Assessing Third-Party Sanctions Risks (Part II of III)
Designing appropriate third-party sanctions controls requires reverse engineering the relevant case law, particularly the Epsilon Electronics case, which I reviewed in Part I of this series, and the Department of Treasury’s Office of Foreign Assets Control (“OFAC”) sanctions regulations. It is one thing to detect and prevent situations where a company actor has “actual knowledge” that a shipment to a third party is going to be reshipped to a prohibited country, entity or individual. It is another thing to extend such controls to detect and prevent shipments where a company actor has “reason to know” that a shipment to a third party will be transshipped to a prohibited country, entity or individual.
OFAC implicitly acknowledges this difficult compliance challenge in its statement that “reason to know” can be established through a variety of circumstantial evidence, including “course of dealing, general knowledge of the industry or customer preferences, working relationships between the parties, or other criteria far too numerous to enumerate.” This list of potential evidence is expansive and presents real challenges for compliance officers.
As a first step, companies have to begin where all compliance officers start – referring to OFAC’s Framework for Sanctions Compliance Commitments, the definitive guide issued by OFAC in May 2019. Organizations have to take a risk-based approach that is keyed to identify potential areas in which the organization may engage with OFAC-prohibited persons, parties, countries, or regions. As part of this process, organizations should assess their customers, supply chain, intermediaries and counter-parties, the commercial products, networks and systems, and the geographic locations of customers, supply chain, intermediaries and counter-parties.
The purpose of the risk assessment is to identify inherent risks and make risk-based decisions and controls. Organizations have to integrate existing information and data about their third parties in order to ensure a robust and accurate assessment of risks. At the heart of this assessment has to be the geographic locations of an organization’s third-party intermediaries. For example, third parties that are located in Dubai present a serious risk, solely by virtue of their proximity to Iran. Similar situations of geographic proximity occur in relation to North Korea, Cuba, Syria and other prohibited countries (and Crimea as a prohibited region).
Organizations have to apply OFAC’s broad standard defining circumstances when an organization has “reason to know” that a third party will transship items to a prohibited country, entity or individual. In particular, organizations have to collect, review and analyze data concerning the organization’s “course of dealing” with the third party. This process should be a robust examination of relevant information concerning the organization’s interactions and transactions with the third party. Organizations adjust the intensity of these reviews using a risk-based approach, i.e., a risk ranking that captures relevant risk factors such as geographic scoring, financial level of sales, and product/service characteristics. In certain high-risk situations, e.g., a high-volume, Dubai-based distributor with ties to Iran, a thorough review, including possible interviews of employees, may be required to determine the actual level of risk. This risk-based examination will dictate the level of scrutiny and specific controls governing the onboarding of a new third party, the renewal of a third-party relationship, and approval of individual transactions involving the third party.