Why do Policymakers Love Complex Sanctions?

Now that we have seen the EU’s adoption of a slimmed down 10th sanctions package on Russia after months of ambitious discussion of imposing new costs, it makes sense for us in the compliance community to step back and take a wider view of why politicians and officials increasingly impose complicated sanctions measures and what it means for the future. 

So, why do we increasingly see new sanctions measures that are very limited in their intended impact? The simple answer is that there is a belief in sanctions policy making circles that sanctions measures can be precisely tailored to achieve a specifically desired impact on the target with minimal or even zero spillover impact to others.  We see it in the US Treasury’s Sanctions Review and in every paragraph of EU sanctions regulations containing the phrase “the prohibition…shall not apply…” 

And the fervent embrace of complicated sanctions is only growing.  They started with the enactment of sectoral sanctions against Russia following Moscow’s invasion of Crimea in 2014.  But since then have been deemed such a success to have been deployed toward Venezuela and again towards Russia to impose the same restrictions again (See EO 14024 Directive 3 and EO 13662 Directives 1, 2, 3) as well as the much hyped oil price caps.  

The Complicated Compliance of the Price Caps

The oil price caps, which politicians are touting as a great success despite the increasing evidence of their limited impact, are a prime example of measures with disproportionate compliance costs to their actual impact on the target.  

The price caps have been enacted to soften the potential blow to the global oil market from the EU’s import embargo to ensure that Russian oil continues to flow to international markets.  Because the primary focus of the measure is to not impact energy flows, the result is a much more complicated compliance task than what would have been required if the EU’s ban on services had proceeded as originally enacted in June 2022.

Even with the extraordinary guidance and embrace of an “attestation model” from US Treasury’s OFAC, the EU , and UK OFSI to purposely lessen the compliance burden of the price caps, as we in the compliance know, we are now in the position of having to gather and assess a multitude of information against a number of different factors to make a determination if activity is prohibited by sanctions or not.  

If the EU’s original ban on services for Russian seaborne crude and products had proceeded, companies would in most cases only need to ask one question, “is the product of Russian origin” to get to a definitive answer of it being prohibited or not.  But with the price cap, to know if the activity is in compliance with the restrictions, we need to be asking:

  • Is the product of Russian origin? 
  • Where is the product headed?
  • Does the destination have an import ban in place? 
  • What is the specific product and which CN code would apply?
  • Based on the CN code which price cap applies?
  • Was the product purchased for a price below the price cap maximum for the CN code of the product?
  • Is there any evidence that the stated purchase price is the true and final purchase price and that there will not be any supplementary compensation to, in effect, have a price above the price cap?
  • Are the shipping costs and other related services in line with industry norms and without evidence that they are inflated to, in effect, have a price above the price cap threshold? 
  • And more…

The value proposition of the oil price caps, a high compliance burden for market stability and the “right” impact on Russia, is made more perplexing when senior policymakers publicly permit Moscow’s use of its “shadow fleet” to ship oil outside the price cap restrictions.  And this is before we consider the extensive track record of the Russian government and aligned actors to work to evade and circumvent sanctions, exploiting carve outs, exceptions, and general licenses to mitigate the impact of sanctions and make compliance all the more difficult.

What does it Mean for the Future? 

There is a paradox of applying sanctions, the more complicated the measures and more difficult they are to implement, then the more the impact of sanctions is disconnected from the policy intent. Complicated sanctions create more opportunities for evasion and circumvention by design, and they also lead to “over compliance” because the questions and documentation needed to be gathered for compliance and thus the costs of personnel to ensure compliance are too great for the business value when there is enforcement risk for getting the rules wrong. 

But so long as policymakers are able to tout the success of the oil price caps and that sanctions can be narrowly tailored to take greater effect over time, complicated measures are here to stay and will continue to be deployed in future regimes.  Therefore it is important for us in compliance to face reality and build compliance programs that are robust and adaptable to a changing environment to enable company leadership to take decisions on what activity is within or outside of risk appetite. This is where we at Sanctions Advisory are uniquely positioned to support Nordic companies to make sure complying is a business advantage and not a burden.

Feel free to contact us at inquiries@sanctionsadvisory.dk to discuss further how we can help your company best address the complex future of sanctions compliance. 

Takeaways from the Process for the 10th Sanctions Package 

Today marks the one year anniversary of Russia’s invasion of Ukraine, and we are still awaiting the EU’s long signaled 10th sanctions package, which was pledged to be a key statement of the resolve of the Union and further demonstration of the effort to hinder Russia’s ability to wage aggression.

Pegged by some just last week that the approval process would be smooth sailing to a comprehensive package targeting Russian revenue streams, sanctions circumvention and measures to enhance the ability of the union to implement sanctions, it seems the final result will mostly be more of the same as previous packages rather than a fresh broadside against the Russian economy. As we previously highlighted, previously proposed components of the 10th package would have been marked expansions to the scope of Russia sanctions and included targeting of the nuclear sector, a ban on importing diamonds, and more restrictions on rubber imports, all revenue generators for the Kremlin.  It seems though that all of these proposals won’t make it into the final text.

Why were the most expansive measures removed? The simple answer is out of concern for the economic impact on EU member states and Hungary’s increasing opposition to impose further costs on Putin.  Hungary staunchly opposed any targeting of Rosatom or Rosatom officials even with carve outs for key pain points such as continuing fuel imports, resulting in nixing even very targeted designations related to Russia’s nuclear activity. The asserted disproportionate impact on the European diamond trade resulted in import restrictions removed from the package in favor of G7 pledges to establish a broader track and trace mechanism. And targeting synthetic rubber with a permitted import quota exceeding the unrestricted annual totals for any year in the past decade to protect select firms and industries held up the last minute approval by Poland for being too permissive.

What does this mean for future sanctions? 

The key takeaway for us on the outside from the seemingly intractable negotiations, beyond a slimmed down package, is that for the future we are likely to see the focus of EU and G7 sanctions pivot from imposing additional costs on Russia to holding the line and enhancing implementation through targeting circumvention and evasion efforts. 

As EU, US and other officials have highlighted, in the last year exports to Russia from the EU, UK and US have dropped, however exports to Russia’s neighboring countries have increased. Exports to Russia more than halved between May and July last year, whereas exports to Armenia and Kyrgyzstan increased by more than 80% and in turn their exports to Russia doubled in the same period, raising calls to do more on sanctions evasion and workaround. 

As a result, we will see increased designations against individuals and companies engaging in circumvention and evasion, both in Russia’s neighbors and around the world, as well as increasing calls for applying punitive measures to countries that are permissive jurisdictions for such activity.  These broader targets of countries would likely include expanded export control prohibitions towards those countries, and in the future, potentially limiting trade access to the EU single market and other G7 markets. 

Increased focus on circumvention and evasion efforts likely also means increased scrutiny and, importantly, requests for information and explanation from local and international enforcement and regulatory bodies as well as the press over activities that are seemingly not in line with the letter, or the spirit, of the sanctions on Russia. 

Will Europe Target Privileged Industries in the 10th Sanctions Package?

Pushed by hawkish member states of Poland and the Baltic states, the EU has begun working on the 10th sanctions package with an expectation that it will be ready to enact in time for the one year anniversary of Russia’s invasion of Ukraine on 24 February. The discussions yet again mention banning the import of diamonds in to the EU, reducing nuclear cooperation with Russia including potentially designating the state nuclear agency and often arm of foreign policy ROSATOM, and banning more Russian propaganda outlets and banks from SWIFT. As this package is expected to come after EU alignment on extending the same restrictions on Russia sanctions to Belarus and agreeing on oil products price caps for next weeks EU-Ukraine summit, the real question is, will the anniversary of Putin’s invasion be enough of a catalyst for Europe to target thus far protected industries?

Reduce nuclear cooperation

Diplomatic sources have stated in press that reducing nuclear cooperation between the EU and Russia will be a focus of the next round of sanctions.  Earlier in January this year, Ukrainian Prime Minister Denys Shmyal said he expects Russian nuclear energy company Rosatom to be included in the next round of sanctions. The move comes after Ukrainian nuclear power station Zaporizhzia was occupied by the Russians and Putin transferred the plant’s ownership to a subsidiary of Rosatom. The nuclear plant is considered to be stolen from Ukraine and Rosatom is a leading actor in this by facilitating the seizure and stationing employees at the plant. Additionally, Rosatom develops nuclear weapons for Russia and has been found to aid the arms industry in Russia

The nuclear sector has not been targeted by sanctions until now, a reason being that 20% of the world’s nuclear power plants are Russian-designed and sanctions are feared to cause more energy price volatility in an already volatile time for energy prices. Additionally, Hungary’s foreign minister Peter Szijjarto has said that the country will not support any sanctions targeting or restricting nuclear cooperation between Hungary and Russia as the country is dependent on nuclear power, arguing it would be more damaging to the EU than Russia. For similar reasons the US has thus far not targeted the Russian nuclear industry either.

Ban on the import of diamonds 

A ban on the import of diamonds from Russia has been discussed as part of multiple sanctions packages the past year without becoming part of any of them. Trade restrictions on luxury goods were included in the fourth sanctions package in March 2022, but diamonds were excluded. A key reason for the lack of sanctions thus far is that Belgium has opposed a ban on diamond trade arguing it would be more damaging for Europe, particularly Antwerp, than for Russia and due to a fear of job losses. But for how long can Europe continue to justify the continued import of goods providing important profit for Putin, particularly when other G7 members have taken strides to target the same trade?Russia’s largest diamond miner, Alrosa, is sanctioned by the US, Canada and the UK.

Diplomats from EU member countries, particularly Poland and Lithuania, have endorsed a complete ban on diamond import- or at least, an Alrosa designation, though thus far they have been without success as they have not been able to secure the unanimity required for enacting EU sanctions. However this time may be different, as Belgium’s prime minister Alexander De Croo has repeatedly said he will not veto a ban if it is supported by a majority of members, but there are still a lot of negotiations before getting to that point.

Other proposals

Diplomats from the EU’s hawkish states propose banning more propaganda outlets and cutting off more banks from using SWIFT, and expanding the restrictions on imports of rubber products and compounds. In contrast to the highly debated and controversial proposals of reducing nuclear cooperation or banning the import of diamonds, achieving alignment on banning additional media outlets and non-strategic imports should be easier. On banks, Poland wants a strict new package with more banks including Gazprombank and Alfa Bank cut off from SWIFT. This seems like a strong negotiating position from Poland that once the dust settles will likely result in additional smaller banks cut off from SWIFT, but not major players like Gazprombank to preserve continuing business with Russia in energy and other industries important to world markets.

We will see how the negotiations play out and what proposals will come to fruition, but as always, preparation for what can come can save a lot of cost and heartache rather than getting caught by surprise.

Russian Oil Product Price Cap – What will it look like?

On 30 December 2022, US Treasury’s OFAC quietly released their preliminary guidance for the forthcoming price cap for the provision of services related to the maritime transport of Russian oil products. The cap is scheduled to be implemented by 5 February 2023 by the EU, G7 members and Australia. Much as with the crude oil price cap implemented in December, there are several takeaways and questions that remain from this guidance, both on ensuring compliance with the measure and on the practical impact of measure on the ability of Putin to continue waging war in Ukraine.

Compliance Takeaways

Multiple Caps: Despite what the title suggests and consistent with how officials across both sides of the Atlantic have been discussing in private, we are likely to see multiple price caps for different products. The guidance states “As with the crude oil determination, OFAC anticipates issuing a separate determination to set the price caps for Russian petroleum products.” The guidance also does not provide any indication of what the price could be, and as with the crude price cap it is the internal EU negotiations that are driving the discussions, it is quite possible that we see 3 or more caps with multiple reference prices when the political dust settles from any final agreement.

The “attestation model” continues: Companies will still be able to rely on attestations to meet their compliance obligations when it is appropriate. However, with multiple price caps for different products companies will still need to understand and apply substantial administrative resources to tracking the individual product and applicable price cap at a very detailed level to gain the appropriate verification or attestation.

Same “start” and “stop” as with the crude oil price cap in that once petroleum products are offloaded on land and used or substantially changed then the price caps will no longer apply. If the products are reloaded on to ships without a substantial transformation then the caps will apply again.

There is a similar wind down period as the crude oil price cap such that products loaded onto vessels by 1201 eastern standard time (0601 Central European Time) on 5 February 2023, will not be subject to service restrictions under the price caps until 1201 eastern standard time (0601 Central European Time) on 1 April 2023. This forward leaning guidance is a practical consideration given that, much like with the crude oil price cap, it could take right until the 5 February deadline for countries to agree on the products price caps.

Looking Forward – Policy Questions

In reviewing this guidance and seeing the limited impact on Russian finances from the substantial compliance effort with the crude price cap, it is helpful to take a step back and question what is the true aim of this entire exercise? Is the price cap policy truly about restraining the resources of Putin? Or are we seeing an elaborate effort to save face and enact a long ago announced policy that is being structured to purposefully have as little impact on energy trades, and thus Russian finances, as possible while imposing tremendous compliance costs on firms?

In a forthcoming post we will examine the policy dynamics at play with the price cap to help Nordic firms better understand the overall trajectory of G7+ sanctions policy.

Key Takeaways from OFAC Settlement Agreement with Danfoss A/S

On 30 December 2022, US Treasury’s OFAC announced its settlement with Danish company Danfoss A/S for causing US financial institutions to violate US sanctions on Iran, Syria and Sudan. The settlement was for over $4 million which was negotiated down from a statutory maximum of almost $22 million as a result of Danfoss’ extensive cooperation and material changes to their controls and operations.

The violations happened as a result of Danfoss’ UAE subsidiary, Danfoss FZCO, who was engaged in business with customers in Iran, Syria and Sudan. In particular, Danfoss FZCO directed customers to make payments to Danfoss’s account at a UAE branch of a US bank, and Danfoss FZCO made payments to Iran and Syria from the same account via third party payment providers.

Amongst the aggravating factors in the case, US Treasury’s OFAC found that Danfoss lacked the procedures necessary to identify potential sanctions risks related to Danfoss FZCO’s activities and the sufficient understanding of US sanctions. US Treasury also viewed Danfoss’ size and global operations as an aggravating factor.

Below are the the key takeaways which will help Nordic companies avoid similar mistakes as Danfoss.

  1. Monitor and Review your Subsidiaries
    • The findings of the case highlight that parent companies are responsible for the activities of their subsidiaries and parents need to apply constant and appropriate monitoring of the activities of the subsidiaries, particularly when resources are shared across a group of companies. This is best addressed through regular and consistent testing and monitoring of the business activity, operations, and controls, of subsidiaries either in-house or with the support of third parties.
    • For more information on how to approach monitoring and reviewing subsidiaries and operations, review our Sanctions Program 101 post on Testing and Auditing
  2. Tailor Controls for Your Company’s Risk
    • A critical deficiency by Danfoss is that they did not have in place controls that regularly were tailored to Danfoss FZCO’s operations in the Middle East region, to include independent monitoring of the operations of Danfoss FZCO and monitoring of the financial transactions for business activity of Danfoss FZCO.
    • As US Treasury has highlighted, this lack of tailored controls meant that Danfoss A/S could not identify potential sanctions violations unless reported by Danfoss FZCO, which wasn’t happening because of the lack of control and Danfoss FZCO’s use of third party providers in non-sanctioned jurisdictions to facilitate payments from sanctioned jurisdictions. These types of back-to-back/chain/linked payments through third parties are prohibited by sanctions regulations because they do provide benefit to prohibited parties and should always be treated as a major red flag of sanctions risk.
    • As we have written before, the best internal controls are those that are tailored to your company’s risks and that consider the regions your company and your subsidiaries operate and your specific activities. For more information on how to approach understanding your company’s risk and applying appropriate controls, review our Sanctions Program 101 post on Risk Assessment and Internal Controls.
  3. Tailor Training for Roles and Risk
    • US Treasury’s OFAC found that Danfoss personnel including senior management did not have adequate training on US sanctions, including how to detect possible sanctions violations and who to escalate violations to, leading to a delayed response in stopping the transactions. Danfoss FZCO was on multiple occasions informed by different actors that conducting payments with certain jurisdictions using a US financial institution could be prohibited and was informed that their activity caused concern for violating sanctions. But in the end, Danfoss FZCO did not change their use of the US branch account when conducting payments with sanctioned jurisdictions such as Syria and Iran.
    • With adequate training in place, employees would have known how to detect potential sanctions violations, and how to escalate concerns which could have led to avoiding the sanctions violations. An essential component of successful sanctions compliance is that employees receive training on a regular basis, updated with the lates sanctions regulations and tailored to their specific role and responsibilities. For more information on the importance of and how to approach implementing appropriate training, review our Sanctions Program 101 post on Training

Sanctions Compliance Program- Training

The most frequent questions we receive on sanctions training

  • How should our training be structured?
  • Where can I find resources for my company?
  • How often do staff need to be trained?

How should our training be structured?

Training is an essential component of your SCP to ensure that employees understand your company’s risk appetite, compliance structure, and policies and procedures used to achieve compliance.

We often see that organizations and suppliers of training materials focus on explaining in exhaustive detail the limitations and restrictions of sanctions under different regimes (eg. EU, US, ect.). However, this approach can often be counterproductive for most employees because they become overwhelmed with information that is not tailored to the realities of their daily work. The best focus for an organization’s training program is to ensure that all employees know their roles and responsibilities in the company’s SCP. This means that employees know where to escalate issues of concern, that they understand the company’s sanctions policies and risk appetite, and that they are able to apply the controls for their role, be it sales, procurement, logistics, and especially senior management. The level and detail of training should be based on each employee’s responsibility, so that employees from the entry level through senior management receive training appropriate to their roles and understand their responsibility for achieving compliance.  

How often do staff need to be trained?

Training should be mandatory for all employees and provided at a frequency appropriate to the organization’s risk profile. At a minimum, all employees should receive the necessary training as part of the onboarding process, and an annual refresher which includes any updates or changes the company has enacted in the past year and new risks that your organization faces. Given that sanctions can change rapidly, as with Russia, it very well may be appropriate to provide trainings that are held more frequently for those employees that most often need to understand the changing landscape, such as those involved in sales or similar roles.

Your training program should be updated frequently to reflect changes in the sanctions environment, and should also be updated after learning of negative audit or test findings to ensure that personnel learn and continuously improve. The benchmark to judge whether a training is effective, is not a lack of sanctions issues experienced by the company, but rather an increase in the number of questions and issues raised by employees, demonstrating that personnel understand the company’s approach to compliance and are paying attention to high-risk activities. 

Where can I find resources for my company?

There are many resources and materials available to companies from government entities, industry and trade associations, as well as conferences and seminars. The real challenge is taking these resources and making them appropriate to your specific company and this is where external experts such as ourselves can help. Even with the help of external experts it is still vital that there are personnel within the company that are able to manage the training program to ensure that training materials are appropriate to your organization and adding efforts for continuous improvement.

Your sanctions training should focus on: 

  • The risks specific to the company and its industry and the importance of maintaining compliance 
  • Indicators (red flags) to identify potential risks in the company’s line of business and specific roles 
  • The company’s compliance program and control framework, including the application of controls in specific roles and departments 
  • The points of escalation for issues and potential breaches of the company’s program and regulations. 

Questions to ask to evaluate your organization’s sanctions training

  • Do all our employees know how to contribute to sanctions compliance in their role? 
  • Are the employees demonstrating sanctions compliance knowledge in practice? 
  • Is training provided regularly/periodically? 
  • Is our training program updated to address lessons learned and changes in the sanctions environment? 

Sanctions Compliance Program- Testing and Auditing

The most frequent questions we receive on testing and auditing

  • What is the difference between auditing and testing?
  • How frequently do we need to audit?
  • Do I need an audit team or separate unit to do the audit? 

In essence, testing and auditing are variations of the same answer to the question, is our program working as intended and as needed? Testing and auditing are the means for your organization to evaluate the effectiveness of your sanctions compliance program in practice. In terms of the differences between the two, testing is best understood as a real-time view of how the controls are working and performing in practice as a snapshot of the overall SCP framework. An audit, on the other hand, is more of a comprehensive review of the overall approach to your program, controls, or specific aspects of each, including a review of policies, procedures, and their application, with a focus on what is working and what needs to be improved. The approach of an audit takes into account your organization’s sanctions risk, risk appetite and evolving sanctions environment to assess against what is needed in your program as where testing focus more on evaluating if the current controls are working as intended.

How to test and audit 

Your organization’s controls and processes should be tested and audited regularly to identify any deficiencies or inconsistencies. It can be helpful to think of both as efforts “trying to break the controls” and “doing the wrong things” because the point is to prove that the controls are working and enabling your organization to comply with its policies.

It is always better to find issues internally than to be informed of failures from an external review, so a successful test or audit is one that finds areas for improvement. If you find any deficiencies these must be documented, and your organization must respond to any negative test or audit result by implementing compensating measures to ensure appropriate control. Once deficiencies are identified, your organization should define, commit to, and implement improvements to ensure sanctions compliance in a timely manner. It is also important that this timeline is adhered to as best as possible and it is better to embrace a reasonable timeline from the start rather than an aggressive one that must be changed and delayed when it is not met.

Testing and auditing measures must be supported by senior management, but also should be used to hold senior management accountable. The evaluation of the organization’s risk assessments and internal controls must be independent, objective, and comprehensive, and in our experience the number of people designing and formulating the tests and audits should be kept to a minimum. When it comes to the quantity of personnel directing tests and audits it is often the case that less is more!

We are often asked if you need a dedicated team to conduct the tests and audits, but this depends on the size and nature of your company. It is important to have qualified personnel that are able to evaluate your company’s operations and it can often help to have external support for audits, as external advisors can help to define the international sanctions environment facing your company and provide a fresh perspective for how your operations are performing in practice.

We are also often asked what the appropriate frequency for conducting tests and audits is, and the truth is there are not hard and fast rules. There should always be an annual testing and audit plan with as many actions as is reasonably possible for your organization’s personnel to perform. Large organizations with dedicated audit teams should have audits constantly occurring, in contrast, smaller companies operating with SMEs can appropriately have fewer actions in a year. The most important element is not the quantity of tests and audits but the quality and demonstrating that your company is committed to constant improvement in your sanctions compliance program.

Questions to ask to evaluate your organization’s testing and auditing measures

  • Does our testing and auditing find faults in our SCP by “trying to break” our controls? 
  • Do staff embrace testing and auditing or argue against the scope of audits or problems being identified?
  • How many improvements are completed within the set original time frame? Are solutions to identified deficiencies regularly delayed and “put on the back burner” for other priorities?

Sanctions Compliance Program- Internal Controls

The most frequent questions we receive on internal controls:

  • Are there controls besides screening?
  • What is fuzzy matching and what is the best threshold for fuzzy matching?
  • Do I need to define my controls? 

Policies, instructions and procedures as internal controls 

Internal controls are multiple different actions and tools working together to form a comprehensive package of measures which are the means to minimize the sanctions risks to your company. There should be an inherent interplay between the findings of your company’s risk assessment and the internal controls applied to control the risks. This interplay is first and foremost born out in the policies, instructions and procedures that your company enacts to establish a control framework for managing sanctions risk.

Written policies, instructions, and procedures outline the organization’s SCP and are the bedrock of internal controls and should be implemented to ensure compliance. They should address the organization’s risk profile, risk appetite, day-to-day operations, and business activities. 

  • Policies operate as the organization’s guiding “North Star” and should be as short and to the point as possible. 
    • Policies should be broad and outline the scope and approach, providing just enough detail for employees to understand “what” is trying to be achieved, be it complying with EU sanctions everywhere your company operates, or avoiding all business with specific countries.
  • Instructions outline who is in charge of implementing the policies, the requirements for implementation, and the point of contact for escalations when there is doubt about satisfying the policy. 
    • Instructions provide the “who and how” your company will achieve compliance with the policy and should outline the roles, responsibilities and accountabilities of different offices and employee positions.
  • Procedures explain in exhaustive detail how to carry out the instructions and should be specific for each operational unit and task.
    • Procedures provide the “detailed how” of the specific operating actions for specific roles and positions to achieve their stated responsibilities.

When designing policies and procedures, it is important to keep in mind that these should be easy to implement and follow, and should reflect the organization’s culture of compliance. Dedicated personnel should be responsible for monitoring the implementing of policies and procedures, and for improving internal controls once weaknesses are discovered, as we will cover in the testing and auditing posts. All personnel should be informed and trained on your organizations policies as well as the procedures that are relevant for their role, and a reporting mechanism should be established so that all employees know who to escalate and report any potential sanctions violations or misconduct. 

KYC as primary control and screening as secondary control 

One area where we often see confusion is a common view that “screening is the control” rather than an appreciation that screening is one essential tool in a internal control framework. The most powerful means for controlling risk is avoiding it from the start and that is best accomplished through the Know Your Customer (KYC) process.

KYC enables you to ask risk identifying questions for your customer and counterparties, and is best thought of as the “primary control” for managing risk because the process allows your company to avoid risk before customers and counterparties are onboarded. The length and level of evaluation for each company’s KYC process will differ for each industry but it is important to appreciate that the aim of the KYC process is to gain enough information on the customer, counterparty or supplier, to be able to rule out or effectively control likely violations of sanctions.

While screening is an appropriate component of the initial KYC process it is best thought of as a “secondary control” which is used to help ensure that customers and counterparties are operating in line with your company’s expectations as demonstrated through the KYC process. Put another way, screening is best thought of as “finding the risk we are looking for” because the action of screening is setting criteria of filters so that the system generates alerts. The criteria for the filters is defined by your company, be it choosing which sanctions regulatory lists to screen (US SD/SSI/Entity List, EU Consolidated List, ect.) or indicators of potential risk such as geographic locations, products or activities or behaviors.

Also, because screening is the act of “finding the risk we are looking for” it empowers us to pre-define the actions that we take on the alerts that are generated. Because we have set the criteria of what is risky, the indicators of risk that the screening alerts on should lead to specific actions as defined in your company’s procedures and instructions. For example, if your screening system generates an alert for a potential match to an entity on the EU consolidated list, you should be able to look to your procedures to know the next steps to take to ensure that no funds or economic resources of any type are provided to that entity as you follow your company instructions to escalate the potential match for action up the management chain.

Finally, screening can often seem like it is imposed on you and your company from the outside. It can often feel like drinking from a fire hose from regulators, enforcement bodies, or vendors but the truth is that you and your company are in control of criteria used in screening criteria and the actions taken on screening results.

The United States’ Office of Foreign Assets Control (OFAC), the office regulating US sanctions, found MidFirst Bank breaching sanctions specifically due to their screening tool not being updated with the latest sanctions  1 . The vendor MidFirst Bank used for screening only screened the bank’s customers once a month, resulting in the bank not being notified about the designation of a customer until 14 days had passed, in the meantime conducting transactions on behalf of the designated person. 

Fuzzy matching in screening

The purpose of fuzzy matching in a screening system is to generate alerts for close potential matches of words, phrases and information that are similar to identified risk indicators. For example, a screening system should be able to identify not only “Crimea,” but also “Krimea” to generate an alert for potential sanctions risk. Similarly, screening solutions should have the capability to detect alternative spellings and languages (including the same word in different alphabets such as Arabic or Cyrillic), abbreviations, misspelled or omitted words as part of the fuzzy matching capabilities.

We often receive many questions about fuzzy matching and what is the “best threshold?” The best threshold for fuzzy matching depends on the technical capabilities of your screening system, but the honest response is that the screening system should be able to generate alerts to the same ability that an informed human would be able to make a potential connection. Additionally, an in house screening system should certainly return potential matches at the same ability that publicly available search tools from US Treasury’s OFAC and UK HMT’s OFSI offer.

Questions to ask to evaluate your organization’s internal controls

  • Do we know what to do when a risk is identified? What capabilities and learning about the risks facing our company do we have beyond screening? 
  • Do we have appropriate policies, instructions procedures in place? 
  • Do our personnel know who to escalate and report sanctions risk and misconduct to? 
  • Is the KYC process used as our primary control for our sanctions risk? 

Sanctions Compliance Program- Risk Assessment

The most frequent questions we receive on risk assessment:

  • How do I conduct a sanctions risk assessment?
  • What is inherent risk? 
  • Doesn’t screening assess my risk? 

What is a risk assessment?

A risk assessment is the means of identifying areas in your organization’s operations where there is inherent risk for potential sanctions violations or misconduct. Effective risk assessments are conducted regularly or as an ongoing exercise using a defined risk-based methodology that is tailored to the nature of your operations and evolves with the changing sanction environment.

The risk assessment identifies potential threats to your company’s sanctions compliance in every part of the business. The approach to find the inherent risk in your business should be both “top-down” and “bottom-up.” “Top down” means assessing the offerings that your company provides to your customers and counterparties in the form of all products and services offered directly and indirectly. “Bottom-up” means assessing from your customers and counterparties the risk they present including from their intentions for the use of your company’s products and services to their operations, partners, locations and other criteria. Taking this dual track approach will allow your company to a best practice effort to identify any direct or indirect engagement with a sanctioned party, sanctionable conduct, or efforts to circumvent or evade sanctions. 

Inherent risks

An inherent risk is a sanctions risk your company faces when there are no internal controls in place to mitigate these risks. Clients, customers, intermediaries, counterparties, products, services, supply chains, transactions, and geographical areas all pose inherent risks to your company and the purpose of the risk assessment is to identify those risks.

When conducting a risk assessment, your company should leverage existing information about your business, from the capabilities that your products and services offer to reviewing information obtained through onboarding and your KYC (Know Your Customer) or due diligence processes to review customers and counterparties. The information obtained through these processes should be used to assess the inherent sanctions risks related to your customers and counterparties. This will enable your company to focus your business and compliance activities to achieve the highest reward at the lowest risk. 

Adapt to the changing risk environment

Adapting to the changing risk environment is critical to identify the sanctions risk for your organization. Sanctions can change on a daily basis so this means updating the methodology of risk assessments as new sanctions, guidances, advisories, and enforcement actions are announced, and staying abreast of the current legislation and regulatory requirements.

Even if your company only operates in the Nordics, there remains a risk of violating different sanctions regimes from authorities around the world or becoming subject to sanctions yourself from your business activity. It is therefore essential that your organization both understand the sanctions requirements that are directly applicable to where and how you operate, including the regimes directly applicable to your financial transactions, as well as the global sanctions landscape from the UK and US as being designated by either country can be as devastating to a company as violating legally applicable sanctions.

This can be a daunting task and providing tailored advice on the changing global circumstances is a core offering that Sanctions Advisory provides to our clients.

The importance of risk assessment during mergers and acquisitions

Mergers and acquisitions have proven to be a challenging area for assessing sanctions risk and is an area that has recently been the subject of repeated enforcement cases and as such highlighted by regulatory and enforcement agencies for special focus. The target or partner company of the merger or acquisition may have existing sanctions liabilities and it can often be the case of the due diligence process that sanctions risks are overlooked or revealed too late in the process to adequately address before the transaction has closed. This means that it is particularly important for your organization to conduct thorough sanctions risk assessments and customer due diligence on target or partner companies during mergers and acquisitions, and it is best that you integrate the focus on sanctions and thus sanctions compliance units into the process from the beginning.

Assessing the sanctions risks associated with the merging or acquired party is essential to avoid sanctions violations after the transactions has closed. Due diligence must be conducted both before and after the acquisition to ensure that sanctions requirements are met, and that sanctions risks are assessed and appropriately controlled.  

Questions to ask to evaluate your organization’s risk assessments

The following questions are useful to ask when assessing your organization’s risk assessment. The answer to these questions will give you insight into whether your risk assessments are effective.

  • Do we know the sanctions risk for every part of the business?
  • Are KYC processes, screening and risk ratings conducted for all new customers? Is it a part of routine risk assessment? 

Conclusion

Finally, keep in mind that the action of assessing, screening or rating a risk is not a control in itself. A risk assessment only tells you what the risks are and as a result where to focus your controls to mitigate the risk. We will explain how to control the risks you have identified in our post on internal controls coming next Wednesday.

Sanctions Compliance Program – Management Commitment

The importance of an SCP

Your sanctions compliance program (SCP) should be a comprehensive set of policies and controls tailored to your organization’s risks and means of operation. The aim of an SCP is constant improvement to avoid and safeguard against costly sanctions violations in an ever changing environment. The lack of an SCP is a risk and is often a root cause of sanctions violations, as many breaches are committed due to simple misunderstanding of sanctions regulations and how the organization ensures compliance. The first step in achieving an SCP is to set the “tone from the top” and in this first post, we will guide you through what management commitment means in practice. 

The most frequent questions we receive on management commitment: 

  • What is management commitment?
  • How do we demonstrate management commitment? 
  • How much is enough? 

What is management commitment and how do we show it? 

Management Commitment means that senior management ensures the organization’s compliance with applicable sanctions programs by promoting a “culture of compliance” within the organization. This means that senior managers ensure that employees are aware of their responsibilities, inspire them to be compliant, and allocate adequate resources to enable the organization to be compliant. 

Management Commitment means that senior managers sign their name to guarantee the company’s approach to sanctions through a risk tolerance approach that is clearly defined, explained, and understood by all employees. It means that senior management lead by example by “rolling up their sleeves” to ensure compliance, and not by simply outsourcing the role and responsibility for compliance to the units and personnel with compliance in their title.

Management Commitment means that all personnel should be aware of the consequences and seriousness of violating sanctions. Personnel, senior management in particular, need to be informed that they can be held accountable for violations by authorities which possibly could include jail time. Locally in the Nordics, the Dan Bunkering verdict is a case in point, showcasing that management all the way up to the CEO have personal liability and responsibility for the sanctions compliance of an organization and its employees because leaders “set the tone” of the organization. 

How to ensure management commitment? 

“How much is enough management commitment?” you may ask, and while there is no set benchmark for how much is enough, that does not mean there are no requirements to show it. Management Commitment is an overarching assessment of the approach and actions of an organization. Regulators and enforcement bodies have left the requirements broadly defined to allow for their discretion to “know it when you see it” for how much is enough for your organization.  What is certain however, is that a lack of management commitment will lead to failure and enforcement action.

In our experience, demonstrating management commitment means that senior management ensures that decisions are made by the appropriate personnel with the right knowledge, authority and autonomy to take the measures needed to manage the risk. It means that there is a formal escalation process all the way “to the top ” as a key component of management commitment is clear decision-making with clear definitions of who takes responsibility for decisions, and who has that responsibility is understood throughout the organization. 

To ensure management commitment it is generally easiest for your organization to have a dedicated sanctions compliance officer as a point of contact for advice and instruction on how to handle sanctions matters. In larger organizations, there may be a team with a clear leader dedicated solely to this task, while in smaller organizations the officer may occupy multiple responsibilities in addition to being the sanctions subject matter expert. Whether it is an individual or a unit, the personnel ensuring sanctions compliance must have technical knowledge and expertise about the sanctions risks that are relevant for your organization, and understand senior management’s risk appetite to instruct employees on what specific actions to take. In addition, decision makers and compliance units must be allocated adequate financial, technical, and human resources to ensure sufficient and effective risk control for today and the changes that will come tomorrow. Budgets and tools alone do not ensure compliance, but without them failure is guaranteed. 

Senior management, decision-makers, and compliance units must be aware of activities and transactions that are not in line with policy. This means senior management must be willing and able to demonstrate that business which is not in line with policy has been rejected in the past and will be in the future. 

Management commitment also means that senior management are aware of when breaches and violations occur and take appropriate action to support the organization and employees to ensure they do not occur again. By fostering a culture of compliance, senior management must discourage misconduct, and create a space where employees are not afraid to report misconduct or wrongdoings. As a part of the compliance culture, reviewing the status of sanctions compliance within the company is as much a part of “business as usual” as reviewing other benchmarks of your business’ performance as is done on a regular basis within your organization. 

Questions to ask to evaluate your organization’s management commitment

The following questions are useful to ask when assessing if your organization has the necessary management commitment. The answers to these questions will allow you to know if your organization has a management commitment to sanctions compliance or not. 

  • Who takes responsibility for decisions? Is the “decision tree” clearly understood?
  • What truly happens when there is a breach of sanctions regulations or policy? Does anything in the organization change when there is a breach?
  • What are the real resources spent to control sanctions risk and what is the trend for allocating resources to sanctions compliance? 
  • How much business (deals, transactions, etc.) have we turned down because of sanctions risk? 
  • How many exceptions to our risk appetite and policy do we issue to take on business that should be prohibited?