Avoiding Compliance Overkill — Properly Assess and Manage Tangible Risks
Alex Cotoia, Regulatory Manager and Compliance Consultant, rejoins us for a timely posting on compliance overkill in this era of aggressive sanctions enforcement. Alex can be reached at [email protected].
The uptick in recent sanctions activity, driven in large part by the Russian Federation’s unprovoked and unilateral invasion of Ukraine, has caused absolute pandemonium in many compliance circles. While the U.S. Department of Justice (and the enforcement apparatuses of other foreign jurisdictions) has indeed made enforcement of sanctions against Russia a critical regulatory priority, legal and compliance professionals can and should counsel clients carefully, considering the organization’s specific risk profile and recommending appropriate risk mitigation techniques.
To date, too many organizations across all economic sectors have taken a proverbial axe to the problem when a scalpel may be more appropriate. It is worth reiterating here that while many individual and institutional actors associated with the Russian government—including, but not limited to, allies of Russian President Vladimir Putin, billionaire oil magnates, state-owned banks and other enterprises, and institutions comprising Russia’s military-industrial complex—have indeed been designated by various jurisdictions as pariahs (e.g., subject to full blocking sanctions, asset freezes, travel restrictions, etc.), the vast majority of Russian individuals and businesses remain unsanctioned. Here, we attempt to provide an abbreviated list of recommendations for organizations affected by Russian sanctions activity. While by no means exhaustive, this list is intended to focus the compliance function’s attention on tangible risk factors versus purely theoretical ones.
- Perform a Sanctions-Specific Risk Assessment. The DOJ Criminal Division’s highly regarded Guidelines for the Evaluation of Corporate Compliance Programs (hereinafter, “Guidelines”), last updated in 2020, require that, when faced with an investigation of potential malfeasance, a prosecutor assess the three-fold factors of risk management, resource allocation, and updates and revisions to the organization’s compliance program. With respect to updates and revisions specifically, the Guidelines ask whether the risk assessment: (a) is current and subject to periodic review; (b) is based on “continuous access to operational data and information across functions”; (c) leads to updates in policies, procedures and internal controls; and (d) accounts for risks discovered through misconduct or other compliance program deficiencies.
As an initial matter, organizations should assess the nature and extent of their connections with the Russian Federation. Any “touchpoints” with the Russian Federation should be prioritized for review. These include, but are not limited to, connections to banks, distributors, suppliers, contractors, raw material providers, professional services firms, legitimate intermediaries, and any third party generally engaged by the organization within the Russian Federation itself. After taking the initial step of identifying these touchpoints, the compliance function, working in conjunction with other elements of the organization’s core operational team, should weigh both the criticality of the function served by the Russian party to the organization’s continued operations and the risk posed by continued dealing with that entity. Here, both initial and continuous third-party screening are indispensable to the compliance team in evaluating risk. As sanctions lists continue to evolve and manual processes become too time consuming, organizations should license access to an appropriate sanctions screening database with a reputation for ease of use, delivery of relevant information, and timely identification of newly sanctioned individuals and entities. The database should also be capable of delivering proactive screening results to the compliance team at frequent (ideally weekly) intervals. In the absence of such a platform, manual screening is possible using the federal government’s Consolidated Screening List (“CSL”), the United Kingdom’s Sanctions List, and the European Union’s global Sanctions Map website, among others. However, because an organization with international operations may have thousands of connections to the Russian Federation, manual screening is often too laborious, time consuming, and prone to error to be of any significant value to the organization as a whole.
Contemporary compliance practice all but requires that organizations use state-of-the-art proprietary tools to check for sanctions risk. Reliance on manual screening processes is notoriously unreliable and increases the risk that the organization might engage in a transaction with a prohibited party, necessitating either a voluntary disclosure or prompting an investigation and potential prosecution.
- Properly Identify Sanctions Applicable to Designated Parties. Sanctions regimes in different jurisdictions vary considerably. In the United States, for instance, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the U.S. Department of State’s Directorate of Defense Trade Controls (“DDTC”), and the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) bear joint responsibility for the imposition and administration of sanctions against individuals and institutions deemed to be threats from a national security perspective. While OFAC regulations are arguably the most notorious, familiarity with trade controls, especially for those operating in a sector requiring the return shipment of materials outside of the United States, is a necessary predicate to avoiding a regulatory infraction. Increasingly, third-party screening systems provide users with helpful context about what sanctions may be imposed from a country-wide and/or regional perspective, as well as sanctions that may be applicable to the targeted entity. An intimate familiarity with, and thorough review of, pertinent information from BIS and DDTC is indispensable for those engaged in international trade.
The United Kingdom (primarily through HM Treasury’s Office of Financial Sanctions Implementation) and the European Union operate more centralized sanctions systems. Potential positive hits must nevertheless be scrutinized against the applicable sanctions legislation and/or statutory instruments.
- Adopt and Implement a Consistent Approach to Dealing with Sanctioned Parties. Too often, a palpable disconnect exists between a corporation’s various support functions and its core operational activities. Such silos are a recipe for disaster. Once sanctioned countries, regions or parties have been identified, operational leaders, working with the compliance function of the organization, have the crucial task of developing and implementing internal controls tailored to the specific risk posed by the third party. It is simply a myth, and indeed a very dangerous one, that the compliance function of the organization bears primary responsibility for this task. As case after case demonstrates, the proverbial buck stops with corporate leadership and the board of directors. While compliance professionals must be part of any proposed risk mitigation effort, the success or failure of those efforts is the responsibility of operational leaders, who have much greater visibility and insight into the components of the enterprise that pose the most risk. Finally, once adopted, these internal controls should be disseminated to the entire organization, alerting front-line workers, middle managers, and executives alike that a significant shift in the corporation’s policies towards “X” country or region is about to occur.
- Invest Now in Compliance Resources. It is pellucidly clear that sanctions activity in recent years is increasingly viewed by western governments as a powerful weapon in the diplomatic arsenal. Regulators, both within and outside the United States, view access to financial and human resources as a critical component of a truly effective compliance program. A core question posed by the DOJ Guidelines asks quite clearly whether, in fact, a “[c]orporation’s compliance program is adequately resourced and empowered to function effectively.” The emphasis on resources and empowerment is intended to avoid the exact result contemplated by the DOJ’s Principles of Federal Prosecution of Business Organizations; namely, that corporations will establish compliance programs “on paper” only. To demonstrate that the organization does not have a paper-only program, the onus is on such organizations to assess the total magnitude of their various compliance risk factors (harkening back to the need for a complete risk assessment) and implement internal controls designed to mitigate the potential for any infraction. Here, it seems trite but necessary to mention that sufficiently skilled, equipped, and empowered compliance personnel are an important component of compliance work. Organizations too often adopt the mentality that compliance is a cost rather than a benefit. As a consequence, sizable organizations that might warrant more personnel devoted exclusively to the compliance function fail to appreciate the need for competent professionals to prevent infractions of the law and other ethical lapses. From both a monetary and a reputational perspective, having a fully functioning and properly staffed compliance program will permit virtually any organization to adapt to evolving regulatory circumstances in a much more effective manner.
By taking these four simple steps, essentially returning to the foundation of compliance practice, corporations can avoid unjustified panic and the concomitant delay that results from such panic when dealing with the latest geopolitical crises.