Sanctions compliance – The bare minimum isn’t enough
Eric Sohn, Director of Business Product, Dow Jones Risk & Compliance, New York, warns against trying to scrape by with a minimal sanctions compliance programme.
When faced with sanctions compliance requirements, many firms focus on ‘requirements’ so as to avoid regulatory scrutiny. However, de minimus efforts to ‘tick the box’ frequently fail to identify and address important aspects of regulatory expectations, as well as commercial concerns that can have a noticeable impact on a company’s bottom line. While, ultimately, a firm may choose to establish lower standards of care for their international business, or to ignore requirements not reflected in sanctions listings, it is vitally important that such a decision is the result of proper due diligence, and not one created for reasons of expedience or purely to minimise the costs of compliance.
Companies should consider whether or not their sanctions compliance programme needs to contain the following elements:
- geographic place names in countries subject to comprehensive sanctions
- names of companies owned or controlled by sanctions targets, and
- sanctions lists from foreign jurisdictions in which business is conducted, as well as any data required by regulation and/or guidance.
Where in the world?
Sanctions regulations, once they expand beyond asset freezes of specific people, and begin blocking significant swaths of import and/or export to a particular country, require a heightened level of diligence. On a basic level, one must check every transaction containing a reference to these countries, or a location within them.
There aren’t a lot of these comprehensively sanctioned countries. Most of them are only sanctioned to that extent by the US, although other national regulators may impose targeted sanctions (for example non-comprehensive measures against specific targets). However, the United Nations imposes comprehensive sanctions against the Democratic People’s Republic of Korea, so, technically, all firms need to have some level of geographic location screening.
The types of geographic locations a firm should search for include country and city names, airports and seaports (both the names and the standardised port codes), as well as the names of regions (for example Crimea, Macau) and free trade zones that may be used in normal commerce to identify a location. However, in order to not be swamped by the pure volume of such locations, consider how many people would live in a municipality large enough to house a company likely to do business internationally? While it is certainly possible that a village of 1,000 persons could be the location of an export/import company, it is not particularly likely.
Whose is this?
Both the US and European Union have issued regulatory rules stating that companies which are not listed on sanctions lists, but which are majority owned by individuals or firms that are, are themselves considered sanctioned. The US sanctions regulator, the Office of Foreign Assets Control (OFAC), issued a multi-million dollar civil penalty to a bank which did not properly comply with this ‘50% Rule.’ Clearly, one ignores such generalised rules at one’s peril.
Even if your domestic regulator does not have such rules, sanctions regulations often prohibit dealing in ‘property or interests in property’. It is reasonable to assume that firms owned by those on sanctions lists would fall into that category. However, such prohibitions are only realistic for legal entities with which a company deals directly. For one’s customers, suppliers and partners, it would be prudent to identify those who own or control those entities, and to consider declining the business if it is not possible to do so.
Depending on the nature of the business a firm conducts with counterparties in a given jurisdiction (as well as other factors outlined in the final section of this article), it may be prudent to include that location’s sanctions lists as well as the targets implied by regulations and guidance (for example those specified in the previous two sections) in a firm’s sanctions compliance programme. While foreign regulators will not have legal jurisdiction, there are potentially both regulatory and commercial consequences of violating other countries’ sanctions requirements. These are explained in greater detail below.
It is important to understand the variety of sanctions list and listing types. The type of sanctions list most familiar to firms are blocking lists. A transaction which violates a blocking list will result in monetary losses, as the transaction will be blocked and not executed. Additionally, there are not-blocking lists; transactions which violate these are returned to the instructing customer. A firm can certainly decide, on a risk-based basis, to comply with any combination of the published lists, in order to appropriately manage that element of their regulatory and commercial risk.
Within sanctions lists, certain listings may specify that ‘secondary sanctions’ are attached. Secondary sanctions, as imposed by the US (the only country known to impose them), result in the imposition of restrictions on future business dealings in the country if a company conducts business dealings with the sanctions target (even if the business does not directly involve the US). The most notable of these secondary sanctions were those imposed on firms who did significant business with sanctioned Iranian banks or were involved with significant purchases of Iranian petroleum products.
Truth or consequences
Within a firm’s home country, there are a range of consequences stemming from trying to scrape by with a minimal compliance programme.
Whether or not a less rigorous programme puts a company in regulatory jeopardy heavily depends on the enforcement philosophy of the domestic regulator. OFAC, in the US, is amazingly transparent in that regard. On their website, they provide access to their Enforcement Guidelines, which explain the range of penalties that can be imposed (from no enforcement action to the imposition of a civil monetary penalty), as well as the factors that are considered in making the decision and determining the size of any penalty. In addition, they provide a substantial archive of past enforcement actions, each of which (since 2012) explains the details of the actions at issue, the penalties imposed and the factors (from the Enforcement Guidelines) which were considered in fixing any penalty assessed. In the absence of detailed guidance from other regulators, the OFAC Enforcement Guidelines provide a good baseline from which to start understanding a firm’s regulatory exposure. However, it might be prudent to assume stricter enforcement and harsher penalties in environments where high-profile financial crimes (including money laundering, and bribery and corruption) have occurred recently.
When considering the level of domestic compliance beyond the minimum, note that OFAC’s Enforcement Guidelines factor in the size and level of commercial sophistication of the offending person or company. Small firms, especially those with little international business, are not expected to be as far-reaching in their compliance efforts as larger firms with riskier business models.
Besides the obvious ability of a domestic regulator to impose financial penalties, companies should also consider the impact of the publicity surrounding the enforcement action, if any. It may cause defections from current customers, suppliers and business partners as well as create hurdles to acquiring new customers and working on new efforts with suppliers and partners.
Lastly, regulators can also specify changes to a firm’s compliance programme as part of remediating the programme gaps. This can result in companies needing to expand staff, change policies and procedures, and hire consultants to do extensive lookbacks of older business transactions. Regulators can also require that a firm’s compliance programme be overseen by an independent monitor. This loss of control over how a firm conducts part of its business may, in fact, be the most significant, long-lasting consequence of regulatory enforcement.
As discussed earlier, international jurisdictions, even if they can’t impose a civil monetary penalty, can take actions that impact a firm’s access to that market. Financial services firms can have their business with US banks restricted or even terminated, under a number of statutes, including Section 311 of the USA PATRIOT Act, the Iran Sanctions Act, and the 31 CFR Part 561, which emanated from the National Defense Authorisation Act. Violations of the Iran Sanctions Act can also cause a number of restrictions to be imposed by the US to both financial and non-financial firms.
Non-financial companies should additionally identify the import/export restrictions a country can impose on a firm for activities which thwart their sanctions programme goals. In the US, for example, the Commerce Department can require the granting of an export licence in order to gain access to US-origin goods. This is, in fact, the sanction applied to ZTE Corporation when it shipped US-origin goods to Iran.
Cut to commercial
Even if a firm has no regulatory liability beyond its shores, there are still real-world implications of limiting one’s sanctions screening programme to domestic requirements. Imagine, for example, that a financial services firm in the US makes a payment through an EU correspondent which ultimately credits a person subject to the sanctions imposed under the Guinea-Bissau programme. In the best case, the correspondent bank freezes the assets and the US firm is out the money. The company cannot rightly claim that the customer must bear the brunt of its error, as it had the capacity to intercept the transaction and return the funds to the customer. It therefore must make the customer whole, so they can re-attempt the transaction in a way that skirts the EU and any other countries which sanctions that party. If and when the sanctions are lifted from the target, the firm can attempt to get the frozen assets released. In the meantime, however, the US company’s bottom line has learned a potentially expensive lesson.
Unfortunately, that is the best outcome in such a case. A correspondent bank could certainly choose to terminate the correspondent relationship. In theory, this could leave the instructing bank without a correspondent in the currency that the affected transaction was denominated in. In such a case,
the bank’s clients would not be able to effect international trade transactions involving that currency. It is also reasonable to expect that a global bank might blacklist such a correspondent, one who causes them to incur additional compliance costs and raises their profile with their regulator, on a global basis. Depending on the diversity of one’s correspondent network, such an action might be catastrophic to one’s corporate services business.
Even international sanctions that do not involve asset freezes have commercial customer satisfaction implications. If an EU bank, for example, makes a payment through a US bank for a firm on OFAC’s Foreign Sanctions Evaders or Non-SDN Palestinian Leadership Council List, the originating customer will get their funds returned to them. However, that return of funds may not be same day. This can not only create the need to reimburse the customer for the use of their funds, but may affect their customer satisfaction for not having caught the reference to the sanctions target before it left the originating bank.
Where firms choose to address international regulatory concerns, and their commercial knock-on effects, and where they do not, is ultimately a risk-based decision. That calculation should consider a number of factors related to both the type of business the firm is involved in and the jurisdiction involved:
- The total value of transactions conducted in a given country provides a sense of Value at Risk (VAR). A country whose VAR is insignificant might present a more acceptable argument for ignoring their sanctions requirements.
- The total number of transactions conducted provides a sense of how likely one might be stopped for compliance concerns, while the average size of transactions can help a firm estimate the bottom line impact of a compliance issue.
- Identifying which clients transact in a given jurisdiction may inform a firm of the commercial impact of customer service issues arising from stopped items.
- As a purely actuarial matter, identifying the correspondent banks, and the location of their headquarters, can further inform the likelihood of those correspondents identifying, and acting upon, a sanctions violation arising from a less rigorous programme. For example, a foreign branch of a US financial institution is more likely to be diligent in its compliance requirements in a country not known for sanctions enforcement than a domestic institution from that jurisdiction.
- Companies can consider how different a foreign country’s sanctions requirements are from their domestic requirements. If, for example, a jurisdiction’s sanctions listings overwhelmingly mirror that of the United Nations, that may minimise the need for specialised processing for that country.
- A foreign country’s history of enforcing sanctions regulations may also be a consideration, all other things being equal. If a foreign regulator does not impose penalties for sanctions violations, or for programme shortcomings, it makes it less likely that a firm in that country will monitor for sanctions violations and, therefore, a smaller risk of an issue with transactions sent to that country.
Additionally, the risk-based decision on the amount of effort to comply with international sanctions requirements should be cognisant of a given country’s strategic importance to a firm’s strategic plans. Even if the current exposure is slight, the impact of having a presence in a particular jurisdiction, and a spotless reputation for adhering to local laws and regulations, may outweigh any potential savings from taking advantage of near-term shortcuts in daily compliance processing.
By the numbers
Technically, there are no laws that say one has to implement a sanctions compliance programme, or how comprehensive that programme needs to be. But the laws, and the attendant regulations and guidance, do lay out the consequences. While ultimately a firm may or may not incorporate some of the above elements into their policies and procedures, it is essential from a risk management perspective to do the cost/benefit analyses relating to adopting or ignoring each additional extension to current compliance processes.
Director of Business Product,
Dow Jones Risk & Compliance,
The author can be contacted at: firstname.lastname@example.org.