Russia’s invasion of Ukraine has made sanctions compliance a top concern for many companies — and for good reason. Compliance with economic sanctions rules is no easy task. It is a complex niche of corporate compliance that evolves quickly, and the consequences for sanctions violations can be painfully high.
Still, the reality today is that sanctions against Russia are a primary tool Western governments will use to push back against Russia’s aggression in Ukraine, and those sanctions aren’t likely to recede any time soon. On the contrary, expansive sanctions against Russia and vigorous enforcement could well be facts of business life for years to come.
All of this means that companies need to develop effective sanctions compliance programs. Let’s consider precisely what that means, and how a company can build that compliance capability quickly.
What is sanctions compliance?
At its simplest, sanctions compliance means that your company does not sell goods or services to parties (either specific individuals or companies) listed on government sanctions lists. Sometimes sanctions rules prohibit you from selling only certain goods and services to those parties, such as defense technology; other times, sanctions rules prohibit you from selling those parties anything at all.
Your business needs to comply with the sanctions rules that exist in any country where it does business — and given that so much international commerce transits through the U.S. financial system, U.S. sanctions laws are especially far-reaching.
At first glance it might seem like sanctions compliance is akin to anti-corruption compliance, since in both cases your company is trying to avoid doing business with certain parties. That comparison, however, isn’t quite right. Anti-corruption compliance is about how your company conducts its business: you cannot bribe foreign governments and should avoid third-party agents known to offer those bribes. Sanctions compliance is about who your company conducts business with: you cannot sell to sanctioned entities, period.
That is, you don’t need corrupt intent to violate sanctions rules. Simply selling your goods and services to anyone, without considering who that customer is, can be enough to put your business in sanctions trouble.
Why is sanctions compliance important?
Sanctions compliance is important because the legal penalties for a compliance violation are potentially enormous, but in practice, those penalties can be dramatically lower if your business can demonstrate that it at least tries to comply with sanctions rules.
For example, last year U.S. authorities took action against a Texas company that knowingly allowed its goods to be sold into Iran in the mid-2010s. Under the letter of the law, the Texas company could have faced penalties as high as $15 million — but it ultimately agreed to pay only $189,000.
How did that happen? According to U.S. sanctions rules, if a company voluntarily self-discloses its violations and the violations themselves aren’t egregious, the penalty is typically reduced to only 50 percent of the transaction value. In the Texas company’s case, that equaled $291,500.
Then regulators agreed to even more reductions because of other mitigating factors, such as the company having no prior history of sanctions trouble and its decision to self-disclose the violations. The company also agreed to implement numerous other compliance program improvements. By the end, that potential $15 million fine was cut by nearly 99 percent to that $189,000 final number.
The Texas company’s case is not unusual. Making the effort at sanctions compliance matters.
That said, sanctions lists change often, and the screening techniques to identify sanctioned parties are difficult to master. Building an effective sanctions compliance program is challenging.
What guidance exists about sanctions compliance programs?
The most useful and important guidance on sanctions compliance programs comes from the U.S. Office of Foreign Assets Control (OFAC), which is the primary regulator for sanctions in the United States. OFAC published guidance in 2020 about how an effective sanctions compliance program should work, and compliance professionals everywhere should give it a close read.
The European Union has a website dedicated to its own sanctions rules as well, plus an FAQs document to help understand how sanctions are enforced in the EU. Those sites do not, however, offer detailed guidance on sanctions compliance programs similar to what OFAC provides.
Compliance officers can also (as always) look to the U.S. Justice Department’s guidance on effective compliance programs, last updated in 2020. Granted, the Justice Department guidelines are broader in scope, meant to help build corporate compliance programs that can handle much more than sanctions — but the fundamental principles outlined by the Justice Department are identical to the ones cited by OFAC:
- Senior management should support a culture of compliance;
- The company should assess its compliance risks regularly;
- Where weaknesses exist, the company should remediate them.
That said, sanctions compliance is a particular branch of corporate compliance, and it does have several unique concerns.
What makes for an effective sanctions compliance program?
The OFAC guidance is so useful because it includes several common mistakes in compliance programs that OFAC sees all the time. If we look at those bad practices and do the opposite, then several good practices emerge.
- Actually have a sanctions compliance program. As simple as it sounds, too often companies simply don’t have a dedicated sanctions compliance program, even when they do significant business overseas. Compliance officers should assure that senior management understands the importance of sanctions compliance, and then build a formal sanctions compliance program with risk assessments, policies, procedures, and remediation efforts to keep that sanctions program working.
- Watch your third-party relationships. A U.S. company might believe that it can work with overseas resellers or distributors doing business in Russia (or Iran, or other sanctioned countries), and that insulates the U.S. company from sanctions liability. This is wrong. You need to monitor your third parties for sanctions risk just as you would for anti-corruption or other third-party risks.
- Use sanctions screening software correctly. Screening software is indispensable for sanctions compliance, but companies must configure that software correctly. Government lists of sanctioned parties change all the time; your screening tool needs to incorporate those changes. The tool should also check for partial matches, likely matches (“AB Acme Corp.” as well as “A.B. Acme”), and matches that rely on Cyrillic or other alphabets.
- Exercise strong oversight of your sanctions compliance program. A decentralized program, where business units around the globe handle their own sanctions screening and decisions about high-risk parties, can lead to disaster. OFAC recommends a single, centralized sanctions compliance program led by one team that is versed in sanctions law and makes decisions about possible violations consistently.
- Beware of non-standard transaction terms. People will try to mask prohibited transaction terms in all sorts of ways, such as having another party pay your invoice or asking to keep delivery addresses off the documentation. Develop monitoring and escalation procedures to assure that when such requests are made, they go to senior compliance officers for (very, very skeptical) review.
Businesses will likely need to deal with sanctions against Russia for quite some time. We’ve only scratched the surface of sanctions compliance programs here, but compliance programs will be a crucial part of how companies handle U.S. and EU actions against Russia’s behavior.
The good news is that the foundations of an effective sanctions compliance program — strong executive support, risk assessment, implementing policies and procedures, remediation of weaknesses — are the same ones that apply to any corporate compliance program. Compliance officers will be able to start from that familiar foundation.
Still, sanctions compliance programs also depend on personnel with specific expertise, astute use of technology, and carefully crafted policies and procedures. Compliance officers and senior executives need to give sanctions compliance serious, substantive attention if you want your program to work — and the sooner, the better.
Developing meaningful stakeholder engagement to successfully manage risk
Integrating third-party data into your third-party risk management (TPRM) program - Integrating with third party systems
Interacting with high-risk parties and government officials in the life sciences and extractive industries sectors