The Role of Forensics in Sanctions Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.


The global value chain is a far-reaching system reliant on cross-border transfers of funds, services and goods, which are increasingly subject to economic sanctions and export controls law enforcement by the Office of Foreign Assets Control (OFAC), the US Department of Justice (DOJ) and other authorities. Investigations involving sanctions allegations will continue to be more prevalent as sanctions are a growing foreign and security policy tool used to influence foreign behaviour and mitigate national security risks.

Parties seeking to circumvent the sanctions regulations often go to great lengths to disguise transactions using intricate payment processes, subsidiaries, intermediaries and shell corporations, among other vehicles. To combat these types of deception, organisations should implement effective sanctions compliance programmes and investigate potential sanctions violations. Thus, prudent companies will leverage cutting-edge investigative techniques, tools and consultants with specialised forensic knowledge. The purpose of this chapter is to explain key investigative procedures and best practices from a forensic accounting perspective and highlight the techniques and tools used to uncover facts and patterns in the complex web of sanctions-related transactions. The chapter provides a combination of best practices, published guidance from OFAC and recent case outcomes, to provide insight on the evolving sanctions environment and to support forensic and compliance professionals in creating, enhancing or testing an existing sanctions compliance programme (SCP).

OFAC guidance

OFAC’s guidance document, ‘A Framework for OFAC Compliance Commitments’, encourages companies to ‘develop, implement and routinely update’ a risk-based SCP.[2] OFAC strongly recommends the adoption of an SCP by all organisations subject to US jurisdiction and foreign entities that conduct business in or with the US or US persons, or that use US origin goods or services, use the US financial system, or process payments to or through US financial institutions. Forensic methodologies and tools are critical elements of compliance measures such as risk assessments and compliance testing. For the purposes of this chapter, we focus on the two SCP components most relevant to forensics – risk assessment and testing or auditing – and how these components interplay with the factors OFAC considers in administrative enforcement actions.[3]

The risk assessment, and testing and auditing components of an SCP should not be viewed in isolation, but rather should inform each other and continue to evolve. Not only is the regulatory environment constantly evolving, so too is the nature of a business. Because each company is unique, the risk assessment, and testing and auditing plan should be tailored to each business. Additionally, risk assessments should be refreshed periodically. A proper risk assessment and testing and auditing cycle should minimise exposure in the event of an apparent violation. Moreover, the conclusions should be analysed as part of the testing and auditing process. If testing or auditing reveal that risks are higher than anticipated in one portion of the business, these results should inform the company’s risk assessment and compliance efforts.

As OFAC notes, a risk assessment should consider clients and customers, products, services, supply chain, intermediaries, counterparties, transactions and geographical locations, depending on the nature of the organisation. These factors should be targeted for assessment during the testing and auditing process.

When determining the appropriate administrative action in response to a sanctions violation, OFAC will follow its ‘Economic Sanctions Enforcement Guidelines’[4] and consider certain ‘general factors’, including the following examples of aggravating and mitigating factors:

  • Aggravating factors:
    • the conduct involved a pattern or practice of conduct (versus atypical and isolated);
    • individuals in the company ignored red flags;
    • individuals in the company had actual knowledge of, or reason to know about, the conduct ‘based on all readily available information and with the exercise of reasonable due diligence’;
    • senior management had explicit or implicit knowledge of the conduct; and
    • the conduct was part of a business process, structure or arrangement used to prevent or shield a person from having that knowledge.
  • Mitigating factors:
    • a risk-based OFAC compliance programme (including its nature and adequacy) existed at the time of the apparent violation;
    • swift action was taken to investigate the cause and extent of the violation;
    • all relevant information was provided, including the research and disclosure of any other violations caused by similar conduct; and
    • the violation occurred immediately after regulatory changes (e.g., right after names were newly added to the List of Specially Designated Nationals and Blocked Persons (the SDN List)).

Implementing a testing and auditing plan as part of a risk-based compliance programme is, in itself, a mitigating factor. However, using key forensic procedures and analytical tools as part of a testing and auditing plan can also help to reduce a company’s exposure by minimising instances of aggravating conduct. For example, testing and auditing using forensic procedures and data analytical tools on emails and shipping records can help to detect and deter knowing non-compliance by employees or senior management.

Key forensic procedures and analytical tools

Data analysis

Among the most effective investigative procedures applied in testing or investigating an SCP is a statistical analysis of historical and ‘real-time’ transactional data. It is critical that a company can identify potentially suspicious transactions and determine the ‘who, what, where, when and how’ by piecing together a timeline of events from raw, structured data.

Statistical data analysis ranges from basic pivot-table analysis to more advanced software applications and platforms that stratify, synthesise and flag data from a variety of ecosystems, and it can surface valuable information. The key to effectively using data analysis is the ability to link transactional evidence buried in a multitude of data fields from disparate sources to identify hidden relationships or correlations.

With the assistance of data analytic tools, robust forensic analysis can be performed to help thwart sanctions violations. The following observations from recent enforcement cases (as discussed in more detail in the section that follows) could further assist in preventing and detecting potentially suspicious activities:

  • Identify third parties at high risk for sanctioned country activities and use software or data analysis (or both) to block or monitor transactions with those parties. For example, sales to trading companies that operate freely all over the world present elevated risk because there is often no transparency regarding the end user of a product sold to them. An organisation should perform its own risk-based due diligence on third parties and consider using software programmes or data analysis to block or monitor transactions for ‘red flags’.
  • Incorporate neighbouring sanctioned country activity in data analysis, including monitoring bills of lading and other commercial documents for ports of unlading. Shipping documents indicating a destination in a country neighbouring a sanctioned country – particularly Iran – may raise concerns about illegal trans-shipment. Data analysis can flag these transactions for further review. Transactions involving countries with robust global trans-shipping, such as the United Arab Emirates, should be closely scrutinised in respect of sensitivity to risk.
  • Use keyword searches on unstructured data to assist with data analysis. Evidence regarding prohibited transactions is frequently located in unstructured data (e.g., electronic communications such as email, voicemail and instant messages). Forensic tools can identify suspicious activity using keywords on these types of communications. Further, a company can proactively use keyword searches across communication channels in the normal course of business to identify suspect transactions or ‘code’ words or phrases in real time and to block those communications.
  • Consider local practices, processes and procedures for data storage and tracking outside integrated systems (e.g., on local computer drives). Businesses in many countries often use ‘offline’ spreadsheets to track transactions. While it is important to analyse data from integrated company systems, one must also consider transactions recorded or tracked ‘off the books’. US parent companies of foreign subsidiaries with a history of, or at elevated risk for, sanctioned country transactions should consider remote monitoring of local computer drives and servers, and use of mirrored drives in periodic audits. Privacy laws in the local jurisdiction must be taken into consideration.
  • Employ an automated project proposal management system to automatically flag and block questionable projects for further review. US parent companies should have access to this system and routinely monitor it to prevent foreign subsidiaries from engaging in prohibited transactions with parties in sanctioned countries.
  • Automate the travel expense process and screening. Travel expense reports can provide insight on work location. An automated travel expense report system, which screens destinations, can help prevent provision of services to sanctioned countries or denied persons. Filtering data fields and searching for unusual keywords in travel expense systems, such as ‘vacation’ (which may be an obfuscation of a business trip to a sanctioned country), can identify discrepancies in client name, address, mileage and currency, among other things. To illustrate, a travel expense report indicating travel to Armenia with receipts showing currency in Iranian rial (the local currency) could be flagged, blocked and investigated with data analysis. As part of a robust SCP, travel expenses should also be audited frequently, perhaps monthly.
  • Monitor service contracts and warranties. Companies should consider accumulating service contracts and warranties in a system or database to identify and block service contracts or warranties involving prohibited business in sanctioned countries. Companies should also consider using data analysis to identify discrepancies between service contracts or warranties and related documents (e.g., payment or travel records) and to flag potentially high-risk service contracts or warranties with countries that are near sanctioned countries.
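
The travel expense checks in the list above, including the Armenia and Iranian rial illustration, can be expressed as a small rule set. This is an added example, not code from the chapter or from any expense product; the reports, field names, flag codes and reference tables are constructed for illustration and are not a legal determination of which jurisdictions are sanctioned.

```python
# Illustrative reference data (assumption): ISO 3166 country and ISO 4217 currency codes.
WATCHED_CURRENCIES = {"IRR": "IR", "SYP": "SY", "KPW": "KP"}  # currency -> jurisdiction
LOCAL_CURRENCY = {"AM": "AMD", "TR": "TRY", "AE": "AED", "DE": "EUR", "US": "USD"}
NEIGHBOURS = {"IR": {"AM", "AZ", "TR", "IQ", "TM", "AF", "PK"}}  # land borders of Iran
COMMON_CURRENCIES = {"USD", "EUR"}   # widely accepted, so not a mismatch on their own
KEYWORDS = ("vacation", "personal")  # the keywords named in the chapter

# Constructed expense reports.
REPORTS = [
    {"report_id": "R1", "destination": "AM", "purpose": "Vacation",
     "receipts": [{"merchant": "Hotel", "currency": "IRR", "amount": 4500000},
                  {"merchant": "Taxi", "currency": "AMD", "amount": 3000}]},
    {"report_id": "R2", "destination": "DE", "purpose": "Customer workshop",
     "receipts": [{"merchant": "Rail", "currency": "EUR", "amount": 89.0}]},
    {"report_id": "R3", "destination": "TR", "purpose": "Site visit",
     "receipts": [{"merchant": "Hotel", "currency": "TRY", "amount": 5200},
                  {"merchant": "Restaurant", "currency": "AED", "amount": 310}]},
]


def review(report):
    """Return a sorted list of red-flag codes for one expense report."""
    flags = set()
    expected = LOCAL_CURRENCY.get(report["destination"])
    for receipt in report["receipts"]:
        cur = receipt["currency"].upper()
        if cur in WATCHED_CURRENCIES:
            # A receipt in a watched currency contradicts any other declared destination.
            flags.add("WATCHED_CURRENCY:" + cur)
        elif cur != expected and cur not in COMMON_CURRENCIES:
            flags.add("CURRENCY_MISMATCH:" + cur)
    purpose = report["purpose"].casefold()
    for kw in KEYWORDS:
        if kw in purpose:
            # A business expense claim described as leave is a discrepancy in itself.
            flags.add("KEYWORD:" + kw)
    for country, nearby in NEIGHBOURS.items():
        if report["destination"] in nearby:
            flags.add("NEIGHBOUR_OF:" + country)
    return sorted(flags)


def triage(reports):
    """Queue each report: block on a watched currency, review on any other flag."""
    queues = {"block": [], "review": [], "clear": []}
    for report in reports:
        flags = review(report)
        if any(f.startswith("WATCHED_CURRENCY") for f in flags):
            queues["block"].append(report["report_id"])
        elif flags:
            queues["review"].append(report["report_id"])
        else:
            queues["clear"].append(report["report_id"])
    return queues


if __name__ == "__main__":
    for rep in REPORTS:
        print(rep["report_id"], review(rep))
    print(triage(REPORTS))
```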

Investigative due diligence

Investigative due diligence typically comprises a set of tools and approaches that can be applied to a wide range of investigations. In the case of sanctions-related investigations, these tools may consist of (1) documentation and electronic records disclosed by a party, (2) public records gathered through desktop research or on-site searches, and (3) observational site inspections or human source intelligence. By using investigative due diligence, investigators are armed with additional knowledge to connect the dots and enhance their understanding of the pool of information gathered about the subject of the investigation.

Additionally, forensic professionals leverage investigative due diligence to combine data analysis with a review of pertinent open-source data about the parties involved in the activity. Open-source data (e.g., public records such as corporate registry details, litigation records, asset ownership details and social media) can assist with untangling the web of indirect relationships and interrelated connections involved in transactions. Although the investigative trail often begins with the company’s books and records, perpetrators usually engage in a variety of techniques to cover their tracks, such as layering and multiple transfers to intermediaries, shell companies, nominee shareholders and related parties. By using investigative due diligence, including reviews of public records and ‘boots on the ground’ interviews, investigators may uncover valuable clues regarding ownership structure and executive leadership positions of complex organisational structures.

Perpetrators can go to significant lengths to obscure beneficial ownership of companies or to disguise certain transactions, but these patterns can often be identified with common elements such as addresses, proxies or nominees in corporate structures, or law firms or accountants used to register companies. Investigative due diligence frequently uses link analysis and visualisation tools to track the information uncovered, map the networks of bad actors, and help companies to understand the potential exposure to those bad actors. Identifying patterns or connections in voluminous information requires tools to distil the information quickly and clearly into charts or graphs.

Supply chain mapping

Forensic analysis tools also enable the use of models for predictive analysis and present opportunities in the area of global supply chain mapping. This mapping offers the possibility to identify the sanctions risk posed by third parties such as suppliers, distributors, agents, sub-agents and customers who may be doing business directly or indirectly with sanctioned countries, or whose activities benefit sanctioned governments or sanctioned persons.

When supply chains extend to countries that actively trade with sanctioned jurisdictions, the sanctions risk may be elevated. Some primary examples of these relationships include Colombia and Venezuela, China and North Korea, United Arab Emirates and Iran, Iraq and Syria, and Russia and North Korea. Assessing the potential third-party risk of relationships should be a process in which data analysis and models are continually updated with new information taken from the latest enforcement actions, in addition to published advisories from the US State Department, US Treasury Department or other authorities.

The investment in developing a supply chain risk map will produce longer-term benefits, especially for larger enterprises and those with a multinational presence. The insight gained through supply chain mapping for sanctions risk will help in establishing appropriate internal controls, training programmes and due diligence practices.

Predictive analysis

Once a supply chain is mapped for sanctions risk, predictive modelling can be leveraged with a global SCP to identify emerging trends in the evolving global sanctions landscape. For example, enterprises that deliver fourth-party or fifth-party logistics services[5] can enhance their existing contingency plans by incorporating sanctions risks in their supply chain mapping. Predictive analysis can highlight counterparties and relationships that may need to be re-evaluated or replaced in the event of a sanctions-related disruption, such as a sanctions designation or significant enforcement action. Although predictive analytics is not widely adopted, a growing number of companies are using it. For example, in November 2018, DHL announced a US$300 million investment in emerging technologies, including the deployment of a proprietary end-to-end visibility solution that leverages predictive analysis.[6]

Leveraging key forensic procedures and analytical tools such as those described above will assist in building a ‘best-in-class’ compliance programme. Owing to the exponential growth of international transactions, reliance on manual compliance controls alone can no longer effectively protect organisations against costly enforcement actions or other risks.

Advantages of on-site interviews and inspections

Forensic investigations rely heavily on historical records to identify relevant facts and support conclusions. Interviews or on-site observations provide additional context on collected data or evidence to validate authenticity and confirm facts and circumstances leading up to the recording of transactions. Live observation of body language can also be very valuable, especially in potentially sensitive situations involving possible wrongdoing. For this reason, on-site interviews or inspections present unique opportunities for compliance personnel, investigators or those engaged to perform related testing.

In practice, live interviews can help investigators evaluate employees’ compliance policy knowledge and the effectiveness of training, which may shed light on documented decisions made by those employees. This can potentially distinguish intentional violations of policy from decisions made because of deficient training or human error. These ‘live’ meetings provide first-hand knowledge of how written policies and procedures are actually implemented. In some cases, disparities between the written procedure and its execution might point to gaps in the procedure. Process walk-throughs can also detect procedural steps skipped by employees taking ‘shortcuts’. Interviewees can articulate why certain procedures were not performed, and describe any pain points or process inefficiencies that exist, which would highlight the need for updates or additional controls.

Field interviews and observations can also detect instances when compliance processes are viewed as unimportant by employees or management, or are not adequately supported by funding, necessary equipment, information technology infrastructure or staffing. These observations may indicate an overall lack of management commitment to the programme or a failure to anticipate external stresses. For example, employees in economically developing countries, where disruptions to internet service (or even electrical power) are commonplace, may default to unapproved work-arounds or off-system processes, which result in incomplete system data and failures to apply controls.

Irrespective of geography, protracted crisis may result in high staff turnover or absenteeism. Employees also may be unable to access their work location because of civil unrest, natural disaster or other widespread disruption, as exemplified by the covid-19 pandemic that began in 2020. Thus, expertise or resources required to fully execute the SCP may not be available and employees may find themselves under increased pressure to ignore processes for the sake of business continuity. Sanctions compliance should figure in the crisis response and business continuity plans for sophisticated, global organisations. On-site walk-throughs help to provide a clearer picture in understanding potential risks, which may not be detected during a crisis.

In situations where on-site procedures cannot be carried out, such as the travel constraints brought on by the covid-19 pandemic in 2020, it is important to note that inspections conducted remotely can provide satisfactory results. The use of mobile devices to allow a view of facilities can be effective when an in-person inspection is not possible. In addition, web-based interviews provide a solution for remote sharing of necessary documents, either on a shared screen or beforehand, to facilitate discussion.

Potential post-investigation procedures

The investigation, risk assessment or testing should conclude with a final report containing findings and observations that show the way forward. If external reviewers or investigators produce a report, an opportunity exists to convert findings into a formalised action plan to remediate deficiencies. For example, when gaps in compliance knowledge are revealed, the organisation should implement role-specific or targeted training. A finding that screening systems fail to detect name variations may result in new rules within the screening system. Still other findings may require enterprise-wide initiatives and policy development.

Specific compliance errors uncovered through transaction analysis and forensic techniques, such as look-backs, are also useful to isolate incorrect compliance decisions and enhance existing training programmes and materials. The circumstances surrounding the error are useful in forming situation-based questions and case studies for training materials, discussions and employee examinations. Studying the various types of errors may also be helpful in creating automated system-generated policy reminders to help employees in following the correct steps to avoid a violation.

Action plans should include: responsible parties, follow-up timelines, and procedures with features such as scheduled action plan updates; re-training or re-testing of employees; follow-up sampling of transaction activity to test controls; updated or enhanced risk-assessments; targeted disciplinary actions such as probationary periods or re-evaluation of contracts with external parties. In some cases, follow-up visits with employee interviews or observations are advisable to assess the status of remedial efforts. Follow-up activities associated with an action plan should also be documented and records retained according to written policy and legal standards.

Analysis of recent enforcement cases – a forensics focus

Examining recent cases and outcomes offers insight into trends within the evolving sanctions landscape. This context is important to demonstrate the application of various forensic investigative methods and best practices, while also highlighting the practices that might have contributed towards the identification of mitigating factors considered by OFAC had those practices been applied by the enforcement targets.

Société Internationale de Télécommunications Aéronautiques SCRL

This February 2020 case[7] demonstrates the risks posed to providers of software services, especially when those services are routed through or hosted on servers located in the United States. Société Internationale de Télécommunications Aéronautiques SCRL (SITA), an organisation with membership open to aviation operators worldwide, provides a variety of telecommunications network and software services for the aviation industry. OFAC investigated SITA after discovering that three members were Iranian and Syrian airlines named as specially designated global terrorists (SDGTs). At the time OFAC designated these airlines as SDGTs, SITA reviewed its agreements with the airlines and terminated their access to ticketing, airfare, e-commerce and other services. However, SITA continued to provide certain messaging, check-in and baggage tracking services that benefited the SDGT airlines directly or indirectly. These services were routed through the United States, maintained on servers located in the United States or performed using a software application with US origins. OFAC deemed the provision of those services to be a violation of the Global Terrorism Sanctions Regulations.

SITA may have benefited from a more thorough review of its services and software, not just a manual review of the agreements with these Iranian airlines. For example, software and services provided to SITA’s member airlines and other third parties could indirectly benefit the SDGT airlines, depending on their commercial relationships. Comprehensive testing of usage for all software and services may have identified the ultimate beneficiaries of these products. For example, forensic analysis could include an examination of the software, the software support servers and their functionalities, and more importantly, written policies and procedures regarding software-to-server communications from sanctioned locations and obfuscated internet protocol addresses, which may have revealed where the SDGTs had received or accessed the software.

Eagle Shipping International (USA) LLC

This January 2020 action[8] highlights the importance of transactional due diligence to identify targets’ sanctions-related activities. Eagle Shipping International (USA) LLC (Eagle) manages vessels owned by affiliated companies. Following a bankruptcy proceeding, Eagle’s parent company came under new ownership, which subsequently reviewed Eagle’s sanctions compliance history. That review identified an Eagle affiliate that previously transacted with a Burmese SDN. The SDN’s interest was apparent from the bills of lading and export cargo manifests, and certain managers had raised concerns about the SDN’s involvement. In response, the shipper supplied documents naming a different party, and Eagle accepted those documents despite warnings from the vessel’s captain and the port officer that the newly named shipper did not sell the relevant product in the region. Despite OFAC having denied Eagle’s licence application seeking to authorise the transaction, the company continued to handle shipments of product from the SDN in violation of OFAC’s Burmese Sanctions Regulations. Eagle’s new owners self-reported the violations to OFAC.

Two forensics lessons emerge from this case. First, if an acquisition target has unsuccessfully applied for an OFAC licence, it is important to review any historical transactions involving parties identified in the licence application to identify potentially unlicensed transactions involving those parties. Second, due diligence procedures should include targeted email searches using sanctions-related keywords. In Eagle’s case, employees discussed the activities involving the SDN via email, providing evidence of the violations.

Apple Inc

This November 2019 case[9] reveals how minor flaws in a company’s screening process can lead to potentially significant fines. In 2008, Apple signed a contract with SIS DOO[10] (SIS), a software company in Slovenia. In 2015, OFAC designated SIS and its director and majority owner under the Foreign Narcotics Kingpin Designation Act. Apple failed to identify that SIS was added to the SDN List because Apple’s screening system did not match the uppercase ‘SIS DOO’ in Apple’s database with the SDN listing’s lowercase ‘SIS doo’, even though the addresses of the two companies matched. Apple also failed to screen the SIS director and majority owner because he was listed as an ‘account administrator’ of SIS’s App Store account, while Apple’s process screened only individuals listed as ‘developers’.

To prevent such an instance, screening software should apply less stringent matching requirements to identify potential variations in spelling, punctuation and capitalisation. Software should apply fuzzy logic and case insensitive searches to identify near matches, including addresses, not just names. To the extent that screening software does not have these capabilities, simple data analytic queries should be performed outside the system. Screening for designated persons should be as broad as possible to include all leadership positions, not just particular titles.

Apollo Aviation Group, LLC

This November 2019 case[11] demonstrates the need for procedures to track the end-use of assets leased to third parties. Apollo Aviation Group, LLC (Apollo) leased three aircraft engines to an airline, which subleased the engines to a sub-lessee that installed them on aircraft leased to a Sudanese SDN. Apollo’s lease contained a sanctions compliance provision, but OFAC noted that Apollo failed to monitor or otherwise verify the actual whereabouts of its engines during the lease term.

Effective methods for monitoring and tracking assets will vary by industry and asset type, but companies should consider the following:

  • obtaining export compliance certificates from both lessees and any sub-lessees;
  • including lease provisions that allow the lessor to verify the location of its assets and conduct end-use audits;
  • requiring periodic reporting by the lessee of the location and users of the assets, including details of the procedures undertaken to confirm those locations and end users, and supporting evidence;
  • monitoring asset location and use via access logs and geographical location logs, as tracked by embedded software; and
  • requiring the lessee to track the location of its assets as they move from location to location and during periodic physical inventory count, by scanning bar codes and updating a system accessible by the lessor.

The General Electric Company

This October 2019 case[12] highlights the importance of employing screening best practices and ‘know your customer’ due diligence. The General Electric Company (GE) accepted payment from a third party on behalf of a Canadian customer of GE. The third party, a Cuban SDN, was an entity owned by a public joint venture between the Canadian customer and the Cuban government. The third party’s cheques showed its full legal name and an acronym, but GE only screened the acronym and did not flag the SDN. GE also failed to flag its Canadian customer’s ties to the Cuban SDN, despite a long-term customer relationship that had been renewed on multiple occasions.

The lessons learned include that companies should (1) verify that the screening software incorporates fuzzy logic and common name variations for SDNs, such as acronyms, (2) train employees to screen known variations of a party’s name, and (3) periodically review – or engage a service provider to review and analyse – publicly available information about their customers’ business for sanctions-related red flags. Regularly monitoring business partners to understand interrelated parties and uncover possible indications of sanctioned country business can help to prevent inadvertent violations.
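
The matching behaviour recommended in the Apple and GE cases above can be sketched as follows. This is an added example, not code from the chapter or from any screening product: names are compared case-insensitively with punctuation and word order normalised, acronyms are derived from list entries, addresses are compared as well as names, and every associated person is screened whatever their role. The list entries, addresses, person name, suffix list and 0.85 threshold are constructed assumptions; only the strings ‘SIS DOO’ and ‘SIS doo’ come from the text.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist (not real SDN data). Only the string "SIS doo" is from the text.
WATCHLIST = [
    {"id": "WL-1", "name": "SIS doo",
     "address": "Example Street 12, 1000 Ljubljana, Slovenia"},
    {"id": "WL-2", "name": "PRIMER, Janez", "address": ""},
    {"id": "WL-3", "name": "Constructed Trading Enterprise S.A.", "address": ""},
]
LEGAL_SUFFIXES = {"sa", "llc", "ltd", "inc", "doo", "gmbh"}  # illustrative, not exhaustive


def naive_exact_match(name, watchlist=WATCHLIST):
    """The failure mode described in the Apple case: case-sensitive equality."""
    return any(name == entry["name"] for entry in watchlist)


def tokens(text):
    """Lower-case words with accents and punctuation removed ('d.o.o.' becomes 'doo')."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[.'’]", "", text.casefold())
    return re.findall(r"[a-z0-9]+", text)


def normalize(text):
    """Sort the tokens so 'PRIMER, Janez' and 'Janez Primer' compare equal."""
    return " ".join(sorted(tokens(text)))


def acronym(name):
    """Initials of a listed name in written order, ignoring legal-form suffixes."""
    return "".join(t[0] for t in tokens(name) if t not in LEGAL_SUFFIXES)


def similarity(a, b):
    """Fuzzy score in [0, 1] computed on the normalised strings."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(party, watchlist=WATCHLIST, threshold=0.85):
    """Return (watchlist id, record field, match type) for each potential match."""
    # Every name on the record is screened: legal name, aliases or acronyms,
    # and all associated persons whatever their role or title.
    names = [("name", party["name"])]
    names += [("alias", a) for a in party.get("aliases", [])]
    names += [("person:" + p["role"], p["name"]) for p in party.get("persons", [])]
    address = party.get("address", "")
    hits = []
    for entry in watchlist:
        acr = acronym(entry["name"])
        for field, value in names:
            if similarity(value, entry["name"]) >= threshold:
                hits.append((entry["id"], field, "name"))
            elif len(acr) >= 3 and tokens(value) == [acr]:
                # Very short acronyms are skipped to limit false positives.
                hits.append((entry["id"], field, "acronym"))
        if address and entry["address"] and \
                similarity(address, entry["address"]) >= threshold:
            hits.append((entry["id"], "address", "address"))
    return hits


# Constructed counterparty records modelled on the two cases.
APPLE_LIKE = {
    "name": "SIS DOO",
    "address": "EXAMPLE STREET 12, 1000 LJUBLJANA, SLOVENIA",
    "persons": [{"name": "Janez Primer", "role": "account administrator"}],
}
GE_LIKE = {"name": "CTE", "aliases": ["Constructed Trading Enterprise, S.A."]}

if __name__ == "__main__":
    print("exact match on 'SIS DOO':", naive_exact_match("SIS DOO"))
    for record in (APPLE_LIKE, GE_LIKE):
        print(record["name"], screen(record))
```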

Stanley Black & Decker

In this March 2019 settlement, Stanley Black & Decker (Stanley) performed appropriate due diligence when acquiring a Chinese company, Jiangsu Guoqiang Tools Co Ltd (GQ), but failed to monitor its new subsidiary’s post-closing compliance. During pre-closing due diligence, Stanley discovered that GQ engaged in sales to Iran and required GQ to agree to terminate these sales prior to closing. Stanley later discovered that GQ had continued shipments destined for Iran. OFAC noted that Stanley ‘did not implement procedures to monitor or audit GQ’s operations to ensure that its Iran-related sales did not recur post-acquisition’. OFAC more generally cautioned:

Foreign acquisitions can pose unique risks that US person parent companies need to address fully at all stages of its relationship with the subsidiary. US parent companies are encouraged to take steps to mitigate risk to sanctions exposure, including by addressing known deficiencies like unconventional record-keeping practices, and any hindrances to monitoring, auditing, or investigating the foreign subsidiary’s operations.[13]

As highlighted above, when the US parent company knows that the acquired foreign subsidiary has a history of sanctioned country activities, the US parent should aggressively monitor and test the subsidiary’s compliance on an ongoing basis. For example, the US parent company should confirm that any agreements made pre-closing were complied with and any problematic transactions or activity did in fact cease. Audit techniques incorporating investigative, forensic tools and data analytics can assist in monitoring such compliance (e.g., email review, transactional review, interviews).

Kollmorgen Corporation

In this February 2019 settlement,[14] Kollmorgen, a US company, acquired a Turkish company, Elsim Elektroteknik Sistemler Sanayi ve Ticaret Anonim Sirketi (Elsim). As in the Stanley case, Kollmorgen performed due diligence prior to closing and discovered that Elsim made sales to Iran. Despite Kollmorgen’s ‘extensive efforts’, both before and after acquisition, to prevent future transactions with Iranian customers, Elsim continued to provide services and products to Iran for two years post-closing. Elsim’s management engaged in fraud, including falsifying travel reports (i.e., employees who travelled to Iran as service providers were told to describe the travel as vacation rather than business), deleting and falsifying emails and other records, and providing false compliance certifications. Kollmorgen ultimately discovered the violations through an ethics hotline call from an Elsim employee.

As stated by OFAC, this case highlights the importance of (1) performing heightened due diligence on affiliates, subsidiaries or counterparties known to have transacted with OFAC-sanctioned countries or persons, or that otherwise pose a high risk owing to their geographical location, customers, distributors or suppliers, or products and services, and (2) implementing proactive controls when US persons acquire interests in companies with existing sanctioned country or SDN relationships. Because services can be more difficult to track than products, additional scrutiny of service providers is warranted. Additionally, as noted above, data analysis using keywords in the travel expense systems (e.g., vacation or personal) may have allowed the company to identify the suspicious travel to Iran in real time.
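The keyword analysis described above, sketched as an added example that is not part of the chapter or of any company's actual controls. The record fields, the keyword variants beyond 'vacation' and 'personal', and the watch-list country codes are assumptions, and the expense rows are constructed.

```python
import re

# Assumed keyword list: the terms the chapter names (vacation, personal)
# plus close variants an analyst might add.
LEISURE_TERMS = re.compile(r"\b(vacation|holiday|personal|leave)\b", re.I)
# Assumed watch list of ISO country codes, maintained from the risk assessment.
WATCH_COUNTRIES = {"IR"}

# Constructed sample rows from a hypothetical travel-expense export.
EXPENSES = [
    {"id": 1, "employee": "E-104", "purpose": "Customer service visit", "country": "DE", "reimbursed": True},
    {"id": 2, "employee": "E-221", "purpose": "Vacation", "country": "IR", "reimbursed": True},
    {"id": 3, "employee": "E-221", "purpose": "personal trip", "country": "TR", "reimbursed": False},
    {"id": 4, "employee": "E-305", "purpose": "Annual leave - family", "country": "IR", "reimbursed": False},
    {"id": 5, "employee": "E-118", "purpose": "Site commissioning", "country": "IR", "reimbursed": True},
]

def flag_expense(row):
    """Return a list of red-flag reasons for one expense record."""
    reasons = []
    leisure = bool(LEISURE_TERMS.search(row["purpose"]))
    watched = row["country"] in WATCH_COUNTRIES
    if leisure and row["reimbursed"]:
        # Company money spent on a trip described as private.
        reasons.append("leisure-coded trip paid by company")
    if leisure and watched:
        reasons.append("leisure-coded trip to watch-list country")
    if watched and not leisure:
        reasons.append("declared business travel to watch-list country")
    return reasons

def review_queue(rows):
    """Rank flagged records, most reasons first, for analyst review."""
    flagged = [(r["id"], flag_expense(r)) for r in rows]
    flagged = [(i, why) for i, why in flagged if why]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for expense_id, why in review_queue(EXPENSES):
        print(expense_id, "; ".join(why))
```

A flag is a prompt for analyst review, not a finding; records with several reasons are ranked first so they are examined before single-reason hits.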

e.l.f. Cosmetics, Inc

This January 2019 case[15] illustrates the dangers of failing to perform proper supply chain due diligence. The compliance programme and supplier audits at e.l.f. Cosmetics, Inc (Elf) failed to uncover that approximately 80 per cent of the false eyelash kits procured from two China-based suppliers contained materials from North Korea. Some of Elf’s remediation measures stand out from a forensics and data analysis viewpoint: (1) implementing supply chain audits that verify the country of origin of goods and services used in its products; and (2) conducting an enhanced supplier audit that includes verification of payment documentation for production materials and potentially the review of supplier bank statements (access to a supplier’s records is best negotiated with the supplier as a condition of receiving payment from the purchaser). In addition, purchasers should consider performing data analytics on product components or ingredients (e.g., researching the sources of the product or its major constituent materials to determine whether sanctioned countries are significant manufacturers and, if so, whether they are located near the supplier country). As described in detail above, third-party risk assessment, supply chain due diligence and supply chain mapping assist in identifying potential red flags for sanctions-related issues.

Sanctions compliance: best practices and lessons learned

Former US Deputy Attorney General Paul McNulty issued a warning at a conference in 2009 that remains a popular maxim within compliance circles more than a decade later: ‘If you think compliance is expensive, try non-compliance.’[16] Sanctions compliance violations are among the costliest ways this lesson is learned. OFAC maintains the most active and extensive sanctions programme in the world. In 2019 and into 2020, OFAC’s output included a steady flow of new regulations, guidelines and enhanced reporting requirements for rejected transactions.

It is worthwhile to remember that OFAC considers ‘good faith’ compliance efforts in the disposition of enforcement matters. OFAC ‘will consider favorably subject persons that had effective SCPs at the time of an apparent violation’.[17] However, there is no way to predict how OFAC will apply this principle to individual cases, so compliance professionals and organisational leaders should not assume their efforts will result in mitigation of penalties. Take, for example, the SITA settlement, which resulted in a significant financial penalty even though SITA had taken steps to comply with the GTSR in terminating some services offered to the SDGT airlines.

The advice supplied by OFAC in the ‘Framework for OFAC Compliance Commitments’, and echoed here, can be traced to cases in which at least one of the five commitment areas was deficient. Focusing on the forensic and investigatory lessons that can be gleaned from the cases referenced herein, below is a series of emphatic do’s and don’ts, from a forensics perspective, for building an SCP, testing an existing programme or conducting sanctions investigations.


Compliance programme

  • Conduct comprehensive risk assessments that evaluate the full scope of business operations and ‘at risk’ or significant transactions.
  • Implement user-friendly, easy-to-follow policies, procedures and internal controls that are relevant to day-to-day operations.
  • Review existing policies and procedures to ensure they are risk-based and designed to address the full scope of sanctions concerns.
  • Enforce policies and procedures, and identify, document and remediate weaknesses.

Due diligence and screening

  • Conduct diligence on customers, distributors, suppliers, contractors, logistics providers, financial institutions and other business partners that may represent exposure.
  • Test screening lists continuously.
  • Use and test screening software and be cognisant of filter faults.
  • Utilise appropriate systems and technology to track movement of goods and related financial transactions from manufacturing to end user.
  • As appropriate, consider deploying blockchain and distributed ledger technologies to improve due diligence records.
  • Automate screening and alert processes – reduce false positives and prioritise alerts by severity using risk assessment.
  • Understand circumvention risk in countries that are not sanctioned but actively trade with sanctioned countries.
  • Monitor recent enforcement actions to determine potential effects on operations.
  • Establish channels by which employees can make good-faith reports on suspected violations without fear of reprisal.

Testing and auditing

  • Assess tools and data needed to manage sanctions compliance effectively and efficiently.
  • Leverage technology to centralise monitoring of sanctions compliance.
  • Integrate knowledge, systems and information across business operations and activities.
  • Consider artificial intelligence and machine learning to detect potential red flags and trending – calibrate and test routinely.
  • Apply forensic investigative techniques and eDiscovery approaches that use both structured and unstructured data, metadata, and pattern and trend identification techniques.
  • Conduct regular and frequent internal compliance audits at crucial junctures, including mergers, acquisitions and management changes, to identify red flags and reduce surprises.
  • Conduct supply chain audits with country-of-origin verification.
  • Review attendance records for suppliers’ and distributors’ sanctions training.
  • Perform routine and frequent supplier and distributor audits.


Do not:

  • conceal violations;
  • facilitate transactions by non-US persons (including through or by non-US subsidiaries or countries);
  • export or re-export US origin goods or services to sanctioned jurisdictions and entities;
  • utilise US financial systems or process payments to or through US financial institutions for transactions involving sanctioned persons or countries (including the US dollar); or
  • utilise non-standard payments and commercial practices.


The area of sanctions compliance will continue to grow in importance and simultaneously challenge the programmes, tools and talents of legal, compliance and forensics professionals. As the international political trends and criminal activities driving the use of sanctions show no signs of disappearing, and worldwide economic instability continues to show vulnerabilities in the global value chain, establishing a robust and proactive SCP will provide a significant measure of protection against potential violations. By focusing on the core commitment areas described in the OFAC guidance, drawing from best practices and tools used by forensics professionals, and studying relevant case outcomes, enterprises seeking to mitigate sanctions risk can do so with confidence that those efforts will pay off in the long term.


1 Nicole Sliger is a partner and Pei Li Wong is a managing director, at BDO USA LLP, and Linda Weinberg and Roscoe C Howard, Jr are partners at Barnes & Thornburg LLP. The authors would like to acknowledge the contributions of Nicholas Galbraith, Tayo Osuntogun and Kristen McCannon of Barnes & Thornburg LLP and Cameron Parrish of BDO USA LLP.

2 See

3 A Framework for OFAC Compliance Commitments states: ‘OFAC has generally focused its enforcement investigations on persons who have engaged in willful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-US or US financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization’s management, caused significant harm to US sanctions program objectives, and were large or sophisticated organizations.’

4 31 C.F.R. Part 501, Appendix A, at

5 In using fourth- and fifth-party logistics service providers, companies outsource a majority of, or nearly all, logistics management activities. As more of the supply chain logistics function is performed by an external party rather than the company itself, compliance risk increases.

6 See

7 See

8 See

9 See

10 In Slovenia, DOO is a standard corporate suffix identifying a limited liability company.

11 See

12 See

13 See

14 See

15 See

16 Rodney T Stamler, Hans J Marschdorf, Mario Possamai, Fraud Prevention and Detection: Warning Signs and the Red Flag System (Boca Raton, FL: CRC Press, 12 March 2014), page 4.

17 See
