, the key developments have been the arming of the Office of Financial Sanctions Implementation (OFSI) with the power to administer monetary penalties for sanctions breaches, and the expansion of the reporting requirement – such as the obligation to inform HM Treasury of sanctions breaches – to a range of professionals, including accountants and, save where privilege applies, lawyers. We have also seen some broadening approaches to interpretation of sanctions laws by OFSI. In turn, more businesses in more sectors are becoming aware of the need to ensure that they have robust sanctions compliance arrangements in place. For example, the asset management sector is noticeably more alert to the need to have robust compliance policies and adequate contractual protections.

Perrotti: OFAC’s enforcement history over the last year shows a focus on the Iran sanctions programme, with Cuba being a somewhat distant second. Of course, the lag time between the activity at issue and the enforcement action clouds the picture, but when OFAC exercised its enforcement action discretion in 2017, it skewed toward calling out activity in violation of the Iran sanctions. In addition, about two-thirds of the actions penalised US companies, so the focus fell on businesses located domestically. From a designations perspective, we saw a lot of activity from OFAC under the North Korea, Russia and Ukraine and Syria programmes, as well as those relating to terrorism and narcotics.

The ExxonMobil and TransTel cases, both from July 2017, demonstrate OFAC’s willingness to aggressively pursue sanctions violations.
— Bryce Bittner

FW: In your opinion, what are the most pressing sanctions-related issues now facing companies engaged in international trade?

Lee: There is a heightened need for transaction-level diligence, on account of two major developments: the targeted, sectoral sanctions implemented against Russia and Venezuela and the difficulties of determining which entity is the actual owner of a company, particularly with regard to applying the 50 percent OFAC rule. As to the former, the targeted sanctions placed on Russia and Venezuela are transaction and sector specific, as opposed to full embargos. This places a significant burden on companies to fully understand the nature of the transaction that they are contemplating and who, exactly, the counterparties and end-users are. In terms of the latter, companies need to be cognisant of OFAC’s 50 percent ownership rule to ensure that they are not engaging in transactions with an entity which, while not on the SDN list itself, is at least 50 percent owned by an entity that is on the SDN list.

Barnhill: Companies today face sanctions regimes which are increasingly complex, requiring consideration of a variety of factors and a detailed understanding of the underlying facts for any particular transaction. Screening a transaction for prohibited countries and parties listed on the SDN list may no longer be sufficient. Companies must now ensure that they are considering the prohibitions under comprehensive, sectoral and list-based sanctions, which can overlap with one another. Further, there are additional criteria by which the US government can impose secondary sanctions for activities otherwise outside of US jurisdiction. Companies must now also consider those secondary sanctions risks when evaluating transactions and potential business partners.

Pride: The most pressing sanctions-related issues are twofold. Firstly, keeping up with the changes and secondly, interpreting the various sanctions imposed by individual countries and communities.

Matthews: The most difficult issue now on the EU side is that banks have reacted to years of US sanctions fines by adopting extremely risk-averse sanctions compliance approaches based on a cautious reading of US restrictions. Often the biggest obstacle for an EU business is not identifying which activities are permitted in relation to a sanctioned country, but finding a bank that will support that activity. Arguments that an activity is legitimate, under applicable EU law, often fall on deaf ears. Another issue that is emerging is the risk of sanctions pluralism. EU and US sanctions are no longer closely aligned on Iran, and are moving apart on Russia. The UK’s exit from the EU potentially creates another different set of sanctions requirements and others, such as Canada, sometimes take a different position. Additionally, other regional sanctions, such as Qatar, or counter-sanctions, such as Russia on Turkey, further complicate the picture.

Perrotti: International trade inherently means exports, and for US export control laws, that implicates the BIS export administration regulations, which govern exports of US items. While the BIS, which enforces the Export Administration Regulations (EAR), was not involved in more than one or two of the 2017 OFAC enforcement actions, it is possible that better export-related controls could have prevented, or at least mitigated, the activity cited for penalties by OFAC. While a number of OFAC actions related to re-export or reshipment, some involved direct exports to prohibited geographies. Solid export controls are designed to control for this risk and secondarily can reduce a company’s risk from a sanctions perspective.

Bittner: Companies engaged in international trade tend to have two perspectives on sanctions compliance. First, they look at which markets are subject to sanctions and, therefore, off-limits because of unwanted legal or reputational risk. Second, they look at what new markets are opening because of changes to existing sanctions policy. When governments impose new sanctions against countries, persons and entities that are already subject to strict controls, companies tend not to pay much attention as they were not likely to do business there in the first place. However, compliance experts watch for changes in enforcement policy that could signal new scrutiny on activities that were not previously risky. For instance, OFAC taking the position that they have jurisdiction over a transaction that was viewed as being outside of the reach of US sanctions enforcement or that appears to divert from past OFAC practice, such as the ExxonMobil case, warrants close attention. Companies also focus significant resources to understand new opportunities that arise due to loosening of existing sanctions laws. In this vein, the US sanctions against Iran continue to be a pressing issue for US and US-owned and controlled international companies as the Trump administration’s policy towards Iran continues to evolve. Iran represents a sizeable market, and US companies, especially those in the aerospace industry, are watching this area closely.

FW: Have you observed any intensification of recent enforcement activity? How aggressively are regulators pursuing and punishing those companies which violate the rules?

Barnhill: OFAC published information related to 16 settlement actions in 2017. While this is an increase from the 2016 numbers, it is consistent with the number of settlements in 2015 and 2012, and is less than the number of total settlements in 2013 and 2014. The indications are that regulators intend to continue to actively pursue companies that violate the regulations, including non-US companies, and that they will continue to seek significant penalties for such violations. One of the most widely publicised cases of 2017 involved a settlement among OFAC, the US Commerce Department and the DOJ, with a total penalty of more than $892m, of which OFAC’s portion was over $100m. This is yet another of several examples in recent years of multi-million dollar settlements with companies for violations of the US sanctions.

Pride: The enforcement case study from 2017 was the ZTE Corporation (ZTE) case for violations of the Iranian Transactions and Sanctions Regulations (ITSR) and the EAR. The DOJ and the National Security Agency (NSA) settled with ZTE for more than $430m plus three years of corporate probation. In the same case, the BIS settled for $661m, $300m suspended, plus a seven-year probationary period and six audits by an independent compliance auditor. And OFAC closed out the ZTE case for $100,871,266 which represented OFAC’s largest settlement to date with a non-financial entity.

Matthews: In the EU, there are clear signs that some Member States’ approaches to enforcement are on the rise, albeit from a very low starting point. OFSI in the UK now has its power to issue monetary penalties, although it has yet to use it, and there are reports of 50 to 60 cases under active investigation. In France, sanctions enforcement authorities recently raided the offices of an entity suspected of Syria sanctions breaches; and there have been a number of prosecutions in the Netherlands in 2017. This may not sound like much relative to OFAC, but the direction of travel is clearly towards a more proactive enforcement approach by EU Member State authorities. Further indications of a more aggressive sentiment can be seen in the tone of OFSI’s guidance around monetary penalties and its revised general sanctions guidance.

Bittner: Many will point to ZTE and its enormous penalties as the case of 2017, but the key facts in that case – wilful violations, creation of false records, destroying evidence and lying to the US government – make it an outlier for me and not very instructive for companies that are trying diligently to comply with the sanctions laws. The ExxonMobil and TransTel cases, both from July 2017, demonstrate OFAC’s willingness to aggressively pursue sanctions violations. Although the first case only resulted in a $2m penalty, it represents an apparent departure from past OFAC practice in that the agency charged ExxonMobil for dealing with a non-restricted Russian company whose president was an SDN. ExxonMobil believed that it was acting within the policy set forth in OFAC’s previous public statements, but the agency disagreed. ExxonMobil took an usual step and challenged OFAC’s penalty in US district court, the results of which are pending. TransTel is the first case that OFAC has brought against a non-US, nonfinancial entity for causing violations of the Iranian sanctions. This extends OFAC’s extraterritorial jurisdiction into a new area. TransTel was charged $12m for originating over 100 wire transfers from an account denominated in US dollars for services in support of Iranian oil and gas projects.

Perrotti: Simply judging by the number of enforcement actions, 2017 was really in line with prior years, and for the most part the monetary penalties assessed were well below $1m. There were a couple of exceptions to this, and those cases with penalties on the higher end of the scale were categorised as “egregious”, while most if not all of the lower fines were not. Another interesting note is that most of the actions undertaken by OFAC were not against companies that had voluntarily self-disclosed, potentially indicating OFAC pursuing its own methods of uncovering what it deems to be unlawful behaviour.

Lee: If intensification is measured by the size of the penalties, then absolutely we have observed an intensification of recent enforcement activity. In particular, the ZTE settlement resulted in the largest penalties ever for sanctions violations. That said, there appears to have been a slowdown in the number of sanctions enforcement actions being brought, especially against large financial institutions.

Given that the majority of actions in 2017 were driven by violations of the Iran programme, companies that have business activity that involves Iran are likely at higher risk of attracting regulatory scrutiny.
— Brenda Perrotti

FW: Could you highlight any recent examples where authorities have issued penalties stemming from sanctions non-compliance? What insights can we draw from these cases?

Pride: The ZTE issues stemmed from an executive scheme. Not only did the executives have a plan to sell to sanctioned countries but they embarked on an effort to deceive federal officials by having their employees sign non-disclosure agreements. Then ZTE executives planned to continue exports to Iran while evading the provisions of the European Economic Area (EAA) and the EAR.

Perrotti: The largest penalty in 2017 was assessed against China’s ZTE for violating both the Iran and North Korea sanctions programmes. ZTE entered numerous contracts with Iranian entities to build and operate telecommunications networks in Iran using US origin equipment and software. ZTE was also found to have made a number of shipments to North Korea. The total fine was $1.2bn, with more than $600m going to the BIS within the US Commerce Department, and more than $100m to OFAC. The DOJ also assessed penalties. The involvement of BIS shows the interrelated nature of exports and sanctions compliance, and the care companies should take in managing both areas. The ZTE fine was in fact the largest civil penalty ever assessed by BIS, and it was done in conjunction with a sanctions case.

Lee: The ZTE case suggests that greater coordination between agencies might be the norm in sanctions enforcement actions going forward, and portends larger penalties for sanctions non-compliance in the future. Another notable enforcement action from 2017 involved ExxonMobil Corporation agreeing to a $2m penalty for violations of the Ukraine-related sanctions. Exxon-Mobil violated the Ukraine-related sanctions by engaging in transactions related to oil & gas projects in Russia. ExxonMobil was found to have violated the Ukraine-related sanctions, despite the fact that Rosneft is not an SDN, but because it signed legal documents with Igor Sechin, the president of Rosneft, who is an SDN. This action underscores the fact that companies must be vigilant when engaging in transactions with jurisdictions that are subject to targeted sanctions to ensure that despite dealing with a non-designated entity, they are not entering into contracts with a designated individual.

Matthews: In the UK, OFSI has not yet used its new enforcement powers. But, given the reports of the number of cases under investigation, I expect it to issue some penalties in 2018, and would not be surprised if the recipients challenge the penalties in court, leading to some interesting litigation. There have been a number of recent prosecutions in the Netherlands in 2017, and there is at least one more in the pipeline, although the focus has been on cases involving breaches of export controls, rather than the potentially more complex financial sanctions issues. My impression is that in the US, OFAC’s focus seems similarly to be shifting away from banks, toward wider financial services providers and also to non-financial companies, such as energy-related services providers.

Barnhill: OFAC published information related to a total of 16 settlement actions in 2017. Among the important takeaways from those cases is that companies ensure that they are adequately screening transactions and business partners against the restricted parties lists, and for destinations subject to comprehensive sanctions. Screening should include signatories to contracts and other legal documents. Companies should also remain mindful of risks related to facilitation, as several settlements cited violations of the prohibition on facilitating a transaction in which the person or entity could not participate directly. Finally, the settlements also revealed the importance that non-US companies be mindful of their risks under US sanctions, including related to re-exports of US origin goods to Iran and engaging in activities that cause a violation of the sanctions.

Any violations involving Iran, Russia or China are likely to prompt more attention from the Trump administration and are more likely to result in enforcement actions.
— Judith Alison Lee

FW: Are there any sanctions violations that appear to be either more or less likely to prompt enforcement action?

Lee: Any violations involving Iran, Russia or China are likely to prompt more attention from the Trump administration and are more likely to result in enforcement actions. The administration appears to be particularly focused on Iran, as it looks to continue to increase pressure on the country following president Trump’s decision to decertify the Iran nuclear deal. And of course, any violations that are deemed wilful, as opposed to unintentional, will result in more attention from OFAC and the BIS and referral to the DOJ.

Bittner: Based on recent OFAC enforcement cases, it appears that the agency is currently focused on US-based companies, with a particular interest in information technology, telecommunications and offshore services firms. While past cases may not predict future enforcement actions, in the five years prior to 2016, cases against financial services firms represented 36 to 53 percent of OFAC enforcement actions, with a high of 53 percent in 2015. In 2016-2017, however, the percentage of OFAC cases against financial services companies dropped to less than one-fourth of the total.

Matthews: There are no indications that some EU sanctions offences are inherently more or less likely to prompt enforcement action than others, although some may be easier to evidence than others. OFSI makes clear that it takes all sanctions breaches seriously. However, the likelihood of enforcement will be affected by the conduct of those involved. OFSI has emphasised that its approach, on discovering a potential breach, will be informed by three issues: whether the breach was promptly self-disclosed, the level of cooperation of the offending party with OFSI’s enquiry and the actions the party has taken to improve future compliance. That said, for OFSI’s first uses of its new powers, it is likely to want to focus on substantive core breaches, rather than technicalities or fringe activity, and to be sure of successes even in the face of potential legal challenge.

Barnhill: OFAC settlements in 2017 involved both US and non-US entities and covered a range of violations across several sanctions programmes. Iran continued to receive a high level of attention from US regulators, with 10 of the 16 OFAC public settlement actions and each of the findings of violation in 2017 involving violations of the US sanctions against Iran. Whether a particular violation is more likely to prompt enforcement action depends on a number of factors, including whether the behaviour was wilful, whether there was awareness of the conduct throughout the organisation, the harm to US sanctions objectives, the sophistication of the organisation, the existence of a compliance programme, any corrective actions taken, when the violation occurred, the potential deterrent effect of an enforcement action and other relevant factors.

Perrotti: Given that the majority of actions in 2017 were driven by violations of the Iran programme, companies that have business activity that involves Iran are likely at higher risk of attracting regulatory scrutiny. North Korea poses another possible hotspot. The North Korea sanctions are already quite comprehensive, and there is not much room left for additional restrictions. As a result, there could be more focus on actors from outside North Korea that are conducting any kind of business with, or that somehow benefits, North Korea. This should encourage companies to look at their customers and joint venture partners, and determine if there are any links to North Korea and its weapons programme which could attract regulatory attention.

Pride: Prompting enforcement is not really the issue. Any sanctions activities that the regulatory agencies find will be pursued in the current political environment. The example of ZTE highlights the fact that you can have the most robust programme in place, but your supplier could be in violation and put your entire supply chain at risk. While the ZTE case was being played out, almost all the companies that ZTE supplied were working on contingency plans to source materials from third parties should ZTE be placed on the Entity List. Companies should not just worry about being caught. The reality is that potential sanctions violations could sideline an IPO or sale of the company. Sanctions are not just limited to compliance anymore; they should be incorporated in a company’s corporate strategy.

FW: What, in your opinion, are the key requirements of a robust sanctions compliance programme? What steps should companies take to ensure they are not dealing with prohibited countries, companies or individuals?

Perrotti: A robust sanctions compliance programme is about managing risk effectively. Therefore, the basis of any programme should be an in-depth and dynamic risk assessment process. Designing, implementing and updating the controls to manage the risks should be guided by the seven principles in the Federal Sentencing Guidelines. First, documented standards and procedures are in place to prevent and detect prohibited behaviour. Second, the most senior level of management is knowledgeable about and exercise oversight over the compliance programme and demonstrates a commitment to compliance. Third, the individuals responsible for implementing the compliance programme are capable, and have adequate authority and resources. Fourth, appropriate communication and training relating to the programme is provided. Fifth, steps are taken to ensure the compliance programme is monitored and audited, its effectiveness is periodically evaluated and there is an appropriate system for reporting violations. Sixth, the programme has appropriate incentives for compliance, measures to address noncompliance, and is promoted and enforced consistently across the organisation. Finally, reasonable steps are taken in response to violations, including changes to the programme to prevent future violations.

Matthews: The shape and complexity, or otherwise, of a sanctions compliance policy will vary according to the countries and sectors a company operates in, the nature of its business and its risk appetite. But in general terms, companies need to be clear which countries’ sanctions laws they are aiming to comply with, as a matter of law and policy, and crucially whether they wish to or must comply with US sanctions. As regards targeted sanctions, companies need to be clear whose names need to be screened against relevant lists and identify who internally is responsible for doing the screening. They need to establish proportionate processes for identifying the ownership and control of counterparties or clients who are not themselves designated. Where there is a match, there needs to be clarity as to what will be done – who will make the judgment as to whether the match prohibits the transaction? When should external legal advice be sought? A traffic-light system can work well. For sectoral sanctions, it should be easier to set clear red lines, but that will not always be the case.

Barnhill: The most effective sanctions compliance programmes are designed to address key areas of risk. At a minimum, a robust programme will set out the expectations of the company regarding sanctions compliance, provide a framework for the processes that the company will follow with respect to reviewing transactions for sanctions considerations, and include provisions related to conducting audits and addressing suspected compliance issues. A first step to prevent unauthorised dealings with prohibited countries, companies or individuals is having in place mechanisms to flag transactions that involve destinations subject to US sanctions and to screen customers, vendors and other business partners against the US government lists of restricted parties. Companies should also ensure that they are conducting adequate due diligence on the ownership of their business partners to ensure that they are capturing any flow down blocking requirements that would apply to an entity owned 50 percent or more, directly or indirectly, by one or more blocked persons.

Bittner: Companies must devote adequate resources to sanctions compliance, either by hiring high-quality in-house professionals or engaging outside support. Sanctions compliance is complicated and full of pitfalls, and penalties can reach hundreds of millions of dollars. Trying to manage the complex web of international sanctions laws with people who handle sanctions compliance as one of many different jobs can result in costly errors, loss of reputation and even criminal penalties.

Pride: The ZTE case highlights the fact that commercial, non-military products can create the same, if not more, financial risk to a company depending on the violation. As a result, all companies should implement sanctions compliance programmes that include country and party screening at the initiation of a relationship, negotiation of a deal and delivery of the products or services. It should also include end-user and end-use screening for all parties to the transaction. And lastly, it should include a detailed training programme to ensure awareness and heighten red-flag identification and scrutiny.

Lee: A robust sanctions compliance programme should include a strong tone from the top and ‘buy in’ from senior management. There should also be individuals who take the lead on compliance issues across different business units, for example an employee within the marketing department should know the law well enough to ‘issue-spot’ potential sanctions violations and flag these for the legal department. In addition, a company needs to implement effective screening software and procedures, including automated screening where possible and periodic screening on the back-end because the sanctions regime is changing constantly. Finally, the compliance department should be backed up by the internal audit department.

It is important to do careful due diligence on customers and clients to ensure that shipments of sensitive goods are declared to them and establishing a right to inspect clients’ records periodically.
— Roger Matthews

FW: What strategies should companies deploy to ensure they do not engage in supplying, shipping or insuring prohibited goods, such as sensitive military or quasi-military goods?

Matthews: For businesses directly involved in international trade, the simple message is to know where the goods they are shipping originated, what the goods are and how they are classified, where and for whom they are ultimately destined, and their intended use. For businesses that are a step removed from the underlying trade, such as insurers, the best strategy is often a mix of contractual protections, such as warranties that another entity will make certain checks as to the goods and their end destination, and internal processes, including setting some red-line situations in which insurance will not be provided. It is important to do careful due diligence on customers and clients to ensure that shipments of sensitive goods are declared to them and establishing a right to inspect clients’ records periodically. It is not necessary for every party to check everything, but reliance on others may not offer full protection. Ultimately, the right strategy will vary from one business to another, so there is a danger in generalising, especially internationally.

Barnhill: It is critically important to understand the export control classification of any goods you are supplying, shipping or insuring in advance. In cases where you are not the manufacturer of the goods, this requires some additional effort, and while obtaining a certification from another party regarding the goods and their classification is useful, it may not be enough. Companies should conduct their own diligence with respect to the information that is provided to ensure that it comports with their understanding of the transaction, particularly if there are any red flags. In certain circumstances, this may mean that companies need to request additional information or conduct their own review to determine the classification of the items being shipped, supplied or insured.

Bittner: In addition to hiring or retaining trade compliance professionals, companies should establish robust information technology systems to help classify their products and technologies on the relevant export control lists and to screen against restricted party lists.

Pride: Since sanctions controls touch on sales, services and products, companies must develop a robust export controls programme in all departments. This includes procurement, sales, operations, manufacturing, human resources, engineering and quality. And companies must expand their compliance activities to include digital currency, especially where Russia and Venezuela are concerned.

Lee: It is important that companies understand what type of diligence has been done by their counterparties before relying on representations provided by those counterparties. In addition, the company must not only be familiar with OFAC sanctions, but also should have an understanding of the International Traffic in Arms Regulations (ITAR) and export classification system generally. A company should know the export classifications for its goods and should screen its goods against the Commerce Department list.

Perrotti: A strong export controls compliance programme can support and provide redundant and complementary controls to a sanctions compliance programme. The BIS at the US Department of Commerce, which is responsible for enforcing US export controls laws, strictly limits and in some cases prohibits exports of items to the countries on which OFAC has imposed comprehensive geographic sanctions. In some cases, BIS will issue a licence for an export to a prohibited country or region, but likely not without seeing a licence from OFAC. If controls are in place to flag intended exports to a customer in a sanctioned geography for export purposes, or to identify items that need an export licence from BIS to go to a country that is not subject to comprehensive geographic sanctions – more likely the case with military items – coordination between exports and sanctions compliance can effectively reduce risk of prohibited shipments.

FW: How important is it for companies to carry out sanctions-related due diligence in their global business dealings? Are more companies seeking suitable warranties from counterparties and other entities they engage with, to further reduce their exposure?

Barnhill: Sanctions-related due diligence is key to identifying and addressing sanctions risks in global business dealings. Such due diligence should extend beyond screening for restricted parties and embargoed countries to also assess risks under comprehensive, sectoral and secondary sanctions. As part of the due diligence process, it is becoming more common for companies to seek warranties from counterparties and business partners regarding compliance with relevant sanctions. Companies should ensure that, where relevant, such warranties address and distinguish between risks under comprehensive sanctions and sectoral sanctions. In addition, both US and non-US companies should be vigilant for risks under secondary sanctions, including the risk of becoming a target of secondary sanctions or having to cease dealings with an entity that becomes a secondary sanctions target.

Lee: Sanctions-related due diligence is extremely important, considering the fact that global companies need to comply with not only US sanctions but also EU and Canadian sanctions. And while receiving sanctions-related warranties from counterparties in transactions has been a standard practice for some time now, the importance of these warranties is growing as companies are becoming savvier in terms of the content and implications of these provisions.

Pride: We cannot understate the value of sanctions-related due diligence when making global business deals. The risk is enormous.

Perrotti: Contract provisions are a good tool to reduce the risk of sanctions violations, but they will not obviate a company’s responsibility to know its customers. Due diligence on customers is critical and one of the most challenging aspects of that process is determining the accurate ownership structure. In light of OFAC’s 50 percent rule, just knowing about the immediate customer is insufficient – best practice is to get through all ownership levels to the ultimate owner in the form of a person or persons. And since prohibited entities’ ownership interests must be aggregated for purposes of the rule, this additional layer of analysis is often required. Knowing one’s customers, and of course where they are located, is absolutely critical.

Bittner: Sanctions-related due diligence is essential for global companies as penalties for non-compliance can run in the hundreds of millions of dollars, as well as lead to criminal investigations. Companies should continue to seek reps and warranties whenever possible to minimise sanctions compliance risk. A recent trend I have seen in M&A transactions is an unwillingness or reluctance by the selling companies to provide trade compliance-related representations and warranties. Although trade compliance indemnification language has been a common practice in the past, some portfolio-company sellers have tried to push, sometimes successfully, for buyers to obtain insurance against the risk of trade compliance rather than the selling company assuming the risk through indemnification.

Matthews: Thorough due diligence is essential to sanctions compliance. It is often assumed that a company only needs to conduct due diligence on persons associated with countries that are subject to sanctions, but that is incorrect. Of course, the sanctions compliance risk is heightened when a connection with such countries is known, but SDNs own businesses in other countries too. That said, it is legitimate to place some limits on this – the due diligence can and should be proportionate, both to the value of the activity and other risk indicators. At the same time, warranties and other contractual protections should form a central part of any business’ sanctions compliance approach. These are not a substitute for good due diligence, but rather a complement to it, especially when taking a proportionate approach to direct due diligence, which is acceptable under EU sanctions but more difficult for US companies.

As part of the due diligence process, it is becoming more common for companies to seek warranties from counterparties and business partners regarding compliance with relevant sanctions.
— Megan Barnhill

FW: Are any industries or sectors at greater risk of breaching sanctions than others? What is your advice to companies operating in these higher-risk areas?

Perrotti: Iran continues its efforts to expand its economic footprint following the removal of many sanctions, including some US secondary sanctions, after the Joint Comprehensive Plan of Action (JCPOA) was implemented in January 2016. Companies that are involved in the oil and infrastructure-type industries, in addition to financial services of course, are likely to have an elevated risk profile should they become involved in activities that relate to Iran. This risk can be mitigated by ensuring a solid understanding of the Iranian sanctions, which are notoriously complex and difficult to interpret, and extensive due diligence on the substance of, and parties to, any business dealings in these industries.

Pride: We have seen sanctions violations in almost every industry, from healthcare to aerospace and defence. We have also seen sanctions violations in non-profit and for-profit companies.

Matthews: Some sectors and industries are more frequently exposed to sanctions issues than others. Banks, and energy and military defence equipment companies have been a key enforcement and regulatory focus of sanctions authorities in recent years, and generally are alert to the need to monitor carefully their sanctions compliance processes. But there are other sectors for whom sanctions should be a particular focus. The wider financial services industry, such as asset managers and insurers, and more generally those involved in international trade – by which I include not only exporters and service providers but also those providing support services such as shipping and transport. All companies in these sectors should have, and should apply, robust sanctions compliance procedures, and should ensure suitable contractual provisions regarding sanctions.

Lee: Companies in military and defence-related sectors are certainly at greater risk of breaching sanctions, as are telecommunication companies. Additionally, financial services are still key and financial institutions should be particularly vigilant in complying with sanctions regulations, despite the downturn in enforcement actions brought against financial institutions over the past year. Companies should treat sanctions compliance and due diligence as part of the standard cost of doing business in these higher-risk industries and ensure that the resources required to comply with sanctions regulations are in place.

Barnhill: Any company operating in today’s global economy faces risks under US sanctions, but companies in the financial services, shipping, and oil and gas industries have historically had a higher risk profile. Companies in the wholesale and retail trade and the healthcare industries also face risks under US sanctions. It is important that companies in high-risk areas understand where they face compliance risks and put into place standardised processes that address those specific risks. They should also keep records of these processes, including screening results or other analysis regarding particular activities or transactions. In addition, they should conduct regular audits to ensure that processes are being followed and that any potential compliance issues are timely identified and corrective actions put in place.

FW: In your opinion, do companies need to improve their ongoing compliance processes? Should they be more proactive in reviewing and updating their internal controls in line with regulatory changes, new business strategies and shifting market conditions, for example?

Pride: Companies need to improve their compliance programmes, specifically global programmes which still have a long way to go. More companies should align their compliance operations with their business risk rather than just focus on a US-based compliance programme.

Matthews: Generally, international banks, energy and defence companies are familiar with the requirements and dedicate resources to compliance. It is perhaps the next tier – the rest of the financial services industry, and others involved in international trade – where the robustness of controls is less consistent. I would certainly advise companies in these categories to ensure that they have up-to-date policies and procedures which reflect the nature of their business and the risks to which they are exposed, and changes to EU and US sanctions approaches. Businesses that operate in the UK need to be aware that it will have a new sanctions framework with effect from 30 March 2019, separate from that of the EU as a result of Brexit, which will likely require all such businesses to make adjustments to their sanctions compliance processes. The legislation establishing this legal framework is currently working its way through Parliament.

Lee: Companies absolutely need to be more proactive because the sanctions compliance regime is frequently and constantly changing. Best practice is for compliance policies to be reviewed annually, at least, and for the review of compliance policies to be integrated, so that lead compliance personnel across various business functions are involved in the review. And, of course, compliance personnel must be familiar with the OFAC website and the Commerce Department website, so that they are kept abreast of changes made to sanctions programmes and any additions to the SDN List.

Barnhill: Any truly effective compliance programme will require periodic updates to address changes. It can be particularly challenging with the number of changes to US sanctions to ensure that compliance processes are kept up-to-date, such as ensuring that they reflect the recent changes to the tenor of prohibited debt under Directives 1 and 2 and the expansion of the projects covered by Directive 4 of the US sectoral sanctions against Russia. What can be easy to overlook is the need to update compliance processes to reflect changes to business activities, whether that be the result of an expansion into new markets, the establishment of new entities or the acquisition of another company. It is just as important to ensure that compliance processes are updated to reflect those changes in addition to changes to the underlying regulations. Companies should also ensure that they are auditing their compliance processes and implementing changes to address any identified gaps or areas for further improvement.

Perrotti: Compliance programmes need to be in a constant state of evaluation and ongoing improvement. In addition to keeping current on regulatory developments, one of the best ways to accomplish this is by leveraging internal metrics that identify where business risks are increasing. For example, where are you onboarding high-risk customers? Are certain countries or regions increasing their customer risk profile? Are your product teams launching products with a higher than usual risk profile, and, of course, where are the products being launched? The answers to these questions can guide not just your annual risk assessment, but one-off assessments and the design and upgrade of specific controls. This type of risk information is critical to identifying where to focus limited resources to control for the higher levels of risk.

Companies need to improve their compliance programmes, specifically global programmes which still have a long way to go.
— Beth Pride

FW: What are your predictions for the sanctions landscape throughout 2018? Do you anticipate increased government enforcement, and greater risks for multinational companies?

Bittner: Many companies are hopeful that the Trump administration further clarifies its policy toward Iran in 2018. In October 2017, president Trump decertified the Iran deal, triggering an expedited 60-day process for Congress to impose new sanctions legislation. However, this timeline passed without any new laws. President Trump had the opportunity to certify Iran’s compliance with the JCPOA on 11 January, and he must renew the waivers on US secondary sanctions against Iran. If he fails to certify and renew, it could signal the end of the JCPOA for the US. If president Trump decertifies the deal but renews the waivers, it will create an unclear environment for US business and make it difficult for US sanctions officials at the US State and Treasury Departments to issue guidance to industry.

Perrotti: With so many companies able to more easily reach customers outside their own geography, such as through online sales channels, the challenges of sanctions compliance will increase for companies that are thus ‘multinational’ but not necessarily of the size or scale to build comprehensive compliance programmes. OFAC is of course constrained by its own resource limitations as well, but it will be interesting to see how OFAC allocates its enforcement attention on these smaller entities. In 2017, OFAC issued a finding of violation, but no penalty, under the ITSR against a very small company based in Massachusetts – Dominica Maritime Registry, Inc. – for signing one binding Memorandum of Understanding, not a binding contract, with a blocked Iranian tanker company. So even this type of small company can be on OFAC’s radar. The larger companies, however, likely remain front and centre for potential OFAC enforcement actions. As these companies become greater in number and in size, their sanctions risk inherently increases with increased volumes. And as the bigger, more well-known companies continue to expand their global footprint, the number of customers and volume of activity they have with non-US partners will inevitably increase as well, along with their risk. Unless there is a corresponding increase in the coverage of the firm’s sanctions compliance programme, there will be more possibility of sanctions violations.

Barnhill: Companies will continue to have to address the complex nature of US sanctions in 2018. Whether enforcement in 2018 will be as vigorous as in 2017 remains to be seen, but it appears likely that regulators will continue to strongly enforce the sanctions, including against non-US companies. We have already seen designations in 2018 of persons and entities under the counter-terrorism, non-proliferation, Iranian and Venezuelan sanctions programmes. In addition, reporting required under the Countering America’s Adversaries Through Sanctions Act may lead to further changes to US sanctions. Companies, and particularly multinational companies, will need to ensure that they stay up-to-date with the latest developments and be ready to implement changes to compliance programmes to address new sanctions risks.

Lee: As the US continues to try to avoid war with North Korea, it is likely that it will exert more pressure on Russia and China through sanctions. China will be likely be a particular focus as it is effectively the only country that still has any leverage over North Korea. In addition, there will likely be more sanctions imposed against Venezuelan officials and entities, and potentially even sanctions established against Pakistan.

Matthews: In the EU, I expect to see increased sanctions enforcement activity in 2018, but it will not be evenly spread across all Member States. In the case of the UK, we will likely see the first monetary penalties by OFSI. This significantly increases the risk for multinationals operating in the UK, since the evidential threshold is the civil rather than criminal, and the fines can be issued by OFSI directly, as OFAC does in the US, rather than by a court. Other indications from OFSI, including its own guidance, also point to a likely assertive approach – for example as regards the use of pounds sterling and the position of non-UK subsidiaries of UK companies, and an increased emphasis on the reporting obligation. Sanctions enforcement is certainly high up the UK government’s agenda and features prominently in the mandate for the newly-established position of minister for economic crime. For multinationals, this should serve as a timely reminder to review their sanctions compliance policies and their implementation, and to address any known breaches before OFSI comes to them.

Pride: There will be increased government enforcement. The risks will be even greater for multinational companies as countries continue to operate in a protectionist manner and we see retaliation for increased sanctions. The only way to counter these activities is through performing regular risk assessments and compliance reviews and providing sanctions training.


As the president of BPE Global, Beth Pride brings 25-plus years of operational expertise in global trade and international logistics to assist BPE Global clients to develop their global trade strategy and implement a strong global trade posture. She offers subject matter expertise in brokerage, import operations, export operations and the development and maintenance of global supply chain security programmes. A global trade evangelist, Ms Pride is the author of numerous benchmark reports, white papers and articles. She can be contacted on +1 (415) 845 8967 or by email

Megan Barnhill counsels foreign and domestic clients on regulatory matters related to international business transactions, including US export controls, trade sanctions, anti-boycott and registration and reporting under the Foreign Agents Registration Act (FARA). Ms Barnhill has experience conducting due diligence reviews and compliance audits, developing compliance programmes, preparing registrations, commodity jurisdiction and classification requests, notifications and assisting in day-to-day compliance on matters involving US export controls and economic sanctions. She can be contacted on +1 (202) 508 6302 or by email

Roger Matthews is a senior lawyer in Dechert’s international trade and EU law practice, based in London. He advises on international trade regulation, with a focus on international financial sanctions and trade restrictions. He also specialises in EU law and practice, including trade and financial services regulation, and Brexit planning. Prior to joining Dechert, he served as a sanctions specialist at the European Commission and as a legal adviser on sanctions to HM Treasury. He can be contacted on +44 (0)20 7184 7418 or by email

Judith Alison Lee is co-chair of Gibson Dunn & Crutcher LLP’s International Trade Regulation and Compliance Practice Group and a partner in the firm’s Washington, DC office. She is also a former co-chair of the IBA’s Export Controls, Sanctions and Anti-Corruption Subcommittee. Her expertise includes the USA Patriot Act, the Foreign Corrupt Practices Act (FCPA), economic sanctions and embargoes, export controls and the Committee on Foreign Investment in the United States (CFIUS). She can be contacted on +1 (202) 887 3591 or by email

Brenda Perrotti is the vice president, legal compliance global sanctions and export controls compliance at Mastercard, where she is responsible for managing the implementation of the sanctions and export controls compliance programmes. Ms Perrotti also leads the development of communications and training initiatives, and partners with the product, technology and other teams to evaluate sanctions and export risks and design appropriate controls. She can be contacted on : +1 (914) 249 3745 or by email

Bryce Bittner is the director of global trade compliance at Textron Inc. where he is responsible for compliance with export control, sanctions, anti-boycott and customs laws across Textron’s family of companies, including Bell Helicopter, Beechcraft, Cessna, Kautex, Jacobsen, Textron Airborne Solutions, Textron Aviation Defense, Textron Financial, Textron Specialized Vehicles, Textron Systems, Textron Tools & Test and TRU Simulation & Training. Mr Bittner is a member of the US State Department’s Defense Trade Advisory Group (DTAG) and the US Commerce Department’s TransTAC. He can be contacted on +1 (202) 637 3815 or by email

© Financier Worldwide



Beth Pride

BPE Global


Megan Barnhill

Bryan Cave LLP


Roger Matthews

Dechert LLP


Judith Alison Lee

Gibson, Dunn & Crutcher LLP


Brenda Perrotti



Bryce Bittner

Textron Inc.

©2001-2019 Financier Worldwide Ltd. All rights reserved.