Sanctions Compliance Program- Internal Controls

The most frequent questions we receive on internal controls:

  • Are there controls besides screening?
  • What is fuzzy matching and what is the best threshold for fuzzy matching?
  • Do I need to define my controls? 

Policies, instructions and procedures as internal controls 

Internal controls are multiple different actions and tools working together to form a comprehensive package of measures which are the means to minimize the sanctions risks to your company. There should be an inherent interplay between the findings of your company’s risk assessment and the internal controls applied to control the risks. This interplay is first and foremost born out in the policies, instructions and procedures that your company enacts to establish a control framework for managing sanctions risk.

Written policies, instructions, and procedures outline the organization’s SCP and are the bedrock of internal controls and should be implemented to ensure compliance. They should address the organization’s risk profile, risk appetite, day-to-day operations, and business activities. 

  • Policies operate as the organization’s guiding “North Star” and should be as short and to the point as possible. 
    • Policies should be broad and outline the scope and approach, providing just enough detail for employees to understand “what” is trying to be achieved, be it complying with EU sanctions everywhere your company operates, or avoiding all business with specific countries.
  • Instructions outline who is in charge of implementing the policies, the requirements for implementation, and the point of contact for escalations when there is doubt about satisfying the policy. 
    • Instructions provide the “who and how” your company will achieve compliance with the policy and should outline the roles, responsibilities and accountabilities of different offices and employee positions.
  • Procedures explain in exhaustive detail how to carry out the instructions and should be specific for each operational unit and task.
    • Procedures provide the “detailed how” of the specific operating actions for specific roles and positions to achieve their stated responsibilities.

When designing policies and procedures, it is important to keep in mind that these should be easy to implement and follow, and should reflect the organization’s culture of compliance. Dedicated personnel should be responsible for monitoring the implementing of policies and procedures, and for improving internal controls once weaknesses are discovered, as we will cover in the testing and auditing posts. All personnel should be informed and trained on your organizations policies as well as the procedures that are relevant for their role, and a reporting mechanism should be established so that all employees know who to escalate and report any potential sanctions violations or misconduct. 

KYC as primary control and screening as secondary control 

One area where we often see confusion is a common view that “screening is the control” rather than an appreciation that screening is one essential tool in a internal control framework. The most powerful means for controlling risk is avoiding it from the start and that is best accomplished through the Know Your Customer (KYC) process.

KYC enables you to ask risk identifying questions for your customer and counterparties, and is best thought of as the “primary control” for managing risk because the process allows your company to avoid risk before customers and counterparties are onboarded. The length and level of evaluation for each company’s KYC process will differ for each industry but it is important to appreciate that the aim of the KYC process is to gain enough information on the customer, counterparty or supplier, to be able to rule out or effectively control likely violations of sanctions.

While screening is an appropriate component of the initial KYC process it is best thought of as a “secondary control” which is used to help ensure that customers and counterparties are operating in line with your company’s expectations as demonstrated through the KYC process. Put another way, screening is best thought of as “finding the risk we are looking for” because the action of screening is setting criteria of filters so that the system generates alerts. The criteria for the filters is defined by your company, be it choosing which sanctions regulatory lists to screen (US SD/SSI/Entity List, EU Consolidated List, ect.) or indicators of potential risk such as geographic locations, products or activities or behaviors.

Also, because screening is the act of “finding the risk we are looking for” it empowers us to pre-define the actions that we take on the alerts that are generated. Because we have set the criteria of what is risky, the indicators of risk that the screening alerts on should lead to specific actions as defined in your company’s procedures and instructions. For example, if your screening system generates an alert for a potential match to an entity on the EU consolidated list, you should be able to look to your procedures to know the next steps to take to ensure that no funds or economic resources of any type are provided to that entity as you follow your company instructions to escalate the potential match for action up the management chain.

Finally, screening can often seem like it is imposed on you and your company from the outside. It can often feel like drinking from a fire hose from regulators, enforcement bodies, or vendors but the truth is that you and your company are in control of criteria used in screening criteria and the actions taken on screening results.

The United States’ Office of Foreign Assets Control (OFAC), the office regulating US sanctions, found MidFirst Bank breaching sanctions specifically due to their screening tool not being updated with the latest sanctions  1 . The vendor MidFirst Bank used for screening only screened the bank’s customers once a month, resulting in the bank not being notified about the designation of a customer until 14 days had passed, in the meantime conducting transactions on behalf of the designated person. 

Fuzzy matching in screening

The purpose of fuzzy matching in a screening system is to generate alerts for close potential matches of words, phrases and information that are similar to identified risk indicators. For example, a screening system should be able to identify not only “Crimea,” but also “Krimea” to generate an alert for potential sanctions risk. Similarly, screening solutions should have the capability to detect alternative spellings and languages (including the same word in different alphabets such as Arabic or Cyrillic), abbreviations, misspelled or omitted words as part of the fuzzy matching capabilities.

We often receive many questions about fuzzy matching and what is the “best threshold?” The best threshold for fuzzy matching depends on the technical capabilities of your screening system, but the honest response is that the screening system should be able to generate alerts to the same ability that an informed human would be able to make a potential connection. Additionally, an in house screening system should certainly return potential matches at the same ability that publicly available search tools from US Treasury’s OFAC and UK HMT’s OFSI offer.

Questions to ask to evaluate your organization’s internal controls

  • Do we know what to do when a risk is identified? What capabilities and learning about the risks facing our company do we have beyond screening? 
  • Do we have appropriate policies, instructions procedures in place? 
  • Do our personnel know who to escalate and report sanctions risk and misconduct to? 
  • Is the KYC process used as our primary control for our sanctions risk? 

Sanctions Compliance Program- Risk Assessment

The most frequent questions we receive on risk assessment:

  • How do I conduct a sanctions risk assessment?
  • What is inherent risk? 
  • Doesn’t screening assess my risk? 

What is a risk assessment?

A risk assessment is the means of identifying areas in your organization’s operations where there is inherent risk for potential sanctions violations or misconduct. Effective risk assessments are conducted regularly or as an ongoing exercise using a defined risk-based methodology that is tailored to the nature of your operations and evolves with the changing sanction environment.

The risk assessment identifies potential threats to your company’s sanctions compliance in every part of the business. The approach to find the inherent risk in your business should be both “top-down” and “bottom-up.” “Top down” means assessing the offerings that your company provides to your customers and counterparties in the form of all products and services offered directly and indirectly. “Bottom-up” means assessing from your customers and counterparties the risk they present including from their intentions for the use of your company’s products and services to their operations, partners, locations and other criteria. Taking this dual track approach will allow your company to a best practice effort to identify any direct or indirect engagement with a sanctioned party, sanctionable conduct, or efforts to circumvent or evade sanctions. 

Inherent risks

An inherent risk is a sanctions risk your company faces when there are no internal controls in place to mitigate these risks. Clients, customers, intermediaries, counterparties, products, services, supply chains, transactions, and geographical areas all pose inherent risks to your company and the purpose of the risk assessment is to identify those risks.

When conducting a risk assessment, your company should leverage existing information about your business, from the capabilities that your products and services offer to reviewing information obtained through onboarding and your KYC (Know Your Customer) or due diligence processes to review customers and counterparties. The information obtained through these processes should be used to assess the inherent sanctions risks related to your customers and counterparties. This will enable your company to focus your business and compliance activities to achieve the highest reward at the lowest risk. 

Adapt to the changing risk environment

Adapting to the changing risk environment is critical to identify the sanctions risk for your organization. Sanctions can change on a daily basis so this means updating the methodology of risk assessments as new sanctions, guidances, advisories, and enforcement actions are announced, and staying abreast of the current legislation and regulatory requirements.

Even if your company only operates in the Nordics, there remains a risk of violating different sanctions regimes from authorities around the world or becoming subject to sanctions yourself from your business activity. It is therefore essential that your organization both understand the sanctions requirements that are directly applicable to where and how you operate, including the regimes directly applicable to your financial transactions, as well as the global sanctions landscape from the UK and US as being designated by either country can be as devastating to a company as violating legally applicable sanctions.

This can be a daunting task and providing tailored advice on the changing global circumstances is a core offering that Sanctions Advisory provides to our clients.

The importance of risk assessment during mergers and acquisitions

Mergers and acquisitions have proven to be a challenging area for assessing sanctions risk and is an area that has recently been the subject of repeated enforcement cases and as such highlighted by regulatory and enforcement agencies for special focus. The target or partner company of the merger or acquisition may have existing sanctions liabilities and it can often be the case of the due diligence process that sanctions risks are overlooked or revealed too late in the process to adequately address before the transaction has closed. This means that it is particularly important for your organization to conduct thorough sanctions risk assessments and customer due diligence on target or partner companies during mergers and acquisitions, and it is best that you integrate the focus on sanctions and thus sanctions compliance units into the process from the beginning.

Assessing the sanctions risks associated with the merging or acquired party is essential to avoid sanctions violations after the transactions has closed. Due diligence must be conducted both before and after the acquisition to ensure that sanctions requirements are met, and that sanctions risks are assessed and appropriately controlled.  

Questions to ask to evaluate your organization’s risk assessments

The following questions are useful to ask when assessing your organization’s risk assessment. The answer to these questions will give you insight into whether your risk assessments are effective.

  • Do we know the sanctions risk for every part of the business?
  • Are KYC processes, screening and risk ratings conducted for all new customers? Is it a part of routine risk assessment? 


Finally, keep in mind that the action of assessing, screening or rating a risk is not a control in itself. A risk assessment only tells you what the risks are and as a result where to focus your controls to mitigate the risk. We will explain how to control the risks you have identified in our post on internal controls coming next Wednesday.

Sanctions Compliance Program – Management Commitment

The importance of an SCP

Your sanctions compliance program (SCP) should be a comprehensive set of policies and controls tailored to your organization’s risks and means of operation. The aim of an SCP is constant improvement to avoid and safeguard against costly sanctions violations in an ever changing environment. The lack of an SCP is a risk and is often a root cause of sanctions violations, as many breaches are committed due to simple misunderstanding of sanctions regulations and how the organization ensures compliance. The first step in achieving an SCP is to set the “tone from the top” and in this first post, we will guide you through what management commitment means in practice. 

The most frequent questions we receive on management commitment: 

  • What is management commitment?
  • How do we demonstrate management commitment? 
  • How much is enough? 

What is management commitment and how do we show it? 

Management Commitment means that senior management ensures the organization’s compliance with applicable sanctions programs by promoting a “culture of compliance” within the organization. This means that senior managers ensure that employees are aware of their responsibilities, inspire them to be compliant, and allocate adequate resources to enable the organization to be compliant. 

Management Commitment means that senior managers sign their name to guarantee the company’s approach to sanctions through a risk tolerance approach that is clearly defined, explained, and understood by all employees. It means that senior management lead by example by “rolling up their sleeves” to ensure compliance, and not by simply outsourcing the role and responsibility for compliance to the units and personnel with compliance in their title.

Management Commitment means that all personnel should be aware of the consequences and seriousness of violating sanctions. Personnel, senior management in particular, need to be informed that they can be held accountable for violations by authorities which possibly could include jail time. Locally in the Nordics, the Dan Bunkering verdict is a case in point, showcasing that management all the way up to the CEO have personal liability and responsibility for the sanctions compliance of an organization and its employees because leaders “set the tone” of the organization. 

How to ensure management commitment? 

“How much is enough management commitment?” you may ask, and while there is no set benchmark for how much is enough, that does not mean there are no requirements to show it. Management Commitment is an overarching assessment of the approach and actions of an organization. Regulators and enforcement bodies have left the requirements broadly defined to allow for their discretion to “know it when you see it” for how much is enough for your organization.  What is certain however, is that a lack of management commitment will lead to failure and enforcement action.

In our experience, demonstrating management commitment means that senior management ensures that decisions are made by the appropriate personnel with the right knowledge, authority and autonomy to take the measures needed to manage the risk. It means that there is a formal escalation process all the way “to the top ” as a key component of management commitment is clear decision-making with clear definitions of who takes responsibility for decisions, and who has that responsibility is understood throughout the organization. 

To ensure management commitment it is generally easiest for your organization to have a dedicated sanctions compliance officer as a point of contact for advice and instruction on how to handle sanctions matters. In larger organizations, there may be a team with a clear leader dedicated solely to this task, while in smaller organizations the officer may occupy multiple responsibilities in addition to being the sanctions subject matter expert. Whether it is an individual or a unit, the personnel ensuring sanctions compliance must have technical knowledge and expertise about the sanctions risks that are relevant for your organization, and understand senior management’s risk appetite to instruct employees on what specific actions to take. In addition, decision makers and compliance units must be allocated adequate financial, technical, and human resources to ensure sufficient and effective risk control for today and the changes that will come tomorrow. Budgets and tools alone do not ensure compliance, but without them failure is guaranteed. 

Senior management, decision-makers, and compliance units must be aware of activities and transactions that are not in line with policy. This means senior management must be willing and able to demonstrate that business which is not in line with policy has been rejected in the past and will be in the future. 

Management commitment also means that senior management are aware of when breaches and violations occur and take appropriate action to support the organization and employees to ensure they do not occur again. By fostering a culture of compliance, senior management must discourage misconduct, and create a space where employees are not afraid to report misconduct or wrongdoings. As a part of the compliance culture, reviewing the status of sanctions compliance within the company is as much a part of “business as usual” as reviewing other benchmarks of your business’ performance as is done on a regular basis within your organization. 

Questions to ask to evaluate your organization’s management commitment

The following questions are useful to ask when assessing if your organization has the necessary management commitment. The answers to these questions will allow you to know if your organization has a management commitment to sanctions compliance or not. 

  • Who takes responsibility for decisions? Is the “decision tree” clearly understood?
  • What truly happens when there is a breach of sanctions regulations or policy? Does anything in the organization change when there is a breach?
  • What are the real resources spent to control sanctions risk and what is the trend for allocating resources to sanctions compliance? 
  • How much business (deals, transactions, etc.) have we turned down because of sanctions risk? 
  • How many exceptions to our risk appetite and policy do we issue to take on business that should be prohibited?

What do the US Midterms Mean for Sanctions?

While we do not have complete results from Tuesday’s midterm election and the balance of both houses is still to be officially decided, what is certain is that the outcome from the election sets the ground for a much more complicated picture for US sanctions over the next two years. 

Biden still retains the power of veto,  but when it comes to sanctions, the dynamics of needing to use that power, if ever, will go through a byzantine process. We will have plenty of “smoke” from active members of Congress, particularly in the House, ready to push aggressive stances on foreign policy issues, or hold Biden administration priorities hostage for election posturing rather than foreign policy aims.  The difficulty for Nordic companies will be determining what is fire from all the smoke.

What will the future of Russia and China sanctions look like?

The two main issues that we will see plenty of boisterous rhetoric and efforts to force the Biden administration to realign are Russia/Ukraine and China.  

The House Republican budget boasts of many foreign policy efforts that will be more aggressive than where the Biden administration has gone thus far, and will certainly be calling for more sanctions on Russia in the face of continued aggression in Ukraine. Targeting additional industries, a broader cutoff from SWIFT to include the Central Bank of Russia, imposing “secondary sanctions,” and labeling Russia as a State Sponsor of Terrorism will all be efforts that are likely to be pushed in the near future.  How much traction these efforts gain will depend on the election outcome for each chamber, but will certainly depend on the course of events on the ground in Ukraine and the rapidly changing overall economic and political climate.

On China, we are likely to see continued calls for further restrictions on China’s access to industry leading technologies and efforts to compel international cooperation on the same front.  As newly empowered politicians promote “decoupling” the West from China, we are likely to see calls to add more companies to the Chinese Military-Industrial Complex list and to further restrict goods and services for companies on the list. We are also likely to see calls to force international alignment and to expand restrictions on exports to and imports from China for which the recent US Commerce’s BIS rule on advanced computing and semiconductors and the Uyghur Forced Labor Prevention Act (UFLPA) serves as a guide map. All of which complicate the market potential and supply chain reliability of China for Nordic companies. 

These next two years will see lots of charged rhetoric on sanctions and export controls, the likely result of which will be hearings and legislative proposals that have real and potentially dire impacts for Nordic companies.  Many of these efforts will be nothing more than smoke but some will certainly contain real fire. 

Fortunately, we are uniquely experienced in understanding the nuances of Washington and its impact on sanctions implementation, enforcement and international policy for which we currently advise clients in the Nordics and Asia. So certainly contact us so we can help your company understand the changing landscape and its impact now and in the future for your company. 

What do Nordic political changes mean for the  future of sanctions on Russia and beyond?

 At a time of acute economic and security challenges, when there seemed to be a whipsaw of leadership changes all across Europe, the same had not held quite as true in the Nordics. As we are now in the fluid period of government formation in Denmark, with the effort being led by the same  official, Prime Minister Mette Frederiksen, who was the center of the entire election, questions remain on what the government’s program will be and thus will there be any impact on sanctions.

While commentary and polls prior to the elections noted increasing concern with the security situation in the Nordics and the gloomy economic outlook, that sentiment did not materialize into calls for a change in policy approach to Russia and Ukraine in the campaigns in Denmark or Norway. Even in the face of the sabotage of the Nord Stream pipelines and recent threats to critical infrastructure in Norway, discussion of foreign policy was largely absent from the election debates, without mention of reversing the monumental actions from the spring and summer of Sweden’s still-to-be-finalized NATO ascension and Denmark removing their defense reservation toward the EU. 

What about the direction of sanctions in Europe as a whole?

The recent election results in Denmark and Sweden have resulted in historic political change, however they are overturning the stable pillar of Scandinavian policy of  standing up for international norms and leading and supporting sanctions on Russia and their continued use to face new challenges. We are likely to see some growing pains toward further integration of EU implementation and enforcement, particularly given that the EU-skeptic government in Stockholm will take over the rotating EU Council presidency at the start of 2023, but the direction towards collaboration and cooperation will continue. As Germany’s creation of the new Central Office for the Enforcement of Sanction demonstrates, the lessons learned from the ‘Freeze and Seize Task Force’ is centralization of information and action is key to enforcement and the future for sanctions in Europe is clearly headed toward more robust sanctions enforcement based on collaboration and coordination across country lines.

What does this mean for Nordic Companies? The continued use of sanctions as a tool of foreign policy will progress to see new programs developed and applied to threats around the world, the scope and complexity of which will be compared with Russia sanctions as a benchmark.  Coupled with the heightened focus on enforcement of sanctions means increased regulatory scrutiny and increased reputational risk even in the absence of civil or criminal inquiries.  Prevention is always the best medicine and now is the time to understand your company’s exposure and dependency on flash point areas, particularly China, and to implement a sanctions compliance program that can efficiently and effectively adapt to the challenges of tomorrow.

Key Takeaways for Senior Management and Compliance Personnel from the Dan Bunkering Verdict

The verdict against Dan Bunkering, Bunker Holding, as well as the chairman of Dan Bunkering and CEO of Bunker Holding, is monumental not only because it is a rare example of a criminal conviction for EU sanctions compliance failures, but because it confirms the scope and expectations for what it means to comply with EU sanctions. 

In particular, the verdict confirms: 1) the benchmark for sanctions compliance, 2) that senior management have personal liability for their decisions on sanctions compliance and 3) there are real costs for failing to comply. 

The most important lesson from this verdict though is that the situation was entirely preventable. If your company is looking for help establishing an appropriate sanctions compliance program to effectively and efficiently manage your company’s sanctions risk to prevent facing similar circumstances contact us at

The Benchmark of Sanctions Compliance: Known or “Should have Known” 

The court affirmed that failing to take reasonable action to ensure compliance with sanctions is at best negligence and at worst an intentional violation of sanctions.  The verdict makes clear that the responsibility for complying with sanctions does not end with just the direct parties of a transaction but extends to companies taking reasonable steps to ensure that the ultimate end use and user of the products won’t be in violation of sanctions.

In other words, the benchmark for compliance is that companies should know their activity will not violate EU sanctions or at least make every reasonable effort to ensure they tried to know, and therefore can demonstrate that it was unreasonable that they should have known the activity would violate EU sanctions.  For this case, the verdict makes clear that the court found all the defendants failed the benchmark of should have known. The red flags of the transactions were easily identifiable and that ignoring them to proceed with the transactions was an intentional violation of EU sanctions. 

As the verdict makes clear, the red flags evidencing that the defendants should have known the activity would violate EU sanctions were a new customer which is an agent for the Russian military wanting to acquire jet fuel by ship-to-ship transfer in the eastern Mediterranean after and the imposition of EU sanctions specifically targeting jet fuel destined for Syria in December 2014 and it was widely reported that the Russian military had started performing air raids in Syria in September 2015. 

“The majority of the judges found that T1 [Dan Bunkering] for all 33 trades must have realized that it was overwhelmingly probable that the jet fuel would be used by the Russian military in Syria. The majority thus found that T1 [Dan Bunkering] for all 33 trades committed an intentional violation of EU sanctions, emphasizing, among other things, that the trades were entered into by Russian employees at T1 [Dan Bunkering]’s branch office in Kaliningrad, where one must have been aware of the Russian intervention in Syria. It was also emphasized that the two Russian companies had not purchased jet fuel from T1 [Dan Bunkering] prior to October 2015, the amount of jet fuel delivered, and T1 [Dan Bunkering]’s knowledge that the two companies were general agents of the Russian fleet, which is why the jet fuel would be used by the Russian military.”

The court also affirmed that the decision by senior management of the group to not take immediate action to stop the trades after Dan Bunkering was approached by the Danish government is negligent. Even though Bunker Holding and it’s CEO were not conducting the day-to-day operations for these trades, as the head of the Group they made approvals for the deals and had the clear ability and capability to stop the trades based on their senior position in the group. 

In other words, the verdict makes clear that when senior management have the ability to take action and choose not to do anything is negligent because they knew activity was being conducted in violation of EU sanctions.

“The Court of Appeal unanimously found that both T2 [Bunker Holding] and T3 [Chairman/CEO] for the last 8 trades that took place in February to May 2017, had contributed to a negligent violation of EU sanctions, as following the Danish Business Authority’s inquiry to T1 [Dan Bunkering] in December 2016 and the subsequent internal investigation into the group’s activities, T2 [Bunker Holding] and T3 [Chairman/CEO] should have realized that the Russian company was supplying jet fuel for use in Syria in violation of EU sanctions, and that T2 [Bunker Holding] and T3 [Chairman/CEO] could and should have stopped trading.”

Senior Managers have Personal Liability for Sanctions Compliance

Throughout the case the defense attempted to argue that a holding company nor its management should be held responsible for the activities of its subsidiaries, the court however rejected this argument. This verdict makes clear that senior managers are directly liable and responsible for the sanctions compliance of the entire group, including subsidiaries, and risk prison time for not stopping violations of EU sanctions because they knew or should have known of the activity of the businesses that they control. 

“T3 [Chairman/CEO] has been sentenced to 4 months in prison, which has been made conditional. The court has hereby emphasized, among other things, that T3 [Chairman/CEO] is punished for a negligent violation of the sanctions, as well as the decision processing time [between the notice of inquiry by the Danish Business Authority and stopping the supplies].” 

Failure to Comply has Real Costs

The verdict confirms once again that prevention is always the cheaper option. The forfeiture of profit from the transactions and a fine of double the profit of the transactions for a total of 3 times the initial business profit demonstrates the real cost of failure to comply. By spending only a fraction of the profit forfeiture and direct fine, and much less when considering the legal and reputational costs the defendants have incurred, it would have been possible to prevent this entire episode by having a proper sanctions compliance program in place. 

“By the court’s judgment, T1 [Dan Bunkering] has been fined DKK 30 million, and T2 [Bunker Holding] has been fined DKK 4 million. Both fines are measured on the basis of the companies’ profits from the trades, so that the fine for T1’s [Dan Bunkering] intentional violation of the rules is measured at approximately double the profit, while the fine for T2’s [Bunker Holding] negligent infringement is measured so that it roughly corresponds to the profit of the last 8 trades.”

“T1 [Dan Bunkering] has the dividends confiscated from the traders, which have been calculated by the court to be approximately DKK 15.65 million.”

All quotes below are translated from Danish to English by the author.  The original judgement in Danish can be found here Dom i straffesag om levering af jetbrændstof i strid med EU’s sanktioner 

How should Nordic Banks and Companies React to the new US Russia Sanctions?

On April 15, 2021 the Biden administration announced a broad set of measures to combat malaign activities of the Rusisan government against the United States.  Some of these measures are very targeted and others create a broad structure for future sanctions that could have harsh consequences for us in the Nordics.  

While they complicate the environment, these measures won’t be the last actions taken by the US. President Biden has already forecasted the potential for future sanctions against Russia during the announcement when he stated “I was clear with President Putin that we could have gone further, but I chose not to do so, to be — I chose to be proportionate.” 

So what should banks and businesses do to mitigate the current and future risk of these sanctions?

First Step: Assess and Mitigate

The first action in addressing any new sanctions is to assess your exposure to the parties designated and the activities highlighted. The Biden administration has gone to great lengths in this announcement to make available identifiable information on the targets and their funding sources.  This information should be used to determine if your bank or business has any exposure to the actors and their nefarious activities of politically guided misinformation, election interference, or sanctions evasion as highlighted by the Department of the Treasury’s press release “Treasury Escalates Sanctions Against the Russian Government’s Attempts to Influence U.S. Elections”. If exposure is found it is best to devise a specific plan to orderly mitigate the sanctions risk as quickly as possible.

Specifically for banks, an assessment should also be conducted for exposure under the prohibitions of Directive 1 of the new Executive Order (E.O) “Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation.”  The directive prohibits US participation in the issuance of bonds by and lending to the Central Bank of Russia, the National Wealth Fund and the Ministry of Finance. It is important to note that the restrictions of Directive 1 are limited to the specified entities themselves and not to entities that they majority own, as clarified by FAQ 891. While these restrictions are currently very limited, as we have seen in other sanctions programs, there is always the potential for the administration to add secondary sanctions penalties in the future. Therefore it is strongly recommended that institutions understand their exposure and devise a mitigation strategy before there are potential consequences of restricted access to the US financial system.

Second Step: Plan for the future

As the designated parties and actors are outside of the Nordics and engaged in unusual business activities, the greatest impact of the new sanctions is likely to come from the broad authorizations of the new E.O. Several of the authorizations in the E.O. are similar to existing US sanctions, especially related to Ukraine and Human Rights, but this E.O. creates a new framework for more sweeping sanctions to target the Russian government in the future. As such, it is important to understand your bank or businesses exposure to parties engaged in activity that could be designated under the new E.O. and devise a plan to proactively address the risk of potential future designations. 

The new E.O sets out three new “buckets” of activity for which the US can now designate actors, which are appropriately categorized corresponding to the sections of the E.O. as: 

a) Supporting or engaged in conduct supporting the Russian government, 

b) Supporting designated governments via Russia, and 

c) Restricting energy exports to Russia’s neighbors

The restrictions under section a) have the most overlap to existing sanctions that have been applied to Russia. The important change is that now the criteria for designation has been expanded such that just being tied to the Russian government meets the criteria for designation. For example, under section a (iv) the US can designate an entity for acting as an “instrumentality” of the Russian government, which could be broadly applied to cover parties well beyond those that are owned and controlled by the Russian government. 

Section b) is clearly aimed at efforts to use Russia’s territory and economic infrastructure to circumvent US sanctions against designated governments such as Syria and Venezuela. This section does not change the sanctions that are imposed on the likes of Syria or Venezuela but, as with section a), broadens the criteria for sanctions to allow the US to designate Russian actors that even just provide goods or services to US designated governments.

Section c) is clearly aimed at creating the authority for the US to react to a potential bypassing of Eastern Europe with a completed and operational Nordstream 2 pipeline. Historically, Russia has restricted the flow of gas and energy to neighboring countries for political purposes and this measure is broad enough to enable sanctions in response to restrictions on the supply of electricity and other energy sources as well. 

Overall the new sanctions mark a broad expanse in the US architecture to target the Russian government, one which will only grow more complicated over time. As the sanctions challenges continue to expand, Sanctions Advisory is always here to help you solve any sanctions advice, risk management, training, and program development needs you have so please feel free to contact us via

All materials are intended as a general overview and a discussion of the subjects dealt with, and does not create a  relationship between any reader and Sanctions Advisory ApS. These materials are not intended to be, and should not be used as, a substitute for taking advice, including potential legal advice, in any specific situation. Sanctions Advisory ApS will accept no responsibility for any actions taken or not taken on the basis of this material. 

Copyright © 2021 Sanctions Advisory ApS. All rights  reserved.