Sanctions compliance and enforcement
March 2023 | ROUNDTABLE | GLOBAL TRADE
Financier Worldwide Magazine
March 2023 Issue
Companies today face an increasingly challenging sanctions compliance and enforcement landscape – a landscape awash with challenges that have grown considerably more complex since Russia’s invasion of Ukraine 12 months ago. The primary challenge, particularly for multinationals, is navigating the patchwork of numerous different sanctions regimes around the world that can be poorly drafted and subject to constant change. Now more than ever, companies must be vigilant to ensure they comply with all applicable sanctions regimes.
FW: Could you outline some of the major sanctions compliance and enforcement issues companies are facing in the current market? How aggressively are regulators punishing companies which violate the rules?
Hood: Developing practical and effective compliance programmes requires some certainty as to the law and what is expected of companies. The primary challenge is navigating the patchwork of numerous different sanctions regimes around the world that can be poorly drafted and subject to constant change. For example, the UK adopted 17 different measures that enhanced or modified its Russian sanctions in 2022, together with over 40 general licences, while the European Union (EU) is negotiating its 10th package of Russian sanctions. However, guidance is developed at pace and regularly changed and is not always consistent between authorities in the same countries. While regulators ultimately want to support companies trying to comply, they are increasingly looking at how to enforce sanctions measures more effectively. The US remains at the vanguard of punishing non-compliance, but others around the world – including the UK, Canada and some EU member states – are arming themselves to be more proactive in penalising those who intentionally or inadvertently break the rules.
Deaconu: Over the past 12 months, the life of a sanctions professional has been defined by two words: unprecedented and complex. Directly or indirectly, any company that operated in a multinational environment has been affected either by rules emanating from China or Russia. Additionally, regulators have shown that economic interest can be overcome by a common cause when there is enough willpower and when all players are affected, from legal services and business advisers to the most sophisticated technology driven industries, to IT infrastructure and healthcare and pharma. In 2022, in the context of Russia and China, regulators demonstrated that they are capable of innovation when deploying sanctions and export controls tools. In 2021, we started to see a broader convergence of sanctions and export controls as well as other areas of compliance. 2022 was a game-changer. The nationalistic trend seen in 2021 was disrupted by a fully coordinated, fully aligned approach on implementing sweeping, complex restrictions. The speed with which regulators have aligned with one another and published sweeping regulations will also be seen in the upcoming enforcement environment. I believe that regulators will look favourably on those companies trying but sometimes failing to remain in compliance, while those that have not shown any effort to comply and instead adopted a more opportunistic approach will be punished more severely.
Fisch: Companies face an increasingly challenging sanctions compliance and enforcement landscape. Sanctions compliance challenges facing companies, particularly multinational companies, have grown considerably and become more complex since Russia’s invasion of Ukraine, with expanding and often overlapping sanctions regimes in the US, the UK, the EU and other jurisdictions. More than ever, companies must be vigilant to ensure that they are complying with all applicable sanctions regimes. Against this backdrop, regulators remain committed to an aggressive enforcement posture. The US Department of Justice (DOJ), for example, launched a substantial interagency law enforcement task force dedicated to enforcing sanctions and export restrictions, that the US imposed in response to Russia’s invasion of Ukraine. At the same time, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has continued to bring civil enforcement actions against US and non-US companies across industries and sanctions programmes. As sanctions regimes outside the US continue to grow and mature, we expect to see additional non-US enforcement activity as well.
Munro: 2022 presented new challenges and complexities in sanctions compliance as a result of Russia’s invasion of Ukraine. It was not only the pace of the actions taken against Russia, but also the complexity of new approaches, such as deposit caps in the EU and price caps on the purchase of Russian oil, and nuances of navigating across multiple legal regimes each with their own unique aspects on timing, implementation, enforcement, guidance and licensing. Despite close coordination at the policy level, specific prohibitions and regulatory requirements and obligations in implementation varied considerably across jurisdictions. For example, the so-called wind-down or personal remittance general licences are essential to implementing sanctions while minimising collateral, unwanted harm by allowing parties to exit pre-sanctions relationships and to address the potential humanitarian concerns by allowing funds to reach individuals who bear no responsibilities for the malign acts prompting the sanctions. However, where there is inconsistency in the various jurisdictions’ implementation of these programmes, such as what qualifies for the exemption, what specific criteria is required, or how terms are defined, they become operationally difficult to implement and apply in a correct, compliant manner, and where compliance requirements are uncertain, this undermines the purpose and intent of such licences. Financial institutions cannot take risks with compliance.
Wolber: I would characterise sanctions compliance issues facing companies today with one word: complexity. Gone are the relatively simplistic days when the vast majority of tangible sanctions risks centred around largely binary decisions involving a handful of US comprehensively sanctioned countries with minor or modest economic footprints, or blocked persons such as those on OFAC’s specially designated nationals (SDN) List. The sanctions landscape today looks dramatically different, with the increased use of sectoral and other specialised, limited sanctions programmes, the targeting of significantly larger world economies and corporates with far reaching global implications, such as Russia and China, increasing use of ‘anti-sanctions’ and blocking statute counter responses, the sheer number of sanctions targets and the proliferation of sanctions, and increasing enforcement, by other jurisdictions which may or may not be aligned. All of this has created a vastly more complex patchwork of varying obligations and real world conflicts of risks, if not actual conflicts of law in limited circumstances. While recent enforcement actions appear to remain focused on the more traditional sanctions prohibitions – there have been only two OFAC enforcement actions to date based on violations of US Russian sectoral sanctions – there is a often a lag in enforcement, and companies nonetheless need to manage the complexity of risks today.
“Risk assessments are frequently overlooked but are central to an effective sanctions compliance programme and should, at a minimum, cover risks related to customers, products and services, and geographies.”
FW: Could you highlight any recent, notable examples of sanctions breaches and related penalties, that should serve as a warning to others?
Wolber: A broad survey of US enforcement actions over recent years shows that the classics of ‘what not to do’ still seem to represent the lion’s share of actions – wilful misconduct by employees or management, obfuscation, misrepresentation of data or use of intermediaries which caused third party US persons or financial institutions to fail to identify sanctioned party or country connections, or significant compliance programme inadequacies, usually despite internal warnings and red flags without appropriate remediation. A few interesting trends to note, however, are an increasing number of crypto-related enforcement actions and designations involving crypto exchanges, currency mixers, individual blockchain addresses and other participants in the sector, a focus on penalising companies for failures to implement geolocation technology controls, such as IP address tracking, and a small number of actions, albeit with unique facts, where OFAC has deemed that two separate sets of transactions – only one of which involved a US nexus and only one of which involved a sanctioned party nexus – should be viewed together to create an overall sanctions violation. There have also been quite a number of recent sanctions designations against companies and individuals deemed to be complicit in efforts designed to help sanctioned persons evade sanctions restrictions, particularly in the Russian and Iran spheres.
Fisch: Companies operating in the virtual currency space continue to be a focus of OFAC enforcement actions. Notably, in October 2022, OFAC and the Financial Crimes Enforcement Network (FinCEN) announced parallel enforcement actions against Bittrex, Inc., which was the first of its kind for FinCEN and OFAC in this space and – with a settlement of over $24m – was the largest virtual currency enforcement action by OFAC to date. According to OFAC’s enforcement release, Bittrex failed to prevent persons located in sanctioned jurisdictions from accessing Bittrex’s platform, including when Bittrex had reason to know that users were located in sanctioned jurisdictions because it possessed users’ IP and physical addresses. OFAC also identified a number of deficiencies in Bittrex’s sanctions compliance programme. OFAC’s Bittrex action highlights that companies in the virtual currency space will be expected to implement effective sanctions compliance programmes and that OFAC is closely monitoring this sector.
Munro: In 2022, OFAC issued at least four civil enforcement actions that addressed failures by a company to understand the complexities of operating an internet-based business in a sanctions-compliant manner. In each of these cases, OFAC seems to point to the necessity of assessing the unique risks of operating digital businesses and implementing controls to address the unique sanctions risk presented by these technologies. This is not a new development, as OFAC has taken similar actions in prior years, but the focus on this remains clear with over $25m of the $38m penalties assessed by OFAC in 2022 related to this issue. These enforcement actions highlight the importance of using information readily available within internet-based business operations, such as IP addresses and geolocation data, for sanctions compliance controls.
Hood: In the dying days of 2022 the US announced a penalty of approximately £4m against Danfoss for breaches of US Iran, Syria and Sudan sanctions. The breaches were seen as non-egregious and there was no suggestion that Danfoss – or its UAE subsidiary – knew it was breaching US sanctions or attempted to circumvent them. The company was saved from the maximum, approximately £65m, penalty because Danfoss ceased all trade in those countries and adopted enhanced sanctions compliance once the failings were uncovered. While the size of the company – employing around 42,000 people – made the task of compliance harder, it also raised the expectation of US authorities about the sophistication and effectiveness of Danfoss’ global compliance regime. It is a salutary lesson that simply having a compliance regime is not enough: it must be fit for purpose and adhered to. The UK imposed a total of two financial sanctions penalties in 2022, together worth £45,000, although more is likely to be in the pipeline given the scale of the sanctions on Russia.
“The unprecedented pace in which various authorities around the world have adopted new sanctions and the complexity of those sanctions make sanctions compliance both more important and more difficult than ever before.”
FW: What do you consider to be the key elements of an effective sanctions compliance programme?
Fisch: OFAC recognises that effective sanctions programmes vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations. In guidance, OFAC has emphasised that a sanctions programme should incorporate management commitments, risk assessments, internal controls, testing and auditing, and training. Risk assessments are frequently overlooked but are central to an effective sanctions compliance programme and should, at a minimum, cover risks related to customers, products and services, and geographies. A risk assessment should also examine the strength of applicable controls, including policies and procedures, screening, transaction analysis, compliance training and exclusion clauses. Similarly, a company’s internal controls should be developed to mitigate its particular risk of sanctions violation. Where mitigation is not possible, a company should consider other ways to lower its exposure to sanctions risks.
Munro: One key essential, and unique, aspect in sanctions compliance is the ability to adapt to and implement new, and often complex, prohibitions almost immediately. Sanctions have never been more complex than they are right now. The unprecedented pace in which various authorities around the world have adopted new sanctions and the complexity of those sanctions make sanctions compliance both more important and more difficult than ever before. The sanctions compliance programme must be designed to identify, assess and implement change straight away, correctly and comprehensively across all products and services, and remain nimble enough to repeat this process over and over in short time spans as new developments and responses follow close behind. This is a unique aspect of sanctions compliance that must be built into the programme by design.
Deaconu: Regulators in various countries have published comprehensive overviews on what they consider to be important key elements of an effective programme. We believe that while all companies and institutions, depending on the industry, size and footprint, may be able to tailor these elements to make them work for them, there is one element that remains critical but is often underestimated: people and culture. In 2022, those export control and sanctions professionals who were able to survive the rapidly developing sanctions outlook began to be recognised as a trusted business partner, able to combine external and internal factors and still operate in a crisis. Trust and business knowledge brought together makes a powerful combination. A programme centred around people as professionals makes a programme successful. Today more than ever, the question of “can we do the deal?”, can only be answered when compliance professionals have a broad skill set, detailed knowledge of the business deal, the organisational footprint and infrastructure, and the trust of the company’s leadership team. Strong compliance professionals are also strong business professionals who have developed the unique skill of being able to translate the complex regulatory environment and apply it to any deal, while having the full support and understanding of the business leaders. Being seen as an enabler and a partner allows the compliance professional to weave herself into the DNA of the organisation. With the evolution of the role of the export controls and sanctions professional, there has also been an evolution within company compliance programmes whereby export controls and sanctions-related due diligence is not the exception or an ad-hoc activity, but an integral part of the organisation and its people.
Hood: There are four key elements of an effective sanctions compliance programme. First, top-down support. This is expected by the authorities and sets the tone for compliance throughout the organisation. Second, and crucially, a pragmatic and risk-based compliance policy. This must be tailored to the risks faced by a company and be workable; throwing the kitchen sink at a compliance programme will make it unwieldy and encourage staff to sidestep rather than adhere to the policy. Third, tailored training. Staff need to understand what is expected of them and how to comply in the context of their day to day work. Finally, a good compliance team with support from specialist external counsel who understand their business. They can help tailor any compliance policy to the needs of the business, help gather lessons learned to constantly improve, and be a safe pair of hands with pragmatic solutions if and when red flags are raised.
Wolber: Although there is no ‘one size fits all’ standard, a best practice compliance programme would include the following elements: a demonstrated commitment to compliance from the top of the organisation, an up to date risk assessment of the company’s sanctions exposure, effective internal controls to manage that exposure, a testing and auditing function to ensure the controls are working properly, and periodic training to enable proper identification of risk and competent management of compliance controls. An effective programme will want to be structured such that responsibility for sanctions compliance is sufficiently diffuse throughout the entire organisation to enable various personnel to identify and address sanctions risks as appropriate for their function and line of sight – management, the business, compliance, legal, IT, procurement and other functions can each play a role, working together to manage sanctions risk at the enterprise level.
“Technology is a compliance professional’s best friend, but it can also pose risks, creating a false sense of safety when used for the wrong reasons, such as cutting cost versus effective control points.”
FW: What strategies can companies deploy to ensure they are not dealing with prohibited entities or supplying restricted goods?
Wolber: In today’s quick-moving environment, an effective programme should have controls in place to ensure those key personnel tasked with managing compliance and legal risks stay abreast of regulatory changes in each of the key jurisdictions in which the company conducts business, as close to real time as possible. Depending on the nature of each regulatory change, it may require simple screening list updates or it could prompt a limited refresh of the company’s risk profile to identify potential new sanctions exposure, such as an assessment of commercial and business relationships in a particular product line, industry or geography. Where new types of sanctions programmes are promulgated or new detailed guidance is issued by regulators, appropriate legal analysis should be conducted, and an internal determination made as to whether adjustments in or the creation of new control mechanisms are warranted. If so, ad-hoc training and the dissemination of internal guidance may be advisable where regulations have created new risks and obligations.
Hood: The starting point is to have a good compliance programme: clear support from the top of the organisation, a pragmatic and effective compliance policy, effective training and a first-rate compliance team who know the business. With a solid foundation, a company is better able to understand where the risks lie – whether it is in the goods and services that are provided, the type of clientele they are dealing with or the countries they are doing business in. If the risks are known then you can establish systems that manage those risks and help provide proper oversight across the organisation, without stifling business as usual.
Deaconu: Any transaction must be done in line with applicable regulations, and this includes export control and sanctions laws and regulations, even for local transactions. The best strategy is to have an ecosystem in place to address the realities of screening and classification. The company needs to feed information into its screening programme as related to the entity, its local activities and its ownership and control information from local sources. As for the supply of ‘restricted goods’, the classification system should be comprehensive enough to adapt to the requirements of the law. Most importantly, this is done in collaboration with technical experts who have the right understanding of the product, together with the right sanctions, exports controls dual-use and customs classification regulatory experts. Russian sanctions have brought in a complexity of definitions and detail not only in product classification but also in the classification and definition of services according to various other regulations that need to be understood by those trying to answer whether or not something is a ‘prohibited item’. Maybe the only strategy that is of any value in today’s complex world is to know what is needed by both the law and the appropriate regulator, and know where to find the expertise internally to help solve the puzzle relevant to your situation, and then use technology to support your transactional screening.
Munro: Sanctions compliance programmes increasingly intersect with other related efforts to combat money laundering and financial crime, for example money laundering for sanctions evasion in commercial real estate transactions, cited recently by FinCEN, and the increased use of transnational criminal networks to facilitate sanction circumventions. It has become increasingly important to implement sanctions compliance programmes as part of a coordinated, integrated approach to combatting broader financial crimes. The strategies for this focus on integrating data sets across parts of the organisation, drawing on cross-functional expertise, and accessing the extensive body of external information to provide better insights and understanding of how threats of sanctions evasion are evolving in the context of broader financial crimes – recognising that transnational criminal networks will use many of the same techniques to launder the proceeds of crime as they will to facilitate sanctions evasion.
Fisch: At a high level, a key consideration in mitigating the risk of dealing with prohibited entities or restricted goods is to have a clear understanding of who you are dealing with and what you are dealing in. What sounds rather simple, though, can prove to be more complex in practice. The most important tools a company can deploy are clear and effective policies and procedures that set out, step by step, the types of information the company needs to collect from its counterparties and how that information is subsequently reviewed. For example, companies will frequently collect information about the beneficial ownership of their counterparties, their address, the export and import classification of the relevant goods, technology or software, and information about the counterparties’ operations in sanctioned jurisdictions, if any. This information should be screened against government and commercial databases of sanctioned persons. Regulators increasingly expect companies to understand and review, and hold companies responsible for, the information available in their systems. It is crucial that employees understand how their role contributes to proper compliance and execute their duties in a timely fashion. For example, a sales representative may be responsible for collecting the necessary information before entering into any new contract, and another department – such as compliance or, where a company has not yet developed a mature compliance function, finance – evaluates the information and screens key data points against relevant databases. When an employee identifies red flags or potential issues, the employee needs to understand and follow correct reporting lines to escalate any concerns. To ensure everyone understands their duties and responsibilities, periodic training is often essential.
FW: To what extent are companies using technology to assist with sanctions compliance?
Hood: Technological assistance is becoming increasingly common as sanctions, including on the movement of goods, become ever-more complex and widespread. Companies are very familiar with software that can help with onboarding service providers, but they increasingly recognise that this software must be sophisticated enough to cope with global sanctions that apply different tests and are evolving faster than ever. Similarly, companies are adapting other familiar technology to better assist with the practical implementation of sanctions compliance. These can be used to provide built in checks and balances throughout a company’s operations meaning, for example, that goods cannot be exported to certain destinations or contracts cannot be executed until key compliance requirements are completed. However, whenever deploying technology, we always work with clients to ensure it helps their operations and does not create new risks or simply throw up another hurdle to doing business.
Deaconu: Technology is a compliance professional’s best friend, but it can also pose risks, creating a false sense of safety when used for the wrong reasons, such as cutting cost versus effective control points. Technology is at its best when employed for the right reasons, such as supporting appropriate control points of the compliance programme. Having a technology ecosystem in your internal control programme that is scalable and flexible, augmented with people and professionals who understand the regulatory challenges, is the only way technology serves its purpose of enabling compliance.
Munro: Sanctions compliance was once seen as primarily the task of screening names against government-issued watchlists of prohibited parties and imposing blunt embargoes against entire countries. As the types of sanctions and their prohibitions, and the ways to evade them, have become more complex, this is no longer the case. Consequently, the ability to detect sanctions risks and potential exposure must be similarly more sophisticated. Technology and tools that provide rapid processing of data, assist data quality and completeness, integrate information from various sources, provide tools for advanced analytics of large data sets to find the linkages and patterns, and offer machine learning to remove the large volume of non-risk and provide focus on actual risk, are all part of the compliance toolbox.
Fisch: Technology solutions are used increasingly to aid companies with sanctions compliance. At the same time, as technological solutions are developed industry-wide, regulators come to expect that such solutions are employed in the ordinary course. Examples include software-based and data-driven screening tools, including geolocation and IP address blocking, to identify persons subject to sanctions, such as persons on OFAC’s SDN List. Blockchain analytics solutions are increasingly being incorporated into company controls, such as customer due diligence, transaction monitoring and sanctions screening for companies exposed to virtual assets. These offerings include sophisticated analytics platforms that can use information from various blockchains, open source information and other data sources to help identify transactions and wallets that may be engaged in suspicious or potentially unlawful activity.
Wolber: Technology continues to play an ever-increasing and critical role in managing sanctions risk in a cost-effective manner, particularly as the pace of change and breadth of sanctions regulations and targets continues to increase exponentially. There are a multitude of vendors, tools and service offerings available that can be quite useful in helping companies run sanctions checks, consolidate, manage and feed changes to various global sanctions lists, identify complex ownership structures and tag related capital markets products, to name just a few functions. Limited, or sectoral, sanctions programmes may still present a bit of a challenge in terms of technical solutions, as often an assessment of whether a particular activity is prohibited under these programmes goes well beyond mere list-based identification, requiring detailed, transaction, project and customer specific inquiries and human-based risk assessments. That said, a very interesting trend to watch in the near- to mid-term will be the increasing use of more sophisticated artificial intelligence enabled systems, and the impact this will have on technology-based assessments of sanctions risk, from the mundane to the more complex inquiries.
“To a large degree, each company needs to be evaluated on its own merits and circumstances. Some are going to be more advanced and robust in their basic compliance controls than others.”
FW: In your opinion, do businesses need to do more to enhance their sanctions compliance framework? What advice would you offer on developing a strong, multinational sanctions programme for today’s complex regulatory landscape?
Deaconu: First, companies should stop looking at their compliance framework as a one-time activity and look at it as a living, breathing organism that must be maintained daily. Second, as a multinational company operating in multiple countries you cannot have a ‘one size fits all’ approach where the centre of the programme is the laws of one country. Look at your compliance programme as a DNA string made up of the laws and regulations of the countries you operate in. It is unique to you and your culture, your product portfolio and footprint as an organisation – and it needs people with appropriate knowledge to operate. Having the right balance of a corporate culture with professionals and compliance ambassadors who cascade and communicate the right message to the right place at the right time, so that the organisation can be in sync, is a dream come true for any organisation and any compliance professional. Organisations and leaders that embrace sanctions and export controls compliance as a matter of culture and competitive advantage and less as a cost and risk management exercise will be able to manage any issue that regulators introduce. Compliance is not only the job of one or a couple of people within an organisation; rather, it is a matter of doing business, where each business leader and each person in the organisation looks at sanctions and export control risk in all business deals they are involved in as a matter of common practice. We believe that today’s compliance programmes and any improvement processes must have two pillars: a compliance ecosystem and a people ecosystem. The people ecosystem consists of the way an organisation positions its export controls and sanctions professionals, its ambassadors and compliance know-how as part of the business’ ways of working, accepted as normal business practice.
Munro: It is increasingly important that multinational organisations create a global sanctions compliance framework that incorporates an enterprise-wide approach to sanctions compliance through its policies, operational processes, oversight and decision making that anticipates the intersections, impacts and potential conflicts inherent across the global sanctions landscape. Not only does a global approach assist multinational organisations with complex operational structures managing compliance risk in a coordinated framework, it also allows the organisation to engage clients more effectively who may themselves be impacted by these challenges.
Fisch: Regulators continue to expect companies to take a risk-based approach to sanctions compliance, and a key starting point for developing or enhancing a sanctions compliance programme is an assessment of the specific risks presented by a company’s business model and geographic footprint. The results of a company’s sanctions risk assessment should inform how a company develops its sanctions compliance programme, including internal controls that it adopts and the training that it offers to its personnel. Throughout the lifecycle of a sanctions compliance programme, a company should conduct periodic audits and testing to ensure that the company’s sanctions compliance programme is appropriately calibrated to the company’s risk profile and functioning effectively. Finally, sustained commitment by senior management to sanctions compliance is a critical component of a successful sanctions compliance programme. Senior management should ensure that the company’s sanctions compliance function has sufficient authority and independence to implement the company’s sanctions compliance programme and that it has adequate staffing and resources to meet the challenges raised by today’s complex sanctions landscape. There is not a ‘one size fits all’ approach for sanctions compliance; different companies will have different needs to ensure a strong, multinational sanctions compliance programme.
Wolber: To a large degree, each company needs to be evaluated on its own merits and circumstances. Some are going to be more advanced and robust in their basic compliance controls than others. That said, I would say that all or most companies are continuing to struggle with adapting to increasing complexities. Just as there is no ‘one size fits all’ compliance programme, there no longer is any ‘one size fits all’ sanctions programme. I see a large number of companies still engaged in robust internal debates about how to manage the compliance, legal, reputational and commercial risks associated with many of the more nuanced sanctions actions over the last three to four years. Deciding what is and is not legal business under these specialised sanctions programmes, and how to approach even the legal business in light of potential reputational and political risks, is no longer an easy decision for many global institutions. One effect I have seen is that these conversations need to be, and increasingly are, escalated into larger risk-based conversations held at the highest levels of an organisation with senior leadership and cross-functional representation and input.
Hood: There is often more that can be done, but the answer is usually ‘smarter compliance’ rather than ‘more compliance’. Any compliance programme must be pragmatic, risk-based and tailored to the needs of the company. A multijurisdictional programme needs to be as simple as possible. It should help identify the key risks for a company and establish a practical system that helps to manage those risks and allows employees to raise any red flags and direct any concerns to a trained compliance team. Given the differences between sanctions regimes, recusal policies ensure that certain ‘foreign’ nationals among their staff are not involved in certain activities to ensure the company is not inadvertently caught by sanctions regimes that would not otherwise apply.
“If the risks are known then you can establish systems that manage those risks and help provide proper oversight across the organisation, without stifling business as usual.”
FW: What are your expectations for sanctions regulation and enforcement over the coming months? Are there any particular trends you expect to unfold?
Munro: There has been a clear commitment by government officials to engage and communicate, but, like everyone in this space, they are overwhelmed, and many are reacting to developments, adopting sanctions regimes, and working through the challenges of implementing novel programmes with limited and stretched resources. This necessarily requires prioritisation and delay. Getting interpretations, guidance and resolution on difficult issues will be slow, and as the more novel programmes, like the price caps on Russian oil products, are fully implemented, more issues of first impression will surface. In the absence of clear guidance in an environment of ambiguity, most will adopt the most restrictive approach rather than risk making the wrong decision and inviting future enforcement action.
Fisch: We expect that in the near term Russia will continue to be the primary focus of sanctions. Even though it may seem that western jurisdictions have all but exhausted the tools in their sanctions toolkit, the recent price caps on Russian crude oil and petroleum products help illustrate that there are still additional and significant ways to further economically isolate Russia. Hand-in-hand with these recently imposed sanctions, we expect to see an uptick in sanctions enforcement. Determining the extent of enforcement at any one time is difficult, though, as it may take years to resolve an enforcement action and they are typically not made public, if at all, until after an enforcement action has run its course. We also expect that regulators will continue to focus on digital assets and other new technologies, both in terms of strengthening the regulatory framework and clarifying how existing rules apply in this space. This trend has been ongoing for a number of years, and with several high-profile regulatory enforcement actions and indictments over the past 12 months, we fully expect this trend to continue into next year.
Hood: While the war in Ukraine sadly continues to rage, I think we will continue to see Russia sanctions go broader and deeper across the globe. However, while the pace and scope of legislative change may tail off, I think attention will increasingly turn to enforcement. The US has always been at the forefront of global sanctions enforcement, but other regulators are starting to flex their muscles. The UK, for example, is taking a number of measures: the doubling of staff at the Office of Financial Sanctions Implementation (OFSI), a strict liability test that enables easier imposition of fines and a ‘name and shame’ alternative to prosecution that utilises the potential of reputational damage to companies identified as breaching sanctions while minimising the risk for government in taking action. The other main issue to watch is China. The US is extending its restrictions on certain Chinese companies and strategic technologies, and pressing others to take similar measures. This screw looks set to tighten further.
Wolber: While 2022 was marked by an intense focus and escalation of sanctions and export controls against Russia, the latter half of the year saw a bit of a return to a focus on China, particularly in the areas of export and technology controls and sabre rattling on cross-border investment issues. As opposed to sanctions which do still tend to carry more of a blunt force effect, even when tailored, the use of export controls seems to have become a preferred tool of US regulators to target specific Chinese sectors and companies from a technological capability standpoint, while trying to avoid direct financial decoupling. All indications are that this trend will continue throughout 2023, along with increasing scrutiny and implementation of further controls targeting US-China cross-border investment in sensitive advanced technology sectors.
Deaconu: In 2022, we saw a paradigm shift in collective national and economic security, foreign policy and human security. There are things that are in the sphere of control of sanctions professionals and there are things that are outside of that sphere of control. As a professional, one should focus on those elements that one can control, while monitoring and trying to influence those out of our direct control. Organisations that have their compliance programme tailored to their ecosystem, with leaders having compliance in their DNA, have less to fear as they operate in the spectre of an uncertain regulatory world. Organisations that look at sanctions and export controls compliance through a single rigid lens will find themselves in muddy waters when trying to comply with complex legal requirements reaching into issues such as human rights, anti-corruption, secondary sanctions, significant transactions, reputation, sustainability or investment risk. With all this, there is one element that we see developing and becoming part of the compliance equation: activism. There is a world where the law, and compliance with the law, is not good enough anymore, and a moral element is brought more aggressively to the forefront. The question of “is it legal to do the transaction?” shifts into the realm of “while it may be legal, it might not be the right thing to do”. Sanctions are supposed to be a political tool used as a last resort to deter war and loss of life. Today, the reality is that we have both at the same time, with no end in sight. There are no winners in such situations, and sanctions are our only hope for a better world.
Andrew Hood heads Fieldfisher’s London international trade team. He was previously a Foreign Office lawyer responsible for negotiating and drafting UN and EU sanctions. He now advises industry on the impact of UK/EU sanctions and export controls, including advising on the legality of specific transactions, drafting compliance policies, undertaking voluntary disclosures to regulators, supporting M&A due diligence, providing training and undertaking internal audits. He can be contacted on +44 (0)330 460 6968 or by email: andrew.hood@fieldfisher.com.
David Wolber counsel clients on navigating the complex legal, compliance, reputational, political and other risks arising out of the interplay of various international trade, national security and financial crime laws and regulations, with particular focus on US economic and trade sanctions, export controls and foreign direct investment/CFIUS laws and regulations. He resumed his practice at Gibson Dunn in 2022 after five years serving as in-house global financial crimes counsel to HSBC in Hong Kong and MUFG Bank in New York. He can be contacted on +852 2214 3764 or by email: dwolber@gibsondunn.com.
Adela Deaconu is an export controls and sanctions compliance professional with experience leading global operations, projects and teams in the semiconductors, consumer and healthcare industries. She has a track record in guiding and managing cross-functional professional teams in setting a strategic direction, risk management, design and implementation of sanctions compliance programmes in a matrix organisation. She also maintains government relations for an effective export control and sanctions licence programme. She can be contacted on +31 6 156 39802 or by email: adela.deaconu@philips.com.
Stevenson Munro joined Standard Chartered Bank in July 2015 as the global head of sanctions compliance, having held senior financial crime compliance leadership positions at other global financial institutions focusing on the strategy, programme design and implementation of anti-corruption, economic sanctions and anti-money laundering compliance programmes. Mr Munro previously served as deputy chief counsel for OFAC, providing legal counsel, and the US Treasury Department related to the development, implementation and enforcement of foreign policy-based economic sanctions programmes. He can be contacted on +1 (202) 255 5341 or by email: stevenson.munro@sc.com.
Eytan J. Fisch has extensive experience representing global financial institutions and multinational companies on complex cross-border compliance and enforcement matters, including internal investigations, voluntary disclosures, and administrative and enforcement proceedings. He frequently counsels US and international clients on numerous aspects of US economic sanctions and anti-money laundering laws, including day-to-day compliance counselling, the development and implementation of compliance programmes, and issues that arise in the context of M&A. He can be contacted on +1 (202) 371 7314 or by email: eytan.fisch@skadden.com.
© Financier Worldwide
THE PANELLISTS
Fieldfisher LLP
Gibson Dunn
Royal Philips
Standard Chartered Bank
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates