Principled Guide to Sanctions Compliance Programmes
The past decade has seen sanctions move up the risk agenda, becoming one of the most significant risks for any business operating across multiple jurisdictions. Once only a real concern for regulated financial institutions, the proliferation of enforcement action, by the Office of Foreign Assets Control (OFAC) in particular, has forced all businesses, irrespective of the sectors in which they operate, to consider the adequacy of their sanctions compliance programmes. Add to this the pressure being brought to bear by those companies’ own business partners to outline the mitigating steps they take to ensure downstream sanctions compliance, and never has ensuring that an effective sanctions compliance programme is implemented been more important. This chapter considers the key areas of focus that businesses and their teams should consider when developing sanctions compliance programmes.
Proportionate and risk-based programmes
Sanctions compliance programmes should be risk-based and proportionate. What is applicable for one organisation will not be appropriate for another and enforcement agencies have noted that an adequate compliance programme will very much depend upon factors unique to each organisation (including their products, customers and nature of their business). All regulators and enforcement agencies appear to be aligned on this concept.
The concept of proportionality is very important. Although on one measure, sanctions compliance may be considered as a binary ‘comply or breach’ issue, the practical reality is that a one-size-fits-all approach is not necessary or indeed cost-effective. The large-scale sanctions mitigation strategies, which regulated businesses develop to ensure they are able to effectively screen millions of customers and transactions every day, will not (nor should they) be the same strategies that are employed by smaller businesses with only a fraction of the number of customers or potential sanctions touch points across its business life cycles. As we outline below, assessing the sanctions risks applicable to any particular business will ensure that the most proportionate sanctions compliance programme is implemented for that enterprise, taking into account the levels of resources that are available, or indeed appropriate.
Prevention is key in terms of sanctions compliance. Regulators across the world take a dim view of those institutions that fail to identify risks and seek to implement preventative measures to mitigate those risks. In this regard, sanctions compliance is no different from other financial crime compliance. However, sanctions compliance has a number of unique and specific challenges, including the constantly evolving regimes (sometimes daily) and the difficult position conflicting global regimes can create for global institutions. Being aware of the challenges that sanctions compliance poses, staying on top of worldwide developments and anticipating future changes are all key issues when identifying the preventative measures that should be put in place and to ensure that they continue to operate in an effective manner.
Introducing preventative measures is essential in ensuring that an organisation is complying with international sanctions. The development of policies and procedures, customer screening systems, the provision of training, due diligence, transaction monitoring and transaction screening are all key preventative measures that organisations should consider putting in place. There is no one-size-fits-all when it comes to sanctions compliance and at the heart of all compliance programmes should be a risk assessment. Understanding the sanctions risk posed by your business and its third parties is the best place to start when developing an effective sanctions compliance framework.
Equally, understanding the root causes of apparent violations of sanctions is also extremely helpful when designing and maintaining an effective sanctions compliance programme and in identifying the preventative measures that may be appropriate. OFAC has provided some helpful analysis of the root causes of sanctions violations, which include:
- lack of a formal sanctions compliance programme;
- decentralised compliance functions and lack of a formal escalation process;
- an inefficient or incapable audit function;
- failure to understand the applicability of sanctions;
- facilitation of transactions by non-US persons in respect of US sanctions;
- utilising the US financial system for commercial transactions involving persons or entities subject to US sanctions;
- inadequate sanctions screening; and
- inadequate due diligence on customers and third parties.
Many OFAC civil settlements have resulted from voluntary self-disclosures of apparent violations in which the above-mentioned preventative measures were not taken or were inadequate. Understanding where others have failed is a key component of determining whether your own sanctions compliance programme will be effective.
What constitutes a good sanctions compliance programme?
Sanctions is, quite rightly, a high compliance priority for many businesses and, in recent times, regulators and enforcement agencies have provided guidance on what to consider when assessing a sanctions compliance programme. Key guidance to note includes:
- FAQs published by OFAC in respect of sanctions compliance;
- ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019);
- The Department of Justice’s (DOJ) ‘Guidance on Evaluating Corporate Compliance Programs’ (issued in 2019 and updated in June 2020);
- Office of Financial Sanctions Implementations’ (OFSI) general guidance on financial sanctions (in particular Chapter 3 regarding compliance for businesses and financial institutions);
- Financial Conduct Authority’s (FCA) ‘Financial Crime Guide’; and
- EU Guidance on Internal Compliance Programmes.
Although these guidance documents differ in certain elements, they are broadly in agreement that the general core components of an effective sanctions compliance programme are:
- senior management commitment;
- risk assessment;
- policies, procedures and internal controls;
- training; and
We examine each of these five components in more detail.
Senior management commitment
Senior management commitment is at the forefront of all guidance on sanctions compliance programmes. Compliance should not operate in a vacuum and senior management should understand the compliance programme’s purpose, the key risks faced by the organisation (both inherent and residual) and how the programme is designed to work. Senior management should demonstrate, at board level where appropriate, support for the compliance programme and those within the business who are responsible for its development and operation.
Both regulators and sanctions enforcement agencies expect senior management to review and approve an organisation’s sanctions compliance programme. This must not be just a tick-box process and regulators will look to senior management to provide support for the compliance programme within their organisation and demonstrate compliance themselves, as well as a general culture that fosters positive and effective sanctions compliance. Senior management should set the tone for the business, undertake sanctions compliance training and regularly review sanctions risks faced by the business, providing effective challenge to the risk and compliance function where appropriate.
Senior management should not stifle or prevent risk and compliance teams from implementing and operating an effective sanctions compliance programme. Regulators and enforcement agencies are keen to see adequate resources being provided to compliance teams and that compliance and risk teams have a sufficient level of autonomy to implement policies and procedures designed to mitigate the sanctions risk identified within an organisation. However, overall responsibility for sanctions compliance should lie with a chief compliance officer, general counsel, or some other appropriate member of an organisation’s executive committee.
It should be noted that where issues arise as a result of potential failings in sanctions compliance frameworks, senior management are often at the heart of any potential investigation into any failings, and as such they should ensure that they fully understand the potential sanctions risks their businesses face and be able to articulate the steps they took to ensure compliance.
As previously stated, risk assessment is at the heart of an effective sanctions compliance programme. Internal controls (including due diligence and screening), policies and procedures and training cannot be done in an appropriate manner unless a risk assessment has been conducted and the output is used to inform those elements of the compliance programme. It is only when an organisation has considered and laid out its inherent sanctions risk that it can truly start identifying controls and residual risk factors. A sanctions risk assessment will vary significantly across different business types and sectors. Although there can be no single approach to take, OFAC notes that a risk assessment ‘should generally consist of a holistic review of the organisation from top to bottom and assess its touchpoints to the outside world’. Equally, from a legal point of view, different legal requirements (including cross-border requirements) pose different challenges and risks to different businesses. Understanding the complexity of sanctions and the effects on your own individual business is vital when implementing and managing an effective compliance programme.
In the United Kingdom, the Financial Conduct Authority (FCA) is clear that ‘a thorough understanding of financial crime risks [including sanctions] is key if a firm is to apply proportionate and effective systems and controls’. Corporate resources are not infinite and one of the key benefits in conducting a risk assessment is that it enables an organisation to target resource on the areas of greatest sanctions risk (alongside other financial crime-related areas).
Risk assessments should have a broad scope and should include assessment of:
- customer risk;
- product risk;
- geography risk;
- transaction risk; and
- delivery risk.
It is important to identify all potential sanctions risk and, in particular, where it is in the operation of your business that potential sanctions exposure may lie. As noted in ‘A Framework for OFAC Compliance Commitments’, sanctions risk not only exists in the day-to-day operations of a business but also in mergers and acquisitions, particularly where mergers and acquisitions introduce cross-border considerations. As such, assessing the applicability of various sanctions regimes to different parts of your business, customers, intermediaries, the supply chain, counterparties and the geography of each of these is important. As stated previously, understanding the root causes of apparent sanctions violations is also important and having an understanding of these root causes will result in a more productive risk assessment.
OFAC has helpfully provided a suggested risk matrix that may be used when assessing compliance programmes.
Policies, procedures and internal controls
Internal controls are the measures put in place by an organisation to mitigate the risks it has identified. Examples of internal controls that may be appropriate in the context of sanctions include:
- policies and procedures;
- customer and third-party screening;
- transaction screening;
- due diligence requirements;
- contractual provisions; and
Sanctions compliance programmes typically include, at their most basic, a sanctions policy and, in some cases, a compliance manual (which may cover more than one area of financial crime risk). Sanctions policies typically include explanations of what sanctions are, why they are applicable to the business, why it is important to comply with them, what controls the business has put in place to ensure compliance, what the obligations of individual employees are and the consequences of failing to comply with the sanctions compliance programme. Processes underpinning the internal controls put in place are often set out in a separate compliance manual or procedures document, along with an appropriate internal reporting and governance structure and exceptions process.
Internal controls for any financial crime compliance programme must be able to adapt to ongoing changes and developments. This is particularly important in the context of sanctions where changes to legal regimes occur frequently, where new entities and individuals are designated by one or more regulators and where geopolitics frequently result in changes in focus by different governments across the world. An effective sanctions compliance programme must be able to adapt to these evolutions and this should be built into the framework of the internal controls.
Although there is generally no legal obligation within primary sanctions legislation to conduct sanctions screening, it is often the only practical way an organisation can ensure that it does not engage in conduct that would give rise to violations of sanctions. There are multiple screening tools available to organisations, some of which will no doubt be better suited to certain industries. However, what is important is that those responsible for the screening solution within an organisation understand why the tool was selected, how it operates, how it is calibrated to meet the needs of the organisation and its risk assessment, and how the underlying logic works. The effectiveness of sanctions screening tools, at both the customer and transaction levels, should be regularly tested to ensure it is operating within the parameters the organisation needs and expects.
Having a screening tool working in isolation is unlikely to be effective and the importance of ensuring it is aligned to a risk assessment and due diligence requirements cannot be understated. An organisation’s risk assessment should inform how a screening solution is utilised, what is screened and when.
The importance of internal controls is not a new concept. The FCA’s predecessor, the Financial Services Authority (FSA), fined Royal Bank of Scotland £5.6 million in 2010 as a result of deficiencies in its systems and controls to prevent breaches of UK financial sanctions. One of the key findings by the FSA was that the bank failed to properly consider what policies and procedures were required to ensure it did not engage in activity that would give rise to a violation of the UK sanctions regime. The regulator found that the bank was not screening certain cross-border payments, that beneficial ownership information was not adequately recorded, and that, therefore, screening of that information was not sufficient. Moreover, screening solutions were not monitored or reviewed regularly to ensure effectiveness. Although no specific violations of sanctions were identified, the FSA determined that the lack of appropriate internal controls gave rise to an unacceptable risk that UK sanctions could have been breached. The FSA stressed that ‘adequate systems and controls relating to financial sanctions is an integral part of complying with the [now FCA’s] requirements on financial crime’. This message remains relevant today, and we continue to see action by regulators across the world against organisations not only for actual violations of sanctions but also because of the lack of adequate internal controls in preventing violations from occurring.
An organisation could design the best sanctions compliance programme ever seen, but failing to train employees adequately, not only on the programme itself but on the rationale for having it (including legal and regulatory obligations), is a sure-fire way of ensuring the compliance programme fails. While technology no doubt plays a significant role in any compliance programme, the complexity of international sanctions and the need for various controls to work alongside and in conjunction with each other means that, often, a sanctions compliance programme is only as good as the people who implement it.
Training can take many forms and what is appropriate for one organisation will not necessarily be appropriate for another. Organisations that operate across multiple jurisdictions will no doubt need a more detailed training plan than a small organisation based only in the UK, for instance. Again, the training requirements needed should flow from the outcome of an organisation’s risk assessment and we would stress that it is important to consider the root causes of sanctions violations to ensure that these are, where appropriate, addressed within the training provided. Training may include:
- clear communication of internal controls, policies and procedures to relevant employees;
- internal face-to-face or webinar-based training in respect of sanctions obligations (of the organisation and individual employees), legal and regulatory requirements, internal controls and reporting obligations (both internally and externally). Many enforcement authorities and regulators expect to see training being given regularly to relevant employees, at least once a year; and
- external specialist training for those operating in vital roles within the risk and compliance functions and high-risk areas within a business.
Training content should be developed so that it is relevant to the particular organisation. Relevant sanctions regimes should be detailed and, where appropriate, the conflict between regimes should be explained, alongside the organisation’s stance in respect of that conflict. Role-specific knowledge should be provided and the obligations on individual employees and on the organisation and its senior management should be made clear. Within regulated firms, it is not unusual to see sanctions training programmes developed across the ‘three lines of defence’ model (with the first line being relevant business operations or units, the second line being risk and compliance functions, and the third line being internal audit), such that training is delivered to teams operating in each of the first, second and third lines to ensure that the specific risks and issues faced by those teams are considered specifically. This also enables these firms to demonstrate to regulators that they have considered the risks of breaching sanctions holistically.
Once a sanctions compliance programme is implemented, it is important to ensure that it is regularly tested and evaluated to not only ensure it remains effective, but to ensure that the programme is being implemented consistently throughout the organisation. Both internal and external audits are useful in this regard and audits can be carried out on specific aspects of a compliance programme, or on the programme as a whole.
Audits, whether internal or external, should be independent and should aim to identify any deficiencies in the compliance programme, make recommendations for improvement and follow up on action items to ensure audit points are closed off and remediated where necessary. Linking back to the subject of senior management commitment, it is also recommended that audit functions are held accountable by senior management and that updates and reports on findings are presented to, and considered by, senior management.
Audit functions should provide a level of challenge to the risk and compliance function and the sanctions compliance framework. The DOJ has indicated that when assessing compliance programmes generally, in the context of criminal proceedings, the following three key questions should be asked:
- Is the corporation’s compliance programme well designed?
- Is the programme being applied earnestly and in good faith?
- Does the corporation’s compliance programme work in practice?
These questions are equally relevant to the work of an independent audit function.
Why is a sanctions compliance programme important?
Regulators and enforcement agencies across the world have made it clear, through their enforcement action, that failure to have a sanctions compliance programme in place will only be to the detriment of the entity and be seen as an aggravating factor when sanctions violations are identified. In recent years we have seen substantial fines being imposed, particularly in the United States, as a result of sanctions compliance failures. Organisations operating only within the United Kingdom, however, should not seek comfort from the fact that most of the significant enforcement in recent years has historically taken place in the United States, as the UK enforcement agency, OFSI, has demonstrated via its enforcement against Standard Chartered plc in 2020 that it is willing and able also to take substantive action.
Some key UK and US enforcement cases in the past two years that highlight the importance of sanctions compliance programmes include the following:
- Standard Chartered – OFSI
- In February 2020, following a voluntary self-disclosure, Standard Chartered, a UK based international bank, was fined a total of £20.47 million for identified sanctions violations that arose as a result of the bank making funds available for a designated person without a licence.
- In summary, the bank granted a series of loans to Denizbank AS, a majority-owned subsidiary of Sberbank, a Russian bank subject to restrictive measures under the UK/EU Ukraine sanctions regime. The restrictions applied to Denizbank AS as it was a majority-owned subsidiary of Sberbank.
- Within the notice imposing a monetary penalty, OFSI commented that firms have to understand the prohibitions and requirements contained within sanctions legislation and ensure that there are appropriate policies and processes in place to manage this risk. It further commented that there should be appropriate risk-based compliance in place to recognise the risks that arise across different jurisdictions and mitigate those risks appropriately. The note on compliance within the notice makes it clear that although OFSI does not mandate a particular standard of sanctions compliance, firms should review their due diligence and compliance processes continually to ensure that breaches of sanctions are prevented, or recognised at an early stage so that appropriate action can be taken.
- Standard Chartered – OFAC
- Separately, in April 2019, OFAC reached a US$639 million settlement with Standard Chartered over alleged violations of sanctions that were in place at the time in respect of Myanmar and Sudan and the continuing sanctions in respect of Cuba, Iran and Syria. These violations arose as a result of the bank engaging in US-dollar transactions through the US financial system that breached the various sanctions regimes.
- The settlement agreement noted among aggravating factors that the bank’s sanctions compliance programme was inadequate to manage risk and had multiple systemic deficiencies, including a failure to respond to warning signs. As part of the settlement agreement, Standard Chartered made a number of compliance commitments following a comprehensive global remediation of its sanctions compliance programme, highlighting the importance of such programmes to OFAC. These commitments were all centred around the key components of a sanctions compliance programme, as have been detailed in this chapter.
- British Arab Commercial Bank (BACB) – OFAC
- In September 2019, OFAC reached a $228.84 million settlement with BACB (suspended to US$4 million because of financial hardship), a commercial bank located in London, as a result of violations of the US sanctions regime against Sudan. These violations arose as a result of the bank engaging in US-dollar transactions through the US financial system on behalf of Sudanese banks at a time when sanctions in respect of Sudan remained in effect.
- Within the settlement agreement, various compliance commitments were made by BACB, many of which related to improvements in internal controls. OFAC identified that policies and procedures should be relevant to the organisation, capture day-to-day operations and procedures, be easy to follow and be designed to prevent employees from engaging in misconduct. OFAC also noted that internal controls should enable an organisation to ‘clearly and effectively identify, interdict, escalate and report (within an organisation)’ activity that may give rise to sanctions violations.
- UniCredit – OFAC
- In April 2019, OFAC announced that as part of a global US$1.3 billion settlement with several US agencies, it had entered into settlement agreements totalling US$611 million with various UniCredit Group banks. The settlements had arisen as a result of violations of a number of US sanctions programmes by way of US-dollar transactions being routed through the United States in a non-transparent manner.
- When the fine was published, the US Under Secretary for Terrorism and Financial Intelligence stated: ‘These banks have agreed to implement and maintain commitments to enhance their sanctions compliance. As the United States continues to enhance our sanctions programmes, incorporating compliance commitments in OFAC settlements is a key part of our broader strategy to ensure that the private sector implements strong and effective compliance programmes that protect the US financial system from abuse.’
Actions taken by enforcement agencies in the past two years have highlighted the importance of sanctions compliance programmes. If one is not in place or is not effective, enforcement agencies will not hesitate in requiring one to be put in place as a condition of a settlement. Being forced by a regulator or enforcement agency to strengthen a sanctions compliance programme comes with a number of difficulties, including reputational damage and, in serious cases, ongoing costs associated with future monitorship by enforcement agencies. It is far better for an organisation to take the initiative and develop and implement a sanctions compliance programme on its own terms to protect the business.
When faced with potential enforcement action, one of the key questions organisations should be asking themselves is whether they had adequate procedures in place to prevent sanctions violations. ‘Adequate procedures’ are not defined in any guidance but generally speaking they are the measures an organisation has in place to mitigate the risk of sanctions violations. They are the components of a sanctions compliance programme that have been dealt with in this chapter.
It is entirely possible for an organisation to have adequate procedures in place and still experience sanctions violations; no system is perfect. However, being in a position to demonstrate to an enforcement agency such as OFAC or OFSI that your organisation had adequate procedures in place may be the difference between a breach being found to be egregious or not and will undoubtedly influence enforcement agencies when they consider whether the violation has arisen from wilful or reckless conduct by the organisation and its employees. Being able to demonstrate that adequate procedures were in place, albeit a violation still occurred, could be significant in ensuring lower penalties.
In this regard, the approach to a sanctions compliance programme is similar to that which an organisation would take under the UK Bribery Act 2010 (UKBA). The UKBA provides a defence to organisations if they are able to show that they had adequate procedures in place designed to prevent an offence of bribery occurring. Guidance from the UK government indicates that establishing adequate procedures should be informed by six guiding principles:
- proportionate procedures;
- top-level commitment;
- risk assessment;
- due diligence;
- communication and training; and
- monitoring and review.
These are all areas that are relevant to an effective sanctions compliance programme and have been detailed in this chapter. Where the approach differs is that although having adequate procedures provides a defence against prosecution under the UKBA, the position is not as clear in respect of sanctions violations that can still occur and be prosecuted (or have civil action taken) even when adequate procedures were in place. Notwithstanding this, having adequate procedures in place is a very significant form of mitigation in the context of sanctions violations.
Consolidated compliance programmes
Sanctions compliance does not operate in isolation. It is one component of a business’s financial crime compliance framework, albeit a sometimes tricky one to design and manage. Sanctions due diligence closely aligns with that undertaken for the purposes of anti-money laundering (AML) and anti-bribery compliance and it is often the case that these are undertaken concurrently. Aligning relevant financial crime compliance programmes makes sense not only from a practical point of view, but it also has financial advantages and enables a business to mitigate its financial crime risk more effectively. Pulling together AML due diligence, screening for politically exposed persons, anti-bribery due diligence and adverse media checks means that an organisation is more likely to have a holistic view of the financial crime risks it faces and those its customers pose.
Moreover, an organisation’s ability to articulate the potential risks a particular customer or business partner poses across the whole financial crime risk matrix gives that organisation a commercial advantage – it truly understands where its customers and business partners are, where their main places of business are and, as a consequence, where they are likely to need products and services that the organisation can provide; or products and services that must be declined because of the potential increase in risk. Either way, the organisation is able to properly assess the risks. When considering this risk assessment in the context of sanctions compliance, organisations that have a mature consolidated approach to compliance will be at a distinct advantage over those that approach risk management in a siloed manner.
In an increasingly complex geopolitical environment, the most successful businesses will not only be those that know when to offer their products and services to clients, but also those that know when to say no.
1 Zia Ullah is a partner and Victoria Turner is a senior associate at Eversheds Sutherland. The authors wish to extend special thanks to trainee solicitor Lorena Dervishi for her assistance with this chapter.
2 Office of Foreign Assets Control [OFAC], FAQs 25 to 30.
5 See https://www.justice.gov/opa/pr/criminal-division-announces-publication-guidance-evaluating-corporate-compliance-programs – although this is not specific to sanctions, it is helpful in understanding the approach enforcement agencies may take when assessing whether or not a compliance framework was adequate.
7 See https://www.fca.org.uk/firms/financial-crime/financial-sanctions – in particular Chapter 7 of Part 1, which provides examples of good practice for sanctions systems and controls.
8 Commission Recommendation (EU) 2019/1318 – although this focuses on compliance programmes for dual-use trade controls, the overarching principles are arguably relevant to any sanctions compliance programme.
9 OFAC, ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019), at https://home.treasury.gov/news/press-releases/sm680.
10 Financial Conduct Authority [FCA], ‘Financial Crime Guide’, Box 2.3.
11 Annex to Appendix A to 31 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement Guidelines.
12 In the United Kingdom, the European Union or the United States – although the writers acknowledge that certain regulated entities may have obligations imposed on them by specific regulators, such as the New York State Department of Financial Services in the US.
13 FCA Decision Notice, dated 2 August 2010.
14 US Dep’t of Justice’s ‘Guidance on Evaluating Corporate Compliance Programs’ (issued in 2019 and updated in June 2020).
16 Split across two fines of £7.69 million and £12.77 million. These fines were reduced by the Economic Secretary of the Treasury from £11.9 million and £19.6 million originally imposed by OFSI.
17 Namely being in breach of Article 5(3) of EU Council Regulation 833/2014 and Regulation 3B of The Ukraine (European Union Financial Sanctions) (No. 3) Regulations 2014.
21 Which is relevant when OFAC determines base penalties – see https://www.ecfr.gov/cgi-bin/text-idx?SID=ccac94aaa0387efe2a9c3fca2dc5a4ab&mc=true&node=ap31.3.501_1901.a&rgn=div9.
22 UK Bribery Act 2010, Section 7.