Sanctions compliance & enforcement
March 2022 | ROUNDTABLE | GLOBAL TRADE
Financier Worldwide Magazine
March 2022 Issue
Enforcing compliance with economic sanctions has been a top priority for regulators and law enforcement over the past 12 months. Extraordinarily difficult geopolitical issues, where the economic and human consequences are unpredictable and severe, have resulted in the imposition of penalties. As sanctions regulations become more complex, far-reaching and adaptive – demonstrated by the shifting balance between multilateralism and plurilateralism – companies need to be as proactive as possible, ready to quickly respond to new challenges and more complex legal requirements.
FW: In broad terms, what do you consider to be the key developments and trends to have arisen in sanctions compliance and enforcement over the past 12 months or so?
Johnson: The US Department of Commerce’s Bureau of Industry and Security (BIS), which administers export administration regulations, announced its first enforcement action for violations of Huawei-related export control restrictions. The Huawei-related measures are a key development, and as much of a sanction initiative as an export control initiative. The US government clearly considers Huawei a threat to US national security and has addressed that threat by systematically implementing measures to try to cripple Huawei’s access to technology. The Huawei rules are complicated, including rules that enable BIS to claim jurisdiction over a tremendous amount of non-US manufactured items. Hence, we think that the enforcement actions, having now started, will increase over the next several years. We also expect that the US government will use the Huawei model to address emerging areas of concern, such as how it intends to deal with the situation around Russia and Ukraine.
Lee: The past 12 months have, of course, coincided with the first year of the Biden administration. The Biden administration made its mark on US sanctions in 2021 – reviewing, revising, maintaining, augmenting and, in some cases, revoking various sanctions and trade restrictive measures created during the Trump era. Biden is widely seen as an institutionalist and a multilateralist, and in his first year he sought to undo some of the damage done by the unilateral approach taken by the Trump administration. Biden sought to engage and cooperate with allies to develop and expand multilateral sanctions. There was a renewed focused on human rights abuses and the beginning of a new rapprochement with Iran. However, there were other challenges during this first year that the administration addressed on a more unilateral basis. China remained at the forefront of the US national security dialogue as the administration sought to solidify measures to protect US communications networks and sensitive personal data and blunt the development of China’s military capabilities, after numerous earlier efforts by the Trump administration were blocked or limited by US courts. China showed few signs of backing down in the face of US pressure, instituting new restrictions that could potentially require multinational companies to choose between compliance with US or Chinese law – creating a potential compliance minefield for global firms.
Rezendes: Sanctions compliance and enforcement is evolving with the world. One key trend I see is clear expansion into the digital assets space – both from a compliance as well as an enforcement perspective. In October of last year, the Office of Foreign Assets Control (OFAC) issued its ‘Sanctions Compliance Guidance for the Virtual Currency Industry’, detailing OFAC’s compliance expectations for the industry. Likewise, in the past 14 months, OFAC published its resolution of two enforcement matters – BitPay, Inc. and BitGo, Inc. – demonstrating OFAC’s expectation that market participants screen for and evaluate IP address data of transaction parties, including indirect parties.
Munro: I see three broad, thematic developments with broad applicability for sanctions compliance. From an enforcement perspective, there seems to be a focus on internet-based businesses and their unique exposures to sanctions risk and the necessity for reasonable controls to detect and prevent sanctions violations in the context of the technologies and types of data used in these businesses. This has relevance not solely for these specific internet-based businesses; it reveals universal lessons about sanctions compliance in a rapidly evolving, increasingly digitalised environment – in particular, the principle that innovation conveys many benefits, but carries the obligation to understand and mitigate the sanctions exposures it presents. Similarly, US authorities seem to be focusing on and holding accountable parties whose actions or inactions are the core source of a sanctions violation, even when that is a non-US person. This does not excuse the downstream US person’s participation in a violating transaction, but it is an important trend that looks beyond the facilitating US financial transaction to address the sanctions exposure at its origination. This is similar to the increased use by the US of ‘secondary sanctions’ as the basis for imposing sanctions on individuals and entities whose actions have materially assisted, sponsored or provided financial, material or technological support for, or goods or services to or in support of, a previously sanctioned party. This increases risk of extrajurisdictional application of US sanctions against non-US persons who do not voluntarily decide to comply with US prohibitions.
Deaconu: The past year has continued to broaden the convergence of sanctions and export controls, as well as other areas of compliance, including human rights, cyber security and supply chains, as used by government agencies and regulatory bodies. Sanctions and export controls tools are typically being used in a non-traditional manner and are politically driven, which brings further complexity, as well as uncertainty, to the legal landscape. This has increased business uncertainty for corporates and financial institutions. In addition, nationalistic trends in the realm of export controls and sanctions have led to a departure from the traditional multilateral approach seen over past decades. Moreover, multilateral collaboration and common interests are scarce at a regulatory level, with governments moving toward plurilateral, but still mostly bilateral, approaches. Unfortunately, this is not the case in the enforcement area, where agencies are coming together to demand a piece of the action while claiming jurisdiction.
Bentley: Several key developments stand out. First, the US signalled an increased interest in multilateral sanctions coordination with allies. Examples included the March 2021 sanctions on certain Chinese and Hong Kong officials by the US, European Union (EU), UK and Canada, and the August 2021 sanctions against certain Belarussian officials by the same countries. Second, the Biden administration fine-tuned its approach to China, revoking and replacing president Trump’s Executive Orders which imposed restrictions on WeChat and TikTok, and imposing modified sanctions against Chinese companies thought to operate in the defence and surveillance technology sectors, creating the Non-SDN Chinese Military-Industrial Complex Companies List. Third, the US expressed increasing interest in sanctions enforcement related to cryptocurrencies: OFAC recently announced its first designation of a virtual currency exchange for its alleged role in facilitating ransomware transactions. OFAC also published an updated advisory on sanctions risks associated with facilitating ransomware payments.
Katsoulis: The last 12 months have seen increased international coordination between governments in the adoption of sanctions – a trend that is likely to continue going forward. In response to ongoing tension in Eastern Europe, regulators have been paying more attention to Russia and Belarus by imposing several rounds of sanctions affecting these countries. Iran has been at the centre of most enforcement actions, and it will be interesting to monitor closely the ongoing negotiations regarding the potential revival of the Joint Comprehensive Plan of Action (JCPOA). Tension between the US and Russia and China has also led to the reinforcement of sanctions in areas such as human rights, forced labour and cyber security. Finally, regulators have significantly increased the use of denied or restricted party lists during the past 12 months. On the enforcement side, although the last 12 months may seem like a less active period, especially on the OFAC side, compared to recent years, companies should not perceive this as a relaxation of government enforcement, which is expected to continue being active in the months ahead.
FW: In your opinion, what are the most pressing sanctions-related issues facing companies engaged in international trade?
Lee: Right now, all eyes are on Russia given the tensions on the border with Ukraine. Economically, Russia is at least twice the size of any country the US has ever sanctioned. The leaders of the US Senate foreign relations committee said on 30 January that they were on the verge of approving “the mother of all sanctions” against Vladimir Putin. Given the amount of engagement with Russian companies, particularly in Europe, these sanctions are expected to be extremely impactful. There is much work going on in Washington to assess any unintentional ‘collateral damage’ these sanctions could cause and ways to reduce any harmful effects on innocent populations. The Biden administration is working overtime to ensure that any sanctions that are imposed are implemented on a multilateral basis with our European allies to make sure they are of maximum effect and that US companies are not harmed in a competitive manner.
Rezendes: With the growing trend of ‘smart’ sanctions – those designed to be more surgical in nature – the most pressing sanctions-related issue facing companies today is how to navigate the line between what is permissible and what is not. Although generally more limited in nature, smart sanctions can be more difficult and resource-intensive to navigate. Decisions around pursuing and managing lawful activity and evaluating what activity may expose a non-US person to the risk of secondary sanctions are high stakes in an environment with little guidance or meaningful benchmarks.
Munro: There is the challenge of accurate and complete transparency, end to end, through the supply chain and the payments process inherent in every business. This is not unique to sanctions, but the consequence and expectations are often more pronounced when there is a sanctions failure or circumvention that is detected too late to prevent. This becomes particularly acute as the technologies through which business and finance and payments are conducted are outpacing the technologies used to detect and prevent sanctions risks. The typical sanctions compliance techniques, primarily watchlist screening, start to be increasingly less relevant, far too slow or practical in a range of new business models that deliver globally accessible, instantaneous performance.
Deaconu: One of the biggest challenges for any organisation that engages in international business transactions is to get its leadership to understand and accept that today’s sanctions and export control regulatory world is volatile and complex, and as a result, there are business matters that require a global approach while others require a nationally-focused approach. It is important to think about a shift from globally integrated supply chains and IT infrastructure to local and regionalised supply chains and IT. From global manufacturing, IT and research hubs to regional or local manufacturing footprints. Organisations will also need to adapt to an access restricted, need-to-know controlled work environment. Compliance professionals must keep pace with an increasingly complex regulatory environment, with daily, if not hourly, changes that may affect an organisation’s business somewhere in the world. How to keep change and compliance requirements on the management agenda, particularly amid a global pandemic where the survival of the business may be at stake, is one of the biggest challenges facing a compliance professional, in any domain. Organisations that have a people-focused approach to compliance, where the purpose of doing business is intertwined with an enterprise-wide compliance mindset, are likely to be the most resilient in the face of ever-complex compliance challenges.
Bentley: Over the last few years, companies have had to adapt to the evolving landscape of non-geographical human rights-related sanctions. This has notably included the increased use of Magnitsky-style sanctions by the US, EU, UK, Canada and Australia. New legislative initiatives such as the US Uyghur Forced Labor Protection Act are combining additional supply chain due diligence obligations with new sanctions designation powers. A second challenge is the possibility of a significant escalation in Ukraine-related US and EU sanctions against Russia. Presently, in the event of a Russian invasion, the US is considering actions such as placing on the Specially Designated Nationals (SDN) List certain oligarchs and major Russian banks such as Sberbank and VTB, imposing technology-related US export controls, and prohibiting all trade in new issuances of Russia sovereign debt.
Katsoulis: There are several issues that companies face in their efforts to comply with sanctions regulations, which are becoming increasingly complicated and challenging. Legal requirements, especially the lists of denied or restricted parties, change quite often, which requires continuous monitoring, training and auditing, re-evaluation of policies, procedures and operations, and adaptation of IT systems. Compliance with multijurisdictional regulations can be quite challenging, especially when they differ in scope and requirements or even conflict with each other. New compliance requirements, such as those related to human rights and forced labour, have also emerged very prominently and require companies to closely evaluate their supply chain structures to mitigate potential risks of violations and penalties. Finally, due diligence of third parties and transactions continues to be a critical compliance activity but may also prove challenging in many cases due to the lack of reliable information, linguistic barriers or data privacy regulations.
Johnson: China and Russia dominate the headlines. We have seen a heightened focus by the US government for sanctions based on human rights issues, including issues related to reported atrocities against the Uyghurs in China. Companies with business in China are going to have to up their game to ensure that they do not run afoul of OFAC sanctions against Chinese entities that have been put in place in connection with alleged serious rights abuses against the Uyghurs. We expect more activity focused on these issues from OFAC, in particular. As to Russia, it feels like we are on the brink of significant multilateral sanctions cooperation and coordination among the US, North Atlantic Treaty Organization (NATO) members, and others. The US Congress is on the verge of passing sweeping sanctions legislation to address Russia’s actions targeting Ukraine. Assuming that legislation is passed, which seems inevitable, the Biden administration will be taking actions that could have devastating effects on certain sectors of the Russian economy, and collateral effects on the global supply chain. Companies will need to be nimble to ensure they do not run afoul of new blocking sanctions and that they quickly pivot to sources not burdened by those inevitable sanctions.
FW: Have you observed any intensification of recent enforcement activity? How aggressively are regulators pursuing and punishing companies that breach sanctions?
Rezendes: Sanctions enforcement is intended to operate – at least in part – as a deterrent, and for that reason OFAC is generally intentional in choosing the cases it pursues to settlement or civil penalty. Public broadcasting of enforcement resolutions serves to inform the public of OFAC’s interpretation of its regulations and the underlying executive orders and statutes, and so OFAC uses enforcement to message its policy objectives. For example, we are likely to continue to see enforcement around activities by non-US persons that cause a US person to violate US sanctions, conduct by persons owned or controlled by US persons pursuant to Iranian transactions and sanctions regulations, and the debt and equity restrictions applicable to US persons pursuant to the Ukraine/Russia-related sanctions programme.
Munro: Understandably, for sanctions policy to work, it requires enforcement. Despite the frequent use of sanctions as the ‘go-to’ tool for foreign policy and the perception that there is a sanctions solution for every problem, the imposition of sanctions is not done lightly and without consideration of the potential for severe collateral harm they can cause. Therefore, strict enforcement is an essential aspect of the decision to impose sanctions. For the sanctions to be impactful in support of the intended policy objective considering the risk of the unintended consequences they might cause, enforcement of the sanctions needs to be intense. No one should expect otherwise.
Bentley: A warning for non-US companies is that OFAC continues to launch enforcement actions for broad reasons including ‘causing’, pursuant to the relevant regulation, US persons to violate applicable sanctions, and processing payments through the US financial system that involved sanctioned persons. As with OFAC’s 2020 enforcement action against Swiss IT travel services provider SITA, enforcement actions in 2021 again indicated that OFAC will often determine that a US nexus exists such that a non-US person can be deemed to have made a costly violation of primary US sanctions rather than secondary sanctions. In the UK, the Office of Financial Sanctions Implementation (OFSI) announced a civil penalty against FinTech company TransferGo for multiple breaches of EU sanctions relating to Ukraine that were in force in the UK prior to Brexit. This case may herald a shift in the OFSI’s enforcement focus from traditional financial institutions to FinTech firms and payment service providers.
Johnson: BIS has become more active and geared up for enforcement work. For over a year, the agency has bolstered its staff with lawyers from the Department of Justice’s (DOJ’s) National Security Division. In our experience, many OFAC enforcement actions involve investigations that start with or have exports that are integral to the activities that are alleged as violations. As BIS increases activity, sanctions-related enforcement may increase as well. In addition, the US government’s sanctions focus has expanded, and with the prospect of widespread sanctions against a number of sectors of the Russian economy, we likely will see attempts at evasion and aggressive enforcement in response.
Katsoulis: In comparison with previous years, 2021 was relatively slower in terms of enforcement cases and level of penalties, especially on the OFAC side. However, even though enforcement activity might appear to have slowed down during recent months, the message from the regulators is very clear that enforcement is still top of their agenda and that cases of violations of sanctions regulations will continue to be pursued aggressively. Interestingly enough, the recent enforcement cases involve companies established in a diverse mix of countries across the globe and violations of different sets of sanctions regulations, including those against Iran, Syria, Sudan, Russia, Zimbabwe and the Congo. Overall, as geopolitical developments occur and sanctions regulations evolve accordingly, companies should expect regulators to continue paying close attention to compliance with sanctions laws and actively pursue companies that infringe the relevant rules.
Lee: In September 2021, OFAC settled with Cameron International Corporation for its potential civil liability for apparent violations of the Ukraine-related sanctions. In this case, Cameron, a Houston-based supplier of goods and services for the oil and gas industries, agreed to pay almost $1.5m for apparent violations arising from its provision of services to Russian energy firm Gazprom-Neft Shelf for an Arctic offshore oil project. Cameron provided these services when US senior managers at Cameron approved contracts for its foreign subsidiary in Romania to supply goods to Gazprom-Neft Shelf’s Prirazlomnaya offshore oil production and exploration platform, located in the Russian Arctic. The lesson from the recent enforcement action is clear: even though the Russian subsidiary itself was not directly subject to the Ukraine sanctions programme, US persons cannot be involved in approving these contracts. Companies with international operations involving activities by US persons may face sanctions risks, even if the goods or services to a sanctioned entity are provided by non-US person entities or if the US person is not physically present in the US.
FW: What, in your opinion, are the key requirements of a robust sanctions compliance programme? To what extent are companies utilising technology to strengthen their processes and controls?
Deaconu: Gone are the days when an export controls and sanctions compliance professional could rely on the predictable world of ‘name screening’ and a shortlist of countries subject to comprehensive restrictions. It is also no longer the case that the answer to the question ‘can we do this deal?’ was a simple yes or no. Rather, export controls and sanctions compliance professionals are in the realm of ‘it depends’, shifting from a ‘let me figure it out’ mindset to a ‘let us try to figure it out together’ stance. However, for those professionals that can grasp the new world of export controls and sanctions, there are opportunities. Such professionals are evolving from their traditional role of compliance and legal advisers to become business savvy connoisseurs – trusted business partners skilled in a world of uncertainty and constant change. Today, companies can only answer the business question ‘can we do the deal or transaction?’ when they have a broad skillset, a detailed knowledge of the business deal, and an organisational footprint and infrastructure allied with robust business leadership. Strong compliance professionals are also strong business professionals, having developed the unique skill of being able to translate a complex regulatory environment and apply it to a transaction, while having the full support and understanding of senior management.
Katsoulis: An effective sanctions compliance programme is an absolute must and should always be tailored to the company’s products, structure and business model. Given that it can be a key mitigating factor for any violations of sanctions regulations, a robust sanctions compliance programme should include, as a minimum, certain key elements: senior management commitment, effective policies and procedures that are periodically reviewed and updated, robust legal agreements with and vetting of third parties, advanced screening capabilities, regular training of employees at different levels across the organisation, risk-based auditing, solid record-keeping practices, escalation and disclosure procedures, and adequate staffing. Technology is a key component of any efficient sanctions compliance programme, especially for any company operating across multiple countries. As sanctions regulations change often and rapidly, any technology and IT systems or processes used for compliance purposes should be sophisticated enough to accommodate such changes in order to effectively support any organisation’s compliance efforts.
Lee: According to OFAC guidance, a company’s sanctions compliance programme should employ a risk-based approach that is predicated on the five essential components of compliance: senior management commitment, risk assessment, internal controls, testing and training. Technology can be employed to assist with all of these components, except perhaps senior management commitment. For example, online, subscription-based tools are available to assist US companies with their corporate ownership queries, which include detailed ownership information that their analysts have obtained from various sources. However, sometimes it can be cost prohibitive and extremely time consuming for compliance resources at many US exporters to use these screening modules for every international transaction. Therefore, in developing a risk-based approach, it is important to identify the areas and transactions with the most risk, and to devote the most resources – including technology resources – to those areas.
Johnson: Put simply: screening remains paramount. Companies doing business across borders must have a screening feature built into their business process systems. Given the proliferation of sanctions, screening that is integrated into business processes to automatically vet transactions is almost essential. Anything less means that screening is subject to human error, shortcuts and workarounds that can lead to one or more regrettable transactions.
Bentley: Over the last few years, both the US and EU have published useful guidance documents to assist companies in developing strong programmes. The OFAC Compliance Framework, published on 2 May 2019, remains a useful blueprint to assist any company evaluating its sanctions compliance programme. The OFAC Framework sets out five key elements: commitment by senior management, risk assessments, internal controls, testing and auditing, and training. Yet a critical sixth element is that companies must also invest human resources in monitoring legislative changes published by authorities such as OFAC and BIS. It is essential that internal roles and responsibilities are defined such that designated legal or trade compliance personnel track and interpret for business colleagues the impact of such developments.
Munro: Because sanctions are driven by largely unpredictable external events, a key requirement to a robust sanctions compliance programme is creating the mechanisms that use internal data and external information to routinely update a business’ assessment of its inherent risks, the effectiveness and opportunities to modify and enhance the processes used to monitor and control its business operations, its training and its business strategies and policies. These are not standalone but must operate as an integrated programme. The ability to source, capture, organise, analyse, contextualise and incorporate the volume of internal and external data points increasingly relies on various technology-driven solutions.
Rezendes: OFAC itself has helpfully itemised the key necessary components of a successful compliance programme in its framework for compliance commitments: management commitment, risk assessment, internal controls, testing and auditing, and training. In achieving this base case, technology has indeed emerged as a necessary ingredient to strengthen processes and controls. For example, gold standard screening tools widely used across the market today tell us far more about the screening target, which is critical in assessing sanctions risk. Indeed, in considering OFAC’s 50 Percent Rule, without the aid of technology it may not be readily apparent that a potential counterparty is owned by one or more sanctions target.
FW: How important is it for companies to carry out sanctions-related due diligence in their global business dealings? Are more companies seeking suitable assurances from entities they engage with, to reduce their exposure?
Lee: In its guidance on sanctions compliance, OFAC has made it clear that it expects companies to clearly communicate its sanctions compliance policies and procedures to all relevant staff, as well as relevant gatekeepers and business units operating in high-risk areas, including customer acquisition, payments and sales, and to external parties performing sanctions compliance responsibilities on behalf of the organisation. Failure to ensure adequate communication of sanctions risks and restrictions not only increases the chances that a violation will occur, but also decreases the chances that OFAC will mitigate or lessen any penalties as a result of that violation. Since civil penalties can be assessed by OFAC on a strict liability basis – that is, no showing of negligence is required – it is extremely important to take every action possible to put your organisation in the best possible position to persuade OFAC to mitigate any penalties to the greatest extent possible.
Johnson: Sanctions diligence is imperative for any company doing business globally. Most of these companies have systems and processes in place to diligence their business partners and transactions, including processes to gain adequate insight into end users who may not be direct customers. However, too often in a merger or some other deal, diligence turns up weaknesses in sanctions and export control processes. That scenario often is a hard lesson for the management of the target as the presence of sanctioned entities in a customer base or transactions that appear to have not been properly diligenced for sanctions exposure can lead to significant trouble in the merger or acquisition. Not only should a company have a strong sanctions diligence process to keep itself out of harm’s way as it conducts its daily business but, if a company if going to put itself on the market for acquisition, lack of focus on sanctions compliance can become a significant barrier to completing a transaction.
Bentley: Operationalising effective third-party risk management must remain a priority of any corporate compliance programme, and companies are seeking suitable assurances via contractual obligations and revised third-party codes. However, the risks inherent in M&A are often overlooked. Given the expanding landscape of sanctioned parties, particularly under Magnitsky-style human rights sanctions programmes, in-house lawyers should proactively incorporate M&A due diligence questions related to sanctions and export controls, and insist on appropriate warranties and representations where needed.
Katsoulis: Sanctions regulations are continuously evolving and becoming increasingly complex. As a result, sanctions-related due diligence is an absolute must, and every company should ensure that all its activities remain in compliance with applicable sanctions regulations. Sanctions compliance should be an integral part of the culture and practice of any company engaged in international trade activities, especially if these involve high-risk products, countries or business partners. As government enforcement remains active, companies cannot afford to be found in breach of the relevant regulations and become exposed to potentially significant penalties and negative publicity. Sanctions-related due diligence should therefore be a critical component of any company’s processes to mitigate any potential compliance risks. As the complexity of the relevant regulations continues to increase, written assurances from third parties are quickly becoming more standard, especially in the context of mergers or acquisitions, setup of business relationships with new partners or countries, or day-to-day transactions with existing business partners.
Munro: There are many ways sanctions risks are managed. In isolation, no one approach to mitigating sanctions risk is perfect, so it is typical for a range of different preventative and detective controls to be used, working in concert to help a business identify, understand and take actions to mitigate its risk and exposure to sanctions. The due diligence any particular business conducts to understand its risk of exposure to sanctions and to understand what actions may be necessary to mitigate that exposure will vary, but in many contexts, the end-to-end transparency into every possible point of potential exposure is incomplete, inaccurate, impractical or impossible. As a result, businesses must balance the limitations of their due diligence against the sanctions risks and the options for mitigating those limitations. Assurances from business partners, clients or vendors who have access to the relevant information and the ability to detect and manage the sanctions risks at the most effective point in the end-to-end process is common and, if implemented correctly, an effective preventative control. But as with all forms of reliance, it has obvious limitations. Whether it is a reasonable and effective way to manage the risks will depend on the specific context, including the likelihood of exposure to sanctions, the party’s capabilities making the assurance, and the clarity and transparency of each party’s roles and responsibilities.
Rezendes: It is paramount that companies carry out sanctions-related due diligence in global business dealings. US sanctions generally impose strict liability, including liability for non-US persons who cause a US person to violate US sanctions, and liability for a US person who facilitates, even unknowingly, a transaction by a non-US person which would have been prohibited for the US person. In assessing the appropriate enforcement response to an apparent violation of its regulations, OFAC will consider what diligence steps were undertaken to guard against a potential sanctions issue, including what representations and warranties were sought to ensure downstream compliance for all parties. Although seeking assurances around sanctions compliance from counterparties will generally not insulate a party from its own sanctions liability, OFAC will consider the existence of such assurances in an enforcement context.
Deaconu: Given the complexity and uncertainty of the regulatory and business landscape, companies need to reach out and find solutions in the contracting realm of representations and warranties. While this is good practice, and should definitely not be ignored, it is not enough to withstand the high bar of ‘had reason to know’ and ‘should have known’ that regulators set. Contractual warranties tend to bring a false sense of security and safety, with business leaders often blind to realities while failing to partner with the export control and sanctions professional in international deals. If the compliance due diligence piece of a puzzle is missing, the puzzle is not complete. Additionally, the latest trends, such as the insertion of complex, contractual language into all kinds of contractual agreements, is worrying, with the language often not fit for purpose and creating legal liability upon acceptance. Now more than ever, companies need to have a specific programme in place to review the general terms and conditions of their suppliers, as well as a well-trained procurement team that understands the liabilities associated with acceptance of such terms, alongside an ability to comply for the scope and duration of the contract. When lawyers or procurement teams do not understand the provisions of the language, a state of ‘death by contract language’ can be the result, bringing unnecessary risk instead of achieving its purpose of protection.
FW: In your opinion, do companies need to improve their ongoing compliance processes? To what extent should they proactively review and update internal controls in line with regulatory changes, new business strategies and shifting market conditions, for example?
Katsoulis: Sanctions regulations are never static. They continue to change very frequently and, in many cases, without much advance notice. Although companies should have robust compliance programmes in place that are tailored to their structure and business operations, they also need to ensure that they can quickly adapt to new challenges and legal requirements. It is therefore critical that developments in sanctions regulations be actively monitored, and any internal processes be periodically reassessed, adapted as necessary and regularly audited to ensure that they remain effective and in line with applicable regulatory requirements. Training is a key component in this case and companies should ensure that their employees – across different levels of the organisation – are adequately trained in sanctions compliance matters. Business practices and strategies should also be periodically re-evaluated to ensure that the company can stay clear of any high-risk areas that could lead to violations of sanctions regulations, which can be extremely costly and damaging to any organisation.
Bentley: Many multinational companies – particularly in the life sciences sector – face compliance exposure in countries which are volatile due to political instability, civil war, sanctions and alleged violations of human rights. To reduce the risk of decision-making inertia in the face of such challenges, it can be useful for companies to formalise a risk review and decision-making structure. Certain companies have developed a committee framework to assess ongoing activities and any proposed new business engagements in certain countries facing these challenges. This framework typically requires senior management engagement, the commissioning of enhanced due diligence reports for prospective new partners, and cross-functional involvement – including commercial leaders, legal and compliance.
Johnson: Properly devised, a compliance process should be able to handle regulatory changes and new sanctions initiatives with little or no modification. The sectoral sanctions programme that OFAC rolled out about seven years ago required some modifications to programmes, but if a company has a solid screening programme, the changes required to ensure proper attention to sectoral sanctions risks are often modest. Those companies that have not taken the time and effort to implement that basic backbone of a compliance programme seem to be forever playing catch up as the regulatory framework changes and, for example, as OFAC imposes more and more targeted sanctions. Ironically, an embargo is oftentimes much simpler from a compliance perspective than a more nuanced and targeted sanctions programme.
Munro: Because businesses are complex, new technologies and innovations are resulting in new products and faster operations, and sanctions are by nature nuanced, borne from geopolitical events, and frequently changing with no prior notice, the most essential feature of a sanctions compliance programme, unique when compared to other regulatory compliance programmes, is the ability to incorporate complex changes almost instantaneously. These factors have the potential to undermine a sanctions compliance programme when a business lacks a clear articulation of the internal policy and commitment by the business leadership to comply with that policy. Despite ever-changing, complex geopolitics, every person in the business needs to know, as a broad principle, what business activities the company will not conduct, and that the leadership stands behind and will enforce its policy. Similarly, businesses must understand when and how to modify long-existing compliance controls to adjust to the new, unique and evolving products and business operations or the novel ways in which governments have crafted new regulatory sanctions. A business cannot simply assume existing sanctions controls are effective without assessing these developments to understand what a sanctions exposure will look like in the new environment, where in the operational processes these indicators of sanctions exposure, both new and old, are detectable, and which technology is capable of effectively identifying those indicators at the relevant point in the evolving business operations, in light of the type, format and accessibility of the often new data collected in the delivery of these new products and services.
Rezendes: The best compliance processes are living things – agile, flexible and able to change with regulatory changes, new business strategies and shifting market conditions. An effective compliance process – one that could withstand scrutiny were it to be examined – is regularly evaluated, audited and updated to address changing circumstances.
Deaconu: In a world where change and uncertainty are a constant reality, continuously assessing and improving is the new normal. There was a time when compliance processes were stable and not much changed at a process level, however today’s business and regulatory environment is different and rigid processes are a risk in this new reality. Today’s compliance programmes and any improvement processes need to have two pillars: a compliance ecosystem and a people ecosystem. A compliance ecosystem comprises an internal compliance programme specifically tailored as a flexible formula: external reality and internal reality equalling a risk and control environment. A people ecosystem consists of the way an organisation positions its export controls and sanctions professionals, alongside compliance know-how, as normal business practice, effortless and with low friction. Overall, however, there is no ‘one size fits all’ approach. However, there is one constant element that can make or break a compliance programme in any organisation: people. People who are empowered to make the right decisions and have the compliance infrastructure to support those decisions without having to go through a long review and decision process, are the heroes of an effortless compliance culture and the dream of any compliance executive.
Lee: Our advice for companies looking to improve their ongoing compliance processes is to proceed with caution but with all deliberate speed. Go the extra mile with your diligence on these companies and individuals and use all available resources. OFAC will expect you to be familiar with all publicly available information about your counterparty, and you will want to be familiar with even the non-public information to the extent you can access it. And continue to monitor developments in regions like China and Russia. What is an authorised transaction or permissible person or entity today could be unlawful tomorrow.
FW: Looking ahead, what are your predictions for the sanctions landscape in the coming months? Do you anticipate increased government enforcement, and greater risks for multinational companies?
Bentley: The Treasury Department will likely take further steps to implement the October 2021 conclusions of its sanctions review, including continuing multilateral coordination where possible, adopting a structured policy framework linking sanctions to a clear policy objective and calibrating sanctions to mitigate unintended economic, political and humanitarian impacts. Companies can also expect an increase in enforcement activities by the DOJ and BIS. Following its recent prosecution of German company SAP, the DOJ has made public statements pledging to increase the number of sanctions and export control enforcement cases. Meanwhile, Matt Axelrod, the new appointee as assistant secretary of BIS’ Office of Export Enforcement, noted at his confirmation hearing that he intends to “raise the profile of export enforcement” as a means of incentivising compliance programmes and deterring potential violations.
Johnson: So much depends on Russia and Ukraine. The Biden administration has spent significant time evaluating sanctions levers to deal with Russian aggression in that region. If Russia presses forward and launches an incursion into Ukraine, we are apt to see sweeping new sanctions rolled out. In addition, the Biden administration’s focus on human rights may also significantly shape the sanctions landscape. A little more than 10 years ago, Sergei Magnitsky died in a Russian prison, and since then, we have seen a fairly steady initiative by the US and other governments to look hard at human rights abuses and impose sanctions on perpetrators. Obviously, the most publicised issue on the world stage right now is the Chinese government’s treatment of Uyghurs. I think we are bound to see more and more sanctions from Western governments prompted by human rights abuses. Multinational companies cannot afford to run afoul of such sanctions, because both the penalties and negative public relations ramifications can be debilitating.
Munro: We can expect to see increasing complexity, particularly where sanctions are imposed on extraordinarily difficult geopolitical issues where the economic and human consequences are unpredictable and severe. This will require businesses to find ways to analyse and understand the risks and indicators within their own data to identify emerging obfuscation typologies and circumvention risks. Businesses cannot do this in isolation. Staying ahead of newly emerging typologies and evolving opportunities for circumvention depends on greater communication and sharing of relevant information between parties and with relevant authorities.
Rezendes: We are unlikely to see the imposition of new country-wide sanctions programmes like Iran or Cuba, but rather we will likely continue to see the issuance of broad-based executive orders and statutes that are deployed on an incremental basis in response to and at pace with the geopolitical landscape. Through the issuance of broad authorities that provide for significant sanctions, but which are leveraged gradually, the US retains maximum flexibility to address threats to US national security in a moderated manner, which, if done effectively, will aim to minimise unintended consequences and collateral damage. The added benefit of such an approach is that the existence of sanctions authorities – even when not deployed – is often a significant deterrent to the market.
Deaconu: Today, one would have to be a clairvoyant to predict with any sense of accuracy the sanctions landscape in the coming weeks, let alone coming months. There are things that are inside the sphere of control of sanctions professionals and some that are not. A professional should focus on the elements that can be controlled, while monitoring and trying to influence those outside their direct control. Organisations that have a people-focused ecosystem, in conjunction with leaders who have compliance in their DNA, have less to fear in an uncertain regulatory world. Moreover, organisations that view sanctions and export controls compliance through a rigid lens often find themselves in muddy waters when trying to comply with complex legal requirements that deal with issues such as human rights, anti-corruption, facilitation, secondary sanctions, significant transactions, reputation, sustainability or investment risk. The move from multilateralism to plurilateralism and nationalism requires a wide lens to capture all the flavours of the compliance environment.
Lee: We expect Russian sanctions to take centre stage in the coming months. The Biden administration has said that all options remain on the table and has suggested that it could impose an array of sanctions on Russian financial institutions, as well as new restrictions on the export of American products. The most far-reaching option on the table is to take away Russia’s access to Swift, the Society for Worldwide Interbank Financial Telecommunications. Swift is a Belgian messaging service that connects more than 11,000 financial institutions involved in global money transfers. Swift does not actually hold or transfer funds but allows banks and other financial firms to alert one another of transactions that are about to take place. Blocking access to Swift would deal a strategic blow to the Russian financial system. Another area to look out for is the area of digital currencies and ransomware. OFAC this year intensified its focus on digital currencies and ransomware by issuing multiple rounds of industry guidance and announcing the first US sanctions designation of a virtual currency exchange. As cyber crime and ransomware schemes proliferate, OFAC appears poised to continue pursuing investigations and enforcement actions in the virtual currency space.
Katsoulis: Sanctions regulations are continuously evolving in response to different types of perceived threats and geopolitical situations. They are becoming increasingly complicated and require companies to invest significantly in time, people and systems to ensure compliance. In 2021, we also saw increased coordination between governments in imposing new sanctions, which we should expect in the months to come as well. Russia and Iran will likely continue being in the centre of sanctions-related developments and enforcement actions. However, it will also be interesting to monitor developments in relation to China, Belarus, Venezuela, cyber security threats and human rights violations and forced labour. Extended use of denied or restricted party lists is also likely to remain a key tool in any regulator’s arsenal going forward. As sanctions regulations become more complex and far-reaching, companies should be as proactive as possible and ready to quickly respond to new challenges and more complex legal requirements, which will continue to make sanctions compliance a priority for multinationals.
Maura Rezendes advises clients – financial institutions and corporates alike – on a wide range of matters implicating economic sanctions administered by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), foreign investment in the US regulated by the Committee on Foreign Investment in the United States (CFIUS), export controls, anti-corruption and money laundering. He/She can be contacted on +1 (202) 683 3864 or by email: maura.rezendes@allenovery.com.
Konstantinos Katsoulis is responsible for all trade compliance matters at Cardinal Health. He has over 23 years of experience in a wide variety of trade matters, including customs, export controls and trade sanctions, encryption, disclosures and audits. Prior to joining Cardinal Health, he worked for PerkinElmer, Toyota Motor Europe and Baker & McKenzie. He has a Law Degree from the University of Athens and Master’s Degrees in European and International Law from the ULB in Brussels. He can be contacted on +41 75 433 1753 or by email: konstantinos.katsoulis@cardinalhealth.com.
Judith Alison Lee’s areas of expertise include OFAC, FCPA, export controls, CFIUS, and blockchain and cryptocurrency issues. Ms Lee has consistently been selected by Chambers Global-Business as a leading lawyer for USA International Trade in Export Controls and Economic Sanctions, and by Chambers and Partners as a leading International Trade Lawyer in Chambers USA: America’s Leading Lawyers for Business Guide. She is former co-chair of the IBA’s Export Controls, Sanctions and Anti-Corruption Subcommittee. She can be contacted on +1 (202) 887 3591 or by email: jalee@gibsondunn.com.
Nicholas Bentley is Head Legal Trade Sanctions at Novartis. He is responsible for providing strategic and operational legal advice for all activities regarding sanctions. He also leads the cross-divisional legal trade sanctions team. Mr Bentley is based in Basel, Switzerland. He was admitted to the Ontario Bar in Canada. Mr Bentley holds a dual JD/Bachelor of Civil Law from McGill University in Montréal, where he specialised in international trade law and European Union law. He can be contacted on +41 79 690 98 19 or by email: nicholas.bentley@novartis.com.
Adela Deaconu provides leadership to Philips’ export control officer network around the globe. She represents Philips toward various governmental and non-governmental bodies worldwide and actively participates in export controls and sanctions discussions at EU and UN level as well as with US government representatives in BIS and OFAC. She also leads the NL, US BIS and OFAC licence programme for Philips. She can be contacted on +31 6 156 39802 or by email: adela.deaconu@philips.com.
Stevenson Munro is the global head of economic sanctions compliance, high risk clients and emerging threats at Standard Chartered Bank. He has over 20 years’ experience in all aspects of economic sanctions compliance both within the US Treasury Department and in multiple financial institutions where he has been responsible for setting the strategy, programme design and implementation of comprehensive sanctions and financial crime compliance programmes. He can be contacted on +1 (202) 255 5341 or by email: stevenson.munro@sc.com.
Dave Johnson leads the export controls and economic sanctions practice at Vinson & Elkins LLP. He works with companies to manage legal complications that may arise from exports as well as inbound foreign investment. His work on export controls, economic sanctions and national security matters over many years has involved ITAR, EAR and the sanctions regimes administered by OFAC, DDTC and the Bureau of Industry and Security (BIS). He can be contacted on +1 (202) 639 6706 or by email: drjohnson@velaw.com.
© Financier Worldwide
THE PANELLISTS
Allen & Overy
Cardinal Health
Gibson, Dunn & Crutcher LLP
Novartis Pharma Services AG
Royal Philips
Standard Chartered Bank
Vinson & Elkins LLP