MANAGING SANCTIONS COMPLIANCE CHALLENGES
REPRINTED FROM: RISK & COMPLIANCE MAGAZINE
JUL-SEP 2015 ISSUE
www.riskandcompliancemagazine.com
Visit the website to request a free copy of the full e-magazine
Published by Financier Worldwide
© 2015 Financier Worldwide Ltd. All rights reserved.
EXPERT FORUM
PANEL EXPERTS

Alexandre Lamy
Senior Associate
Baker & McKenzie
T: +1 (202) 835 1862
E: alexandre.
Alexandre Lamy joined Baker & McKenzie in 2009 and currently works in the firm’s International Trade Practice Group. He assists clients with US export controls, trade and economic sanctions, antiboycott controls, and international anti-corruption measures. He advises US and non-US companies in the context of licensing, enforcement actions, internal investigations, compliance audits, mergers and acquisitions and other cross-border transactions, and the design, implementation and administration of compliance programs. Since August 2011, Mr Lamy has served on the steering group for the ABA Section of International Law’s Export Controls & Economic Sanctions Committee and is currently a Vice Chair of the Committee.

Lauren Camilli
Director, Global Compliance Programmes
CSC
T: +1 (703) 641 3237
Lauren Camilli leads the global compliance functions for CSC, a publicly traded Fortune 200 information technology company with over 70,000 employees doing business in more than 70 countries. Ms Camilli is responsible for the creation and deployment of CSC’s compliance programmes including Global Trade & Sanctions, Anti-Corruption and Privacy & Data Protection. During Ms Camilli’s 15 year legal career, she held in-house positions focused on ethics and compliance for large international aerospace, defence and technology companies including BAE Systems, Intelsat and DRS Technologies.

Michael Cone
Partner
FisherBroyles
T: +1 (212) 655 5471
Michael Cone, New York and Washington, DC Office Managing Partner at FisherBroyles, has over 20 years of experience practicing in the areas of international trade and federal regulatory law. He assists clients with import and export activities, helps them design and implement compliance programs, and defends them from government enforcement actions in both administrative and judicial forums. He regularly advises companies on a broad array of compliance matters including OFAC, FCPA, Customs, FDA, US Fish & Wildlife, CPSC, FTC, export controls, and many others.

Christopher Recor
Managing Director
Grant Thornton, LLP
T: +1 (212) 542 9676
Christopher Recor is the Financial Services Advisory Anti-Money Laundering (AML) Practice Leader at Grant Thornton LLP. He is a certified AML specialist and has spent over 20 years as a management consultant working with financial services clients on their AML, sanctions, compliance, anti-fraud and regulatory programmes. Mr Recor has experience working with regulatory regimes administered by FinCEN, FFIEC, SEC, FINRA, OFAC, FCA and the FATF.

Michelle Fisser
Senior Compliance Officer
Rabobank International
T: + 31 6 1311 2937
E: michelle.fisser@rabobank.com
Michelle Fisser joined Rabobank International in October 2008 as a senior compliance officer. At Rabobank she is responsible for corporate finance, global trade & commodity finance and private equity. Ms Fisser began her compliance career in 2003 at Fortis Bank Merchant Banking following a two year period as a tax consultant at PricewaterhouseCoopers.
RC: What are some of the key challenges facing businesses in terms of sanctions compliance?
Camilli: One key challenge facing businesses is
keeping up with the various sanctions regulations
in all of the jurisdictions in which they do business.
There are hundreds of lists globally that can change
frequently, leaving companies struggling to find new
innovative solutions to keep up with the changing
regulatory landscape. In addition, the new
Ukraine-related sectoral sanctions can be complex, and
several directives have been issued with little
interpretive guidance, leaving companies with many
unanswered questions, including how they will be
enforced. Another challenge that many companies
face is ensuring that they are not in a position
where they are ‘facilitating’ trade to sanctioned
countries through third parties. Many US sanctions
programmes prohibit facilitation and that requires
a careful evaluation of your business transactions.
Lastly, companies face challenges when evaluating
a company’s ownership structure when screening
entities to determine if the entity is owned 50
percent or more by one or more blocked persons
under the revised Office of Foreign Assets Control
(OFAC) guidance given last year.
Cone: Moving targets, trap doors, foggy legal
landscapes and aggressive treasure hunting
by government regulators are among the key
challenges. When it comes to sanctions regimes
and the prospect of enforcement actions, the lack
of regulatory transparency combined with the
downside of severe financial consequences and
business disruption present significant challenges
for effective internal risk management. To make
things worse, a company engaged in international
commerce cannot content itself with tackling the
sanctions regime of its home state. The US and UK
sanctions regimes boast extraterritorial tentacles
that ambush unwitting violators by surprise, and if
a foreign business partner’s home state currently
lacks its own sanctions regime, it may soon join the
growing chorus of countries that do. To complicate
things further, in the US there are a number of
sanctions regimes administered by different
agencies such as BIS and OFAC. Accordingly,
thorough risk management requires navigating a
kaleidoscopic patchwork of domestic and foreign
laws.
Fisser: One key challenge is that it is impossible
to mitigate sanctions risk fully, since sanctions
may arise during the course of a transaction or
relationship even if your due diligence processes,
screening and filtering applications, and other
controls are fully implemented and effective. It
makes it even harder to deal with the different
interpretations in the market applying sanction
control frameworks, especially in situations where
financial institutions have a common participation
– for example, syndicated loans – based in different
jurisdictions and having different risk appetites with
respect to the sanctions risk. Another example is
that a correspondent bank in a network identifies a
potential sanctions element and blocks or refuses
the payment, but is not cooperative enough to
identify the specific reason for this action. In this
instance, the business is required to solve the
issue personally; indeed, the only solution is to
start a full investigation. In instances such as these,
correspondent banks should have better and
mutual cooperation, since the banks all serve the
same purpose, which is to comply with sanctions
regulations.
Recor: OFAC administers and enforces economic
and trade sanctions against specific foreign
countries and regimes, as well as targeted sanctions
against entities and individuals which are based on
supporting US foreign policies and national security
goals. Businesses face several key challenges in
complying with sanctions regulations. First, sanctions
requirements frequently change as US foreign
policies and national security goals are revised,
due to ever changing global interests and political
situations. Second, screening technology solutions
produce a significant number of false-positives, in
part due to the design of the applications and the
difficulty in matching names. The sheer quantity
and quality of transactions processed by larger
institutions can also create an enormous number
of false-positives which creates increased analyst
workloads in terms of the subsequent investigation,
evidence gathering and resolution processes. Finally,
the complexity of the evolving sectoral sanctions,
and due diligence of the ownership structure of
certain targeted entities, means businesses need to
be very diligent in understanding the sanctions risks
associated with their products and services, third
party vendors, customers and employees during the
onboarding process.
Lamy: A key sanctions compliance challenge for
business is the more targeted nature of US sanctions
to make them ‘smarter’. Previously, US sanctions
focused primarily on comprehensive sanctions
under which companies subject to US jurisdiction
were broadly prohibited from engaging in virtually all
transactions involving targeted countries – such as
Cuba, Iran and Sudan – or parties, such as Specially
Designated Nationals (SDNs). Such near-absolute
prohibitions, while having a wider effect on business,
can be easier to police from a corporate compliance
perspective. In recent years, the US government has
developed more targeted territorial sanctions, such
as those in the Crimea region, and more targeted
restrictions against various categories of restricted
parties, such as the Foreign Sanctions Evaders
List (FSE List) for Iran and Syria, and the Sectoral
Sanctions Identifications List for Russia. This new
sanctions approach does not prohibit all business,
but can require significant compliance costs to
determine what is and is not permissible.
RC: How would you characterise current enforcement trends? How are these being applied to global businesses where jurisdictional issues may exist? What role is the US Office of Foreign Assets Control (OFAC) playing in this area?
Lamy: One trend to monitor is the
increased role multiple government
agencies are taking in terms of
enforcement, which makes OFAC only one
of the agencies which must be considered
in the trade compliance context. That said,
OFAC is still the leading agency on US sanctions
issues, primarily with respect to civil enforcement.
The various agencies do not always adopt common
approaches to sanctions issues or follow OFAC’s
lead, which can become a compliance headache.
In the financial sector, the growing significance of
the New York Department of Financial Services
(NYDFS) is evidence of this trend, particularly given
that NYDFS has insisted on some of the most
draconian penalties in recent enforcement cases
– including large fines, dismissal of employees and
suspension of US-dollar clearing services. Beyond
civil and criminal enforcement, the US government
has become more active in using administrative
measures, such as the Entity List and the FSE List,
to penalise bad actors and restrict their access to
US markets. In addition, there are also new players
among US state governments that are seeking to
pressure primarily non-US companies to stop doing
business with Iran or Sudan through divestment
measures.
Camilli: Recently we have seen very aggressive
enforcement trends, with record setting penalties
for violating sanctions. Within the last year, OFAC
penalties have included the almost $1bn in fines
handed down to BNP Paribas and more recently
Commerzbank agreed to settle for $258m for
falsifying business records for sanctioned countries.
US sanctions programmes can have a significant
jurisdictional reach, and OFAC’s extraterritorial
reach can even extend to foreign subsidiaries of US
companies. Other than OFAC, the US Department of
Justice (DoJ) is also committed to bringing criminal
charges on sanctions laws and recently agreed
to a fine of $232m to settle criminal charges with
Schlumberger Oilfield Holdings Ltd for violating
US sanctions. This recent enforcement action also
demonstrates that regulators may be increasing their
scrutiny of US manufacturing companies
going forward.
Cone: OFAC continues to administer
its sanctions regime on an ad hoc basis.
Thus, when OFAC decided in August 2014
to change its interpretation of ‘blocked
entities’ to include those that are owned
50 percent or more in the aggregate by
blocked persons, as opposed to owned
50 percent or more by a single blocked
person, it accomplished this sea change
in the law simply by posting a notice on
its website. OFAC’s enforcement actions against
banks such as BNP Paribas and Commerzbank
grab headlines with hundreds of millions and
even billions of dollars in penalty assessments,
but OFAC continues to relentlessly pursue all
potential violators regardless of their size or type
of business. The trend across the globe is for
increased cooperation and informational exchange
among countries so that multinationals accused of
regulatory violations may be thoroughly investigated
and subjected to enforcement actions in both their
domestic and foreign jurisdictions.
Fisser: Current enforcement trends remain
a great challenge, but the overall regulatory
landscape is clear. The key is that there is a
global leading approach, maintaining the highest
standards where applicable, with respect to these
enforcement trends, and ensuring that they are
properly implemented. It is key that businesses
can demonstrate that they are in control and that
their measures are effective. Jurisdictional issues,
however, still remain – especially when organisations
are represented in different countries globally.
Recor: US regulators have taken an aggressive
stance to enforce sanctions compliance as
evidenced by the recent multibillion dollar fines
imposed on businesses. In addition, there have been
a number of high-profile cases where regulators
have charged key company personnel, holding them
personally liable for compliance violations, which
resulted in fines and forced terminations. From a
global perspective, OFAC sanctions programmes
apply to US persons and permanent resident
aliens regardless of where they are located in
the world, all persons and entities within the US
and all US incorporated entities, including their
foreign branches. Certain programmes may apply
to subsidiaries of US companies and to foreign
persons in possession of goods originating from the
US. Sanctions compliance for a global business can
be highly complex as other international sanctions
programmes, such as the European Union sanctions
regimes, for example, must also be a component of
the businesses’ overall sanctions programme.
RC: What lessons can we draw from recent notable examples of sanctions non-compliance, related enforcement action, and the penalties imposed?
Fisser: It is clear that sanction breaches are
penalised very seriously, especially when the root
causes changes in human behaviour. Unfortunately,
having the proper controls in place does not mean
that there will be no breaches. However, this is not
just limited to sanctions compliance. Unfortunately,
some breaches are sometimes not foreseen, which
brings a large amount of stress to organisations
that are very keen to comply with sanction laws
and regulations. Training, awareness and monitoring
should be an ongoing process to keep staff focused
and up to date.
Recor: Businesses need to become much more
aware of the complex US sanctions requirements
and what is needed to be compliant. To do this
effectively, frequent, targeted training needs to be
provided to employees, not only so they understand
the regulations, but also the types of risks their
businesses are exposed to as a result of their
particular products and services, transactions,
customers and the third parties they work with.
It is also important to perform periodic reviews
of the controls around the programme to ensure
that policies and procedures are being followed
and that inherent risks are being mitigated. Strong
governance will help to ensure that executive
management is aware of the key programme metrics
and pursues the timely remediation of the programme’s
compliance issues. Management should be aware
that OFAC can impose financial penalties not only to
the business but also to key individuals within the
business, including forced terminations. Based on
the escalation of enforcement that has taken place
during the past several years, we can expect to see
regulators expand their reviews and areas of focus
to include those financial institutions that have a
smaller footprint than, say, the top 20 bank holding
companies – credit unions, casinos and money
services businesses – as well as large multinational
non-financial services industries.
Camilli: There have been several recent
enforcement cases that can provide companies with
insights into the mindset of regulators. In March of
this year, PayPal Inc agreed to pay $7.7m to settle
charges by OFAC that it violated trade sanctions
against Iran, Sudan and Cuba. One of the issues
identified was that PayPal failed to employ adequate
screening technology and procedures. Although the
company had a screening solution and procedures
in place, its software failed to identify a potential
match for six months and when the system did
flag the match, employees cleared the name on
six occasions prior to appropriately identifying and
blocking the party. A lesson we can draw from this
case is that having a solution in place is not enough,
and increased focus should be placed on auditing
and testing of company processes, and training
employees on clearing potential matches and
escalation procedures.
Lamy: One of the lessons that can be drawn
from recent enforcement cases is the importance
of tailoring sanctions training to each particular
audience. In one recent case, it appears that a
significant failing of a multinational’s sanctions
training programme was that non-US individuals
working in the US were not made aware that they
are subject to US sanctions jurisdiction – both
in terms of applicable restrictions and potential
consequences for violations. The activities of such
non-US individuals appear to have contributed
to the extent of the sanctions violations within
that company. Another lesson drawn from recent
enforcement cases is that the use of codenames
for sanctioned markets such as Iran and Sudan is
more likely than not to backfire. Within a company
using codenames, no one is fooled about what
is going on: business with prohibited markets.
More important, though, is that the use of such
codenames creates evidence for
future investigators that
company personnel
were aware that
such business raised
compliance issues
and were attempting
to hide or disguise it.
Cone: OFAC’s website
discusses aggravating and mitigating
factors in each case, and there are instructive
lessons to be learned from this year’s enforcement
actions. For example, once a company develops
internal controls, it must follow them. In March 2015
PayPal agreed to pay more than $7.6m in fines to
settle allegations that it processed just $44,000 in
payments that should have been blocked. One of
the aggravating factors was that several people
on PayPal’s compliance team “failed to adhere to
PayPal’s policies and procedures”. Other mitigating
factors lowered the penalty assessment from the
maximum potential fine of over $17m: “PayPal hired
new management within its Compliance Division...
and undertook various measures to strengthen
PayPal’s OFAC screening processes and measures,
including steps to implement more effective
controls...” OFAC has also recently discussed a
company’s cooperation with the investigation and
clean record over the prior five years as mitigating
factors.
RC: In your opinion, do the potential penalties for sanctions non-compliance constitute a sufficient deterrent?
Cone: Penalties for sanctions violations can
be staggering. To date, OFAC has announced six
penalties in 2015 with $267m in total fines assessed.
There were 23 OFAC penalties with $1.2bn in fines
assessed during 2014, 27 penalties with $137m in
fines during 2013 and 16 penalties with $1.14bn
in fines during 2012. Individual penalties can
range from tens of thousands to billions of dollars,
sufficient to strike fear into the hearts of hardened
executives. Additional costs can include substantial
outside legal fees as well as organisational
disruption involving internal investigations, preparing
submissions to governments, and employees and
executives whose careers may be put at risk. To the
extent these potential costs fail to act as a deterrent,
some of it is due to the lack of transparency
– regulated parties can’t conform their behaviour
to laws that are unclear or change without notice.
Consider FAQ No. 15 posted on OFAC’s website: “Can
OFAC change its previously stated, non-published
interpretation or opinion without first giving public
notice? Yes. OFAC, therefore, strongly encourages
parties to exercise due diligence when their business
activities may touch on an OFAC-administered
program”.
Recor: Potential penalties can include significant
financial fines to the organisation and key
personnel, as well as forced terminations of those
key personnel deemed responsible for performing
or allowing for the performance of the violations.
Benjamin Lawsky, superintendent of New York’s
Department of Financial Services, has recently been
talking about holding banking executives responsible
for their institutions’ AML/OFAC controls – or lack
thereof. With the introduction of personal liability
as a means of enforcing compliance, the penalties
for sanctions non-compliance have now gotten
the attention of business executives, resulting in
significant improvements in the sophistication and
quality of compliance and governance programmes.
There will continue to be lapses, due to lack of
education, insufficient or inadequate technology
solutions, key staffing changes that impact the
programme, mergers and acquisitions, and so on,
but the penalties are making a real difference in the
quality of sanctions programmes.
Lamy: The potential civil and criminal penalties
for US sanctions non-compliance do constitute a
sufficient deterrent, given the penalties that can
be imposed for each violation. The maximum civil
penalties alone for US sanctions or export control
violations are the greater of $250,000 or twice the
value of the transaction per violation. Even where
the US government may not be able to impose civil
or criminal penalties, it has other administrative
tools – for example, the Entity List and the Unverified
List – to restrict the access of bad actors to the
US market or US items. And US government
enforcement agencies are not shy about using
these tools in various cases. Accordingly, sanctions
compliance is not hobbled by insufficient potential
penalties. Rather, some companies lack awareness
about US sanctions and export controls, and how
they may affect companies in any industry. Once
that awareness issue is addressed, most
companies take action to address their
sanctions compliance risks.
Camilli: With the increased
enforcement in recent years and record
setting penalties, potential penalties for
sanctions non-compliance do constitute
a sufficient deterrent for business to
engage with sanctioned parties. Most
responsible companies do want to comply
with the regulations but struggle with the
costs of compliance and the changing
regulatory landscape. Ensuring sanctions compliance
can be increasingly complex and costly for large
multinational organisations. Most organisations
have to deal with budget constraints and therefore
have to take into account competing priorities with
other high risk compliance areas when allocating
resources, such as anti-corruption, data security, and
a host of other regulatory enforcement concerns.
Fisser: Avoiding penalties should not be the
key driver for financial institutions to comply with
sanctions, or any other, regulations. Institutions
should have an intrinsic motivation, from an
integrity point of view, to comply. Nevertheless, the
enforcement actions and the penalties imposed may
potentially be an additional trigger to keep reviewing
the control framework and staying focused.
RC: What should multinational businesses be doing to stay up-to-date with new sanctions compliance requirements? What steps do companies need to take when it comes to client screening processes, for example, to avoid inadvertent breaches?
Recor: It is challenging for multinational
businesses doing business with foreign nationals
and corporations to maintain an effective and
efficient sanctions programme, especially with
regard to compliance with the jurisdictional
economic sanctions laws and regulations in each
of the locations they have facilities. To stay current
with compliance requirements for the different
jurisdictional sanctions, a dedicated
sanctions function is a necessity where
policies, procedures and controls can be
globally harmonised and implemented
with an overall governance function. In
addition, a sanctions-focused employee
training programme that provides
awareness of the company’s control
framework and enforcement actions and
penalties for non-compliance will also
help keep the organisation prepared for
changing sanctions regulations. OFAC
requirements apply to the country subject
to sanctions and the property or property interest
of individuals that are located in the US or in the
control or possession of a US person. Therefore, US
corporations with overseas branches must adhere
to both US OFAC sanctions requirements as well
as any local jurisdictional sanctions requirements,
such as those imposed by the European Union.
OFAC sanctions requirements will apply to any
international payments settled in US dollars which,
by definition, need to be cleared through a US
financial institution. To avoid inadvertent sanctions
breaches, businesses should leverage their OFAC
risk assessments and apply due diligence to those
individuals, entities and transactions where the
highest sanctions risks exist. Licences
covering the export of restricted goods and reporting
requirements should also be closely managed.
Camilli: The sanctions requirements, both in the
US and in other countries, can change frequently
and companies must ensure that they are screening
against the most current information available and
against the lists relevant to the jurisdictions where
they do business. Technology solutions are not
infallible so your programme should include audits
and other reviews to ensure that whatever solution
you implemented is catching the right information
and screening the appropriate lists. Companies must
ensure that when the screening processes do catch
a potential sanctioned party that the responsible
persons who are reviewing that information are well
trained and that controls are in place to block those
individuals. In addition, companies should perform a
review of their compliance processes frequently to
ensure that they meet the changing requirements
and new guidance from the regulators.
Fisser: Sanctions requirements may change
overnight. Day to day monitoring of regulations and
changes is therefore key. Based on a company’s
assessment and sanctions compliance programme,
an organisation can identify the areas which have a
potential increased sanctions risk. It is imperative to
ensure that you are quickly capable of identifying the
potential sanctions issues within your organisation.
Focus on ongoing training and awareness, which
should be tailor-made for the members of staff who
are required to understand and act.
Cone: To illustrate why multinationals need to
keep outside experts involved, consider Space
Exploration Technologies Corp. v. US, a 2014 federal
case where OFAC successfully took the position that
even if an entity is “controlled by” a person on the
SDN list, the entity itself is not blocked until OFAC
actually places that entity on the SDN list. As a side
note, OFAC’s successful argument enabled the US
Air Force to purchase rocket engines from a Russian
company controlled by a Russian politician on the
SDN list. On the other hand, OFAC still maintains
that an entity is automatically blocked if it is “owned
by” or “acts on behalf of” blocked persons – even if
OFAC has not placed that entity on the SDN list. That
means companies can take cold comfort from the
fact that an entity does not appear on the SDN list.
OFAC expects companies to send detailed screening
questionnaires to potential business partners to elicit
information concerning ownership and beneficial
interests, and holds companies strictly liable. Query
whether OFAC actually believes bad guys will tell the
truth.
Lamy: It is no easy task to stay up-to-date with
new sanctions developments, particularly from an
in-house perspective when there are many demands
for your time and attention. Unless you have a close
outside adviser to whom you can turn for periodic
updates on these issues, it seems like companies
need at least one in-house person dedicated to
monitor sanctions developments. Fortunately, there
are a variety of resources that can be used to help
monitor developments, from government agency
websites and email lists to law firm and consultant
blogs and other websites dedicated to sanctions
developments. Separately, companies often
engage in due diligence of potential counterparties
in the context of financial, reputational or anti-
corruption reviews, but the information gained
during such diligence is not always reviewed from
a sanctions compliance perspective. Ensuring
that counterparties’ information is systematically
screened and then reviewed by knowledgeable
personnel can help avoid inadvertent breaches of
sanctions, particularly with respect to restricted
parties. It is easier to catch these issues upfront than
to try to clean up the mess afterward.
RC: What advice would you give businesses looking to develop an effective sanctions compliance programme? What steps can be taken to help ensure company-wide compliance?
Fisser: Companies should start with a proper risk
assessment from different angles, taking in different
sanctions risks – for example, client sanctions risk,
geographic sanctions risk and transaction sanctions
risk. Which activities have an inherent higher
sanctions risk? Which client executes transactions
in high risk sanctions countries or deals with
counterparties which have a potential increased
sanctions risk? Ensure that the control framework
is strong and includes all the different angles you
identified in your risk assessment. And again, carry
out and maintain ongoing training and awareness.
Appointing a compliance officer dedicated to those
areas where sanctions risk is higher and who is
capable of providing intraday advice and support
when needed is another important step.
Recor: A good starting point is the OFAC sanctions
risk assessment, which is effective in identifying
the sanctions inherent risks, controls to mitigate
those risks and the remaining residual risks. The
risk assessment should consider the products and
services, transactions, account holders and account
parties, entities and geographies served by the
business in relation to the OFAC regulations. It is
important to remember that some sanctions are
based on United Nations and other international
mandates and therefore require cooperation with
other governments. The programme should also
include a system of internal controls that will
identify suspect accounts and transactions, ensure
OFAC lists are updated on a timely basis, provide
for blocking or rejecting and OFAC reporting, and
maintain copies of customers’ current OFAC
licences. To ensure company-wide compliance every
business should have an independent test of its
OFAC programme performed annually. A qualified
individual with sufficient knowledge of OFAC
regulations should be designated as responsible for
the compliance of the programme. Additionally, the
business should ensure that all employees have an
understanding of OFAC sanctions and are aware of
the penalties for non-compliance. Training should
include general awareness training for all employees
with targeted training for OFAC compliance
personnel.
Cone: Companies need to embrace a top down
commitment to compliance with sanctions regimes.
Senior management should provide its full support
to the sanctions compliance effort and designate
a manager responsible for it. A written compliance
manual tailored to the company’s operations
should be implemented. The compliance manager
should ensure that the compliance protocols set
forth in the manual are followed, and perform
periodic internal compliance audits. Due to the
ever-changing list of countries, businesses
and individuals subject to sanctions, the
company should engage in continuous
risk assessment including OFAC and
EAR screening of every foreign business
partner whether it be a customer, agent
or logistics provider. Given the constantly
shifting landscape, companies should
utilise sanctions compliance software
that facilitates the screening process and
updates new sanctions provisions in real
time. Internal controls should include
protocols for handling compliance issues
including reporting violations to regulators where it is
mandatory, or disclosing them voluntarily where it is
merely advisable, as voluntary disclosures often lead
to clemency by regulators.
Lamy: While the priorities for a sanctions
compliance programme should be made on a
risk-based assessment, companies can implement
certain measures on a global basis that can return
compliance dividends. For example, the default
use of contractual compliance clauses that require
counterparties such as distributors and agents to
comply with current and future US sanctions and
export control regimes, can be helpful to address
these compliance requirements. In this regard, force
majeure clauses are often insufficient to address
these types of issues. A compliance-specific clause
can address the fact that you never know which
one of your company’s markets will become the
next sanctions target. As a case in point, many
companies may not have had such contractual
clauses for Russia-related business before 2014. In
our experience, those types of compliance-specific
clauses have been helpful to clients that had them
in order to ensure compliance with sanctions and
export controls by distributors, agents and other
counterparties.
Camilli: One key to developing an effective
sanctions compliance programme is to have an
effective risk assessment that is updated and
reviewed frequently, taking into account changing
business partners, new markets and M&A activities.
Once you understand your highest risk areas, the
next step to implementing a programme is to ensure
that whatever policies and procedures that you put
in place for your organisation are being followed.
Testing and monitoring of company processes
is important to show the regulators that you are
meeting your own standards and the current
processes are working for your organisation. Finally,
no programme can be effective without a robust
training programme, focused on the employees who
may have the highest risk or may be responsible for
identifying potential sanctioned parties.
RC: What can companies do to manage sanctions compliance costs and make the compliance process more efficient?
Cone: There is no question that the greatest
compliance cost for a company could easily be
addressing instances of non-compliance. For
example, imagine having to respond to a DOJ
subpoena issued at the direction of a federal
grand jury convened to investigate potentially
criminal conduct. The US government is known to
promote the notion of strict liability for sanctions
violations. The good news is that these risks can
be minimised through familiar best practices for
regulatory compliance: assign a manager with formal
responsibility for ensuring sanctions compliance, and
implement formal written processes and procedures
designed to promote maximum compliance. It is far
cheaper to pay service providers to help design a
compliance program than to defend against non-
compliance. Also, in the sanctions area significant
efficiencies arise from utilising sophisticated and
continuously updated third party software to
screen current and potential business partners on a
constant basis.
Camilli: There are many ways in which you
can keep compliance costs down but still have a
programme that works for your company’s needs.
The first way to manage costs is to have a clear
understanding of your highest risks and focus your
resources on those risk areas. There are several
technology vendors who offer screening solutions
and it is in a company’s best interest to shop around
for the best value and the best solution to fit its
particular needs. Also, companies should try and
leverage as many current company processes and
people as possible, which will enable more efficiency
and integration into other work streams. Your supply
chain, internal audit, sales, finance and human
resources organisations may already have processes
in place for due diligence on particular third parties,
customers and employees. By leveraging existing
processes, you may be able to increase your
programme’s effectiveness while keeping costs low.
Lamy: Investing in training can be a good way to
manage sanctions compliance costs. There may be
upfront costs to get a good training programme up
and running, as well as ongoing costs to administer
and update the training. That said, there are many
benefits that can be gained from a well-tailored
training programme. First, well-trained employees
will expand the reach of a company’s programme
by deputising frontline employees to play a role
in compliance. Trained employees will hopefully
identify potential compliance issues before they
become compliance headaches. Second, a good
training programme is an essential element of any
compliance programme that the US government
would consider as part of an investigation. This
may be doubly true if a company can point to the
fact that a trained employee identified sanctions
compliance issues at an early stage. Third, good
training requires periodic updates to keep the
programme current, which also helps a company’s
compliance programme to stay current.
Fisser: Unfortunately, it is still a fact that in general
regulations are not tailor-made for large, medium
or small financial institutions, based on activities,
jurisdiction, and other factors. The initial programme
therefore may also be costly for those smaller
institutions that potentially have a low sanctions
risk profile from an operational point of view. The
challenge lies especially with smaller non-financial
institutions that want to comply with sanctions laws
and regulations to avoid breaches. We have noticed
that those corporates with an increased sanctions
risk, due to the potential high risk jurisdictions in
which they may operate, hire compliance officers
from financial institutions that are capable of
developing effective compliance programmes to
mitigate sanctions risk. They maintain the same
standards as financial institutions, and are therefore
valuable to the company. Developing compliance
programmes may be costly, but effective and
beneficial in the long term.
Recor: Sanctions compliance programmes
are expensive because sanctions compliance
requirements are a moving target and the current
breed of sanctions technology solutions cannot
adequately provide for straight through processing,
due to the constantly changing geopolitical
environment. Gaining efficiency of the programme
requires better automation in the identification
of prohibited persons, individuals and entities on
sanctions lists and companies they own or control,
in the supplying, shipping or insuring of prohibited
goods to and from sanctioned countries based
on the nature and use of the goods – all of which
need to be blocked or rejected – and finally, in
the evidencing and resolution of false-positives
produced by most sanctions technology solutions.
The industry is slowly moving to a utility concept
where non-core and non-strategic functions are
being outsourced to consortium-based services
that serve multiple businesses with back office
functions for screening customer and transaction
information against global sanctions lists. In the
near-term, businesses can perform periodic reviews
of their sanctions processing to ensure that industry
best practices are being utilised and bottlenecks
in the workflow are identified and managed. OFAC
risk assessments can also be leveraged in targeting
transactions and customers which, due to higher
residual risks, expose the business to sanctions
risks. Isolating these risks allows for a review and
improvement of the programme controls.
RC: Looking ahead, how do you expect the sanctions compliance landscape to develop? Are businesses fully in tune with the need for internal monitoring and enforcement of compliance processes?
Lamy: One way in which the sanctions
compliance landscape is developing is that non-US
parties are becoming increasingly sophisticated
about US sanctions issues. In Russia, for example,
our experience is that local customers, distributors
and agents that understand US sanctions issues are
pushing back on claims that non-US subsidiaries
are subject to US jurisdiction, particularly where
multinationals are seeking to invoke force majeure
clauses. The Russia example is also one in which a
sophisticated government and local companies have
used various legal measures, such as antitrust law
and retaliatory sanctions, to complicate or frustrate
the application of US sanctions. This development
underscores the previous point that companies
should have robust sanctions and export control
compliance contractual clauses that are not limited
to force majeure provisions. Finally, the Russia-
related sanctions highlight the need for companies’
compliance functions to take a global approach to
their responsibilities and not be focused solely on
markets that are currently subject to sanctions.
Recor: Given the continuous global political
unrest, we don’t foresee any easing of economic
or trade sanctions in the near future. The changing
landscape of sanctions imposed by the US and other
nations requires constant management and a strong
governance framework to ensure the sanctions
programme effectively and consistently provides
protection for the enterprise. The level of effort
required to do this should not be underestimated
and businesses need to assess if their sanctions
programmes have the necessary internal controls
to ensure compliance. Businesses are required
to monitor, control and test their compliance
processes, and have an independent third party
attest to the effectiveness of the overall sanctions
programme. Going forward, the operating model
options will be broader and more robust with the
introduction of industry sanctions utilities which will
allow for the outsourcing of non-core compliance
functions and will leverage state of the art screening
capabilities.
Cone: Companies often develop rigorous
internal compliance controls only in response to
an enforcement action. By then they are reacting
to crisis instead of managing risk. Companies that
engage in international commerce without sufficient
internal controls are essentially driving drunk. At
least 95 percent of the time they will not hit the oak
tree. But compliance professionals spend most of
their time tending to the wounded. While it is difficult
to convince those who hold the corporate purse
strings to spend money proactively on compliance,
various knock-off organisational efficiencies routinely
arise including enhanced internal communications,
elimination of supply chain disruptions and
heightened customer confidence. Looking ahead,
companies face increasing cooperation between
regulatory bodies in different countries which are
pursuing the shared goal of enforcing a broad and
proliferating cross-border regulatory arena. With
governments across the globe availing themselves
of information age tools, senior management should
take heed.
Fisser: It is difficult to predict if and how the
sanctions compliance landscape will develop. The
Ukrainian-Russia issue of last year showed that new
types of sanction programmes are easily issued.
Generally, financial institutions are up to speed with
their sanctions compliance programmes, but as a
result of the different interpretations may sometimes
struggle to be fully effective on an operational basis.
It remains a challenge.
Camilli: In the future I expect regulators
to continue on the path of more aggressive
enforcement and greater fines. Although the financial
services industry is a high risk industry which has
received the most scrutiny, other non-financial
industries will not be immune from prosecution,
and so need to review their sanctions compliance
programmes. As with other US regulators, I also
expect to continue to see greater international
cooperation among regulators with regard to
sanctions compliance and more information
obtained from whistleblowers. We see a range
of levels of sanctions compliance in businesses
today. For companies that do have some kind of
compliance processes in place, the recent high-
profile enforcement cases show the need for
effective compliance programmes, senior level
management support and the importance of training
your employees.
EDITORIAL PARTNERS
Grant Thornton can assist your institution
in establishing and maintaining a robust and
effective anti-money laundering (AML) and
OFAC/sanctions program. Our global team are
situated in the Americas, EMEA and Asia-Pacific
in order to support clients with local resources
in complying with the jurisdictional-specific
BSA / AML / KYC and OFAC-related regulations.
Leveraging proven analytical procedures,
tools and methods we have helped both
financial and non-financial institutions develop,
implement, assess, and remediate their AML
and OFAC/sanctions compliance programs.
Our core AML/OFAC sanctions services include
diagnostics, program consulting, risk consulting,
technology consulting, and enforcement actions
remediation.
Grant Thornton
www.grantthornton.com
KEY CONTACT
Christopher Recor
Managing Director
New York, NY, US
T: +1 (212) 542 9676