Managing sanctions compliance challenges

REPRINTED FROM: RISK & COMPLIANCE MAGAZINE, JUL-SEP 2015 ISSUE. www.riskandcompliancemagazine.com. Visit the website to request a free copy of the full e-magazine. Published by Financier Worldwide Ltd, riskandcompliance@financierworldwide.com. © 2015 Financier Worldwide Ltd. All rights reserved.


EXPERT FORUM


PANEL EXPERTS

Alexandre Lamy, Senior Associate, Baker & McKenzie. T: +1 (202) 835 1862

Lauren Camilli, Director, Global Compliance Programmes, CSC. T: +1 (703) 641 3237

Michael Cone, Partner, FisherBroyles. T: +1 (212) 655 5471

Christopher Recor, Managing Director, Grant Thornton, LLP. T: +1 (212) 542 9676

Alexandre Lamy joined Baker & McKenzie in 2009 and currently works in the firm’s International Trade Practice Group. He assists clients with US export controls, trade and economic sanctions, antiboycott controls, and international anti-corruption measures. He advises US and non-US companies in the context of licensing, enforcement actions, internal investigations, compliance audits, mergers and acquisitions and other cross-border transactions, and the design, implementation and administration of compliance programs. Since August 2011, Mr Lamy has served on the steering group for the ABA Section of International Law’s Export Controls & Economic Sanctions Committee and is currently a Vice Chair of the Committee.

Lauren Camilli leads the global compliance functions for CSC, a publicly traded Fortune 200 information technology company with over 70,000 employees doing business in more than 70 countries. Ms Camilli is responsible for the creation and deployment of CSC’s compliance programmes including Global Trade & Sanctions, Anti-Corruption and Privacy & Data Protection. During Ms Camilli’s 15 year legal career, she held in-house positions focused on ethics and compliance for large international aerospace, defence and technology companies including BAE Systems, Intelsat and DRS Technologies.

Michael Cone, New York and Washington, DC Office Managing Partner at FisherBroyles, has over 20 years of experience practicing in the areas of international trade and federal regulatory law. He assists clients with import and export activities, helps them design and implement compliance programs, and defends them from government enforcement actions in both administrative and judicial forums. He regularly advises companies on a broad array of compliance matters including OFAC, FCPA, Customs, FDA, US Fish & Wildlife, CPSC, FTC, export controls, and many others.

Christopher Recor is the Financial Services Advisory Anti-Money Laundering (AML) Practice Leader at Grant Thornton LLP. He is a certified AML specialist and has spent over 20 years as a management consultant working with financial services clients on their AML, sanctions, compliance, anti-fraud and regulatory programmes. Mr Recor has experience working with regulatory regimes administered by FinCEN, FFIEC, SEC, FINRA, OFAC, FCA and the FATF.

Michelle Fisser joined Rabobank International in October 2008 as a senior compliance officer. At Rabobank she is responsible for corporate finance, global trade & commodity finance and private equity. Ms Fisser began her compliance career in 2003 at Fortis Bank Merchant Banking following a two year period as a tax consultant at PricewaterhouseCoopers.

Michelle Fisser, Senior Compliance Officer, Rabobank International. T: + 31 6 1311 2937. E: michelle.fisser@rabobank.com

RC: What are some of the key challenges facing businesses in terms of sanctions compliance?

Camilli: One key challenge facing businesses is keeping up with the various sanctions regulations in all of the jurisdictions in which they do business. There are hundreds of lists globally that can change frequently, leaving companies struggling to find new innovative solutions to keep up with the changing regulatory landscape. In addition, the new Ukraine-related sectoral sanctions can be complex, and several directives have been issued with little interpretive guidance, leaving companies with many unanswered questions, including how they will be enforced. Another challenge that many companies face is ensuring that they are not in a position where they are ‘facilitating’ trade to sanctioned countries through third parties. Many US sanctions programmes prohibit facilitation and that requires a careful evaluation of your business transactions. Lastly, companies face challenges when evaluating a company’s ownership structure when screening entities to determine if the entity is owned 50 percent or more by one or more blocked persons under the revised Office of Foreign Assets Control (OFAC) guidance given last year.

Cone: Moving targets, trap doors, foggy legal landscapes and aggressive treasure hunting by government regulators are among the key challenges. When it comes to sanctions regimes and the prospect of enforcement actions, the lack of regulatory transparency combined with the downside of severe financial consequences and business disruption present significant challenges for effective internal risk management. To make things worse, a company engaged in international commerce cannot content itself with tackling the sanctions regime of its home state. The US and UK sanctions regimes boast extraterritorial tentacles that ambush unwitting violators by surprise, and if a foreign business partner’s home state currently lacks its own sanctions regime, it may soon join the growing chorus of countries that do. To complicate things further, in the US there are a number of sanctions regimes administered by different agencies such as BIS and OFAC. Accordingly, thorough risk management requires navigating a kaleidoscopic patchwork of domestic and foreign laws.

Fisser: One key challenge is that it is impossible to mitigate sanctions risk fully, since sanctions may arise during the course of a transaction or relationship even if your due diligence processes, screening and filtering applications, and other controls are fully implemented and effective. It makes it even harder to deal with the different interpretations in the market applying sanction control frameworks, especially in situations where financial institutions have a common participation – for example, syndicated loans – based in different jurisdictions and having different risk appetites with respect to the sanctions risk. Another example is that a correspondent bank in a network identifies a potential sanctions element and blocks or refuses the payment, but is not cooperative enough to identify the specific reason for this action. In this instance, the business is required to solve the issue personally; indeed, the only solution is to start a full investigation. In instances such as these, correspondent banks should have better and mutual cooperation, since the banks all serve the same purpose, which is to comply with sanctions regulations.

Recor: OFAC administers and enforces economic and trade sanctions against specific foreign countries and regimes, as well as targeted sanctions against entities and individuals which are based on supporting US foreign policies and national security goals. Businesses face several key challenges in complying with sanctions regulations. First, sanctions requirements frequently change as US foreign policies and national security goals are revised, due to ever changing global interests and political situations. Second, screening technology solutions produce a significant number of false-positives, in part due to the design of the applications and the difficulty in matching names. The sheer quantity and quality of transactions processed by larger institutions can also create an enormous number of false-positives which creates increased analyst workloads in terms of the subsequent investigation, evidence gathering and resolution processes. Finally, the complexity of the evolving sectoral sanctions, and due diligence of the ownership structure of certain targeted entities, means businesses need to be very diligent in understanding the sanctions risks associated with their products and services, third party vendors, customers and employees during the onboarding process.

Lamy: A key sanctions compliance challenge for business is the more targeted nature of US sanctions to make them ‘smarter’. Previously, US sanctions focused primarily on comprehensive sanctions under which companies subject to US jurisdiction were broadly prohibited from engaging in virtually all transactions involving targeted countries – such as Cuba, Iran and Sudan – or parties, such as Specially Designated Nationals (SDNs). Such near-absolute prohibitions, while having a wider effect on business, can be easier to police from a corporate compliance perspective. In recent years, the US government has developed more targeted territorial sanctions, such as those in the Crimea region, and more targeted restrictions against various categories of restricted parties, such as the Foreign Sanctions Evaders List (FSE List) for Iran and Syria, and the Sectoral Sanctions Identifications List for Russia. This new sanctions approach does not prohibit all business, but can require significant compliance costs to determine what is and is not permissible.

RC: How would you characterise current enforcement trends? How are these being applied to global businesses where jurisdictional issues may exist? What role is the US Office of Foreign Assets Control (OFAC) playing in this area?

Lamy: One trend to monitor is the increased role multiple government agencies are taking in terms of enforcement, which makes OFAC only one of the agencies which must be considered in the trade compliance context. That said, OFAC is still the leading agency on US sanctions issues, primarily with respect to civil enforcement. The various agencies do not always adopt common approaches to sanctions issues or follow OFAC’s lead, which can become a compliance headache. In the financial sector, the growing significance of the New York Department of Financial Services (NYDFS) is evidence of this trend, particularly given that NYDFS has insisted on some of the most draconian penalties in recent enforcement cases – including large fines, dismissal of employees and suspension of US-dollar clearing services. Beyond civil and criminal enforcement, the US government has become more active in using administrative measures, such as the Entity List and the FSE List, to penalise bad actors and restrict their access to US markets. In addition, there are also new players among US state governments that are seeking to pressure primarily non-US companies to stop doing business with Iran or Sudan through divestment measures.

Camilli: Recently we have seen very aggressive enforcement trends, with record setting penalties for violating sanctions. Within the last year, OFAC penalties have included the almost $1bn in fines handed down to BNP Paribas and more recently Commerzbank agreed to settle for $258m for falsifying business records for sanctioned countries. US sanctions programmes can have a significant jurisdictional reach, and OFAC’s extraterritorial reach can even extend to foreign subsidiaries of US companies. Other than OFAC, the US Department of Justice (DoJ) is also committed to bringing criminal charges on sanctions laws and recently agreed to a fine of $232m to settle criminal charges with Schlumberger Oilfield Holdings Ltd for violating US sanctions. This recent enforcement action also demonstrates that regulators may be increasing their scrutiny of US manufacturing companies going forward.

Cone: OFAC continues to administer its sanctions regime on an ad hoc basis. Thus, when OFAC decided in August 2014 to change its interpretation of ‘blocked entities’ to include those that are owned 50 percent or more in the aggregate by blocked persons, as opposed to owned 50 percent or more by a single blocked person, it accomplished this sea change in the law simply by posting a notice on its website. OFAC’s enforcement actions against banks such as BNP Paribas and Commerzbank grab headlines with hundreds of millions and even billions of dollars in penalty assessments, but OFAC continues to relentlessly pursue all potential violators regardless of their size or type of business. The trend across the globe is for increased cooperation and informational exchange among countries so that multinationals accused of regulatory violations may be thoroughly investigated and subjected to enforcement actions in both their domestic and foreign jurisdictions.

Fisser: Current enforcement trends remain a great challenge, but the overall regulatory landscape is clear. The key is that there is a global leading approach, maintaining the highest standards where applicable, with respect to these enforcement trends, and ensuring that they are properly implemented. It is key that businesses can demonstrate that they are in control and that their measures are effective. Jurisdictional issues, however, still remain – especially when organisations are represented in different countries globally.

Recor: US regulators have taken an aggressive stance to enforce sanctions compliance as evidenced by the recent multibillion dollar fines imposed on businesses. In addition, there have been a number of high-profile cases where regulators have charged key company personnel holding them personal liability for compliance violations which resulted in fines and forced terminations. From a global perspective, OFAC sanctions programmes apply to US persons and permanent resident aliens regardless of where they are located in the world, all persons and entities within the US and all US incorporated entities, including their foreign branches. Certain programmes may apply to subsidiaries of US companies and to foreign persons in possession of goods originating from the US. Sanctions compliance for a global business can be highly complex as other international sanctions programmes, such as the European Union sanctions regimes, for example, must also be a component of the businesses’ overall sanctions programme.

RC: What lessons can we draw from recent notable examples of sanctions non-compliance, related enforcement action, and the penalties imposed?

Fisser: It is clear that sanction breaches are penalised very seriously, especially when the root causes changes in human behaviour. Unfortunately, having the proper controls in place does not mean that there will be no breaches. However, this is not just limited to sanctions compliance. Unfortunately, some breaches are sometimes not foreseen, which brings a large amount of stress to organisations that are very keen to comply with sanction laws and regulations. Training, awareness and monitoring should be an ongoing process to keep staff focused and up to date.

Recor: Businesses need to become much more aware of the complex US sanctions requirements and what is needed to be compliant. To do this effectively, frequent, targeted training needs to be provided to employees, not only so they understand the regulations, but also the types of risks their businesses are exposed to as a result of their particular products and services, transactions, customers and the third parties they work with. It is also important to perform periodic reviews of the controls around the programme to ensure that policies and procedures are being followed and that inherent risks are being mitigated. Strong governance will help to ensure that executive management is aware of the key programme metrics and pursues the timely remediation of programme’s compliance issues. Management should be aware that OFAC can impose financial penalties not only to the business but also to key individuals within the business, including forced terminations. Based on the escalation of enforcement that has taken place during the past several years, we can expect to see regulators expand their reviews and areas of focus to include those financial institutions that have a smaller footprint than, say, the top 20 bank holding companies – credit unions, casinos and money services businesses – as well as large multinational non-financial services industries.

Camilli: There have been several recent enforcement cases that can provide companies with insights into the mindset of regulators. In March of this year, PayPal Inc agreed to pay $7.7m to settle charges by OFAC that it violated trade sanctions against Iran, Sudan and Cuba. One of the issues identified was that PayPal failed to employ adequate screening technology and procedures. Although the company had a screening solution and procedures in place, its software failed to identify a potential match for six months and when the system did flag the match, employees cleared the name on six occasions prior to appropriately identifying and blocking the party. A lesson we can draw from this case is that having a solution in place is not enough, and increased focus should be placed on auditing and testing of company processes, and training employees on clearing potential matches and escalation procedures.

Lamy: One of the lessons that can be drawn from recent enforcement cases is the importance of tailoring sanctions training to each particular audience. In one recent case, it appears that a significant failing of a multinational’s sanctions training programme was that non-US individuals working in the US were not made aware that they are subject to US sanctions jurisdiction – both in terms of applicable restrictions and potential consequences for violations. The activities of such non-US individuals appear to have contributed to the extent of the sanctions violations within that company. Another lesson drawn from recent enforcement cases is that the use of codenames for sanctioned markets such as Iran and Sudan are more likely than not to backfire. Within a company using codenames, no one is fooled about what is going on: business with prohibited markets. More important, though, is that the use of such codenames creates evidence for future investigators that company personnel were aware that such business raised compliance issues and were attempting to hide or disguise it.

Cone: OFAC’s website discusses aggravating and mitigating factors in each case, and there are instructive lessons to be learned from this year’s enforcement actions. For example, once a company develops internal controls, it must follow them. In March 2015 PayPal agreed to pay more than $7.6m in fines to settle allegations that it processed just $44,000 in payments that should have been blocked. One of the aggravating factors was that several people on PayPal’s compliance team “failed to adhere to PayPal’s policies and procedures”. Other mitigating factors lowered the penalty assessment from the maximum potential fine of over $17m: “PayPal hired new management within its Compliance Division... and undertook various measures to strengthen PayPal’s OFAC screening processes and measures, including steps to implement more effective controls...” OFAC has also recently discussed a company’s cooperation with the investigation and clean record over the prior five years as mitigating factors.


RC: In your opinion, do the potential penalties for sanctions non-compliance constitute a sufficient deterrent?

Cone: Penalties for sanctions violations can be staggering. To date, OFAC has announced six penalties in 2015 with $267m in total fines assessed. There were 23 OFAC penalties with $1.2bn in fines assessed during 2014, 27 penalties with $137m in fines during 2013 and 16 penalties with $1.14bn in fines during 2012. Individual penalties can range from tens of thousands to billions of dollars, sufficient to strike fear into the hearts of hardened executives. Additional costs can include substantial outside legal fees as well as organisational disruption involving internal investigations, preparing submissions to governments, and employees and executives whose careers may be put at risk. To the extent these potential costs fail to act as a deterrent, some of it is due to the lack of transparency – regulated parties can’t conform their behaviour to laws that are unclear or change without notice. Consider FAQ No. 15 posted on OFAC’s website: “Can OFAC change its previously stated, non-published interpretation or opinion without first giving public notice? Yes. OFAC, therefore, strongly encourages parties to exercise due diligence when their business activities may touch on an OFAC-administered program”.

Recor: Potential penalties can include significant financial fines to the organisation and key personnel, as well as forced terminations of those key personnel deemed responsible for performing or allowing for the performance of the violations. Benjamin Lawsky, superintendent of New York’s Department of Financial Services, has recently been talking about holding banking executives responsible for their institutions’ AML/OFAC controls – or lack thereof. With the introduction of personal liability as a means of enforcing compliance, the penalties for sanctions non-compliance have now gotten the attention of business executives, resulting in significant improvements in the sophistication and quality of compliance and governance programmes. There will continue to be lapses, due to lack of education, insufficient or inadequate technology solutions, key staffing changes that impact the programme, mergers and acquisitions, and so on, but the penalties are making a real difference in the quality of sanctions programmes.

Lamy: The potential civil and criminal penalties for US sanctions non-compliance do constitute a sufficient deterrent, given the penalties that can be imposed for each violation. The maximum civil penalties alone for US sanctions or export control violations are the greater of $250,000 or twice the value of the transaction per violation. Even where the US government may not be able to impose civil or criminal penalties, it has other administrative tools – for example, the Entity List and the Unverified List – to restrict the access of bad actors to the US market or US items. And US government enforcement agencies are not shy about using these tools in various cases. Accordingly, sanctions compliance is not hobbled by insufficient potential penalties. Rather, some companies lack awareness about US sanctions and export controls, and how they may affect companies in any industry. Once that awareness issue is addressed, most companies take action to address their sanctions compliance risks.

Camilli: With the increased enforcement in recent years and record setting penalties, potential penalties for sanctions non-compliance do constitute a sufficient deterrent for business to engage with sanctioned parties. Most responsible companies do want to comply with the regulations but struggle with the costs of compliance and the changing regulatory landscape. Ensuring sanctions compliance can be increasingly complex and costly for large multinational organisations. Most organisations have to deal with budget constraints and therefore have to take into account competing priorities with other high risk compliance areas when allocating resources, such as anti-corruption, data security, and a host of other regulatory enforcement concerns.

Fisser: Avoiding penalties should not be the key driver for financial institutions to comply with sanctions, or any other, regulations. Institutions should have an intrinsic motivation, from an integrity point of view, to comply. Nevertheless, the enforcement actions and the penalties imposed may potentially be an additional trigger to keep reviewing the control framework and staying focused.

RC: What should multinational businesses be doing to stay up-to-date with new sanctions compliance requirements? What steps do companies need to take when it comes to client screening processes, for example, to avoid inadvertent breaches?


Recor: It is challenging for multinational businesses doing business with foreign nationals and corporations to maintain an effective and efficient sanctions programme, especially with regard to compliance with the jurisdictional economic sanctions laws and regulations in each of the locations they have facilities. To stay current with compliance requirements for the different jurisdictional sanctions, a dedicated sanctions function is a necessity where policies, procedures and controls can be globally harmonised and implemented with an overall governance function. In addition, a sanctions-focused employee training programme that provides awareness of the company’s control framework and enforcement actions and penalties for non-compliance will also help keep the organisation prepared for changing sanctions regulations. OFAC requirements apply to the country subject to sanctions and the property or property interest of individuals that are located in the US or in the control or possession of a US person. Therefore, US corporations with overseas branches must adhere to both US OFAC sanctions requirements as well as any local jurisdictional sanctions requirements, such as those imposed by the European Union. OFAC sanctions requirements will apply to any international payments settled in US dollars which, by definition, need to be cleared through a US financial institution. To avoid inadvertent sanctions breaches, businesses should leverage their OFAC risk assessments and apply due diligence to those individuals, entities and transactions where the highest sanctions risks exist. Ensuring that licences covering the export of restricted goods and reporting requirements should also be closely managed.

Camilli: The sanctions requirements, both in the US and in other countries, can change frequently and companies must ensure that they are screening against the most current information available and against the lists relevant to the jurisdictions where they do business. Technology solutions are not infallible so your programme should include audits and other reviews to ensure that whatever solution you implemented is catching the right information and screening the appropriate lists. Companies must ensure that when the screening processes do catch a potential sanctioned party that the responsible persons who are reviewing that information are well trained and that controls are in place to block those individuals. In addition, companies should perform a review of their compliance processes frequently to ensure that they meet the changing requirements and new guidance from the regulators.

Fisser: Sanctions requirements may change overnight. Day to day monitoring of regulations and changes is therefore key. Based on a company’s assessment and sanctions compliance programme, organisation can identify the areas which have a potential increased sanctions risk. It is imperative to ensure that you are quickly capable of identifying the potential sanctions issues within your organisation. Focus on ongoing training and awareness, which should be tailor-made for the members of staff who are required to understand and act.

Cone: To illustrate why multinationals need to

keep outside experts involved, consider Space

Exploration Technologies Corp. v. US, a 2014 federal

case where OFAC successfully took the position that

even if an entity is “controlled by” a person on the

SDN list, the entity itself is not blocked until OFAC

actually places that entity on the SDN list. As a side

note, OFAC’s successful argument enabled the US

Air Force to purchase rocket engines from a Russian

company controlled by a Russian politician on the

SDN list. On the other hand, OFAC still maintains

that an entity is automatically blocked if it is “owned

by” or “acts on behalf of” blocked persons – even if

OFAC has not placed that entity on the SDN list. That

means companies can take cold comfort from the

fact that an entity does not appear on the SDN list.

OFAC expects companies to send detailed screening

questionnaires to potential business partners to elicit

information concerning ownership and beneficial

interests, and holds companies strictly liable. Query

whether OFAC actually believes bad guys will tell the

truth.

Lamy: It is no easy task to stay up-to-date with

new sanctions developments, particularly from an

in-house perspective when there are many demands

for your time and attention. Unless you have a close

outside adviser to whom you can turn for periodic

updates on these issues, it seems like companies

need at least one in-house person dedicated to

monitoring sanctions developments. Fortunately, there

are a variety of resources that can be used to help

monitor developments, from government agency

websites and email lists to law firm and consultant

blogs and other websites dedicated to sanctions

developments. Separately, companies often

engage in due diligence of potential counterparties

in the context of financial, reputational or

anti-corruption reviews, but the information gained

during such diligence is not always reviewed from

a sanctions compliance perspective. Ensuring

that counterparties’ information is systematically

screened and then reviewed by knowledgeable

personnel can help avoid inadvertent breaches of

sanctions, particularly with respect to restricted

parties. It is easier to catch these issues upfront than

to try to clean up the mess afterward.

RC: What advice would you give businesses looking to develop an effective sanctions compliance programme? What steps can be taken to help ensure company-wide compliance?

Fisser: Companies should start with a proper risk

assessment from different angles, taking in different

sanctions risks – for example, client sanctions risk,

geographic sanctions risk and transaction sanctions

risk. Which activities have an inherent higher

sanctions risk? Which client executes transactions

in high risk sanctions countries or deals with

counterparties which have a potential increased

sanctions risk? Ensure that the control framework

is strong and includes all the different angles you

identified in your risk assessment. And again, carry

out and maintain ongoing training and awareness.

Appointing a compliance officer dedicated to those

areas where sanctions risk is higher and who is

capable of providing intraday advice and support

when needed is another important step.

Recor: A good starting point is the OFAC sanctions

risk assessment, which is effective in identifying

the sanctions inherent risks, controls to mitigate

those risks and the remaining residual risks. The

risk assessment should consider the products and

services, transactions, account holders and account

parties, entities and geographies served by the

business in relation to the OFAC regulations. It is

important to remember that some sanctions are

based on United Nations and other international

mandates and therefore require cooperation with

other governments. The programme should also

include a system of internal controls that will

identify suspect accounts and transactions, ensure

OFAC lists are updated on a timely basis, provide

for blocking or rejecting and OFAC reporting, and

maintain copies of customers’ current OFAC

licences. To ensure company-wide compliance every

business should have an independent test of its

OFAC programme performed annually. A qualified

individual with sufficient knowledge of OFAC

regulations should be designated as responsible for

the compliance of the programme. Additionally, the

business should ensure that all employees have an

understanding of OFAC sanctions and are aware of

the penalties for non-compliance. Training should

include general awareness training for all employees

with targeted training for OFAC compliance

personnel.

Cone: Companies need to embrace a top down

commitment to compliance with sanctions regimes.

Senior management should provide its full support

to the sanctions compliance effort and designate

a manager responsible for it. A written compliance

manual tailored to the company’s operations

should be implemented. The compliance manager

should ensure that the compliance protocols set

forth in the manual are followed, and perform

periodic internal compliance audits. Due to the

ever-changing list of countries, businesses

and individuals subject to sanctions, the

company should engage in continuous

risk assessment including OFAC and

EAR screening of every foreign business

partner whether it be a customer, agent

or logistics provider. Given the constantly

shifting landscape, companies should

utilise sanctions compliance software

that facilitates the screening process and

updates new sanctions provisions in real

time. Internal controls should include

protocols for handling compliance issues

including reporting violations to regulators where it is

mandatory, or disclosing them voluntarily where it is

merely advisable, as voluntary disclosures often lead

to clemency by regulators.

Lamy: While the priorities for a sanctions

compliance programme should be made on a

risk-based assessment, companies can implement

certain measures on a global basis that can return

compliance dividends. For example, the default

use of contractual compliance clauses that require

counterparties such as distributors and agents to

comply with current and future US sanctions and

export control regimes, can be helpful to address

these compliance requirements. In this regard, force

majeure clauses are often insufficient to address

these types of issues. A compliance-specific clause

can address the fact that you never know which

one of your company’s markets will become the

next sanctions target. As a case in point, many

companies may not have had such contractual

clauses for Russia-related business before 2014. In

our experience, those types of compliance-specific

clauses have been helpful to clients that had them

in order to ensure compliance with sanctions and

Michael Cone, FisherBroyles

“The compliance manager should ensure that the compliance protocols set forth in the manual are followed, and perform periodic internal compliance audits.”

export controls by distributors, agents and other

counterparties.

Camilli: One key to developing an effective

sanctions compliance programme is to have an

effective risk assessment that is updated and

reviewed frequently, taking into account changing

business partners, new markets and M&A activities.

Once you understand your highest risk areas, the

next step to implementing a programme is to ensure

that whatever policies and procedures that you put

in place for your organisation are being followed.

Testing and monitoring of company processes

is important to show the regulators that you are

meeting your own standards and the current

processes are working for your organisation. Finally,

no programme can be effective without a robust

training programme, focused on the employees who

may have the highest risk or may be responsible for

identifying potential sanctioned parties.

RC: What can companies do to manage sanctions compliance costs and make the compliance process more efficient?

Cone: There is no question that the greatest

compliance cost for a company could easily be

addressing instances of non-compliance. For

example, imagine having to respond to a DOJ

subpoena issued at the direction of a federal

grand jury convened to investigate potentially

criminal conduct. The US government is known to

promote the notion of strict liability for sanctions

violations. The good news is that these risks can

be minimised through familiar best practices for

regulatory compliance: assign a manager with formal

responsibility for ensuring sanctions compliance, and

implement formal written processes and procedures

designed to promote maximum compliance. It is far

cheaper to pay service providers to help design a

compliance program than to defend against

non-compliance. Also, in the sanctions area significant

efficiencies arise from utilising sophisticated and

continuously updated third party software to

screen current and potential business partners on a

constant basis.

Camilli: There are many ways in which you

can keep compliance costs down but still have a

programme that works for your company’s needs.

The first way to manage costs is to have a clear

understanding of your highest risks and focus your

resources on those risk areas. There are several

technology vendors who offer screening solutions

and it is in a company’s best interest to shop around

for the best value and the best solution to fit its

particular needs. Also, companies should try and

leverage as many current company processes and

people as possible, which will enable more efficiency

and integration into other work streams. Your supply

chain, internal audit, sales, finance and human

resources organisations may already have processes

in place for due diligence on particular third parties,

customers and employees. By leveraging existing

processes, you may be able to increase your

programme’s effectiveness while keeping costs low.

Lamy: Investing in training can be a good way to

manage sanctions compliance costs. There may be

upfront costs to get a good training programme up

and running, as well as ongoing costs to administer

and update the training. That said, there are many

benefits that can be gained from a well-tailored

training programme. First, well-trained employees

will expand the reach of a company’s programme

by deputising frontline employees to play a role

in compliance. Trained employees will hopefully

identify potential compliance issues before they

become compliance headaches. Second, a good

training programme is an essential element of any

compliance programme that the US government

would consider as part of an investigation. This

may be doubly true if a company can point to the

fact that a trained employee identified sanctions

compliance issues at an early stage. Third, good

training requires periodic updates to keep the

programme current, which also helps a company’s

compliance programme to stay current.

Fisser: Unfortunately, it is still a fact that in general

regulations are not tailor-made for large, medium

or small financial institutions, based on activities,

jurisdiction, and other factors. The initial programme

therefore may also be costly for those smaller

institutions that potentially have a low sanctions

risk profile from an operational point of view. The

challenge lies especially with smaller non-financial

institutions that want to comply with sanctions laws

and regulations to avoid breaches. We have noticed

that those corporates with an increased sanctions

risk, due to the potential high risk jurisdictions in

which they may operate, hire compliance officers

from financial institutions that are capable of

developing effective compliance programmes to

mitigate sanctions risk. They maintain the same

standards as financial institutions, and are therefore

valuable to the company. Developing compliance

programmes may be costly, but effective and

beneficial in the long term.

Recor: Sanctions compliance programmes

are expensive because sanctions compliance

requirements are a moving target and the current

breed of sanctions technology solutions cannot

adequately provide for straight through processing,

due to the constantly changing geopolitical

environment. Gaining efficiency of the programme

requires better automation in the identification

of prohibited persons, individuals and entities on

sanctions lists and companies they own or control,

in the supplying, shipping or insuring of prohibited

goods to and from sanctioned countries based

on the nature and use of the goods – all of which

need to be blocked or rejected – and finally, in

the evidencing and resolution of false-positives

produced by most sanctions technology solutions.

The industry is slowly moving to a utility concept

where non-core and non-strategic functions are

being outsourced to consortium-based services

that serve multiple businesses with back office

functions for screening customer and transaction

information against global sanctions lists. In the

near-term, businesses can perform periodic reviews

of their sanctions processing to ensure that industry

best practices are being utilised and bottlenecks

in the workflow are identified and managed. OFAC

risk assessments can also be leveraged in targeting

transactions and customers which, due to higher

residual risks, expose the business to sanctions

risks. Isolating these risks allows for a review and

improvement of the programme controls.

RC: Looking ahead, how do you expect the sanctions compliance landscape to develop? Are businesses fully in tune with the need for internal monitoring and enforcement of compliance processes?

Lamy: One way in which the sanctions

compliance landscape is developing is that non-US

parties are becoming increasingly sophisticated

about US sanctions issues. In Russia, for example,

our experience is that local customers, distributors

and agents that understand US sanctions issues are

pushing back on claims that non-US subsidiaries

are subject to US jurisdiction, particularly where

multinationals are seeking to invoke force majeure

clauses. The Russia example is also one in which a

sophisticated government and local companies have

used various legal measures, such as antitrust law

and retaliatory sanctions, to complicate or frustrate

the application of US sanctions. This development

underscores the previous point that companies

should have robust sanctions and export control

compliance contractual clauses that are not limited

to force majeure provisions. Finally, the

Russia-related sanctions highlight the need for companies’

compliance functions to take a global approach to

their responsibilities and not be focused solely on

markets that are currently subject to sanctions.

Recor: Given the continuous global political

unrest, we don’t foresee any easing of economic

or trade sanctions in the near future. The changing

landscape of sanctions imposed by the US and other

nations requires constant management and a strong

governance framework to ensure the sanctions

programme effectively and consistently provides

protection for the enterprise. The level of effort

required to do this should not be underestimated

and businesses need to assess if their sanctions

programmes have the necessary internal controls

to ensure compliance. Businesses are required

to monitor, control and test their compliance

processes, and have an independent third party

attest to the effectiveness of the overall sanctions

programme. Going forward, the operating model

options will be broader and more robust with the

introduction of industry sanctions utilities which will

allow for the outsourcing of non-core compliance

functions and will leverage state of the art screening

capabilities.

Cone: Companies often develop rigorous

internal compliance controls only in response to

an enforcement action. By then they are reacting

to crisis instead of managing risk. Companies that

engage in international commerce without sufficient

internal controls are essentially driving drunk. At

least 95 percent of the time they will not hit the oak

tree. But compliance professionals spend most of

their time tending to the wounded. While it is difficult

to convince those who hold the corporate purse

strings to spend money proactively on compliance,

various knock-off organisational efficiencies routinely

arise including enhanced internal communications,

elimination of supply chain disruptions and

heightened customer confidence. Looking ahead,

companies face increasing cooperation between

regulatory bodies in different countries which are

pursuing the shared goal of enforcing a broad and

proliferating cross-border regulatory arena. With

governments across the globe availing themselves

of information age tools, senior management should

take heed.

Fisser: It is difficult to predict if and how the

sanctions compliance landscape will develop. The

Ukrainian-Russia issue of last year showed that new

types of sanction programmes are easily issued.

Generally, financial institutions are up to speed with

their sanctions compliance programmes, but as a

result of the different interpretations may sometimes

struggle to be fully effective on an operational basis.

It remains a challenge.

Camilli: In the future I expect regulators

to continue on the path of more aggressive

enforcement and greater fines. Although the financial

services industry is a high risk industry which has

received the most scrutiny, other non-financial

industries will not be immune from prosecution,

and so need to review their sanctions compliance

programmes. As with other US regulators, I also

expect to continue to see greater international

cooperation among regulators with regard to

sanctions compliance and more information

obtained from whistleblowers. We see a range

of levels of sanctions compliance in businesses

today. For companies that do have some kind of

compliance processes in place, the recent

high-profile enforcement cases show the need for

effective compliance programmes, senior level

management support and the importance of training

your employees.

EDITORIAL PARTNERS

Grant Thornton can assist your institution

in establishing and maintaining a robust and

effective anti-money laundering (AML) and

OFAC/sanctions program. Our global team are

situated in the Americas, EMEA and Asia-Pacific

in order to support clients with local resources

in complying with the jurisdictional-specific

BSA / AML / KYC and OFAC-related regulations.

Leveraging proven analytical procedures,

tools and methods we have helped both

financial and non-financial institutions develop,

implement, assess, and remediate their AML

and OFAC/sanctions compliance programs.

Our core AML/OFAC sanctions services include

diagnostics, program consulting, risk consulting,

technology consulting, and enforcement actions

remediation.

Grant Thornton

KEY CONTACT

Christopher Recor

Managing Director

New York, NY, US

T: +1 (212) 542 9676

E: [email protected]

www.grantthornton.com
