Implementing the US-imposed sanctions: A review of the compliance system in action

Enforcement of economic and trade sanctions is usually based on a country's foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, including the foreign policy and the economy.1
The key challenges in enforcing these sanctions are following:
-- The preferences in global interests and politics of the major powers vary from time to time, hence sanction requirements, too, change frequently and the businesses have to cope with these developments effectively.
-- The sheer quantity and quality of transactions processed by larger institutions usually creates an enormous number of false positives and the same increases the workloads of the analysts in terms of the investigations, evidence gathering and resolving the problem.2
-- Diligence requirements of the businesses increase and become complicated during the on boarding process in understanding the risks associated with sectoral sanctions including products and services, and third party vendors, customers and employees.
The US sanctions issues are managed by OFAC having its primary emphasis on civil enforcement. However, the problem is that different agencies engaged in enforcing sanctions do not follow common approaches. Many agencies follow lead given by OFAC, this state of affair leads to complications for enforcing the sanctions. This trend can be witnessed in the prosecutions being initiated by the New York Department of Financial Services (NYDFS), and that is why the NYDFS insists for imposition of draconian penalties.3 The US sanctions programmes possess significant jurisdictional reach4, and OFAC's extra-territorial reach can extend to foreign subsidiaries of US companies.5 Other than OFAC, the US Department of Justice (DoJ) is also committed to bring criminal prosecutions for violating the laws relating to sanctions. For example, the department of justice agreed to a fine of $232m to settle criminal charges in the case relating to Schlumberger Oilfield Holding Ltd, for violating the US sanctions.6
Recently made interpretation of the term "blocked entities" now means an ownership where entity is owned 50 percent or more in the aggregate by blocked persons, as opposed to own 50 percent or more by a single blocked person.7 OFAC'S enforcement actions against banks such as BNP Paribas and Commerzbank became headline news as hundreds of millions and even billions of dollars were assessed in penalties, and OFAC continues to relentlessly pursue all potential violators regardless of their size or type of business. This global trend requires an increased co-operation and information sharing among different countries in order to initiate (accused of regulatory violations) investigations and enforcement actions against multination accused of regulatory violations in domestic and foreign jurisdictions.8
It may be noted that OFAC can impose financial penalties not only on the businesses but also on key individuals involved in businesses.9 Recently OFAC accused PayPal for violating the sanction-related violations and the company agreed to pay $7.7 million to settle the charges.10 In this legal battle, one of the issues identified was that PayPal failed to employ adequate screening technology and procedures and failed to enforce sanctions. As per facts reported, the company had a screening solution and procedures in place, however, its software failed to identify a potential match for six months and when the system did flag the match; employees had cleared the name on six occasions prior to appropriately identifying and blocking the party. A lesson we can draw from this case is that having a solution in place is not enough, and increased focus should be placed on auditing and testing of company processes, and the training of employees engaged in clearing potential matches and escalation procedures.
There are instructive lessons to be learned from these enforcement actions, for example, once a company develops internal controls, it must follow them. Recently PayPal agreed to pay more than $7.6m in fines to settle allegations that it processed just $44,000 in payments that should have been blocked. One of the aggravating factors was that several people on PayPal's compliance team "failed to adhere to PayPal's policies and procedures".11
As a measure, deterrent penalties for sanction violations can be staggering.12 Penalties imposed on individuals can range from tens of thousands to billions of dollars, the cause is thus sufficient to strike fear into the hearts of hardened executives.
The penal system in this regard constitutes a sufficient deterrent, since the penalties which can be imposed for each violation are significant. The maximum civil penalties to be imposed for violating US sanctions or export control violations can reach up to $250,000 or twice the value of the transaction. Where the US government is not able to impose civil or criminal penalties, it uses other administrative tools, for example, the entity list to restrict the access of bad actors to the US market. The US government enforcement agencies are not shy to use these tools.13
Businesses doing business with foreign nationals and corporations are required to maintain an effective and efficient sanctions control programme, especially with regard to compliance particularly with reference to foreign jurisdiction-based entities falling within the framework of US domestic regulation governing economic sanctions. To stay current with compliance requirements for the different jurisdictional sanctions, a dedicated sanctions function is a necessity where policies, procedures and controls can be globally harmonised and implemented with an overall governance function. In addition, a sanction focused employee training programme that provide awareness of the company's control framework and enforcement actions and penalties for non-compliance can also help keep the organisation prepared for changing sanction regulations.14
Requirements relating to sanctions both in the US and in other countries can change frequently and this fact lays down duty on companies to ensure that they screen against the most current information available and against the lists relevant to the jurisdictions where they do business. The control programme in this regard includes audits and other reviews to make it sure that whatever checks are being implemented, they catch the right information. Where the screening processes catch a potential sanctioned party, the business must ensure that the responsible persons who are reviewing that information are well-trained and that controls are in place to block those individuals. Companies should also perform review of their compliance related processes frequently to ensure that they meet the regulators changing requirements.
In the well known case of Exploration Technologies Corp V. US, (a 2014 federal case), OFAC contended that even if an entity is "controlled by" a person on the SDN list, the entity itself is not blocked until OFAC actually places that entity on the SDN list.15 On the basis of this view point, US Air Force was able to purchase rocket engines from a Russian company controlled by a Russian politician on the SDN list. However, OFAC still maintains that an entity is automatically blocked if it is "owned by" or "acts on behalf of" blocked persons - even if OFAC has not placed that entity on the SDN list.16
The propositions so far discussed state that risk assessment is to be made from different angles, that is, taking in different sanctions risks, for example, client sanctions risk, geographic sanctions risk and transaction sanctions risk. The situation also gives rise to other questions to examine, like, which activities have an inherent higher sanctions risk? Which client executes transactions in high risk sanctions countries or deals with counterparties which have a potential increased sanctions risk? The situation thus lays duty on businesses to ensure that the control framework is strong and includes all the different angles you identified in your risk assessment.
Thus an effective control programme may include:
-- A system of internal controls identifying suspect accounts and transactions
-- Updating of OFAC lists on a timely basis, and to provide for blocking or rejecting the suspects.
-- Maintaining copies of customers' current OFAC licences.17 Measures to be taken A written compliance manual tailored to the company's operations should be implemented. The compliance managers are required to ensure that:
-- The compliance protocols [set forth in the compliance manual] are followed.
-- Periodic internal compliance audits are performed.
-- The businesses are engaged in continuous risk assessment of every foreign business partner whether it be a customer, agent or logistics provider.
-- Given the constantly shifting landscape, companies may utilise sanctions compliance software that facilitates the screening process and updates new sanctions provisions in real time.
-- Internal controls may include protocols for handling compliance issues including reporting violations to regulators where it is mandatory, or disclosing them voluntarily where it is merely advisable, as voluntary disclosures often lead to clemency by regulators.
The default use of contractual compliance clauses that require counterparties such as distributors and agents to comply with current and future US sanctions and export control regimes can be helpful to address these compliance requirements. In this regard, force majeure clauses are often insufficient to address these types of issues. A compliance specific clause can address the fact that you never know which one of your company's markets will become the next sanctions target.
These risks can be minimised through familiar best practices for regulatory compliance. A manager may be assigned with formal responsibility for ensuring sanctions compliance, and implement formal written processes and procedures designed to promote maximum compliance.
How to manage costs
-- To have a clear understanding of highest risks in order to focus resources on those risks.18
-- Investing in training can be a good way to manage sanctions compliance costs. There may be upfront costs to get a good training programme up and running, as well as ongoing costs to administer and update the training. Having said that it may added that there are many benefits that can be gained from a well tailored training programme: For example,
-- Well-trained employees will expand the reach of a company's programme by deputising frontline employees to play a role in compliance.
-- Trained employees will identify potential compliance issues before they become compliance headaches.
-- A good training programme is an essential element of any compliance programme.
-- Good training requires periodic updates to keep the programme current, and it helps a company's compliance programme to stay current.
The challenge lies especially with smaller non-financial institutions that want to comply with sanctions laws and regulations to avoid breaches. It has been noticed that those corporate bodies with an increased sanctions risk, due to the potential high risk jurisdictions in which they may operate, hire compliance officers from financial institutions that are capable of developing effective compliance programmes to mitigate sanctions risk.
Gaining efficiency of the programme requires better automation in the identification of prohibited persons, individuals and entities on sanctions lists and companies they own or control, in supplying, shipping or insuring of prohibited goods to and from sanctioned countries based on the nature and use of the goods all of which need to be blocked or rejected and finally, in the evidencing and resolution of false positives produced by most sanctions technology solutions.
One way in which the sanctions compliance landscape is developing is that non US parties are becoming increasingly sophisticated about US sanctions issues. In Russia, for example, the experience is that local customers, distributors and agents that understand US sanctions issues are pushing back on claims that non US subsidiaries are subject to US jurisdiction, particularly where multinationals are seeking to invoke force majeure clauses. The Russia example is also one in which a sophisticated government and local companies have used various legal measures, such as antitrust law and retaliatory sanctions, to complicate or frustrate the application of US sanctions.
(The write is an advocate and is currently working as an associate with Azim-ud-Din Law Associates Karachi)
1. The office of Foreign Assets Control (OFAC) of the US Department of Treasury administers the controls imposed by United States. OFAC acts under US Presidents emergency powers, or under specific authority granted by legislation, to impose controls on transactions and freeze assets under US jurisdiction. These sanctions are based on the mandates of United Nations and other international agencies, and are multilateral in scope, and involve close co-operation with allied governments.
2. False positives emerge due to limitations of the design of the applications and the difficulty in matching names.
3. In recent enforcement cases including large fines, dismissal of employees and suspension of US dollar clearing services The US government now more actively uses administrative measures, which include the entity list and the FSE list for to penalise bad actors in order to restrict their access to US markets.
4. US state government are now seeking to pressure non US companies to stop doing business with Iran or Sudan through divestment measures.
5. In the recent past OFAC penalties have included the almost $1bn in fines handed down to BNP Paribas and more recently commerzbank agreed to settle for $258m for falsifying business records for sanctioned countries.
6. This recent enforcement action also demonstrates that regulators may be increasing their scrutiny of US manufacturing companies going forward.
7. OFAC introduced changed interpretation of the blocked entities in August 2014 and it accomplished this sea change in the law simply by posting a notice on its website.
8. OFAC sanctions programmes apply to US persons and permanent resident alients regardless of where they are located in the world, all persons and entities within the US AND ALL us incorporated entities, including their foreign branches. Certain programmes may apply to subsidiaries of US companies and to foreign persons in possession of goods originating from the US. Sanctions compliance for a global business can be highly complex as other international sanctions programmers, such as the European Union sanctions regimes, for example, must also be a component o the business" overall sanctions programme.
9. Based on the escalation of enforcement that has taken place during the past several years, we can expect to see regulators expand their reviews and areas of focus to include those financial institutions that have a smaller footprint than, say, the top 20 bank holding companies credit unions, casinos and money services businesses as well as large multinational non-financial services industries.
10. It had violated trade sanctions against Iran, Sudan and Cuba.
11. Other mitigating factors lowered the penalty assessment from the maximum potential fine of over $17m: Resultantly "PayPal hired new management within its Compliance Division and undertook various measures to strengthen PayPal's OFAC screening processes and measures, including steps to implement more effective controls."
12. To date, OFAC has announced six penalties in 2015 with $264m in total fines assessed. There were 23 OFAC penalties with $1.2bn in fines assessed during 2014, 27 penalties with $137m in fines during 2013 and 16 penalties with $1.14bn in fines during 2012.
13. Sanctions and its enforcement is a fact per se thereby increasing the cost of administering sanctions.
14. OFAC requirements apply to the country subject to sanctions and the property or property interest of individuals that are located in the US or in the control or possession of a US person.
15. That's why an outsider expert is needed.
16. OFAC expects companies to send detailed screening questionnaires to potential business partners to elicit information concerning ownership and beneficial interests, and holds companies strictly liable.
17. To ensure companywide compliance every business should have an independent test of its OFAC programme performed annually.
18. There are several technology vendors who offer screening solutions and it is in a company's best interest to shop around for the best value and the best solution to fit its particular needs.