Sanctions: Not Just a Financial Institution Issue

What's changed

Nearly 20 years ago, I wrote an article entitled: “OFAC: Not Just a Banking Issue.” I don’t recall exactly what prompted me to write the article. I think it was tied to the U.S. government’s use of sanctions as one of its tools for fighting terrorism in the post 9/11 world.

Twenty years from now someone may wonder why I chose this time to update the article. I don’t think it will be much of a mystery, however. History will likely remember the current period as seminal in the evolution of sanctions policy and enforcement. Since Russia’s invasion of Ukraine in February 2022, we have witnessed unprecedented cooperation and coordination by Western powers and other key allies to punish Russia for its actions. We have also seen stepped-up sanctions activity to address the conflict in the Middle East, U.S.-China tensions, and many other situations across the globe. In 2023, 6,000+ sanctions designations were issued globally.^[1]The early days of 2024 suggest it will be another active year.

To paraphrase my earlier article: many people historically thought of sanctions, principally those designated by the U.S., as an issue that was only relevant to banks that operated internationally. Today, we are way beyond thinking of sanctions as a mere banking issue. Every sector of the financial services industry — banking, capital markets, asset management, insurance, payments, virtual assets and more — has been affected by the proliferation of sanctions in the last two years. Increasingly, other industries have come to understand how sanctions can affect their operations — where they source materials, how materials and finished products are transported, where and to whom they sell products and services, the end users of their products and services, and their business partners.

We are also way beyond thinking of sanctions as primarily punishment imposed by the U.S., specifically the Office of Foreign Assets Control (OFAC). Companies now need to be concerned about European Union (EU), United Kingdom (UK), Swiss and Canadian sanctions, just to mention a few of the more active regimes. In addition, we are way beyond thinking of sanctions as bans on all activity with a designated jurisdiction. Today, we need to deal with sectoral sanctions, secondary sanctions, trade and two-way investment restrictions — and myriad methods of sanctions evasion. We also recognise that the enforcement environment has evolved — while the U.S. has a long track record of sanctions enforcement, other countries, including the UK and EU member states, have signaled their commitment to more aggressive enforcement.

The bottom line: While few, if any, sanctions practitioners in financial institutions are likely to say they are confident that their compliance programs are 100% effective, financial institutions at least have established frameworks and tools along with experienced subject-matter experts to address the challenges. Not all industries may be this well-positioned, and that makes them more vulnerable to potential violations.

Sanctions compliance: Sanctions compliance is binary: you comply, or you don’t. There is no middle ground. There are no “small” violations of law. How a company chooses to manage its sanctions risk is its decision. That said, since I authored the first article on this topic, OFAC published A Framework for OFAC Compliance Commitments which provides useful guidance for all companies, both U.S. and non-U.S., to consider when they are designing a sanctions compliance program. The OFAC Framework summarises five components of an effective sanctions compliance program:

1. Management commitment — fostering a “culture of compliance” through words and actions, including ensuring adequate resourcing of and investment in the compliance effort
2. Risk assessment — a holistic assessment of the company’s exposure to sanctions risk and the controls in place to mitigate the risk
3. Internal controls — the adoption of policies, procedures and tools (including, as warranted, screening technology) necessary to support the compliance effort
4. Testing and auditing — a periodic, independent testing of the effectiveness of the compliance effort
5. Training — a training and awareness program for company personnel and other stakeholders (for example, clients, suppliers, business partners, and counterparties) that may impact compliance.

Image

Does adopting the OFAC Framework approach to sanctions compliance mean that every company should have a discrete sanctions compliance department with large numbers of subject-matter experts and sophisticated technology? Not all. How a company chooses to manage sanctions compliance risk should be determined by its risk assessment and answers to questions such as:

• How pervasive is our sanctions risk exposure? Does our exposure primarily stem from one or a limited number of sanctions programs (e.g., primarily from our interaction with parties in Russia), or does our business and geographic reach (including jurisdictions near or known to be friendly to those with significant sanctions) mean we have far broader exposure?
• What is the volume of transaction activity that needs to be screened for sanctions? Is it realistic to think we can manually screen our transaction activity?
• Do we have the in-house expertise necessary to meet our sanctions compliance obligations?
• Does sanctions compliance align with other compliance or risk management activities we are performing?
• Does our internal audit team have the experience to evaluate the effectiveness of our sanctions compliance efforts?
• What’s our company’s track record on sanctions compliance? Are we seeing more enforcement activity related to our industry?

The answers to these questions can help determine how a company should structure its sanctions compliance efforts. Some non-financial services companies may determine that, based on their risk profiles, they do need to staff a discrete sanctions compliance function and invest in technology to support the compliance effort. Many non-financial companies may decide that sanctions compliance can and should be part of their third-party, or vendor, risk management programs — with or without a technology investment depending on their exposure. Other companies may decide that oversight of sanctions compliance should be the responsibility of the General Counsel’s office, a Business Integrity Office, or a Trust and Safety function. Some non-financial companies may decide that sanctions compliance is not a core competency, and that they don’t have the experience or capacity internally to manage the risks; for these companies, outsourcing or managed services options could be the solution.

Similarly, many companies may look to external parties to assist with training and conduct independent testing. There is no right or wrong answer to how a sanctions compliance function should be structured. What’s important is understanding the risks and managing them, with the support of management and the board of directors, in the most effective and efficient manner for the company and being able to evidence the compliance effort.

The final word: Any company that answers the questions above with “I don’t know" may want to seek legal and/or consulting advice. The penalties for violating sanctions can include fines, reputational damage, and in the extreme, personal liability and jail time. And the failure to establish and maintain a compliance program is often an aggravating factor when these penalties are determined.