Five Practical Steps to Elevate Your Sanctions Compliance Program (Part III of III)
Even with the current focus on sanctions compliance, many companies have done little to assess and enhance their existing sanctions compliance program. Instead, a number of companies have stitched together a basic sanctions compliance program that centers on a screening tool and little beyond that. Such a limited program provides just a false comfort of compliance. Many companies are not even conducting the mandated basic requirement of annual training of relevant employees.
If companies do not re-examine this issue and craft an enhanced strategy, they may face significant risk of government enforcement. OFAC and the Bureau of Industry and Security (“BIS”) have been increasing attempts to gather information, follow up on leads, and conduct informal inquiries in an attempt to verify compliance with sanctions requirements.
OFAC and BIS work closely with the Justice Department’s National Security Division, which is responsible for criminal sanctions and export controls enforcement. In light of this relationship, it does not – and will not – take much for OFAC or BIS to provide DOJ with sufficient information to launch a criminal probe and issue grand jury subpoenas (or even execute a search warrant if appropriate).
From our perspective, there are five practical areas that should be addressed in the near future to build out a sanctions compliance program. After these near-term items are accomplished, further refinements can be addressed. To get started on this project, here are our top-5 practical suggestions:
Conduct (or Update) Risk Assessment – as a first step, companies need to fashion their risk profile. Unlike risk assessments in other areas, such as anti-corruption, anti-money laundering, privacy and data, a sanctions risk assessment is not as complicated or as difficult. It often centers on geographic location, types of counter-parties, and frequency and value of the business relationship. As an initial step, a risk assessment creates a roadmap for additional actions, especially with regard to geographic risks (e.g. areas near prohibited countries) and third-party risks. These are two primary issues that are highlighted and qualified for further action.
Geo-Blocking – we have seen several enforcement actions where companies failed to implement geo-blocking technology in a comprehensive manner. Working closely with your information technology group, trade compliance needs to develop a comprehensive geo-blocking capability to prevent any person who is prohibited or located in a prohibited country from engaging with the business (i.e. direct, indirect, including facilitation or causing).
In recent enforcement actions, companies have suffered from piecemeal geo-blocking strategies, such as geo-blocking new customers at onboarding but failing to geo-block existing customers, or failing to subject each and every transaction to geo-blocking functions. OFAC has insisted on enforcement settlements with companies that implement a piecemeal approach to geo-blocking capabilities.
Screening, Due Diligence, Independent Research and Escalation Control – Companies realize they have to implement a screening technology to determine if a counter-party is a prohibited entity or individual or located in a prohibited jurisdiction. OFAC has emphasized, along with the Justice Department, that screening is only the first step in the process. OFAC has directed companies to conduct independent research beyond the screening results.
A risk-based due diligence program means that independent research and further investigation should be conducted depending on the initial screening results and the overall risk profile. A successful screen of a company based in Canada versus a northern China company located near the Chinese-North Korea border will require different due diligence reviews.
Luckily, most companies will need to conduct additional investigations for a relatively small number of companies and individuals. Nonetheless, it is critical to conduct further investigation on the highest-risk customers, vendors/suppliers, and third parties (e.g. distributors) based on proximity or location with strong ties to a prohibited jurisdiction or entity.
High-risk screening and due diligence can often extend to uncovering the beneficial owners of the entity and the piecing together of complex ownership structures. Russian entities and individuals are notorious for adopting complex corporate and ownership structures that mask the underlying real owner. In many situations, it is clear that the malign actors are adept in cloaking their real-party-in-interest status.
To this end, independent research for higher-risk candidates has to focus on OFAC’s 50 percent rule for sanctions compliance, meaning that a non-listed entity would be prohibited if it is owned by one or more prohibited parties totaling 50 percent or more of the ownership of the non-designated entity. Enhanced due diligence may be necessary when this situation occurs.
Aside from appropriate screening, due diligence and research processes, a company has to ensure that procedures exist so that, when red flags are discovered, the issue is escalated within the organization for proper resolution. OFAC has noted on several occasions the failure of a company to implement appropriate internal controls when an analyst uncovers a red flag and then unilaterally resolves the red flag. OFAC cited this deficiency in several enforcement actions where the individual erred in resolving the red flag, resulting in the company violating a specific sanctions program.
Third-Party Risks: End User Verifications and Documentation – As in the case of anti-corruption risks, sanctions compliance is often complicated by third-party risks in which a third party may divert a product to a prohibited entity, individual or country. The principal company will be held liable for the diversion if the company had reason to know that the product may be diverted to a prohibited end user.
Also, OFAC has held a principal company liable for failing to confirm or verify the ultimate end user of a specific product. For example, in one case, OFAC held a principal company liable for the leasing of a jet engine that was sub-leased to a prohibited entity. Even in the case where the ultimate user was two steps removed from the principal company, OFAC extracted a settlement agreement. Interestingly, even though the principal company secured written assurances as part of the lease requiring the lessee to certify compliance with OFAC sanctions, OFAC nonetheless held the company liable for the illegal use by the sublessee.
In the case of the Russian sanctions and export controls, there are a variety of dual-use items that are prohibited from various military end-users. The complexity of the Russian sanctions and export controls has created a growing use of end-user verifications and documentation as a risk mitigation strategy. This is a basic requirement for compliance and may require additional steps to ensure the accuracy and veracity of the end user certification.
Annual Training – Companies have to conduct (at a minimum) annual training for relevant employees and personnel. The training program should be “tailored to an entity’s risk profile and all appropriate employees and stakeholders.” There is no excuse for a company not to meet this basic requirement.