Sanctions compliance & enforcement
March 2020 | ROUNDTABLE | GLOBAL TRADE
Financier Worldwide Magazine
March 2020 Issue
Sanctions and other trade-related restrictions can frequently disrupt a company’s global operations. Recent activity, such as increasing US sanctions, particularly against Iran, as well as the broadening of Office of Foreign Assets Control (OFAC) jurisdiction, has caused sudden interruption to supply chains across diverse sectors of activity. With the pace of new sanctions and enforcement actions almost certainly remaining stable or increasing in 2020, companies should be prepared to quickly adapt to changing geopolitical environments, more complex legal requirements and additional compliance challenges.
FW: In broad terms, what do you consider to be the key developments and trends to have arisen in sanctions compliance and enforcement over the past 12 months or so?
Katsoulis: The last 12 to 18 months were very active in terms of sanctions developments and it is likely that this trend will continue in the coming months. A number of developments relate to countries like Russia, Venezuela and Cuba, where sanctions were already in place. However, the country that has been at the centre of most sanctions-related developments and enforcement activities is Iran – especially in light of the withdrawal of the US from the Joint Comprehensive Plan of Action (JCPOA), the continuously increasing level of US sanctions and the recent tensions between the two countries. On the enforcement side, the last 12 to 18 months were a very active period – especially on the Office of Foreign Assets Control (OFAC) side – both in terms of the number of cases and the level of penalties imposed on companies across diverse sectors of activity. This will certainly be an area to monitor closely in the months ahead.
Lee: In May 2019, OFAC published ‘A Framework for OFAC Compliance Commitments’, the agency’s first public statement delineating the key elements that OFAC will look for in a robust sanctions compliance programme. OFAC has often emphasised that private industry is at the forefront of the effort to comply with economic sanctions and that the efforts of businesses to establish effective compliance programmes are essential to furthering the policy goals that US sanctions are designed to serve. Importantly, this guidance also aims to provide greater transparency with respect to how OFAC will assess the adequacy of a company’s compliance programme when a sanctions violation occurs. Another important trend to note is the increased involvement of Congress in shaping sanctions policy and enforcement. The US Congress passed or is considering new legislation encouraging, or in some cases seeking to force, the administration to impose new sanctions. For example, the Fentanyl Sanctions Act and the Protecting Europe’s Energy Security Act, both included in the National Defense Authorization Act (NDAA) 2020, seek to require the administration to impose new sanctions targeting China and Russia. The Hong Kong Human Rights and Democracy Act of 2019, signed in November, authorises sanctions against individuals deemed responsible for human rights violations in Hong Kong. In addition, Congress is considering the Uighur Act, an attempt to hold Beijing accountable for alleged human rights abuses against the ethnic and religious minority populations in the Xinjiang region. Companies with European operations should also monitor developments with respect to the JCPOA. On 14 January 2020, France, Germany and the UK reacted to Iran’s announced intention to cease complying with aspects of the 2015 Iran nuclear deal by triggering the agreement’s dispute resolution mechanism. If the parties cannot resolve the disagreement within coming months, the European parties to the JCPOA may reimpose nuclear-related sanctions on Iran.
Randall: New sanctions and other trade-related restrictions can frequently have a disruptive impact on a company’s global operations. In recent years, the US government, including OFAC and the Bureau of Industry and Security (BIS), have shown a willingness to sanction bigger and more economically integrated entities, further magnifying the significance of these actions. In 2018 and 2019, the targets of US government action have included, among others, the government of Venezuela, including state-owned oil company Petróleos de Venezuela, S.A., several Russian oligarchs and multinational companies affiliated with them, the second largest aluminium company, as well as a major Chinese shipping lines and telecommunications company. While designations are oftentimes unpredictable, companies – in particular those that do business with persons operating in sanctioned countries or otherwise with sanctioned persons – need to closely monitor sanctions-related developments and think about and plan for major and sudden interruptions in their customer base and supply chain.
Deaconu: The past year has seen the convergence of the sanctions and export controls used by government agencies and regulatory bodies. The increasing use of such controls in a non-traditional manner brings complexity, as well as vagueness, to the legal landscape, and increases business uncertainty for corporates and financial institutions. In addition to the convergence of export controls and sanctions, we also see a trend of export sanctions and human rights, anti-corruption and investment, with a high level of political interference. The nationalistic trend that has started to materialise in the realm of export controls and sanctions is a departure from the traditional, multilateral approach of past decades. Collaboration and common interest is to be found at a regulatory level, although this is not the case in the enforcement area, where agencies often disagree over jurisdictional issues.
Brown: One key development and trend in sanctions compliance and enforcement over the past 12 months or so has been a growing emphasis on non-financial institutions. Effective 21 June 2019, OFAC issued an interim final rule requiring both financial and non-financial institutions subject to US jurisdiction to report rejected transactions within 10 business days. OFAC also broadened the definition to include goods and services as well as funds transfers. Another key development is ‘A Framework for OFAC Compliance Commitments’, which OFAC issued on 2 May 2019. This document is significant in that it sets forth the essential elements of a successful sanctions compliance programme for the first time. In addition, OFAC makes clear that individuals are liable under OFAC regulations. Historically, OFAC has not pierced the corporate veil to target individual bad actors. Like the new reporting requirement, individual liability is another example of OFAC broadening its jurisdiction to target bad actors in new ways.
Davy: In May 2018, the US withdrew from the JCPOA and, in November of that year, reinstated all US secondary sanctions. This action was followed by executive orders in 2019 that ended sanctions exceptions for Iranian oil and several of the waivers under which foreign governments provided technical assistance to aspects of Iran’s nuclear programme that were allowed under the JCPOA. In January 2020, the administration issued new sanctions targeting Iran’s metals, construction, manufacturing, mining and textiles industries. The administration’s focus on Iranian sanctions is reflected in enforcement efforts by OFAC – more than 50 percent of OFAC’s 2019 enforcement actions related to violations of Iranian sanctions. US sanctions on Iran are largely unilateral, and companies with foreign affiliates will need to manage compliance with US sanctions alongside EU blocking statutes that prohibit them from observing US unilateral sanctions.
Vitale: The US continues to increasingly use sectoral and secondary sanctions, particularly in the Iran and Venezuela programmes. In the past year, multiple executive orders authorising such targeted sanctions were issued, followed by a constant flurry of designations. This impacts sanctions compliance programmes (SCPs) because, unlike broad prohibitions, such targeted sanctions require more sophisticated procedures, controls and training to identify prohibited activity. More risk analyses are required of current and future business involving sectors in jurisdictions where persons may be designated. OFAC appears to be looking more closely at these and other SCP elements in enforcement actions. Recent OFAC settlement agreements require an annual certification from firms regarding their SCP and, for the first time, OFAC outlined its recommendations for the essential components of an SCP, such as risk assessments and internal controls, in ‘A Framework for OFAC Compliance Agreements’.
“Just as the focus on violations of Iran sanctions poses an increased risk for companies that have affiliates outside the US, companies that engage in international trade also face heightened risk.”
FW: In your opinion, what are the most pressing sanctions-related issues now facing companies engaged in international trade?
Lee: One dynamic area to watch is the development of sanctions and export control policy with respect to China. Even as the Trump administration announced a ‘phase one’ trade deal with China, other executive branch agencies, as well as Congress, have indicated an increased willingness to deploy financial and economic sanctions on targeted Chinese individuals and entities. For example, in May 2019 the Commerce Department added global Chinese electronics manufacturer Huawei, as well as over 100 Huawei affiliates, to the Entity List. While designation to the Entity List is not strictly an application of ‘sanctions’, the Commerce Department restriction works in concert with OFAC’s sanctions programmes since Huawei’s designation is at least in part due to the company’s alleged violations of sanctions against Iran. In a closely related development, new regulations implemented by the Committee on Foreign Investment in the United States (CFIUS) also target the ability of Chinese companies to invest in or acquire US-based businesses. With these various and cross-cutting forces at play, China-related trade continues to be an area where heightened compliance attention is required. Another area of significant change is the increased use of the EU Blocking Statute by companies in Europe and Iran to pressure global companies to perform contracts that may run contrary to US secondary sanctions authorities. While the EU has long criticised the extraterritorial reach of US sanctions, European authorities did not appear eager to enforce the statute until the Trump administration’s rapid and often unilateral expansion of sanctions programmes in recent years, particularly those targeting Iran and Russia.
Randall: Multinational companies often need to comply with multiple and sometimes conflicting legal regimes. From a US perspective, companies not only need to consider the risks of violating US sanctions laws, but also the risks of secondary sanctions. Secondary sanctions are measures that principally target foreign persons for engaging in certain activities even where such activities have no US nexus and are increasingly being used by the US government. Unlike primary sanctions, the penalty for engaging in the enumerated activities is the imposition of sanctions, including the imposition of blocking sanctions on an entity and its senior executive officers. The US, however, is more often proceeding unilaterally, making compliance increasingly challenging. In recent years, companies have needed to consider the impact of countermeasures from other jurisdictions, which make it a violation of law to comply with US measures, such as the updated EU blocking statute and other counter-sanctions proposed by China and Russia.
Deaconu: The main challenge is to invest, boost resilience and improve processes, so that companies can swiftly adapt and embed changes into their ongoing business. In my view, one of the biggest challenges for any organisation that engages in international business transactions is to get business leadership to understand and accept that today’s sanctions and export control regulatory world is volatile and complex. As a result, there are business matters that require a global approach, while others will require a nationally focused approach. Think of it in terms of a shift from integrated global supply chains and IT infrastructure to local regionalised supply chains and IT; from global manufacturing, IT and research hubs to regional or local manufacturing footprints; from global access to a restricted, ‘need to know’ controlled work environment. The challenge facing the compliance professional is to keep pace with the daily, if not hourly, changes that are being made to an increasingly complex regulatory environment.
Brown: The most pressing sanctions-related issue facing companies is the increasing cost of compliance due to the complexity of the more targeted sanctions programmes like Russia and Venezuela. Companies must make significant investments in hiring and retaining qualified sanctions compliance personnel to execute the required risk assessments, internal controls, auditing and training of various business units. While screening technology continues to evolve and add efficiencies in automating certain processes, it cannot replace the role of qualified sanctions compliance personnel.
Davy: Just as the focus on violations of Iran sanctions poses an increased risk for companies that have affiliates outside the US, companies that engage in international trade also face heightened risk. There has been an increased enforcement focus on all aspects of international trade, including shipping, vessel flagging, airlines, trade and maritime insurance, and other supporting activity. Moreover, shell companies located in non-sanctioned countries are frequently used as front companies to mask sanctioned parties’ involvement in cross-border trade transactions. Sophisticated money laundering organisations are also being used to evade sanctions screening. These risks require companies to enhance their global sanctions compliance programmes across their organisations to ensure that their customers and counterparties in international trade transactions have effective sanctions compliance programmes. Companies that rely on certifications from their customers and counterparties should consider what steps they can take – through transaction monitoring and sampling – to verify the certifications.
Vitale: Companies engaged in international trade are faced with increasingly complex sanctions and higher due diligence expectations than ever. They must navigate through restrictions on extensions of debt, risk of future sanctions in some jurisdictions’ sectors, and conducting appropriate due diligence to confirm that transactions do not directly or indirectly involve sanctioned persons or countries. Companies must do this despite constantly evolving sanctions evasion schemes and in addition to screening counterparties and transactions against sanctions lists. To do this, sufficient and experienced compliance staff are needed, which is a challenge, particularly for smaller companies and those in certain locations where budget and the talent pool are limited.
Katsoulis: There are several issues that companies may face in relation to compliance with sanctions regulations, which is becoming increasingly complicated and requires significant investments in terms of systems, financial resources, time and personnel. Legal requirements change quite often and rapidly, which requires continuous monitoring, training and auditing, re-evaluation of policies, procedures and operations, as well as adaptation of IT systems. For companies operating across multiple countries, compliance with multijurisdictional laws can be quite challenging, especially when these laws differ in scope and requirements or even conflict with each other. Conducting effective due diligence of third parties or transactions may also prove difficult, in many cases due to a lack of information or reliable online resources, linguistic barriers or data privacy regulations.
“From a US perspective, companies not only need to consider the risks of violating US sanctions laws, but also the risks of secondary sanctions.”
FW: Have you observed any intensification of recent enforcement activity? How aggressively are regulators pursuing and punishing those companies which violate the rules?
Randall: The US continued robust sanctions enforcement in 2019 with an increased focus on non-financial institutions. Recent OFAC enforcement actions have also highlighted the importance of due diligence in the mergers and acquisitions context. Multiple OFAC actions in 2019 involved foreign companies that continued to conduct business with sanctioned persons post-acquisition without the knowledge of the buyer. The buyer, nevertheless, was held liable for US sanctions violations of the newly acquired entity. These cases highlight the importance of conducting sanctions-related due diligence prior to an acquisition, to allow the parties to decide whether and on what terms the deal should proceed. These cases equally highlight the importance of performing post-acquisition due diligence and of taking appropriate steps to train and monitor acquired companies for sanctions compliance.
Brown: In 2019, there was a marked increase in enforcement activity, both in terms of the number of penalties and settlements and the total amount of fines. The Trump administration’s policy of ‘maximum pressure’ with regard to Iran and North Korea suggests that the increased enforcement activity will continue. However, there is one area of enforcement that the Trump administration has not aggressively pursued. OFAC amended its regulations in March 2019 to incorporate references to The List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions (CAPTA List). Distinct from OFAC’s Specially Designated Nationals (SDN) List, the new CAPTA List is intended to include foreign financial institutions subject to correspondent or payable-through account sanctions across several sanctions programmes, such as Iran, North Korea, Russia and terrorist financing. These secondary sanctions are underutilised tools in the Trump administration’s toolbox.
Katsoulis: Enforcement activity has increased during the last few months, as a result of the evolution of sanctions. 2019 was a very active year for OFAC, both in terms of the number of cases that resulted in penalties, whether through settlement or otherwise, and the level of penalties imposed – civil penalties reached approximately $1.3bn in total. Enforcement by the EU authorities also seems to have increased and more cases of sanctions violations are being made public. Overall, as geopolitical developments occur and sanctions regulations evolve accordingly, regulators continue to pay close attention to shipments of certain product types or shipments to potentially problematic countries and actively pursue companies that infringe the rules. This trend is also expected to continue, if not increase, in the coming months.
Davy: Two key signals indicate that enforcement is ratcheting up in the US. First, OFAC’s director recently stated that OFAC will not credit financial penalties paid to other agencies unless the penalty relates to the same pattern of conduct over the same period of time. In 2019, OFAC assessed the highest total penalties in the past 10 years, a substantial portion of which was assessed against two financial institutions, Standard Chartered and UniCredit SpA. Both received credit for payments made in satisfaction of other agencies’ penalties because the payments to other agencies met that standard. Second, the US Department of Justice (DOJ) announced a policy – that now applies to financial institutions – encouraging companies to self-report sanctions violations directly to the DOJ. Companies that do, and that fully cooperate with the DOJ and remediate, can expect a non-prosecution agreement – often an agreed-upon set of facts that become public without filing criminal charges.
Vitale: Even though the number and total amount of settlements and penalties published by OFAC in 2019 exceeds those in recent years, I do not see this as evidence of more intensity in enforcement. I believe there is a continuing trend that started years ago, in which OFAC and other regulators use discretion to focus on bigger cases involving pervasive and egregious sanctions violations. Whereas OFAC cases once involved one or a cluster of transactions, today cases often include systemic sanctions evasion or critical gaps in sanctions programmes leading to ongoing violations. We are seeing OFAC and other regulators going full force to pursue such cases involving both financial and non-financial companies. Nevertheless, in published settlements, we see OFAC providing mitigation for voluntary self-disclosures and cooperation, and multiple regulators are placing increasing attention on having firms remediate their sanctions compliance programmes rather than imposing purely punitive measures.
Lee: OFAC imposed a record total of over $1.2bn in penalties in 2019. There were also novelties in OFAC’s enforcement strategy, including the first-ever designation of a company official for engaging in the wilful violation of sanctions rules in the Kollmorgen case. In addition, the rate of designations to the Specially Designated and Blocked Persons List has remained at a record high under the Trump administration, with OFAC adding an average of 1000 names to the SDN list in each of the last three years. In another important enforcement-related development, in December 2019 the DOJ’s National Security Division published a revised policy offering greater incentive to businesses to submit voluntary self-disclosures to the DOJ of potentially wilful violations of sanctions and export control laws. In the new policy, the DOJ offers a presumption of a non-prosecution agreement to a company that submits a timely self-disclosure, fully cooperates with the government’s investigation and appropriately remediates the misconduct. This new policy appears to reflect the DOJ’s efforts to ramp up deterrence of criminal sanctions violations.
“Today, one can only answer the business question of ‘can we do the deal’ when one has the appropriate skillset, detailed knowledge of the deal in question and the trust of business leaders.”
FW: What, in your opinion, are the key requirements of a robust sanctions compliance programme? To what extent are companies utilising technology to assist them?
Deaconu: Gone are the days when an export controls and sanctions compliance professional could rely on the rather clear and predictable world of ‘name screening’ and a short list of countries subject to comprehensive, yet clear restrictions. Gone are the days when the answer to the question ‘can we to this deal?’ was a simple yes or no. Today, an export controls and sanctions compliance professional lives in the reals of ‘it depends’ and ‘let me try to figure it out’. However, for those professionals that grasp the new world of export controls and sanctions, this chaos also offers opportunity. A professional has to evolve from the traditional role of compliance and legal adviser to become a business savvy connoisseur, a true and trusted business partner, a magician skilled at working in the middle of uncertainty and constant change. Today, one can only answer the business question of ‘can we do the deal’ when one has the appropriate skillset, detailed knowledge of the deal in question and the trust of business leaders. Strong compliance professionals are also strong business professionals, having developed the unique skill of being able to understand a complex regulatory environment and apply that knowledge to a deal, while having the full support and understanding of business leaders.
Davy: Both OFAC and the DOJ issued guidance on evaluating sanctions programmes within days of each other last year, covering much, though not all, of the same ground. For example, OFAC’s guidance calls for recordkeeping and compensatory controls when a possible violation is discovered, while the DOJ’s does not refer to either. Technology is an essential piece of sanctions compliance, because sanctions lists from various jurisdictions, and their frequent updates, must be incorporated. Technology is also a common root cause of sanctions violations, for example the failure to update screening software, or to account for alternative spellings – which was the subject of a recent civil enforcement action against Apple. Apple received mitigation credit for assuming additional compliance commitments – as to structure, screening and training – as reflected in other recent enforcements against Standard Chartered and British Arab Commercial Bank. Adopting compliance commitments may persuade regulators to lower their fines or refrain from an enforcement action.
Vitale: A robust sanctions compliance programme must contain all of the essential components discussed in ‘A Framework for OFAC Compliance Commitments’. But I have found that firms with a strong sanctions compliance programme have the following features of note. First, a well-organised sanctions compliance structure, particularly in global firms, for consistent application of policies and procedures and oversight. Second, an enterprise-wide risk assessment to identify business, operational and other risks. Third, a risk control framework to ensure that there are appropriate controls in place to mitigate the identified risks. Fourth, systemic testing to ensure transaction and reference data are screened as expected. Fifth, targeted sanctions training for appropriate personnel, such as those whose duties involve customers and cash or other asset movements. Finally, a well-documented programme must have detailed written procedures, documentation of critical risk-based programmatic decisions, and records supporting investigation outcomes and regulatory filings.
Lee: The most important aspects of a robust sanctions compliance programme are senior management commitment and dedication of adequate resources. For many companies, sanctions compliance is done in a decentralised and informal manner, which does not allow corporate legal and compliance teams enough visibility into business practices to allow them to accurately assess the company’s risk profile. In addition, a lack of personnel and resources will hamper the ability of any organisation to address compliance concerns as they arise, in addition to hindering strategies for preventing non-compliance. Deploying a global technology solution for sanctions screening can be a helpful way to centralise compliance functions and address recordkeeping requirements. However, technological tools must be tailored to the different roles of business units and functions.
Katsoulis: As a starting point, there is no ‘one size fits all’ solution when it comes to sanctions compliance programmes. An effective compliance programme should be tailored to the company’s products and business operations. That said, it should include, as a minimum, a number of key elements: senior management commitment, effective policies and procedures, robust legal agreements, screening capabilities, regular training of employees and third parties, monitoring and risk-based auditing, good recordkeeping practices, and escalation and disclosure procedures. Technology is a key component of any efficient sanctions compliance programme, especially for companies operating in multiple countries. As sanctions regulations change often and rapidly, any technology used for compliance purposes should be sophisticated enough to accommodate such changes in order to remain a powerful tool in the organisation’s compliance arsenal.
Brown: The key requirements of a robust sanctions compliance programme are flexibility and visibility. A company’s sanctions compliance programme cannot be static or limited to compliance manuals. It must be able to respond quickly to the Trump administration’s ever-expanding use of sanctions. Practically speaking, business teams do not have to become sanctions experts. Rather, they must be able to spot sanctions issues and notify the appropriate compliance personnel. It is important to build relationships within the business so that teams know who to contact when sanctions-related issues arise. These relationships will strengthen a company’s sanctions compliance programme in ways that a written compliance manual often cannot.
Randall: A system of internal controls, including policies and procedures and technology to screen customers and transactions, is undoubtedly necessary to allow a company to identify and interdict transactions that may violate sanctions laws. However, a strong governance framework and a strong culture of compliance is paramount to whether a sanctions compliance programme will be successful. According to ‘A Framework for OFAC Compliance Commitments’, released in 2019, the board of directors and senior management of a company need to maintain effective oversight over the sanctions compliance programme and ensure that the programme receives adequate resources. Compliance personnel must also be sufficiently independent of the business and appropriately empowered to take decisions to protect the organisation. Finally, to support their oversight responsibilities, compliance risks and issues need to be appropriately escalated, reported and tracked by the board of directors and senior management.
“In 2019, there was a marked increase in enforcement activity, both in terms of the number of penalties and settlements and the total amount of fines.”
FW: How important is it for companies to carry out sanctions-related due diligence in their global business dealings? Are more companies seeking suitable warranties from counterparties and other entities they engage with, to further reduce their exposure?
Davy: Due diligence is essential, and third-party management is another common root cause of sanctions violations. A warranty or certification is one measure to help address sanctions while managing third parties, but companies should consider others, particularly for counterparties operating in higher risk sanctions environments. Other measures include audit rights, employing or getting assurances of training at those counterparties, and periodic updates to due diligence. Regular customer due diligence alone may not suffice when one’s customers may be trying to evade sanctions or themselves deal with sanctioned entities. Screening will not capture that sanctions risk, and it may prompt companies to use compliance techniques that resemble traditional anti-money laundering (AML) controls, such as Know Your Customer (KYC) programmes, steps to determine beneficial ownership of one’s customers, and proactive monitoring or verification procedures. Because of the ways in which customers may seek to evade sanctions, sanctions compliance programmes may begin to converge with AML compliance.
Lee: If companies are not currently including sanctions compliance provisions in their agreements with customers, distributors and joint venture partners, then they should seriously consider the potential consequences. Without specific sanctions compliance provisions, a company can find itself stuck in an agreement or obligated to abide by terms that bring significant enforcement risk exposure, or risk exposure to breach of contract litigation. It is best to address these risks at the outset of the customer relationship by performing sanctions-related due diligence and including appropriate global trade provisions in third-party agreements.
Katsoulis: Sanctions-related due diligence is an absolute must nowadays and ensuring that all business operations comply with relevant regulations should be part of the culture of any company engaged in international trade. The sanctions regulations are changing at a fast pace and are becoming increasingly complicated. Enforcement also continues to be very active, so that companies cannot afford to be found in breach of the relevant regulations and become exposed to potentially significant penalties. Sanctions-related due diligence should be a critical component of any company’s processes and operations in order to mitigate any potential compliance risks. In this respect, warranties from third parties could prove very useful, especially in the context of planned mergers or acquisitions, setup of business relationships with new partners or countries, or day-to-day transactions with existing business partners.
Brown: It is very important for companies to carry out sanctions-related due diligence in their global business dealings. OFAC’s 50 percent rule can be particularly problematic when dealing with counterparties or other entities. For example, changes in domestic laws are making it more difficult to determine ownership of Russian companies. Publicly available information is becoming scarce. Nevertheless, companies must conduct enough due diligence to avoid engaging in transactions with prohibited parties. Companies must also ensure that contracts with Russian companies include an export or compliance with laws clause that will allow them to stop the delivery of products or services due to the imposition of additional sanctions or prohibited end use.
Vitale: Sanctions-related due diligence is critical for companies engaged in international business. Companies should do a risk assessment of their business to determine appropriate diligence and other risk-mitigating measures. As a general matter, it is important for global businesses to perform due diligence to identify potential sanctions risks that are not evident, such as indirect owners of a customer who are sanctions targets or goods originating from a sanctioned country for sale in a third country. It is common for companies in many industries to obtain sanctions compliance representations from counterparties. This reduces risk by putting parties on notice of sanctions obligations and, in conjunction with other controls, demonstrates best efforts for compliance. These are important factors because, in many instances, screening and due diligence cannot be done in advance of a transaction or relevant information is not visible to the company. Accordingly, OFAC has advised conducting appropriate due diligence, including questionnaires and certifications, in FAQs and guidance.
Randall: Sanctions-related representations and warranties can be used to underscore the importance of compliance, restrict risky activities, provide legal protection if sanctions issues arise, and mitigate, to a degree, any violations that do occur. However, sanctions-related contractual provisions will not eliminate compliance risk and must be supported by appropriate customer and transaction due diligence. Such diligence must consider not only the direct, but the indirect risks, as OFAC is increasingly focusing on the later in its enforcement actions. For example, despite having contractual provisions in its leasing agreements, a US company recently paid a penalty when it leased two aircraft engines to an Emirati company, which then subleased the engines to a Ukrainian airline, which then installed the engines on an aircraft ‘wet leased’ to a Sudanese airline. Enhanced due diligence and monitoring needs to be performed on customers and transactions that present indirect risks at the beginning of and throughout a relationship or transaction.
Deaconu: Given the complexity and the uncertainty of the regulatory and business landscape, one does try to reach out to find easy solutions in implementing far-reaching reps and warranties in all contracts with business partners. While this is still good practice, and should definitely not be ignored, I believe this is not enough to withstand the high bar of ‘had reason to know’ and ‘should have known’ that regulators use to test organisations when things go south. Contractual warranties tend to bring a false sense of security and safety when business leaders start to blind themselves and do not invest time in partnering with the export control and sanctions professionals involved in international business deals. If the compliance due diligence piece of a puzzle is missing, the puzzle is not complete.
“The most important aspects of a robust sanctions compliance programme are senior management commitment and dedication of adequate resources.”
FW: In your opinion, do companies need to improve their ongoing compliance processes? Should they be more proactive in reviewing and updating their internal controls in line with regulatory changes, new business strategies and shifting market conditions, for example?
Vitale: Companies should proactively conduct process reviews to identify and remediate critical weaknesses or gaps and make incremental enhancements. An adequate compliance programme can quickly turn into a deficient one with changes in regulatory requirements and expectations, a company’s business profile or leading industry practices. Meanwhile, regulatory expectations for sanctions compliance programmes have been consistently increasing and there is no indication, based on recent enforcement actions and guidance, that this trend is slowing. Thus, companies should monitor their programme to ensure the controls in place are still appropriate and functioning as expected to address their risk and that their processes are consistent with current guidance. Failing to make updates on a regular basis places companies at greater risk of sanctions violations, and is likely to result in larger remediation projects that, when finally undertaken, are a more difficult, monumental endeavour.
Brown: Companies need to continuously improve their compliance processes. The need is underscored by the Framework for OFAC Compliance Commitments and the number of enforcement actions taken in 2019. OFAC expects companies to rapidly adjust to changes made to its sanctions lists and sanctions programmes. This type of rapid adjustment requires companies’ sanctions compliance personnel to have an in-depth knowledge of sanctions laws and regulations and their applicability to the business. The continuous improvements to compliance processes lends itself to sanctions compliance personnel being more proactive in reviewing new business strategies and shifting market conditions. If these compliance processes are effective, they may drive business instead of hindering it.
Katsoulis: In the current environment of continuously changing sanctions regulations, companies need to ensure that they have a robust compliance programme in place that is tailored to their needs and operations. As sanctions continue to evolve, companies may face increasing challenges to comply with new legal requirements. It is therefore critical that developments in sanctions regulations are actively monitored and any internal processes put in place to address sanctions compliance risks are periodically re-evaluated, adapted as necessary and regularly audited to ensure that they remain effective and in line with the continuously changing regulatory landscape. Business practices and strategies also need to be periodically reassessed to ensure that the company can continue to operate effectively without violating any sanctions regulations.
Deaconu: In a world without change, companies can keep everything unchanged without incurring any risk. In a world where change is the constant reality, continuous improvement is the new normal. There was a time when compliance processes were stable and changed little at a process level. However, today’s business and regulatory environment is different. Rigid processes are a risk in this new reality. Improvement does not mean disregarding existing processes, ways of working and infrastructure. Improvement means understanding current realities and working with people who are improving those realities. I believe that today’s compliance programmes and improvement processes need to have two pillars: a compliance ecosystem and people ecosystem. The compliance ecosystem comprises an internal compliance programme, one that is specifically tailored to a flexible formula. The people ecosystem consists of the way an organisation positions its export controls and sanctions professionals, and how compliance knowhow is utilised during normal business practice.
Randall: Regulators and prosecutors, including OFAC and the DOJ, have consistently stated that compliance programmes need to be responsive to evolving risks. These risks can manifest as a result of external events, such as changes in the law or new enforcement actions, or internal events, such as an acquisition or the introduction of new customers, products or services. Periodic risk assessments allow both financial and non-financial institutions to measure the risks presented by, among other factors, the location of its operations and its customers and intermediaries, and allow management to make informed decisions regarding risk appetite and budgeting. Periodic risk assessments also identify control gaps and opportunities for an organisation to update policies and procedures and improve the organisation’s processes.
Lee: If there is one thing we have learned by closely observing the sanctions, export controls and national security landscape with respect to global trade, it is that this area of the law is as fast-moving as the geopolitical issues that appear on the front pages of the newspapers. Compliance processes must keep pace in order to be effective. One way to accomplish this is by incorporating a regular audit and risk assessment process into your compliance programme. Both activities are pillars of the OFAC Compliance Framework.
Davy: A sanctions programme in particular must be adaptable, to quickly incorporate new designations or sanctions aimed at certain countries or governments, new licences, and new laws or regulations. Sanctions present a somewhat distinct set of concerns in the compliance context because of the frequency with which changes are made to the regulatory environment. Companies not only should be aware of what sanctions obligations currently exist, but should stay tuned to what may be coming – for example, recent events are reported to have prompted the US government to consider sanctioning Turkey and Iraq, and recent enforcement against Park Strategies LLC suggests a focus on professional services. Conversely, changes in business strategies should incorporate not only sanctions obligations, but areas of sanctions risk – like those related to customers – and anticipated changes to the sanctions landscape.
“Companies should do a risk assessment of their business to determine appropriate diligence and other risk-mitigating measures.”
FW: Looking ahead, what are your predictions for the sanctions landscape in the coming months? Do you anticipate increased government enforcement, and greater risks for multinational companies?
Brown: Looking ahead, sanctions related to Turkey may be imposed, and actually remain in place. The Trump administration did not revoke the executive order issued in October 2019 in response to the Turkish military offensive in northeast Syria. The executive order provides the Trump administration with ample authority to target the government of Turkey, sectors of the Turkish economy and its financial institutions. The actions of the Turkish government also prompted members of Congress to propose sanctions bills. If the situation with Turkey continues to deteriorate in the coming months due the collapse of the ‘ceasefire’ or its purchase of a Russian missile system, a sanctions bill may become law.
Katsoulis: It is difficult to predict what the sanctions landscape could look like in the coming months, however sanctions regulations will most likely continue to evolve and become more complicated. In light of recent events, Iran is likely to continue to be at the centre of sanctions-related developments and enforcement actions during the coming months, not only on the US side but also with the EU. It will be interesting to monitor developments in relation to other countries as well, such as Russia, Cuba, Venezuela or North Korea, against which certain sanctions are currently in place, as well as Libya, Turkey, Egypt and Iraq, where recent geopolitical developments indicate a potential risk for new or additional sanctions-related challenges. As sanctions regulations continue to evolve, companies should be prepared to quickly adapt to changing geopolitical environments, more complex legal requirements and compliance challenges, which will continue to make sanctions compliance a priority for multinationals.
Deaconu: Today, one would really have to be a clairvoyant to predict with any sense of accuracy the sanctions landscape in the coming weeks, let alone the coming months. There are things that are in the control of sanctions professionals and there are things over which they have no control. In my view, one should focus on the elements that one can be in control of, while monitoring and trying to influence those outside our direct control. Organisations that look at sanctions and export controls compliance through only a rigid lens, such as cost avoidance, may find themselves in muddy waters when trying to comply with complex legal requirements such as human rights, anti-corruption, facilitation, secondary sanctions, significant transactions, reputation, sustainability or investment risk. The world of sanctions is likely to become more convoluted and even more vague, as regulators struggle to react to global challenges and paradigms shifts, such as national security, foreign policy, and economic and human security.
Randall: The pace of new sanctions and enforcement actions will almost certainly remain stable or increase in 2020. However, two recent changes within the Treasury Department may shape US financial crime policy in 2020. First, on 6 January 2020, president Trump nominated Jessie K. Liu to replace the outgoing under secretary for terrorism and financial intelligence. If confirmed, Ms Liu will be the second former prosecutor in a row to oversee US government strategy to combat terrorist financing and money laundering and will set the tone for OFAC’s enforcement and licensing strategy. Additionally, the Financial Crimes Enforcement Network (FinCEN) launched the Global Investigations Division (GID). GID will leverage FinCEN’s authorities, including Section 311 of the PATRIOT Act, to investigate and target terrorist financing and money laundering. This reorganisation suggests a potential future increase in FinCEN’s designation of financial institutions of primary money laundering concern, which can in effect function very similar to OFAC sanctions.
Lee: Based on recent experience and our analysis of legislative and policy trends, we expect increased government enforcement of financial and economic sanctions in the coming year. In addition, companies must be aware of the increased complexity of complying with US sanctions considering the conflict of laws issues arising from differing sanctions requirements across jurisdictions. The EU, the UK, Canada and other nations maintain distinct and independent regulations regarding financial sanctions and export controls. It is not always easy to find the right path forward amid the competing requirements.
Davy: Given the signals given by both OFAC and the DOJ, enforcement of sanctions violations remains a priority and is likely to trend toward increasing enforcement, doing so with an increasingly international reach. Given recent US prosecutions of Turkish banker Mehmet Hakan Atilla and of the Turkish bank Halkbank, non-US companies and individuals need to be increasingly attuned to the risk of US authorities seeking to exercise jurisdiction over overseas sanctions offences. Moreover, OFAC continues to use its authority to impose secondary sanctions – sanctioning, usually foreign, persons or entities for doing business with other sanctioned entities. Historically, they had been used to support sanctions on Iran, but recent years have seen their use increase in the context of sanctions on Russia, Venezuela, North Korea and Syria. Companies should remain vigilant over their international operations and subsidiaries from a sanctions perspective.
Vitale: In 2020, we should expect to see continued expansion of sanctions and more designations in the Iran, Venezuela and possibly Russia and North Korea programmes in response to current events. With the upcoming US elections, we may also see expanded sanctions and designations under the ‘Foreign Interference in a U.S. Election Sanctions and Cyber-Related’ sanctions. With respect to enforcement, we may start to see cases posted by OFAC involving apparent violations of more complex sanctions that have been in place for over a year, such as sectoral and other targeted sanctions in the Ukraine and Russia programme, and the plethora of general licences issued in the Venezuela programme. Companies with weaknesses or gaps in their sanctions programme are more likely to run afoul of these more complex sanctions because they failed to identify certain prohibited persons – for example entities owned 50 percent or more by SDNs – track relevant deadlines for extensions of credit or adhere to narrowly-tailored general licences.
“It is difficult to predict what the sanctions landscape could look like in the coming months, however sanctions regulations will most likely continue to evolve and become more complicated.”
Kostas Katsoulis joined Cardinal Health as director, global trade in August 2016. In this position, he manages all import/export‐related operations for Cardinal Health in the Europe, the Middle East and Africa (EMEA) region. He has over 20 years of experience in dealing with a wide variety of trade issues, including customs, EU and US export controls and trade sanctions, anti‐boycott regulations, encryption controls, government procurement, trade defence measures, disclosures and audits. He can be contacted on +41 (0)41 561 4843 or by email: konstantinos.katsoulis@cardinalhealth.com.
Amber Vitale is a managing director in the financial services practice for FTI Consulting in New York, specialising in economic sanctions, anti-money laundering (AML) and anti-bribery/corruption compliance. Her expertise includes conducting OFAC investigations, financial crimes-related regulation and compliance, and risk management and internal controls. She is experienced at identifying complex regulatory issues, assessing compliance programmes, and developing and implementing compliance solutions. She has 15 years of experience conducting investigations and working on compliance matters. She can be contacted on +1 (646) 453 1269 or by email: amber.vitale@fticonsulting.com.
Judith Alison Lee is a partner in Gibson, Dunn & Crutcher LLP’s Washington, DC office and co-chair of the firm’s international trade practice group. Ms Lee practices in the areas of international trade regulation, including US Patriot Act compliance, economic sanctions and embargoes, export controls and national security reviews (CFIUS). Ms Lee also advises on issues relating to virtual and digital currencies, blockchain technologies and distributed cryptoledgers. She can be contacted on +1 (202) 887 3591 or by email: jalee@gibsondunn.com.
Kimberly N. Brown is responsible for reviewing potential engagements to ensure that IBM’s business units comply with economic sanctions and export control laws and regulations in the delivery of services to internal and external clients. Prior to joining IBM, Ms Brown worked as both a senior enforcement officer and policy analyst with the US Department of the Treasury’s Office of Foreign Assets Control. She can be contacted on +1 (202) 551 9523 or by email: brownkn@us.ibm.com.
Adela Deaconu is the binding factor for export controls and sanctions compliance programmes across all Royal Philips businesses, markets and functions worldwide. Ms Deaconu manages the global Philips export controls & sanctions policy, sanctions risk management, compliance processes and standards as part of the Philips general business principles. She leads a global team of subject matter experts and functionally guides and trains export control officers around the globe. She can be contacted on +31 (6)156 39802 or by email: adela.deaconu@philips.com.
Lindsey Randall focuses on cross-border investigations and enforcement matters affecting banks and other regulated financial institutions. She regularly counsels companies regarding compliance with US economic sanctions and anti-money laundering (AML) laws, and has worked with global financial institutions on complex compliance and enforcement matters, including examinations, internal investigations, voluntary disclosures, and the resolution of administrative and enforcement proceedings involving regulatory agencies and law enforcement. She can be contacted on +1 (202) 371 7226 or by email: lindsey.randall@skadden.com.
Beth Davy is a partner in the financial services and financial services litigation and investigations groups and is co-head of the economic sanctions and financial crime group. Her practice focuses on bank regulation and supervision, regulatory enforcement matters and internal investigations. Ms Davy is widely recognised as a leading expert in the areas of anti-money laundering (AML) and economic sanctions compliance and enforcement. She can be contacted on +1 (212) 558 4000 or by email: davye@sullcrom.com.
© Financier Worldwide
THE PANELLISTS
Cardinal Health
FTI Consulting
Gibson, Dunn & Crutcher LLP
IBM
Royal Philips
Skadden, Arps, Slate, Meagher & Flom LLP
Sullivan & Cromwell LLP