Sanctions compliance: balance between reactivity and proactivity
November 2022 | EXPERT BRIEFING | GLOBAL TRADE
financierworldwide.com
Compliance, in the general sense, encompasses a business’s abidance by the rules and regulations of the jurisdictions it operates in, as well as by applicable international treaties.
A prerequisite for efficient compliance is risk identification and management. It lies in the definition of the risk portfolio depending on business specifics, ranking those risk profiles from low to high, measuring a company’s risk appetite, and, lastly, implementing preventive measures to manage, influence and minimise identified risks.
Effective risk management considers every conceivable scenario in which a business may find itself, because sometimes naming a risk can be enough to eliminate it. For instance, businesses need to take into account foreign (seemingly inapplicable) legislation, like US export controls that could come into play whenever US origin goods are part of the deal. Or sanctions legislation, which inevitably affects business worldwide, even if one is not legally obligated to follow it.
Depending on the legislative and enforcement framework of the country, as well as their business specifics, companies can face different challenges and compliance considerations, respectively. Take Transparency International’s annual Corruption Perceptions Index, for instance, which ranks countries depending on perceived levels of public corruption.
Given that data, and combined with their risk appetite, companies assess risk differently and implement compliance measures and instruments of varying depth and intensity. The more complex and comprehensive a sanctions programme is, the more factors and controls should be taken into account when doing business.
Sanctions compliance is crucial for companies that have a large number of clients (counterparties) around the world, operate internationally, depend on foreign-made goods and technology, and effect foreign currency transactions. Even for smaller companies, though, ignoring sanctions could result in the imposition of ‘secondary’ sanctions against them, leaving them cut off from US counterparties or their bank accounts.
As well as ethics, anti-money laundering (AML), anti-corruption and other areas of compliance, sanctions have become and will remain one of the most important compliance considerations for companies conducting business around the globe. Sanctions compliance is also challenging when it comes to flexibility in decision making.
Traditionally, banks are pioneers and (for the most part) ‘straight-A students’ when it comes to sanctions compliance. Due to dealing with a huge number of clients worldwide, and given the fact that banks are frequently prosecuted by regulators (where penalties may reach billions of dollars), banks possess a deeper understanding of the value of sanctions compliance. A proper sanctions compliance programme (SCP) was first described by the US Office of Foreign Assets Control (OFAC) in 2019. It includes five essential elements: (i) management commitment; (ii) risk assessment; (iii) internal controls; (iv) testing and auditing; and (v) training.
Currently, OFAC’s approach is universally acceptable and widely used, regardless of jurisdiction. An SCP is no longer a defining feature of a large multinational corporation – it is routinely implemented in smaller ‘mom-and-pop shops’ too.
The elements of an SCP are interdependent and ensure the overall efficiency of the programme. Thus, senior management’s commitment to supporting an organisation’s SCP determines its success. Routine and ongoing risk assessment ensures that risks are accurately identified and addressed appropriately.
Internal controls exist to outline clear expectations, define procedures and processes pertaining to sanctions compliance, and minimise risks identified in risk assessments. In the case of MidFirst Bank, its internal controls were not strong enough: specifically, counterparties were only screened monthly whereas they should have been screened daily, if not hourly. Testing and auditing identify weaknesses and deficiencies in an SCP, so enhancements can be made. Finally, training provides employees with job-specific knowledge and sets out clear expectations for their sanctions compliance responsibilities.
The existence, nature and adequacy of an SCP are evaluated by OFAC in its investigations and can drastically change the amount of penalty a violator faces. Consider that OFAC can prosecute entities extraterritorially, and the proactive implementation of an effective SCP becomes even more compelling.
This is what makes a proactive, well designed, tailor-made SCP an irreplaceable tool – not only to run a business smoothly, but also to save the company significant cash or even prison time. However, one must not be ignorant of the fact that sanctions are an extremely dynamic regulatory tool that follows rapidly evolving political circumstances. Unexpected regulatory changes could interfere with business plans and may fall outside the scope of a pre-made SCP. In these situations, standard compliance programmes may no longer meet a business’s changing needs.
That is the time to react quickly. Granted, before February 2022, businesses could not know that massive sanctions would be imposed against Russia; even less what countermeasures Russian lawmakers would rapidly deploy to resist them.
Russian authorities imposed restrictions on exports of certain significant items, including medical, technological and telecommunication equipment, forcing some Western companies to make write-offs. For some businesses, exiting the market became subject to local authority approval, if not prohibited. Raiffeisenbank, Unicredit-bank, Citibank, Intesa, Sumitomo Mitsui Bank and dozens of others found themselves temporarily unable to sell their Russian affiliates. In some cases, businesses faced a conundrum whereby Western sanctions made it illegal for them to remain, while Russian countermeasures forbade them from leaving.
Since February 2022, approximately 1000 companies have either suspended or ceased their operations in Russia. The majority said they elected to withdraw rather than trying to find solutions, on a cost-benefit basis. Naturally, those deeply rooted in the market find it more challenging and expensive to cease business. Reputational risk should also be borne in mind. Russia rapidly became ‘toxic’ to most Western companies.
The quickest companies were able to leave the market before it became difficult or impossible. The lesson some learned is that it is easier to halt operations on a de facto basis, and to formalise an exit later, once it becomes possible.
It is doubtful that any of the businesses that either left Russia or remained had any idea what was coming. However, had they imagined that risk and proactively included it in their risk assessment, they would have been able to make quicker, more rational and more cost-effective decisions.
Prior risk assessment can provide a business with insight into a potential ‘crash’ scenario and allow it to understand the factors that would cause it to suspend business, exit a market, or take some other step. Proper and effective risk management considers risks that may appear unrealistic at the time, but prepares a reaction plan regardless. This plan will come in handy in the event that the risk scenario actually occurs (for instance, the imposition of comprehensive sanctions).
Methods of market exit that proved effective in Russia could assist corporations in reacting to similar sanctions threats in other regions. Modern, large businesses appear to have been tempered by the Russia experience and are prepared to apply the lessons learned to their Chinese assets if Taiwan is attacked. For instance, some companies had a plan ready for extreme situations, and were able to successfully implement it in response to the coronavirus (COVID-19) lockdowns. Similar reaction plans should exist for terrorist attacks and other force majeure events, such as war.
As always, the balance of risk versus reward should be observed. Sanctions do not always hinder business activities; sometimes they merely introduce additional compliance requirements. The ability to quickly adapt to new sanctions regulations could save a business significant costs associated with rushing headfirst to exit a market instead.
Hence, both proactive and reactive compliance measures should be combined, in order to minimise damage (both financial and reputational), manage risks (whether foreseeable or unexpected) and help the business continue to generate revenue in the modern world.
Konstantin Dobrynin is a senior partner at Pen & Paper. He can be contacted on +44 (0)20 7337 2600 or by email: k.dobrynin@pen-paper.com.
© Financier Worldwide