Principled Guide to Sanctions Compliance Programmes

This is an Insight article, written by a selected partner as part of GIR's co-published content.

The past decade has seen sanctions move up the risk agenda to become one of the most significant risks for businesses operating across multiple jurisdictions. This was emphasised throughout 2022 and 2023 by the expansive and complex sanctions imposed against Russia, which saw businesses across all sectors evaluating their sanctions risk and compliance. Sanctions were once a real concern only for regulated financial institutions; the proliferation of enforcement action against unregulated businesses outside the financial services sector has forced all businesses, irrespective of the sectors in which they operate, to consider the adequacy of their sanctions compliance programmes. In addition, companies face pressure from their own business partners to ensure and demonstrate sanctions compliance downstream, particularly within supply chains. As a result of this scrutiny, an effective sanctions compliance programme has never been more important. This chapter considers the key areas of focus that businesses and their teams should consider when developing sanctions compliance programmes.

Proportionate and risk-based programmes

Sanctions compliance programmes should be risk-based and proportionate. What is applicable for one organisation will not be appropriate for another, and enforcement agencies have noted that an adequate compliance programme will very much depend upon factors unique to each organisation (including its products, customers, geographical exposures and the nature of its business).

The concept of proportionality is very important. Although on one view sanctions compliance may be considered a binary ‘comply or breach’ issue, the practical reality is that a one-size-fits-all approach is neither necessary nor cost-effective. The large-scale sanctions mitigation strategies that regulated businesses develop so that they can effectively screen millions of customers and transactions every day will not (nor should they) be the same strategies employed by smaller businesses with only a fraction of the number of customers or potential sanctions touchpoints across their business life cycles. As we outline below, assessing the sanctions risks applicable to a particular business will ensure that the most proportionate sanctions compliance programme is implemented for that enterprise, taking into account the level of resources that is available, or indeed appropriate.

Preventive measures

Prevention is key to sanctions compliance. Regulators across the world take a dim view of institutions that fail to identify risks and to implement preventive measures to mitigate them. In this regard, sanctions compliance is no different from other financial crime compliance. However, sanctions compliance has a number of unique and specific challenges, including constantly evolving regimes (which can change daily) and the difficult position that conflicting global regimes can create for global institutions. Being aware of the challenges that sanctions compliance poses, staying on top of worldwide developments and anticipating future changes are all key when identifying the preventive measures that should be put in place and ensuring that they continue to operate effectively.

The development of policies and procedures, customer screening systems, the provision of training, due diligence, transaction monitoring and transaction screening are all key preventive measures that organisations should consider putting in place. As there is no one-size-fits-all approach to sanctions compliance, a risk assessment should be at the heart of every sanctions compliance programme.

Recent events have also shown that those with more sophisticated and effective sanctions compliance programmes are able to:

  • use the root causes of apparent violations identified in publicised enforcement actions to identify and strengthen their own preventive measures. Understanding where others have failed is a key component of determining whether your own sanctions compliance programme will be effective; and
  • react quickly to significant geopolitical and legal changes, as was shown by the rapid deployment of sanctions against Russia in 2022.

What constitutes a good sanctions compliance programme?

Sanctions are, quite rightly, a high compliance priority for many businesses, and, in recent times, regulators and enforcement agencies have provided guidance on what to consider when assessing a sanctions compliance programme. Key guidance to note includes:

  • FAQs published by the Office of Foreign Assets Control (OFAC) in respect of sanctions compliance;[2]
  • ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019);[3]
  • the Department of Justice’s (DOJ) ‘Evaluation of Corporate Compliance Programs’ (issued in 2019 and updated in June 2020 and March 2023);[4]
  • the Office of Financial Sanctions Implementation’s (OFSI) general guidance on financial sanctions;[5]
  • OFSI’s monetary penalty guidance;[6]
  • the Financial Conduct Authority’s (FCA) ‘Financial Crime Guide’;[7] and
  • EU guidance on internal compliance programmes.[8]

Sanctions authorities around the world broadly agree that the core components of an effective sanctions compliance programme are:

  • senior management commitment;
  • risk assessment;
  • policies, procedures and internal controls;
  • training; and
  • audit.

We examine each of these five components in more detail.

Senior management commitment

Senior management commitment is at the forefront of all guidance on sanctions compliance programmes. Compliance should not operate in a vacuum, and senior management should understand the compliance programme’s purpose, the key risks faced by the organisation (both inherent and residual) and how the programme is designed to work. Senior management should demonstrate, at board level where appropriate, support for the compliance programme and those within the business who are responsible for its development and operation.

Both regulators and sanctions enforcement agencies expect senior management to review and approve an organisation’s sanctions compliance programme. This must not be just a tick-box process, and regulators will look to senior management to provide support for the compliance programme within their organisation and demonstrate compliance themselves, as well as a general culture that fosters positive and effective sanctions compliance. Senior management should set the tone for the business, undertake sanctions compliance training and regularly review sanctions risks faced by the business, providing effective challenge to the risk and compliance function where appropriate.

Senior management should not stifle or prevent risk and compliance teams from implementing and operating an effective sanctions compliance programme. Regulators and enforcement agencies are keen to see adequate resources being provided to compliance teams and that compliance and risk teams have a sufficient level of autonomy to implement policies and procedures designed to mitigate the sanctions risk identified within an organisation. However, overall responsibility for sanctions compliance should lie with a chief compliance officer, general counsel or some other appropriate member of an organisation’s executive committee.

It should be noted that where issues arise as a result of potential failings in sanctions compliance frameworks, senior management are often at the heart of any potential investigation into any failings, and as such they should ensure that they fully understand the potential sanctions risks their businesses face and be able to articulate the steps they took to ensure compliance. With the current scrutiny on sanctions compliance, it has never been more important for senior management to have sufficient understanding and oversight of sanctions compliance within their business.

Risk assessment

Internal controls, policies and procedures and training cannot be designed appropriately unless a risk assessment has been conducted and its output used to inform those elements of the compliance programme. It is only when an organisation has considered and laid out its inherent sanctions risk that it can truly start identifying controls and residual risk factors. A sanctions risk assessment will vary significantly across different business types and sectors; however, OFAC notes that a risk assessment ‘should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world’.[9] Equally, from a legal point of view, different legal requirements (including cross-border requirements) pose different challenges and risks to different businesses. Understanding the complexity of sanctions and their effect on your own individual business is vital when implementing and managing an effective compliance programme.

In the United Kingdom, the FCA is clear that ‘a thorough understanding of its financial crime risks [including sanctions] is key if a firm is to apply proportionate and effective systems and controls’.[10] Corporate resources are not infinite and one of the key benefits in conducting a risk assessment is that it enables an organisation to target resource on the areas of greatest sanctions risk (alongside other financial crime-related areas).

Risk assessments should have a broad scope and should include assessment of:

  • customer risk;
  • product risk;
  • geography risk;
  • transaction risk; and
  • delivery risk.

It is important to identify all potential sanctions risk and, in particular, where it is in the operation of your business that potential sanctions exposure may lie. As noted in ‘A Framework for OFAC Compliance Commitments’, sanctions risk not only exists in the day-to-day operations of a business but also in mergers and acquisitions, particularly where these introduce cross-border considerations. As such, assessing the applicability of various sanctions regimes to different parts of your business, customers, intermediaries, the supply chain, counterparties and the geography of each of these is important. Understanding the root causes of apparent sanctions violations (both those identified internally and those seen in enforcement cases) and how international sanctions may develop as a result of geopolitical events will also result in a more effective risk assessment.

OFAC has helpfully provided a suggested risk matrix that may be used when assessing compliance programmes.[11]

Policies, procedures and internal controls

Internal controls are the measures put in place by an organisation to mitigate the risks it has identified. Examples of internal controls that may be appropriate in the context of sanctions include:

  • policies and procedures;
  • customer and third-party screening;
  • transaction screening;
  • due diligence requirements;
  • contractual provisions; and
  • training.

Sanctions compliance programmes typically include, at their most basic, a sanctions policy and, in some cases, a compliance manual (which may cover more than one area of financial crime risk) that sets out the processes underpinning the internal controls in place, along with an appropriate internal reporting and governance structure and exceptions process.

Internal controls for any financial crime compliance programme must be able to adapt to ongoing changes and developments. This is particularly important in the context of sanctions where changes to legal regimes occur frequently (as has been seen throughout 2022 and 2023), where new entities and individuals are designated by one or more regulators and where geopolitics frequently result in changes in focus by different governments across the world. An effective sanctions compliance programme must be able to adapt to these evolutions and this should be built into the framework of the internal controls.

Although there is generally no legal obligation within primary sanctions legislation to conduct sanctions screening,[12] it is often the only practical way an organisation can ensure that it does not engage in conduct that would give rise to violations of sanctions. There are multiple screening tools available to organisations, some of which will no doubt be better suited to certain industries. However, what is important is that those responsible for the screening solution within an organisation understand why the tool was selected, how it operates, how it is calibrated to meet the needs of the organisation and its risk assessment, and how the underlying logic works. The effectiveness of sanctions screening tools, at both the customer and transaction levels, should be regularly tested to ensure it is operating within the parameters the organisation needs and expects.

Having a screening tool working in isolation is unlikely to be effective, and the importance of ensuring it is aligned to the risk assessment and due diligence requirements cannot be overstated. An organisation’s risk assessment should inform how a screening solution is used, what is screened and when.
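To make concrete what ‘calibration’ and ‘testing effectiveness’ mean for a screening tool, the following is an added illustration written for this chapter; it is not code from the article’s authors or from any screening vendor. The list entries, aliases, identifiers and labelled test names are all constructed for the example, and the matching approach (normalising names, then applying a character-similarity threshold) is deliberately simple: a production tool would load the consolidated lists published by OFAC, OFSI and the EU and add phonetic keys, transliteration tables and secondary identifiers such as dates of birth and addresses.

```python
"""Minimal name-screening routine with a calibration check.

Added example for illustration only; the sample list and the labelled
test cases below are CONSTRUCTED (fictional names, made-up identifiers).
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list. "aka" holds alias spellings, as real lists do.
SAMPLE_LIST = [
    {"id": "EX-0001", "name": "Ivan Petrovich Sidorov",
     "aka": ["Sidorov, Ivan", "I. P. Sidorov"]},
    {"id": "EX-0002", "name": "Northern Star Shipping LLC",
     "aka": ["Northern Star Shipping"]},
    {"id": "EX-0003", "name": "Mohammed Al-Rashid",
     "aka": ["Muhammad Al Rashid"]},
]

# Corporate suffixes carry no identifying weight, so they are dropped.
LEGAL_SUFFIXES = {"llc", "ltd", "limited", "inc", "co", "corp", "plc",
                  "gmbh", "sa", "ag", "bv", "nv"}


def normalize(name: str) -> str:
    """Fold case and diacritics, strip punctuation and legal suffixes, and
    sort the remaining tokens so 'Sidorov, Ivan' equals 'Ivan Sidorov'.
    Non-Latin scripts would need a transliteration step (not shown)."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9]+", " ", folded.lower()).split()
    tokens = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1] of two names after normalising."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name: str, entries=SAMPLE_LIST, threshold: float = 0.90):
    """Return [(list_id, best_alias, score)] for every entry whose best
    alias scores at or above `threshold`, strongest match first."""
    hits = []
    for entry in entries:
        best_alias, best = max(
            ((alias, similarity(name, alias))
             for alias in [entry["name"], *entry["aka"]]),
            key=lambda pair: pair[1],
        )
        if best >= threshold:
            hits.append((entry["id"], best_alias, round(best, 3)))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


# Constructed labelled cases for the calibration check: the list id that
# MUST be alerted, or None where the name must NOT produce an alert.
LABELLED_CASES = [
    ("SIDOROV, Ivan Petrovich", "EX-0001"),      # token reordering
    ("Ivan Petrovič Sidorov", "EX-0001"),        # diacritic, spelling variant
    ("Northern Star Shipping Ltd.", "EX-0002"),  # different legal suffix
    ("Mohammad Al Rashid", "EX-0003"),           # transliteration variant
    ("Ivan Smirnov", None),                      # unrelated; shares a first name
]


def evaluate(threshold: float, cases=LABELLED_CASES, entries=SAMPLE_LIST):
    """Count misses (true matches not alerted) and false alerts at a given
    threshold: the periodic effectiveness test the text calls for."""
    misses = false_alerts = 0
    for query, expected in cases:
        hit_ids = {hit[0] for hit in screen(query, entries, threshold)}
        if expected is not None and expected not in hit_ids:
            misses += 1
        false_alerts += len(hit_ids - {expected})
    return {"threshold": threshold, "misses": misses,
            "false_alerts": false_alerts}


if __name__ == "__main__":
    for t in (0.80, 0.90, 0.95):
        print(evaluate(t))
```

Running the block shows the trade-off that calibration has to resolve: at the tightest threshold the transliteration variant is missed, at the loosest the unrelated name raises a false alert, and only the middle setting clears the labelled set. The labelled cases are the part a compliance team should own and extend, drawing on the root causes seen in enforcement actions, because the threshold is only as good as the cases it is tested against.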

The importance of internal controls is not a new concept and has been a significant area of focus for regulated entities for many years. Both civil monetary penalties issued by sanctions authorities, and regulatory penalties issued by those regulating the financial sector, have heavily focused on internal controls to combat sanctions risk, and this scrutiny has been emphasised throughout 2022 and 2023 as a result of the sanctions imposed against Russia. Regulators, such as the FCA, have stressed that sanctions compliance and the testing of internal controls within organisations is a key priority area of focus and is not reliant on there being a sanctions violation. The aim of regulators across many jurisdictions is to take action proactively in assessing the adequacy of controls to ensure the risk of sanctions violations occurring is mitigated. This message is emphasised by actions taken by regulators across the world against organisations not only for actual violations of sanctions but also because of the lack of adequate internal controls in preventing violations from occurring.

Training

An organisation could design the best sanctions compliance programme ever seen, but failing to train employees adequately, not only on the programme itself but on the rationale for having it (including legal and regulatory obligations), is a sure-fire way of ensuring the compliance programme fails. While technology no doubt plays a significant role in any compliance programme, the complexity of international sanctions and the need for various controls to work alongside and in conjunction with each other means that, often, a sanctions compliance programme is only as good as the people who implement it.

Training can take many forms and what is appropriate for one organisation will not necessarily be appropriate for another. Organisations that operate across multiple jurisdictions will no doubt need a more detailed training plan than a small organisation based only in the UK, for instance. Again, the training requirements needed should flow from the outcome of an organisation’s risk assessment and we would stress that it is important to consider the root causes of sanctions violations to ensure that these are, where appropriate, addressed within the training provided.

Training may include:

  • clear communication of internal controls, policies and procedures to relevant employees;
  • internal face-to-face or webinar-based training in respect of sanctions obligations (of the organisation and individual employees), legal and regulatory requirements, internal controls and reporting obligations (both internally and externally). Many enforcement authorities and regulators expect to see training being given regularly (at least once a year) to relevant employees; and
  • external specialist training for those operating in vital roles within the risk and compliance functions and high-risk areas within a business.

Training content should be developed so that it is relevant to the particular organisation. Relevant sanctions regimes should be detailed, and, where appropriate, the conflict between regimes should be explained alongside the organisation’s stance in respect of that conflict. Role-specific knowledge should be provided, and the obligations on individual employees and on the organisation and its senior management should be made clear. Within regulated firms, it is not unusual to see sanctions training programmes developed across the ‘three lines of defence’ model (with the first line being relevant business operations or units, the second line being risk and compliance functions, and the third line being internal audit), such that training is delivered to teams operating in each of the first, second and third lines so that the specific risks and issues faced by each of those teams are addressed. This also enables these firms to demonstrate to regulators that they have considered the risks of breaching sanctions holistically.

Audit

Once a sanctions compliance programme is implemented, it is important to ensure that it is regularly tested and evaluated, both to ensure that it remains effective and to ensure that it is being implemented consistently throughout the organisation. Both internal and external audits are useful in this regard, and audits can be carried out on specific aspects of a compliance programme or on the programme as a whole.

Audits, whether internal or external, should be independent and should aim to identify any deficiencies in the compliance programme, make recommendations for improvement and follow up on action items to ensure audit points are closed off and remediated where necessary. Linking back to the subject of senior management commitment, it is also recommended that audit functions are held accountable by senior management and that updates and reports on findings are presented to, and considered by, senior management.

Audit functions should provide a level of challenge to the risk and compliance function and the sanctions compliance framework. The DOJ has indicated that when assessing compliance programmes generally, in the context of criminal proceedings, the following three key questions should be asked:

  • Is the corporation’s compliance programme well designed?
  • Is the programme being applied earnestly and in good faith?
  • Does the corporation’s compliance programme work in practice?[13]

These questions are equally relevant to the work of an independent audit function.

The events of 2022, with respect to the imposition of sanctions against Russia, also highlighted the importance of evaluating lessons learned in relation to how businesses cope with the increased number and complexity of sanctions. This is undoubtedly an area where auditing can provide additional value to a business, looking not only at the effectiveness of a compliance programme but also at its ability to efficiently adapt to rapid and complex changes.

Why is a sanctions compliance programme important?

Regulators and enforcement agencies across the world have made it clear, through their enforcement action, that failure to have an adequate sanctions compliance programme in place will only be to the detriment of the entity and will be seen as an aggravating factor when sanctions violations are identified. In recent years, we have seen substantial fines being imposed, particularly in the United States, as a result of sanctions compliance failures. Organisations operating only within the United Kingdom, however, should not take comfort from the fact that most of the significant enforcement in recent years has taken place in the United States, as the UK enforcement agency, OFSI, has demonstrated that it is also willing and able to take substantive action. In 2022, OFSI and OFAC announced their enhanced partnership to, among other things, ‘support OFSI’s move to a larger and more proactive organisation’.[14]

Actions taken by enforcement agencies in the past few years have highlighted the importance of sanctions compliance programmes. If one is not in place or is not effective, enforcement agencies will not hesitate in requiring one to be put in place as a condition of a settlement. Being forced by a regulator or enforcement agency to strengthen a sanctions compliance programme comes with a number of difficulties, including reputational damage and, in serious cases, ongoing costs associated with future monitorship by enforcement agencies. It is far better for an organisation to take the initiative and develop and implement a sanctions compliance programme on its own terms to protect the business.

Some key UK and US enforcement cases in the past few years that highlight the importance of sanctions compliance programmes and the features of these programmes as detailed in this chapter include the following.

British American Tobacco Plc

British American Tobacco Plc (BAT) agreed to pay over US$500 million for violations of US sanctions against North Korea and weapons of mass destruction proliferators.[15] The enforcement action demonstrated the importance of senior management in sanctions compliance with the actions of senior management described as having been taken to ‘purposefully obscure’ BAT’s ongoing ownership and control over a joint venture company in North Korea. OFAC determined that it was an aggravating factor that senior management had actual knowledge of a conspiracy to evade sanctions from its inception through to its ultimate termination. The size and sophisticated nature of the company was also determined to be an aggravating factor. OFAC stated that ‘without a culture of compliance driven by senior management and attendant policies and controls, firms increase the risk that they may engage in apparently violative conduct’.[16]

Microsoft Corporation

When imposing a fine of just under US$3 million on Microsoft Corporation, OFAC stated that it had taken the extensive enhancements made by the company to its sanctions compliance programme into account as mitigating factors when determining the penalty to impose.[17] As part of its general comments, OFAC noted a number of key compliance messages, including: (1) the importance of companies having sufficient visibility into end users when conducting business through foreign-based subsidiaries and distributors, thereby highlighting the importance of due diligence controls; (2) that companies with global customer bases and sophisticated technology operations should ensure their sanctions compliance programme remains commensurate with the risk posed and that appropriate technological compliance solutions are leveraged where possible; and (3) the importance of ensuring and testing adherence to the sanctions compliance programme in place.

Uphold HQ Inc

While it involved a relatively small penalty (US$72,230.32), this enforcement action is worthy of note as it highlights the importance of financial institutions ‘maintaining robust controls to screen information provided by customers to identify sanctions risk’.[18] OFAC noted that information provided at account opening and as part of ongoing due diligence should be considered for screening, particularly location information. This was also highlighted in other enforcement cases such as Bittrex, Inc, where OFAC highlighted the importance of sanctions compliance controls when onboarding customers.[19] In that case, Bittrex failed to conduct screening that would have enabled IP address blocking controls to be put in place to prevent customers from accessing products and services while in prohibited jurisdictions.

Danfoss A/S

In this case, OFAC highlighted, among other things, the importance of maintaining effective, risk-based sanctions compliance programmes and the particular need to ensure adequate training is given to staff (including senior management), as well as the importance of considering guidance that may be issued periodically by OFAC on relevant issues.[20] Similarly, in American Express National Bank, OFAC highlighted the importance of employee training.[21]

Hong Kong International Wine and Spirits Competition Ltd

In this case, OFSI stated that companies need to consider sanctions risk broadly to include intangible economic resources and emphasised that those operating outside of the financial sector cannot seek to rely on the compliance programmes of those in the financial industry.[22] The enforcement action was an important reminder that sanctions apply to all businesses and that it is not the sole responsibility of the finance industry to ensure compliance.

Adequate procedures

When faced with potential enforcement action, one of the key questions organisations should be asking themselves is whether they had adequate procedures in place to prevent sanctions violations. ‘Adequate procedures’ are not defined in any guidance but generally speaking they are the measures an organisation has in place to mitigate the risk of sanctions violations. They are the components of a sanctions compliance programme that have been dealt with in this chapter.

It is entirely possible for an organisation to have adequate procedures in place and still experience sanctions violations; no system is perfect. However, being in a position to demonstrate to an enforcement agency such as OFAC or OFSI that your organisation had adequate procedures in place may be the difference between a breach being found to be egregious or not[23] and will undoubtedly influence enforcement agencies when they consider whether the violation has arisen from wilful or reckless conduct by the organisation and its employees. Being able to demonstrate that adequate procedures were in place, albeit a violation still occurred, could be significant in ensuring lower penalties.

In this regard, the approach to a sanctions compliance programme is similar to that which an organisation would take under the UK Bribery Act 2010 (UKBA). The UKBA provides a defence[24] to organisations if they are able to show that they had adequate procedures in place designed to prevent an offence of bribery occurring. Where the approach differs is that although having adequate procedures provides a defence against prosecution under the UKBA, the same cannot necessarily be said for sanctions violations given the use of strict liability in some jurisdictions.[25] Notwithstanding this, having adequate procedures in place is a very significant form of mitigation in the context of sanctions violations.

Consolidated compliance programmes

Sanctions compliance does not operate in isolation. It is one component of a business’s financial crime compliance framework, albeit a sometimes tricky one to design and manage. Sanctions due diligence closely aligns with that undertaken for the purposes of anti-money laundering (AML) and anti-bribery compliance and it is often the case that these are undertaken concurrently. Aligning relevant financial crime compliance programmes makes sense not only from a practical point of view, but it also has financial advantages and enables a business to mitigate its financial crime risk more effectively. Pulling together AML due diligence, screening for politically exposed persons, anti-bribery due diligence and adverse media checks means that an organisation is more likely to have a holistic view of the financial crime risks it faces and those its customers pose. The importance of due diligence across financial crime programmes and specifically to address sanctions risk has been at the heart of compliance messages over recent times, particularly as a result of the sanctions imposed against Russia, where due diligence has been key in identifying the extent of restrictions such as asset freezes.

Moreover, an organisation’s ability to articulate the potential risks a particular customer or business partner poses across the whole financial crime risk matrix gives that organisation a commercial advantage – it truly understands where its customers and business partners are, where their main places of business are and, as a consequence, where they are likely to need products and services that the organisation can provide or products and services that must be declined because of the potential increase in risk. Either way, the organisation is able to properly assess the risks. When considering this risk assessment in the context of sanctions compliance, organisations that have a mature consolidated approach to compliance will be at a distinct advantage over those that approach risk management in a siloed manner.

In an increasingly complex geopolitical environment, the most successful businesses will not only be those that know when to offer their products and services to clients, but also those that know when to say no.


Footnotes

[1] Zia Ullah is a partner and Victoria Turner is a principal associate at Eversheds Sutherland.

[4] See US Department of Justice’s guidance on ‘Evaluation of Corporate Compliance Programs’ (issued in 2019 and updated in June 2020 and March 2023), at www.justice.gov/criminal-fraud/page/file/937501/download. Although this is not specific to sanctions, it is helpful in understanding the approach enforcement agencies may take when assessing whether or not a compliance framework was adequate.

[7] See www.handbook.fca.org.uk/handbook/FCG/7/; in particular, Chapter 7, which provides examples of good practice for sanctions systems and controls.

[8] Commission Recommendation (EU) 2019/1318; although this focuses on compliance programmes for dual-use trade controls, the overarching principles are arguably relevant to any sanctions compliance programme. See https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019H1318.

[9] Office of Foreign Assets Control (OFAC), ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019), at https://ofac.treasury.gov/media/16331/download?inline.

[10] Financial Conduct Authority, ‘Financial Crime Guide’, 2.2.4. See www.handbook.fca.org.uk/handbook/FCG/2/2.html.

[11] Annex to Appendix A to 31 Code of Federal Regulations Part 501, OFAC’s Economic Sanctions Enforcement Guidelines. See www.ecfr.gov/current/title-31/subtitle-B/chapter-V/part-501/appendix-Appendix%20A%20to%20Part%20501.

[12] In the UK, the EU or the US, although the authors acknowledge that certain regulated entities may have regulatory obligations imposed on them by specific regulators, such as the New York State Department of Financial Services in the US.

[13] US Dep’t of Justice’s guidance on ‘Evaluation of Corporate Compliance Programs’. See www.justice.gov/criminal-fraud/page/file/937501/download.

[16] ibid.

[24] UK Bribery Act 2010, Section 7; see www.legislation.gov.uk/ukpga/2010/23/section/7.

[25] For example, in the UK, strict liability was imposed for financial sanctions violations occurring on or after 15 June 2022, meaning that it is not a defence for a person to say that they had no knowledge or reasonable cause to suspect that the action in question was in violation of sanctions.
