How to Not Get Caught by Surprise on Outbound Investment Sanctions

The new outbound investment regulations will reshape the world of compliance, necessitating that companies ready themselves for a more volatile global landscape. In this final article of our three-part series, we will delve into how you can best prepare for the coming changes. 

How Can Companies Prepare? 

It is crucial that companies understand that the world of global investments and securities is increasingly becoming politicized. These changes are a long-term reality, and the notion of the separation between business and politics is never going to return. Companies must incorporate national security considerations into their risk assessments when engaging in business activities, both on a local and global scale.

Appropriately incorporating national security views into business operations requires a clear company risk appetite and a cohesive internal control and decision-making infrastructure, combined with the right information, both data and risk analysis support, to make the correct decisions about what is “in” and “out” of our risk appetite.

Risk Appetite and Assessment, Easier Said than Done? 

The first place to start when examining any coming sanctions change is to obtain an overview of your company’s current risk exposure, and to conduct a comprehensive risk assessment of existing exposure against the coming restrictions.

  • What is the nature of the exposure? Where is it located? In what sectors?
  • How much of the company’s business activity is impacted by these investments? How many employees and fixed capital interests? How much investment/revenue is related to the impacted activity?
  • Decide what level of risk the company can stomach. Following the law as written may be possible, but it will constantly change and require substantial investment to ensure lines are not being crossed. Making policy decisions early to limit exposure is an easier approach but means ceding business to the competition.

A company’s risk appetite should incorporate a frank assessment of how much the firm is willing to invest, and the company should maintain a comprehensive and uniform internal decision-making structure that has the right competency and information to make the right decisions. Sanctions Advisory exists because this is the biggest challenge that Nordic companies face, and it is not something that is easy to fix internally.

Cohesive Controls and Decision Making

The next step is then to establish a robust controls and decision making framework to be able to conduct thorough due diligence on the current exposure and any future exposure at the pre-investment stage. This is to determine whether the investments are impacted by the regulation or outside of the company’s risk appetite decision.

The program will encompass the comprehensive risk assessment to gauge the political and regulatory dynamics in the short, medium and long term, along with developing possible scenarios and guidelines for the company’s course of action in each specific situation. The aim of the internal framework is to have clear, concise and easy-to-implement risk decisions that adhere to the firm’s risk appetite and don’t result in repeated exemptions and exceptions in the continuous pursuit of new risky business.

Data and Risk Information

The third necessary component is having the right data and risk information to inform the internal controls to ensure your company remains on the correct side of your risk appetite decision.

Your company needs to be able to answer the following questions to prepare and live with the coming world of outbound investment screenings: 

  • Is the security/counterparty currently targeted for restrictions? Is it in the cross-hairs of likely future restrictions?
  • Is the security/counterparty working with any entity, country, or in the sectors that implementing bodies have deemed a national security risk?  
  • Is the security/counterparty owned, controlled, or related to companies that have been targeted by sanctions, are tied to the military or intelligence apparatus of targeted countries or in the sectors that have been deemed a national security risk?

The only way to answer these questions is through having the best data and best horizon scanning risk advice.

  • Your company will need the global scope of all ISINs;
  • Reliable details of their complete ownership and control and connections to sanctioned parties, government agencies, and other national security threats; and
  • Coverage for the sanctions regimes of the G7 and other locations where your firm has operations.

Finding the right data is a challenge. There are an increasing number of potential data providers in the market, but we find that our partners at Kharon have the best solution. Having the right data is only part of the battle: each company needs to know how to use the data and how to implement its use in the company’s screening system and control framework, and also to understand that the political landscape and rules are constantly changing. Having regular tailored horizon scanning advice is also essential to not be caught by surprise.

If you or your company need some help preparing for this complex future of outbound investment screening, from risk assessment support to advice on commercial data providers, contact us, and we can discuss your needs and the right solutions for your small, medium or global firm.

What is Coming for Outbound Investment Screening?

In this second article of our three-part series on outbound investment screening, we explore the outbound investment screening proposals from both the United States and the European Union and their future effects on Nordic companies.

US Outbound Investment Screening Regulations

Turning our attention first to the US outbound investment screening, we find that the US has adopted a relatively narrow strategy, often referred to as the “small yard, high fence” approach. The new Executive Order outlining the restrictions was issued in August 2023, and focuses on investments in specific technologies and sectors essential for “national security.”

With the concurrently issued guidance on the future regulations, we know that the three key technological categories in focus include semiconductors, quantum information technologies and artificial intelligence systems, but the full scope of the regulation could have a pronounced effect on all firms that transact in or facilitate the transfer of knowledge related to these technologies.

The regulation intends to cover companies owned or located in “countries of concern” (currently only specified as China, including Macau and Hong Kong) and will cover a broad swath of securities such as debt, equity, joint ventures, and greenfield investments. It is important for us in the Nordics to appreciate that the scope of these restrictions is global, as it applies to all U.S. individuals and companies, including foreign branches, and targets investments anywhere in the world that are owned by nationals of the “countries of concern.”

Therefore, the risk extends beyond those directly engaged in the covered sectors; these restrictions will also affect companies operating outside of China that have affiliations with entities that are tied to China and are even indirectly tied to the targeted high-tech sectors.

Nordic companies may find their transactions, and their efforts to gain investment for their operations, under increased scrutiny from counterparties, including the large global financial institutions that underpin global monetary movements.

It is important to appreciate how these measures, even as limitedly scoped as they are, could upend your business plans. An illustration, even if not directly analogous, of just how US restrictions can impact non-US companies with substantial operations in the US is the case of Dutch chip manufacturing company ASML, which found itself compelled to restructure its operations related to China due to the introduction of new US restrictions.

EU’s Approach to Outbound Investment Screening

While the EU is slightly behind the US, it is closely monitoring and responding to US developments as it advances its own outbound investment screening initiative.

The EU’s initiative revolves around four key technologies: advanced semiconductors, artificial intelligence, quantum technologies, and biotechnologies, and is intended to protect EU outbound investments and technology. 

Generally speaking, the EU has two possible avenues for how to scope the outbound investment screening. The first is a broad approach, where the European Commission is allocated the authority to unilaterally enact and implement all outbound investment screening for critical technologies, requiring sector-specific investment registration. The second is a narrow approach, which would grant competence and authority for all aspects of the restrictions to member states, potentially leading to national variations instead of a unified EU-level screening tool.

The most probable scenario involves a middle-ground approach. The EU is expected to begin with a proof-of-concept, initially focusing on a very limited set of investments in high-tech industries and gradually expanding its scope. This approach will likely involve the Commission defining precise and limited policy objectives with the approval of member states, and member states having the responsibility for implementation and enforcement.  If this sounds familiar, that is because this approach is similar to the EU’s approach toward enacting, implementing and enforcing sanctions.

How Will This Impact Nordic Companies?

The EU and US measures will affect Nordic companies in several different ways and will extend well beyond just those firms primarily operating in the defined sectors. 

Potentially, any firm making use of AI, advanced semiconductors, quantum technologies or biotechnologies could face enhanced scrutiny and difficulties processing their transactions with counterparties including customers and suppliers. Furthermore, firms will very likely face explicit restrictions on joint ventures, mergers and acquisitions.

For example, the new regulations can include several subcategories of parts and components that can be defined as one of the covered categories. This may lead Nordic companies to unknowingly breach sanctions if they do not have a sufficient understanding of what is defined as the sanctioned component and the full chain of delivery, including the end use of the items. Furthermore, the list of covered components will likely be expanded over time as the regulation advances, adding more complexity to remaining compliant.

How can you prepare for the impending US and EU outbound investment screening proposal? Answer these questions to better identify if your company or investments are at risk of violating cross-border regulations:

  • Does your business have ties to China? Chinese-owned companies outside of China? Joint ventures with Chinese firms or Chinese owners? (China also includes Hong Kong and Macau)
  • Does your business have a US nexus, such as through:
    • American employees (including dual nationals)? 
    • US suppliers? 
    • US tech in your manufacturing? 
  • Do you know the ultimate beneficial owner or controller of all your counterparties? Do you know all the intermediary parties that own or have external control over your counterparty?

In our next article, we will explore how companies can best prepare for these impending regulatory changes. 

Outbound Investment Screening: What Does it Mean for Sanctions Compliance?

As tensions between China, Taiwan and the West have risen, there has been a lot of fervor around stemming technological and investment flows to Beijing. While outbound investment sanctions are relatively novel, they are not entirely new and thus can be studied and managed.

This is the first post of three that will examine what we are likely to experience for outbound investment screening for firms in the Nordics and give advice on how your company can prepare for the coming challenges. 

What is Outbound Investment Screening?

Simply put, outbound investment screening is a regulatory regime to restrict the flow of capital and technology to other countries. The measures often come in two forms, either a requirement to notify the home government of investments and transactions after they occur or an outright restriction on investments and transactions related to specific activities or technologies.

Because the current discussions in Europe and the US are fraught with often diverging vested interests, we are likely to see a solution that is a combination of these two types of measures that differ based on the sector, technology, and value of the investment.

While outbound investment screening is often categorized separately from other sanctions, for us on the compliance side the current discussions are best viewed as a continuation of the most recent sanctions restrictions, particularly on Russia. 

The innovative idea in the international response to Russia’s purported annexation of Crimea in 2014 was to impose “sectoral sanctions,” to restrict investments in debt and equity of specific companies, and the provision of high-tech energy technologies. Sectoral sanctions were also used as a bedrock of the US sanctions on Venezuela and were expanded upon (and sometimes double imposed by the US under the latest Executive Order) as part of the international response to Russia’s 2022 invasion of Ukraine.  

It is also helpful to appreciate that the discussions in the EU and US are not the first outbound investment screening regimes in the world. Most notably, China has implemented a comprehensive and restrictive strategy to control outbound investments. Beijing’s approach has been both carrots and sticks, encouraging investments abroad in industries selected as being important such as advanced manufacturing and high-tech assets, and simultaneously imposing restrictions on seemingly benign sectors like real estate, cinemas, and sports teams. We also have examples from Japan, South Korea and Taiwan which, to varying degrees of intended impact and focus, all have restrictions or notification requirements in some form. 

How can Outbound Investments Sanctions Impact my Business?

So, given that outbound investment screening is not a completely new idea, it is important to appreciate that we can understand and prepare for these measures, even without knowing all of the final details.  

Europe is looking to propose an outbound investment and technology control framework “by the end” of 2023 that will apply to various investment activities.

The final proposal likely will include restrictions on purchasing publicly traded securities in sensitive technology firms, engaging in joint ventures, greenfield investments and making foreign direct investments in China. The measures will also likely involve restrictions and notification obligations in critical sectors like semiconductors, quantum tech, and AI systems.

But no matter the final rules, it is assured that there will only be a continuous and growing scrutiny of transactions towards China and the discussed sectors in the future. To prepare, your company should determine:

  • What is the level of your company’s current business activities that relate to China (both in China and with Chinese individuals and firms abroad)? 
  • What is the level of your company’s current business activity that falls within the scope of prohibited sectors and technologies even if seemingly not directly tied to China?
  • Using the first two answers, what is the specific level of business activity that is related to the specific sectors and is tied directly or indirectly to China?
  • Finally, how will your company examine and decide upon engaging in future activity based on restrictions that are likely to change in the future, and how will your company be able to identify and avoid engaging in activity that likely will be attempts to circumvent the restrictions that are imposed?


While there is a particular focus on the current discussions on restricting technologies and the financial resources destined for China that support the development of Beijing’s military power, that is only where the measures are starting. As with all sanctions, we should expect the scope to expand over time to target more of the Chinese economy and other economies and actors as well. 

The approach and level of security needed for your company’s business activity will depend on your specific sector, with the finance, technology, and manufacturing sectors in particular needing to closely scrutinize investments, supply chains and technology transfers for potential exposure.

To help best position your company and to not get caught off guard, in our upcoming articles, we will look at what the EU proposal will likely cover in scope and content and how the US restrictions likely complicate investment operations for Nordic companies. Finally, we discuss how to approach implementing controls and tools to best manage the risk from these new restrictions from the start.

Why do Policymakers Love Complex Sanctions?

Now that we have seen the EU’s adoption of a slimmed down 10th sanctions package on Russia after months of ambitious discussion of imposing new costs, it makes sense for us in the compliance community to step back and take a wider view of why politicians and officials increasingly impose complicated sanctions measures and what it means for the future. 

So, why do we increasingly see new sanctions measures that are very limited in their intended impact? The simple answer is that there is a belief in sanctions policy making circles that sanctions measures can be precisely tailored to achieve a specifically desired impact on the target with minimal or even zero spillover impact to others.  We see it in the US Treasury’s Sanctions Review and in every paragraph of EU sanctions regulations containing the phrase “the prohibition…shall not apply…” 

And the fervent embrace of complicated sanctions is only growing. They started with the enactment of sectoral sanctions against Russia following Moscow’s invasion of Crimea in 2014, but have since been deemed such a success that they were deployed toward Venezuela and again toward Russia to impose the same restrictions again (see EO 14024 Directive 3 and EO 13662 Directives 1, 2, 3), as well as in the much-hyped oil price caps.

The Complicated Compliance of the Price Caps

The oil price caps, which politicians are touting as a great success despite the increasing evidence of their limited impact, are a prime example of measures with disproportionate compliance costs to their actual impact on the target.  

The price caps have been enacted to soften the potential blow to the global oil market from the EU’s import embargo to ensure that Russian oil continues to flow to international markets.  Because the primary focus of the measure is to not impact energy flows, the result is a much more complicated compliance task than what would have been required if the EU’s ban on services had proceeded as originally enacted in June 2022.

Even with the extraordinary guidance and embrace of an “attestation model” from US Treasury’s OFAC, the EU, and UK OFSI to purposely lessen the compliance burden of the price caps, as we in compliance know, we are now in the position of having to gather and assess a multitude of information against a number of different factors to determine whether activity is prohibited by sanctions or not.

If the EU’s original ban on services for Russian seaborne crude and products had proceeded, companies would in most cases only need to ask one question, “is the product of Russian origin” to get to a definitive answer of it being prohibited or not.  But with the price cap, to know if the activity is in compliance with the restrictions, we need to be asking:

  • Is the product of Russian origin? 
  • Where is the product headed?
  • Does the destination have an import ban in place? 
  • What is the specific product and which CN code would apply?
  • Based on the CN code which price cap applies?
  • Was the product purchased for a price below the price cap maximum for the CN code of the product?
  • Is there any evidence that the stated purchase price is the true and final purchase price and that there will not be any supplementary compensation to, in effect, have a price above the price cap?
  • Are the shipping costs and other related services in line with industry norms and without evidence that they are inflated to, in effect, have a price above the price cap threshold? 
  • And more…

The value proposition of the oil price caps, a high compliance burden for market stability and the “right” impact on Russia, is made more perplexing when senior policymakers publicly permit Moscow’s use of its “shadow fleet” to ship oil outside the price cap restrictions.  And this is before we consider the extensive track record of the Russian government and aligned actors to work to evade and circumvent sanctions, exploiting carve outs, exceptions, and general licenses to mitigate the impact of sanctions and make compliance all the more difficult.

What does it Mean for the Future? 

There is a paradox in applying sanctions: the more complicated the measures and the more difficult they are to implement, the more the impact of sanctions is disconnected from the policy intent. Complicated sanctions create more opportunities for evasion and circumvention by design, and they also lead to “over compliance” because the questions and documentation that need to be gathered for compliance, and thus the costs of personnel to ensure compliance, are too great for the business value when there is enforcement risk for getting the rules wrong.

But so long as policymakers are able to tout the success of the oil price caps and that sanctions can be narrowly tailored to take greater effect over time, complicated measures are here to stay and will continue to be deployed in future regimes.  Therefore it is important for us in compliance to face reality and build compliance programs that are robust and adaptable to a changing environment to enable company leadership to take decisions on what activity is within or outside of risk appetite. This is where we at Sanctions Advisory are uniquely positioned to support Nordic companies to make sure complying is a business advantage and not a burden.

Feel free to contact us to discuss further how we can help your company best address the complex future of sanctions compliance.

Takeaways from the Process for the 10th Sanctions Package 

Today marks the one year anniversary of Russia’s invasion of Ukraine, and we are still awaiting the EU’s long signaled 10th sanctions package, which was pledged to be a key statement of the resolve of the Union and further demonstration of the effort to hinder Russia’s ability to wage aggression.

Although some pegged the approval process just last week as smooth sailing toward a comprehensive package targeting Russian revenue streams, sanctions circumvention and measures to enhance the ability of the Union to implement sanctions, it seems the final result will mostly be more of the same as previous packages rather than a fresh broadside against the Russian economy. As we previously highlighted, earlier proposed components of the 10th package would have been marked expansions to the scope of Russia sanctions and included targeting of the nuclear sector, a ban on importing diamonds, and more restrictions on rubber imports, all revenue generators for the Kremlin. It seems, though, that none of these proposals will make it into the final text.

Why were the most expansive measures removed? The simple answer is concern for the economic impact on EU member states and Hungary’s increasing opposition to imposing further costs on Putin. Hungary staunchly opposed any targeting of Rosatom or Rosatom officials, even with carve outs for key pain points such as continuing fuel imports, resulting in the nixing of even very targeted designations related to Russia’s nuclear activity. The asserted disproportionate impact on the European diamond trade resulted in import restrictions being removed from the package in favor of G7 pledges to establish a broader track and trace mechanism. And the targeting of synthetic rubber, with a permitted import quota exceeding the unrestricted annual totals for any year in the past decade to protect select firms and industries, held up last-minute approval by Poland for being too permissive.

What does this mean for future sanctions? 

The key takeaway for us on the outside from the seemingly intractable negotiations, beyond a slimmed down package, is that for the future we are likely to see the focus of EU and G7 sanctions pivot from imposing additional costs on Russia to holding the line and enhancing implementation through targeting circumvention and evasion efforts. 

As EU, US and other officials have highlighted, in the last year exports to Russia from the EU, UK and US have dropped; however, exports to Russia’s neighboring countries have increased. Exports to Russia more than halved between May and July last year, whereas exports to Armenia and Kyrgyzstan increased by more than 80% and in turn their exports to Russia doubled in the same period, raising calls to do more on sanctions evasion and workarounds.

As a result, we will see increased designations against individuals and companies engaging in circumvention and evasion, both in Russia’s neighbors and around the world, as well as increasing calls for applying punitive measures to countries that are permissive jurisdictions for such activity.  These broader targets of countries would likely include expanded export control prohibitions towards those countries, and in the future, potentially limiting trade access to the EU single market and other G7 markets. 

Increased focus on circumvention and evasion efforts likely also means increased scrutiny and, importantly, requests for information and explanation from local and international enforcement and regulatory bodies as well as the press over activities that are seemingly not in line with the letter, or the spirit, of the sanctions on Russia. 

Will Europe Target Privileged Industries in the 10th Sanctions Package?

Pushed by the hawkish member states of Poland and the Baltic states, the EU has begun working on the 10th sanctions package with an expectation that it will be ready to enact in time for the one year anniversary of Russia’s invasion of Ukraine on 24 February. The discussions yet again mention banning the import of diamonds into the EU, reducing nuclear cooperation with Russia, including potentially designating the state nuclear agency, and often arm of foreign policy, ROSATOM, and banning more Russian propaganda outlets and cutting more banks off from SWIFT. As this package is expected to come after EU alignment on extending the same restrictions on Russia sanctions to Belarus and agreeing on oil products price caps for next week’s EU-Ukraine summit, the real question is, will the anniversary of Putin’s invasion be enough of a catalyst for Europe to target thus far protected industries?

Reduce nuclear cooperation

Diplomatic sources have stated in the press that reducing nuclear cooperation between the EU and Russia will be a focus of the next round of sanctions. Earlier in January this year, Ukrainian Prime Minister Denys Shmyhal said he expects Russian nuclear energy company Rosatom to be included in the next round of sanctions. The move comes after the Ukrainian nuclear power station Zaporizhzhia was occupied by the Russians and Putin transferred the plant’s ownership to a subsidiary of Rosatom. The nuclear plant is considered to be stolen from Ukraine, and Rosatom is a leading actor in this by facilitating the seizure and stationing employees at the plant. Additionally, Rosatom develops nuclear weapons for Russia and has been found to aid the arms industry in Russia.

The nuclear sector has not been targeted by sanctions until now, a reason being that 20% of the world’s nuclear power plants are Russian-designed and sanctions are feared to cause more energy price volatility in an already volatile time for energy prices. Additionally, Hungary’s foreign minister Peter Szijjarto has said that the country will not support any sanctions targeting or restricting nuclear cooperation between Hungary and Russia as the country is dependent on nuclear power, arguing it would be more damaging to the EU than Russia. For similar reasons the US has thus far not targeted the Russian nuclear industry either.

Ban on the import of diamonds 

A ban on the import of diamonds from Russia has been discussed as part of multiple sanctions packages over the past year without becoming part of any of them. Trade restrictions on luxury goods were included in the fourth sanctions package in March 2022, but diamonds were excluded. A key reason for the lack of sanctions thus far is that Belgium has opposed a ban on the diamond trade, arguing it would be more damaging for Europe, particularly Antwerp, than for Russia, and due to a fear of job losses. But for how long can Europe continue to justify the continued import of goods providing important profit for Putin, particularly when other G7 members have taken strides to target the same trade? Russia’s largest diamond miner, Alrosa, is sanctioned by the US, Canada and the UK.

Diplomats from EU member countries, particularly Poland and Lithuania, have endorsed a complete ban on diamond imports, or at least an Alrosa designation, though thus far they have been without success as they have not been able to secure the unanimity required for enacting EU sanctions. However, this time may be different, as Belgium’s prime minister Alexander De Croo has repeatedly said he will not veto a ban if it is supported by a majority of members, but there are still a lot of negotiations before getting to that point.

Other proposals

Diplomats from the EU’s hawkish states propose banning more propaganda outlets and cutting off more banks from using SWIFT, and expanding the restrictions on imports of rubber products and compounds. In contrast to the highly debated and controversial proposals of reducing nuclear cooperation or banning the import of diamonds, achieving alignment on banning additional media outlets and non-strategic imports should be easier. On banks, Poland wants a strict new package with more banks including Gazprombank and Alfa Bank cut off from SWIFT. This seems like a strong negotiating position from Poland that once the dust settles will likely result in additional smaller banks cut off from SWIFT, but not major players like Gazprombank to preserve continuing business with Russia in energy and other industries important to world markets.

We will see how the negotiations play out and what proposals will come to fruition, but as always, preparation for what can come can save a lot of cost and heartache rather than getting caught by surprise.

Russian Oil Product Price Cap – What will it look like?

On 30 December 2022, US Treasury’s OFAC quietly released their preliminary guidance for the forthcoming price cap for the provision of services related to the maritime transport of Russian oil products. The cap is scheduled to be implemented by 5 February 2023 by the EU, G7 members and Australia. Much as with the crude oil price cap implemented in December, there are several takeaways and questions that remain from this guidance, both on ensuring compliance with the measure and on the practical impact of the measure on the ability of Putin to continue waging war in Ukraine.

Compliance Takeaways

Multiple Caps: Despite what the title suggests, and consistent with how officials on both sides of the Atlantic have been discussing it in private, we are likely to see multiple price caps for different products. The guidance states “As with the crude oil determination, OFAC anticipates issuing a separate determination to set the price caps for Russian petroleum products.” The guidance also does not provide any indication of what the price could be, and since, as with the crude price cap, it is the internal EU negotiations that are driving the discussions, it is quite possible that we see 3 or more caps with multiple reference prices when the political dust settles from any final agreement.

The “attestation model” continues: Companies will still be able to rely on attestations to meet their compliance obligations when it is appropriate. However, with multiple price caps for different products companies will still need to understand and apply substantial administrative resources to tracking the individual product and applicable price cap at a very detailed level to gain the appropriate verification or attestation.

The same “start” and “stop” apply as with the crude oil price cap: once petroleum products are offloaded on land and used or substantially changed, the price caps will no longer apply. If the products are reloaded onto ships without a substantial transformation, the caps will apply again.

There is a similar wind down period as the crude oil price cap such that products loaded onto vessels by 1201 eastern standard time (0601 Central European Time) on 5 February 2023, will not be subject to service restrictions under the price caps until 1201 eastern standard time (0601 Central European Time) on 1 April 2023. This forward leaning guidance is a practical consideration given that, much like with the crude oil price cap, it could take right until the 5 February deadline for countries to agree on the products price caps.

Looking Forward – Policy Questions

In reviewing this guidance and seeing the limited impact on Russian finances from the substantial compliance effort with the crude price cap, it is helpful to take a step back and question what is the true aim of this entire exercise? Is the price cap policy truly about restraining the resources of Putin? Or are we seeing an elaborate effort to save face and enact a long ago announced policy that is being structured to purposefully have as little impact on energy trades, and thus Russian finances, as possible while imposing tremendous compliance costs on firms?

In a forthcoming post we will examine the policy dynamics at play with the price cap to help Nordic firms better understand the overall trajectory of G7+ sanctions policy.

Key Takeaways from OFAC Settlement Agreement with Danfoss A/S

On 30 December 2022, US Treasury’s OFAC announced its settlement with Danish company Danfoss A/S for causing US financial institutions to violate US sanctions on Iran, Syria and Sudan. The settlement was for over $4 million which was negotiated down from a statutory maximum of almost $22 million as a result of Danfoss’ extensive cooperation and material changes to their controls and operations.

The violations happened as a result of the activities of Danfoss’ UAE subsidiary, Danfoss FZCO, which was engaged in business with customers in Iran, Syria and Sudan. In particular, Danfoss FZCO directed customers to make payments to Danfoss’s account at a UAE branch of a US bank, and Danfoss FZCO made payments to Iran and Syria from the same account via third party payment providers.

Amongst the aggravating factors in the case, US Treasury’s OFAC found that Danfoss lacked the procedures necessary to identify potential sanctions risks related to Danfoss FZCO’s activities and lacked a sufficient understanding of US sanctions. US Treasury also viewed Danfoss’ size and global operations as an aggravating factor.

Below are the key takeaways, which will help Nordic companies avoid mistakes similar to those made by Danfoss.

  1. Monitor and Review your Subsidiaries
    • The findings of the case highlight that parent companies are responsible for the activities of their subsidiaries and parents need to apply constant and appropriate monitoring of the activities of the subsidiaries, particularly when resources are shared across a group of companies. This is best addressed through regular and consistent testing and monitoring of the business activity, operations, and controls, of subsidiaries either in-house or with the support of third parties.
    • For more information on how to approach monitoring and reviewing subsidiaries and operations, review our Sanctions Program 101 post on Testing and Auditing.
  2. Tailor Controls for Your Company’s Risk
    • A critical deficiency by Danfoss is that they did not have in place controls that were regularly tailored to Danfoss FZCO’s operations in the Middle East region, including independent monitoring of the operations of Danfoss FZCO and monitoring of the financial transactions for business activity of Danfoss FZCO.
    • As US Treasury has highlighted, this lack of tailored controls meant that Danfoss A/S could not identify potential sanctions violations unless reported by Danfoss FZCO, which wasn’t happening because of the lack of control and Danfoss FZCO’s use of third party providers in non-sanctioned jurisdictions to facilitate payments from sanctioned jurisdictions. These types of back-to-back/chain/linked payments through third parties are prohibited by sanctions regulations because they do provide benefit to prohibited parties and should always be treated as a major red flag of sanctions risk.
    • As we have written before, the best internal controls are those that are tailored to your company’s risks and that consider the regions in which your company and your subsidiaries operate and your specific activities. For more information on how to approach understanding your company’s risk and applying appropriate controls, review our Sanctions Program 101 post on Risk Assessment and Internal Controls.
  3. Tailor Training for Roles and Risk
    • US Treasury’s OFAC found that Danfoss personnel including senior management did not have adequate training on US sanctions, including how to detect possible sanctions violations and who to escalate violations to, leading to a delayed response in stopping the transactions. Danfoss FZCO was on multiple occasions informed by different actors that conducting payments with certain jurisdictions using a US financial institution could be prohibited and was informed that their activity caused concern for violating sanctions. But in the end, Danfoss FZCO did not change their use of the US branch account when conducting payments with sanctioned jurisdictions such as Syria and Iran.
    • With adequate training in place, employees would have known how to detect potential sanctions violations and how to escalate concerns, which could have led to avoiding the sanctions violations. An essential component of successful sanctions compliance is that employees receive training on a regular basis, updated with the latest sanctions regulations and tailored to their specific role and responsibilities. For more information on the importance of and how to approach implementing appropriate training, review our Sanctions Program 101 post on Training.

Sanctions Compliance Program – Training

The most frequent questions we receive on sanctions training

  • How should our training be structured?
  • Where can I find resources for my company?
  • How often do staff need to be trained?

How should our training be structured?

Training is an essential component of your SCP to ensure that employees understand your company’s risk appetite, compliance structure, and policies and procedures used to achieve compliance.

We often see that organizations and suppliers of training materials focus on explaining in exhaustive detail the limitations and restrictions of sanctions under different regimes (e.g. EU, US, etc.). However, this approach can often be counterproductive for most employees because they become overwhelmed with information that is not tailored to the realities of their daily work. The best focus for an organization’s training program is to ensure that all employees know their roles and responsibilities in the company’s SCP. This means that employees know where to escalate issues of concern, that they understand the company’s sanctions policies and risk appetite, and that they are able to apply the controls for their role, be it sales, procurement, logistics, and especially senior management. The level and detail of training should be based on each employee’s responsibility, so that employees from the entry level through senior management receive training appropriate to their roles and understand their responsibility for achieving compliance.

How often do staff need to be trained?

Training should be mandatory for all employees and provided at a frequency appropriate to the organization’s risk profile. At a minimum, all employees should receive the necessary training as part of the onboarding process, and an annual refresher which includes any updates or changes the company has enacted in the past year and new risks that your organization faces. Given that sanctions can change rapidly, as with Russia, it very well may be appropriate to provide trainings that are held more frequently for those employees that most often need to understand the changing landscape, such as those involved in sales or similar roles.

Your training program should be updated frequently to reflect changes in the sanctions environment, and should also be updated after learning of negative audit or test findings to ensure that personnel learn and continuously improve. The benchmark for judging whether training is effective is not a lack of sanctions issues experienced by the company, but rather an increase in the number of questions and issues raised by employees, demonstrating that personnel understand the company’s approach to compliance and are paying attention to high-risk activities.

Where can I find resources for my company?

There are many resources and materials available to companies from government entities, industry and trade associations, as well as conferences and seminars. The real challenge is taking these resources and making them appropriate to your specific company, and this is where external experts such as ourselves can help. Even with the help of external experts, it is still vital that there are personnel within the company who are able to manage the training program, to ensure that training materials are appropriate to your organization, and to add efforts for continuous improvement.

Your sanctions training should focus on: 

  • The risks specific to the company and its industry and the importance of maintaining compliance 
  • Indicators (red flags) to identify potential risks in the company’s line of business and specific roles 
  • The company’s compliance program and control framework, including the application of controls in specific roles and departments 
  • The points of escalation for issues and potential breaches of the company’s program and regulations. 

Questions to ask to evaluate your organization’s sanctions training

  • Do all our employees know how to contribute to sanctions compliance in their role? 
  • Are the employees demonstrating sanctions compliance knowledge in practice? 
  • Is training provided regularly/periodically? 
  • Is our training program updated to address lessons learned and changes in the sanctions environment? 

Sanctions Compliance Program – Testing and Auditing

The most frequent questions we receive on testing and auditing

  • What is the difference between auditing and testing?
  • How frequently do we need to audit?
  • Do I need an audit team or separate unit to do the audit? 

In essence, testing and auditing are variations of the same answer to the question, is our program working as intended and as needed? Testing and auditing are the means for your organization to evaluate the effectiveness of your sanctions compliance program in practice. In terms of the differences between the two, testing is best understood as a real-time view of how the controls are working and performing in practice as a snapshot of the overall SCP framework. An audit, on the other hand, is more of a comprehensive review of the overall approach to your program, controls, or specific aspects of each, including a review of policies, procedures, and their application, with a focus on what is working and what needs to be improved. An audit takes into account your organization’s sanctions risk, risk appetite and the evolving sanctions environment to assess the program against what is needed, whereas testing focuses more on evaluating whether the current controls are working as intended.

How to test and audit 

Your organization’s controls and processes should be tested and audited regularly to identify any deficiencies or inconsistencies. It can be helpful to think of both as efforts “trying to break the controls” and “doing the wrong things” because the point is to prove that the controls are working and enabling your organization to comply with its policies.

It is always better to find issues internally than to be informed of failures from an external review, so a successful test or audit is one that finds areas for improvement. If you find any deficiencies these must be documented, and your organization must respond to any negative test or audit result by implementing compensating measures to ensure appropriate control. Once deficiencies are identified, your organization should define, commit to, and implement improvements to ensure sanctions compliance in a timely manner. It is also important that this timeline is adhered to as best as possible and it is better to embrace a reasonable timeline from the start rather than an aggressive one that must be changed and delayed when it is not met.

Testing and auditing measures must be supported by senior management, but also should be used to hold senior management accountable. The evaluation of the organization’s risk assessments and internal controls must be independent, objective, and comprehensive, and in our experience the number of people designing and formulating the tests and audits should be kept to a minimum. When it comes to the quantity of personnel directing tests and audits it is often the case that less is more!

We are often asked if you need a dedicated team to conduct the tests and audits, but this depends on the size and nature of your company. It is important to have qualified personnel that are able to evaluate your company’s operations and it can often help to have external support for audits, as external advisors can help to define the international sanctions environment facing your company and provide a fresh perspective for how your operations are performing in practice.

We are also often asked what the appropriate frequency for conducting tests and audits is, and the truth is there are no hard and fast rules. There should always be an annual testing and audit plan with as many actions as is reasonably possible for your organization’s personnel to perform. Large organizations with dedicated audit teams should have audits constantly occurring. In contrast, smaller companies operating with SMEs can appropriately have fewer actions in a year. The most important element is not the quantity of tests and audits but the quality and demonstrating that your company is committed to constant improvement in your sanctions compliance program.

Questions to ask to evaluate your organization’s testing and auditing measures

  • Does our testing and auditing find faults in our SCP by “trying to break” our controls? 
  • Do staff embrace testing and auditing or argue against the scope of audits or problems being identified?
  • How many improvements are completed within the set original time frame? Are solutions to identified deficiencies regularly delayed and “put on the back burner” for other priorities?