What continued Russian sanctions mean for compliance
In response to the Crimean crisis, countries such as the United States, Canada, Denmark, Switzerland, Turkey, Japan and Australia have imposed restrictions on their business activities with certain Russian companies and individuals.
The first round of targeted sanctions came in March 2014, when United States President Barack Obama signed three executive orders to issue travel bans on and freeze assets of certain individuals and entities that were said to have contributed to the instability in Ukraine.
In July 2014, the Office of Foreign Assets Control of the United States Treasury Department (OFAC) imposed a set of sanctions against Russian companies in the financial, energy and defense sectors. These were included in Directive 1 and Directive 2, which were amended under Executive Order 13662 in September 2014 to include a broadened scope of sanctions. At the same time, Directive 3 and Directive 4 were introduced.
In general terms, the directives prohibit United States persons from dealing with and providing finances for entities listed therein. Directives 1 and 2 target Russia’s financial and energy sectors respectively, while Directives 3 and 4 concern the country’s defense and deepwater- and oil-exploration sectors. OFAC has added specific Russian entities to its Specially Designated Nationals List and Sectoral Sanctions Identification List, including five defense companies and five energy companies.
The Council of the European Union (EU) has also imposed sanctions targeting sectoral cooperation and exchanges with Russia. These sanctions are applicable to all EU companies and to any person operating elsewhere but doing business within the EU. Similar to the United States sanctions, EU persons are not allowed to deal with or provide finance for certain Russian entities, including five major state-owned banks, three major energy companies, and three major defense companies.
In addition to the United States’ and EU’s response to the Crimean crisis, other countries have also imposed sanctions against Russia. Australia, for example, decided in September 2014 to escalate its sanctions against Russia by forbidding arms exports to the country and barring Russian state-owned banks from entering into the Australian capital market. These sanctions affect a further 63 Russian individuals and 21 businesses.
Although there have been calls from France and Greece to roll back the sanctions against Russia, EU member states agreed on 27 January that EU sanctions are to remain until at least September this year.
Building an effective sanctions programme
Sanctions not export controls
As highlighted in Issue 14 of Compliance Insider®, one common misguided approach to sanctions compliance is for companies to think that it can be approached in the same way as export-control compliance. While an export-control programme typically focuses on the target individual or country your company can provide its goods or services to (these are the things that make up the ‘list’), or on the types of goods or services your company can provide, a sanctions compliance programme usually involves broader considerations.
A sanctions programme requires careful eyes on all lines of business across your company. It is about making sure that your company does not engage sanctioned entities through your sales agents, process transactions with sanctioned banks, or deal with a business partner that breaches sanctions laws.
Furthermore, sanctions programmes imposed by state governments normally spring from political rather than pure economic motives. This political undertone makes the rules hard to follow as they can change quite quickly. The United States sanctions against Russia are undoubtedly more complex than just blacklisting certain entities from business dealings. For instance, United States sanctions ban only certain types of short- and medium-term credit extensions against some named Russian banks.
The political undertone for this, of course, is to enable the United States to limit collateral damage caused to its allies, but it also allows the United States to scale back sanctions should Russia decide to cooperate. However, this makes problematic transactions and business dealings very difficult for companies to trace. It is not possible to identify a particular transaction by simply relying on watchlist screening, especially when companies may process numerous transactions with banks or other companies every day. A credit extension to Russian state-owned bank Sberbank for more than 30 days, which is prohibited under current United States sanctions, is not something you can catch by simply checking the list. To put it simply, the ‘checking against the list’ approach to export-control compliance is no longer adequate to meet the risks of sanctions non-compliance – you have to go further than that.
Not just about the United States or the EU
There is a misguided country-focused approach to sanctions compliance that may be attributable to the fact that sanctions rules (and export-control rules) are often extra-territorial. Politically-aligned countries often impose sanctions in concert, although the specific measures can vary. Compliance officers are often led to think that complying with United States laws will suffice, when, in fact, Russia has been sanctioned by many other countries besides the United States, and many cases do not involve the United States at all. Different jurisdictions take different approaches at different times. It is therefore dangerous to be United States-centric and conclude that all other legal requirements are similar to those of the United States.
The sanctions lists of individuals imposed by the EU, Switzerland and Norway, for instance, cover many more individuals than those of the United States or Australia. One should note also that Russia has introduced reverse sanctions on the United States, the EU, Australia, Norway and Canada. The aforesaid countries are banned from exporting certain food products to Russia, and to do so would be a breach of Russian laws.
Knowing the scope of local trade regulations is just as important as knowing the United States or EU restrictions. Compliance officers must identify and have access to local regulatory sources (including translated copies). Having the URLs of the relevant legal sources, control lists and government websites at hand is good, but is not enough. Trade compliance officers must keep up with the latest changes to sanctions rules. Some state governments, such as the United States Government, provide sanctions email updates that companies can sign up to. Equally, subscribing to periodic compliance publications may help compliance officers receive sanctions news.
Find a specialist and perform due diligence
For some export-oriented businesses, there may be good reasons to assign significant resources (human, capital and time) to maintaining a sanctions compliance programme. Others, who may not treat sanctions compliance as a priority in their overall compliance programme, usually dedicate their budgets to managing other major risk areas, such as bribery and corruption, antitrust, and data privacy. As such, internally maintaining a set of centralized, up-to-date sanctions watchlists and monitoring systems can be a burdensome task for companies that do not have the benefits of a sizable budget and strong expertise. (The United States OFAC list alone has a few thousand entities.)
A number of compliance consultancy firms and due diligence providers now offer risk-based watchlist-screening services. These usually include screens for sanctioned entities and individuals, and are based upon compiled databases of numerous high-risk entities in sensitive regions that companies may not otherwise be able to identify. Moreover, some firms provide technology platforms that offer trade compliance monitoring systems so that companies can save the cost of reinventing the wheel. Companies should consider leveraging the expertise and databases of their external consultants to screen their partners or third parties when conducting due diligence.
The more important point, however, is that it is insufficient to simply rely on watchlist checks to screen for problematic transactions or business dealings. The nuances of the sanctions simply do not allow companies to do it. This is also because the sanctions lists (and the names of the listed entities) change regularly. As in the case of Russia, many government officials run and control businesses and assets through their relatives or investment vehicles. Screening software is simply not a tool to reveal the ownership structure of a company. Do not forget that screening software has been known to generate false-positive records. For some jurisdictions, there are further barriers to corporate information posed by the lack of available sources on the internet and sometimes by their own data-protection rules. To minimize risks, companies should seek to perform higher-level due diligence before engaging a third party, including sending people to conduct on-the-ground site visits to obtain and verify corporate registry records.
Conduct programme assessments and audits
Like other compliance risk areas, sanctions compliance programmes require standardized processes and proper audits. In fact, performing regular checks is vital to sanctions compliance given the ever-evolving regulatory environment. Trade compliance officers should seek to constantly update their programme (and internal watchlist databases, if they maintain their own) to fulfil the latest requirements. Processes, operations and decisions must be promptly documented for all transactions.
Assessments and audits should be performed to examine the different aspects of an integrated sanctions compliance programme. These may include checks against the time validity of watchlist databases, watchlist screening mechanisms, the maturity and effectiveness of technology systems, the systems’ ability to generate update alerts, decisions and approval workflows, compliance history, staff awareness of and capabilities for handling sanctions issues, and internal reporting systems if something goes wrong. Performing audits also means that companies should develop a set of performance metrics (for instance, companies can keep statistical data for the frequency of watchlist updates, the number of trainings delivered, instances of internal reporting of sanctions concerns, and remediation or corrective actions taken to address reported concerns).
While it is good to have internal officers dedicated to monitoring and reviewing the programme, assembling a team that has expertise in the area may not be easy or cost-friendly. It may be better to hire external trade compliance consultants to review and benchmark the programme.
Sanctions against Russia will continue. The scope and subtlety of these sanctions show that companies must move away from the old and rigid ‘check-the-list’ approach. As crucial as it has been to monitoring sanctions compliance, automated watchlist screening technology may no longer be smart enough to reveal problematic transactions and their risks. Compliance officers must take further steps to determine the underlying cause of things and regularly assess and update their existing internal controls.