Sanctions Issues Arising in Corporate Transactions
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Sanctions risk in corporate transactions has increased steadily as sanctions have become more complex and more intertwined with other areas of regulatory compliance. To further complicate the diligence required in these transactions, the footprints of transacting parties have expanded around the globe, and expectations of various stakeholders (such as investors, lenders, insurers and regulators) have heightened. Today, a simple representation of compliance with applicable law no longer adequately addresses sanctions risk. Whether the transaction involves an acquisition, establishment of a joint venture, appointment of an agent, onboarding of a customer or even a divestiture or financing, a full understanding and review of all applicable sanctions, anti-boycott and export control requirements is necessary if enforcement risks are to be minimised.
While this chapter attempts to present diligence principles and methodologies that can be applied irrespective of the jurisdictions of the parties and businesses involved, it will not escape the reader’s notice that principles of US law are featured prominently. Examination of potential US law exposure is a necessary element of almost all transaction diligence owing to the broad extraterritorial reach of US primary sanctions and related laws and regulations affecting international business, the robust enforcement of these laws, and the wide-ranging deployment of secondary sanctions designed to advance US national security and foreign policy goals. That said, diligence must, of course, cover all potentially applicable laws and regulations. A comprehensive multi-jurisdictional review is beyond the scope of this chapter, but examples of commonly encountered issues posed by EU, UK and national laws are addressed, including the challenges presented by broad multilateral imposition of sanctions against Russia as a result of the war in Ukraine.
Scope of sanctions diligence
The establishment of new business relationships poses a myriad of risks when it comes to compliance with sanctions. This is especially so given the substantial overlap of sanctions regulation and enforcement with other regulatory areas, such as anti-boycott and export control laws and regulations. In the United States, both the Office of Foreign Assets Control (OFAC) and the export control agencies have jurisdiction over trade in goods subject to comprehensive embargoes. In addition, some sanctions programmes – notably, the Ukraine/Russia-related sanctions and the Russian Harmful Foreign Activities Sanctions – were implemented simultaneously with export control measures targeting many of the same actors, first in 2014 and then increasingly after Russia invaded Ukraine in February 2022. Furthermore, there is often a high correlation between sanctions evasion, diversion of export-controlled items and corruption. Anti-boycott regulations are viewed in some jurisdictions as sanctions subject to blocking laws. In the financial sector, sanctions compliance measures often double as a means of detecting money laundering and other financial crimes, and vice versa. The result is that sanctions diligence cannot be effective if approached in isolation – rather, prospective parties to transactions should deploy a holistic methodology to ensure that all relevant aspects of transactions are reviewed. Happily, this approach is also less time-consuming and more cost-effective.
Why diligence is important
Global businesses must comply with sanctions and other legal requirements in all jurisdictions in which they do business. This has become vastly more complicated for companies with global footprints, given the volume and scope – yet nuanced differences – of sanctions and export controls adopted by numerous jurisdictions over the past year in response to the invasion of Ukraine. This explosion of new regulation has been accompanied by a steady increase in cooperation and collaboration among the United States and its allies on both implementation and enforcement of sanctions. For example, the Russian Elites, Proxies and Oligarchs Task Force, formed by Australia, Canada, France, Germany, Italy, Japan, the UK, the US and the European Commission shortly after the invasion, has focused multilateral ‘information sharing and coordination to isolate and exert unprecedented pressure on sanctioned Russian individuals and entities’.
In turn, the US agencies have turned to closer collaboration to further US policy goals regarding implementation and enforcement of sanctions and export controls. As part of these joint efforts, on 2 March 2023, the US departments of the Treasury, Justice and Commerce published a ‘Tri-Seal Compliance Note’ urging multinational companies to be ‘vigilant in their compliance efforts and be on the lookout for possible attempts to evade U.S. laws’ and reminding the public of the US government’s ‘unprecedented enforcement efforts to aggressively prosecute those who violate U.S. sanctions and export control laws’.
However, notwithstanding this trend towards more multilateral and inter-agency cooperation, even small companies that do international business face a risk of both civil and criminal penalties for violating US sanctions due to their activities abroad. Often, requirements of one jurisdiction conflict with those of another (as, for example, when efforts to impose compliance with US primary sanctions run up against EU or national blocking statutes) or apply alongside those of another (such as when US export control rules applicable to items manufactured outside the United States apply in addition to the export control rules of the country of manufacture). In addition, the increasing application of US secondary sanctions creates sanctions risks for companies even if they are in compliance with applicable local laws and not subject to US primary sanctions.
Another source of risk is the expansion ‘by operation of law’ of the list-based sanctions of several jurisdictions to entities owned or controlled by listed parties, which requires not only name screening of potential business partners but also an examination of their ownership and control.
Moreover, owing to the ‘long-arm’ reach of US export control regulations outside the United States to encompass re-exports (from one country to another) and transfers (within another country), non-US companies have not been immune from enforcement action for violations of US export controls and related sanctions. Recent examples include the imposition of fines against a Lebanese company for re-exporting engines of US origin to Syria and OFAC’s action against a dental supply company for exporting dental products of US origin to third-country distributors with knowledge that the exports were destined for Iran. Non-US companies also face the risk of being targets of enforcement for evading US sanctions or helping others to evade US sanctions, penalties for causing US persons to violate sanctions, and secondary sanctions for providing material assistance to sanctioned persons. For instance, OFAC penalised a Hong Kong company in January 2022 for omitting references to underlying transactions involving Iran in its US dollar-denominated wire payments, thereby causing the US financial institutions that processed the payments to violate US sanctions. The company settled with OFAC for over US$5 million, despite the fact that the company’s employees had acted contrary to company-wide policies and procedures, thereby demonstrating the importance of actively ensuring compliance rather than passively relying on employees to follow policies and procedures. As Deputy Attorney General Lisa O Monaco stated in her keynote remarks at the ‘2022 GIR Live: Women in Investigations’ conference in June 2022:
Every company needs to be pressure-testing its sanctions compliance program, for instance through risk assessments, technology upgrades and industry benchmarking. Every board of directors of such a company should be inquiring whether it is conducting necessary oversight of the company’s sanctions controls. Every corporate officer should be committed to ensuring they have the programs, culture, personnel and counsel to identify problem areas and navigate the rapidly changing landscape. And for anyone who seeks to evade sanctions, the warning is simple: the Justice Department is coming for you.
Long-arm reach is further extended by the broad definition of items subject to the Export Administration Regulations (EAR), which include not only US-origin items and items in the United States, but also foreign-produced items that are subject to the de minimis or foreign-direct product rules. The EAR de minimis exemption excludes from EAR jurisdiction certain foreign-made items that incorporate not more than a de minimis level of US ‘controlled content’ (itself broadly defined), which ranges from zero to 25 per cent, depending upon the nature of the item and the location of the customer to which the item is sold. The foreign-direct product rules expand EAR jurisdiction to reach certain items produced outside the United States with specified US-origin technology or software or by plants that are a direct product of specified US-origin technology. In certain cases, depending upon the end user or destination of the item, a broader scope of products would be caught by the applicable foreign-direct product rule (e.g., products destined for customers on the Entity List, military end users in Russia or Belarus, or certain end uses in China).
In the merger and acquisition (M&A) context, due diligence is a must if the risk of successor liability for sanctions and export control violations and other offences is to be assessed. Transactions structured as mergers generally pass liability for the pre-transaction activities of the acquired entity to the buyer by operation of law, but successor liability can also arise from stock purchases, as well as transactions structured as asset purchases. Of course, stock purchases that maintain the separate status of the target entity do not create successor liability for the buyer in the strictest sense of the term, but enforcement costs incurred by the target entity in connection with pre-completion violations, with the associated reputational costs, will diminish the value of the buyer’s investment in the target entity. Even in jurisdictions without successor liability, difficulties may arise when company assets may include the proceeds of previous sanctions and export control violations.
As for asset purchases, in a string of US cases, beginning with Sigma-Aldrich in 2002, the Bureau of Industry and Security of the US Department of Commerce (BIS) has interpreted the International Emergency Economic Powers Act (IEEPA) and the EAR to impose successor liability for export violations on purchasers of assets when ‘substantial continuity’ of the business results from the transaction. Notably, IEEPA is also the statutory underpinning for all US sanctions programmes except the Cuban embargo. The Trading with the Enemy Act, which authorises the Cuban embargo, contains provisions similar to the IEEPA provisions interpreted in Sigma-Aldrich, and goes a step further by purporting to impose obligations on non-US entities owned or controlled by US persons. Sigma-Aldrich thus laid the groundwork for both BIS and OFAC to impose successor liability on purchasers of assets when the purchased assets constitute a business that continues under the new owner. As outlined in Sigma-Aldrich, a finding of ‘substantial continuity’ will be supported when:
the successor: (1) retains the same employees, supervisory personnel and the same production facilities in the same location; (2) continues production of the same products; (3) retains the same business name; (4) maintains the same assets and general business operations; and (5) holds itself out to the public as a continuation of the previous corporation.
The decision in Sigma-Aldrich was not appealed and the parties entered into a settlement agreement, following which the BIS position on successor liability was applied in subsequent settlement agreements with both BIS and OFAC.
The Directorate of Defense Trade Controls (DDTC), which administers the International Traffic in Arms Regulations pursuant to the Arms Export Control Act, likewise has a long history of imposing successor liability dating back to 2003, when the DDTC entered into a consent agreement with Hughes Electronics Corporation and Boeing Satellite Systems, Inc (formerly Hughes Space and Communications). The consent agreement imposed penalties for violations that occurred several years prior to Boeing’s acquisition of the Hughes space and communications division in 2000. Since 2003, the DDTC has made regular use of consent agreements to assert enforcement jurisdiction over businesses sold by companies subject to consent agreements, whether in stock or asset transactions. The most recent agreements feature an expanded version of the standard consent agreement clause utilised for this purpose. In addition, the DDTC’s position on successor liability is further bolstered by its policy of requiring registered defence companies to agree in writing to assume responsibility for pre-acquisition export licences issued to the acquired business.
Although the US position on successor liability has been criticised by legal scholars, as a practical matter, given OFAC’s sweeping discretionary powers and the ability of US export agencies to deny export privileges, parties have tended to settle enforcement actions rather than embark on time-consuming and expensive challenges to agency authority. As a result, the risk of enforcement actions based on the successor liability concept remains an important focus of sanctions and export control diligence.
In addition to the role of due diligence in detecting potential successor liability, diligence in M&A transactions is essential if patterns of violative behaviour that may continue post-closing are to be discovered. OFAC has shown little patience for companies that have allowed violations to continue post-closing, imposing penalties in a series of recent cases notwithstanding voluntary disclosures filed by the acquirers. Root causes of violations emphasised by OFAC included being ‘slow to integrate the subsidiary into the . . . corporate family, including with respect to compliance with U.S. sanctions’ (Expedia); failure to ‘implement procedures to monitor or audit [the subsidiary’s] operations to ensure that its Iran-related sales did not recur post-acquisition’ (Stanley Black & Decker); and not undertaking ‘a fuller internal investigation’ upon receipt of helpline reports of continued sales to Cuba (AppliChem). On 30 March 2023, OFAC announced a US$30 million settlement with Wells Fargo Bank, NA, which, after acquiring Wachovia Bank in 2018, provided a former Wachovia Bank customer with software that enabled it to process trade finance transactions with US-sanctioned persons and jurisdictions. In Kollmorgen, a penalty was imposed, notwithstanding the buyer’s ‘extensive efforts’ to ensure its newly acquired subsidiary was complying with US sanctions, because that subsidiary’s management engaged in ‘egregious conduct’ by actively obfuscating continued sales to Iran in an attempt to thwart the buyer’s compliance efforts. Similarly, in Keysight, a penalty was imposed despite the buyer’s directive to its newly acquired subsidiary that continued sales to Iran should cease and the newly acquired subsidiary’s assurance that they had – although, as in Kollmorgen, the newly acquired company continued sales that were actively concealed from the buyer. 
However, OFAC and other agencies have made it clear that uncovering potential violations during the diligence process is not enough. OFAC’s compliance framework, issued in 2019, notes that mergers and acquisitions ‘appear to have presented numerous challenges with respect to OFAC sanctions’ but that OFAC nevertheless expects that compliance functions ‘be integrated into the merger, acquisition, and integration process’ and that ‘[w]hether in an advisory capacity or as a participant, the [buyer] engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization’s risk assessment process’. The 2021 SAP case serves as a stark reminder of the consequences of failure to address compliance gaps identified during M&A diligence and post-acquisition audits. In April 2021, OFAC, BIS and the US Department of Justice announced settlements with the German company concerning, among other things, violations of the EAR and the Iranian Transactions and Sanctions Regulations (ITSR), resulting from failure to integrate various US cloud services providers acquired in transactions dating back to 2011 into its export controls and sanctions compliance programme.
Transactional due diligence will focus on many of the same compliance issues that should be reviewed in the context of M&A activity, but for different reasons. When vetting potential agents, distributors, joint venture partners or customers, a history of non-compliance with sanctions or export control laws can foreshadow a risk of becoming embroiled in violations and enforcement actions in the future. Companies contemplating entering into a transaction with a third party with a less than stellar compliance record should take a hard look at whether the risk that the party will commit violations in the future can be adequately addressed in the agreement governing the transaction and its implementation. If the contemplated transaction is a long-term arrangement, such as a joint venture, care should be taken to ensure that the governing agreement provides a clear exit strategy if violations occur or if changes in the law render continuation of the relationship unlawful.
What your diligence review should include
Diligence in corporate transactions has both business and legal elements, and both come into play in the context of sanctions, anti-boycott and export control due diligence.
From a legal perspective, verifying compliance with legal requirements is a standard starting point. However, establishing that a target company or potential business partner is in compliance with all applicable legal requirements prior to entering into a transaction will not suffice, as new requirements and risks may take effect when the transaction is consummated, with both business and legal implications.
For example, non-US businesses that come under the ownership or control of US persons will become subject to US anti-boycott rules and certain US primary sanctions requirements upon completion of the transaction. In the anti-boycott context, the rules apply to ‘US persons’, which is defined to include ‘controlled in fact’ foreign subsidiaries, affiliates or other permanent foreign establishments of US business entities, which are termed ‘domestic concerns’ in the rules. ‘Control in fact’ is defined to consist of ‘the authority or ability of a domestic concern to establish the general policies or to control day-to-day operations of its foreign subsidiary, partnership, affiliate, branch, office, or other permanent foreign establishment’.
In the sanctions context, both the Iran and Cuba sanctions extend to non-US entities ‘owned or controlled by’ US persons. The ITSR provide that:
an entity is ‘owned or controlled’ by a United States person if the United States person:
- Holds a 50 percent or greater equity interest by vote or value in the entity;
- Holds a majority of seats on the board of directors of the entity; or
- Otherwise controls the actions, policies, or personnel decisions of the entity.
Although what constitutes ownership or control is undefined in the regulations governing the Cuba sanctions programme, the definition applicable to Iran reflects OFAC’s long-standing interpretation of the reach of the Cuba sanctions as well.
Diligence should be designed to both ferret out historical compliance lapses and identify activities that will not be permitted post-completion, as well as the effects of implementing prohibitions on the business outlook. Cessation of activities that will be unlawful under US ownership or control may have a material adverse effect on the financial outlook of the acquired business, while compliance failures post-completion will give rise to enforcement risk. Nevertheless, the parties may decide to proceed with the transaction, notwithstanding any detrimental effect on the business that would result from the need to cease certain operations post-completion. In these cases, further diligence should be conducted regarding the legal risks associated with cessation so that advice can be taken on how best to navigate any potential roadblocks, such as those posed by ‘blocking’ statutes. Several jurisdictions, as well as the European Union, have adopted blocking measures to counteract extraterritorial application of US sanctions against Cuba and Iran, while Canada has restricted its blocking measures to the Cuba embargo and German law targets foreign boycotts. Thus, advice should be taken before completion so that an appropriate plan of action can be formulated, bearing in mind recent enforcement actions against US companies that failed to prevent their recently acquired non-US subsidiaries from continuing business with Cuba and Iran. Litigation risk arising from breach of contract claims brought by parties to discontinued relationships may also be a factor.
Transactional diligence, like compliance programmes, should also be customised to fit the risks presented and the risk appetites of the parties. Some companies subject all potential agents or distributors to background checks; others only apply these requirements to relationships with third parties located in countries or regions considered high risk from a sanctions, corruption or export diversion perspective. In the absence of red flags, third-party certification of matters such as ownership and control, as well as compliance, can be considered in place of more extensive diligence.
Diligence checklists must be the subject of continuous improvement. Laws and regulations in the sanctions and export control area change frequently, and these changes usually spawn new diligence requirements, as do new enforcement actions and agency guidance.
In each transaction, care should be taken to ensure that compliance with all applicable sanctions and export controls is reviewed, based on the jurisdiction of formation and places of business, as well as products and services of the target company.
When considering doing business with, or acquiring, a company with operations outside the United States, possible secondary sanctions risk based on the nature of the target’s business must also be considered. US secondary sanctions target those doing business with numerous sectors of the Iranian economy, as well as Russia, Venezuela and North Korea, among other countries.
Relationships with customers, agents or distributors in countries or regions characterised by high risk for diversion or corruption should also be scrutinised carefully – several countries in Asia and the Middle East come to mind in this regard, although, perhaps surprisingly to some, US law enforcement officials also view Canada as a country of diversion risk. As OFAC’s April 2022 enforcement action against Newmont Corporation indicates, strong controls on dealings with suppliers are critical, including with respect to a company’s subsidiaries. In that case, Newmont Corporation’s wholly owned subsidiary, Newmont Suriname, failed to include in its purchase orders express statements that no items provided to it may originate from embargoed jurisdictions, and did not obtain country-of-origin information for the goods it acquired from its suppliers. As a result, Newmont Suriname unintentionally purchased Cuban-origin explosives and other prohibited items from a third-party vendor, in apparent violation of the Cuban Assets Control Regulations.
In light of the risk that financing of transactions can itself be the source of sanctions violations, buyers and other borrowers should screen any banks and other financial institutions providing loans and lines of credit and the like. Inversely, lenders should carefully consider the risk that any borrower would directly or indirectly use any proceeds from the lender for sanctions violations or repay a loan using the proceeds of sanctions violations. OFAC also released compliance guidance in September 2022 regarding new payment technologies such as instant payment systems that allow near-instantaneous transmission and receipt of payments. While OFAC acknowledged that ‘there is no one-size-fits-all approach to managing sanctions risks with regard to instant payment systems’, it also encouraged financial institutions to evaluate their risks based on their ‘geographic locations and the extent of [their] international presence; the location, nature, and transactional history of [their] customers and their counterparties; the specific products and financial services [they] offer; and [their] size and sophistication’.
Other often overlooked but important areas of potential liability when conducting due diligence on non-US companies include application of US sanctions and export control de minimis rules and compliance with US export controls applicable to foreign-produced items. Many non-US companies are unaware of the extent to which their products might be subject to US export controls and sanctions as a result of incorporating components of US origin or that have been manufactured using US technology or plant and equipment.
Due diligence should also be designed to uncover practices that have tended to circumvent compliance. For instance, in April 2022, OFAC settled with S&P Global, Inc for apparent violations of the Ukraine-Related Sanctions Regulations in connection with extension of credit to JSC Rosneft, a state-owned Russian oil company, in violation of the debt and equity restrictions imposed by Executive Order 13662. The extensions of credit that caused the apparent violations occurred after Rosneft failed multiple times to timely make payments to S&P, and also failed to timely respond to S&P’s requests for payment. S&P ultimately reissued and re-dated multiple invoices to continue to extend credit to Rosneft, leading OFAC to observe that ‘[t]his case underscores the importance of careful adherence to OFAC regulations, including in cases where counterparties may make compliance challenging’.
Though traditionally an exercise conducted primarily by the buyer, the increasing convergence of sanctions and export controls with other areas of law and regulation, including national security, anti-money laundering (AML) and anti-corruption, has given rise to diligence obligations for all parties to the transaction. In transactions that may be reviewed by the Committee on Foreign Investment in the United States, both parties will need to assess the export controls applicable to the target US business to assess whether mandatory filing requirements apply, and sellers will want to assess the sanctions and export control compliance history of potential non-US buyers, given new rules that ban companies with a history of violations of US sanctions and export controls from enjoying certain exceptions to the mandatory filing requirements. Investors and bankers providing financing for a transaction will want to ensure sanctions and anti-financial crime compliance by all parties, as well as compliance with export controls and sanctions by the acquired company. Representation and warranty insurers likewise will be alert for compliance lapses so that material violations can be excluded from coverage.
As much as possible without compromising compliance, diligence should be streamlined to avoid having to go over the same ground multiple times. Particularly in the context of M&A activity, the target company’s appetite and capacity for responding to diligence requests can wane in the face of competing queries from a myriad of business and legal teams. Furthermore, the rapid pace of change in US sanctions laws (particularly in the context of recent expansion of the Russia sanctions), including the increasingly multilateral approach to international sanctions, can pose compliance risks that require a fine-tuned approach to due diligence. For instance, in the year following Russia’s invasion of Ukraine in February 2022, OFAC and BIS have each published over 50 regulatory actions involving Russia, including adding over 2,500 Russia-related targets to the Specially Designated Nationals and Blocked Persons List and over 100 Russia-related targets to the BIS Entity List, and related sanctions and export controls of other jurisdictions have likewise expanded substantially.
Efficiencies can be achieved in the M&A context by minimising the number of requests for the same information. For example, questions relating to sanctions risk assessment, internal controls, testing and auditing, compliance training and management’s demonstrated commitment to comply with applicable sanctions and export control law can be grouped with similar questions about other relevant compliance matters. Further efficiencies can be achieved if the various subject matter experts reviewing the responses to diligence queries coordinate their efforts to avoid having multiple reviewers pore over the same document. In addition, compliance efforts may be fine-tuned by being consolidated, where possible, across multiple sanctions jurisdictions and by proactively accounting for rules that have been announced but are not yet effective.
When onboarding business partners, deployment of multiple work streams should be avoided. Questions relating to sanctions, anti-corruption, AML and export compliance should be consolidated into one online or paper form rather than sprinkled throughout a variety of documents and certifications. OFAC has signalled approval of this holistic approach. In a release regarding its 2019 enforcement action against Apollo Aviation Group, LLC, OFAC emphasised the importance of know-your-customer (KYC) diligence – traditionally the purview of export and AML compliance guidelines – in the context of sanctions compliance, noting ‘the importance of companies operating internationally to implement Know You [sic] Customer screening procedures and implement compliance measures that extend beyond the point-of-sale and function throughout the entire business or lease period’.
What to do if historical breaches are uncovered
If the diligence process uncovers historical breaches, the parties must decide how to proceed.
If compliance issues are discovered while conducting a background check of a potential customer or distributor, the way forward will depend on whether a relationship is off-limits as a result of the discovery (for example, if the party is on an asset freezing or other applicable sanctions list) or whether a trustworthy relationship can nevertheless be achieved in spite of historical issues (perhaps by imposing and monitoring adherence to various compliance terms and conditions).
In the M&A context, in many cases the seller will learn of the historical breaches first while preparing responses to the buyer’s diligence queries. At this point, it will be important to consider whether a disclosure should or must be filed. In the United States, most disclosure processes are voluntary rather than mandatory. However, given the substantial reduction in potential fines for sanctions and export control violations that are voluntarily disclosed, many companies will decide to make a disclosure so as to reduce potential exposure. In some instances, the violation may be deemed not to warrant disclosure (such as a minor record-keeping violation), in which case the seller may elect to implement corrective action and disclose the matter to the buyer but not to the relevant agency.
That said, recent changes in the BIS policy regarding voluntary self-disclosures to that agency have complicated the decision-making process. Voluntary self-disclosure has traditionally been applied as a mitigating factor when assessing civil penalties in enforcement actions. However, in April 2023, the Assistant Secretary for Export Enforcement announced that, going forward, BIS will consistently consider failure to disclose a ‘significant possible violation’ as an aggravating factor. As a result, companies are now on notice that self-disclosure will result in a ‘sharply reduced penalty’, while by failing to disclose a significant possible violation, ‘they risk a sharply increased one’. The new policy was not accompanied by guidance on how the agency intends to define ‘significant’ for these purposes, thereby making it difficult to make the necessary assessment. Some have argued that the new policy disincentivises self-disclosure. On the other hand, the Assistant Secretary’s announcement also emphasised various benefits of disclosing apparent misconduct by others, such as exceptional cooperation credit in both pending and future enforcement actions and monetary awards available to whistle-blowers. Given the likelihood that both the seller’s and the buyer’s employees will be aware of potential violations discovered during the due diligence process, the risk that enforcement agencies will become aware of possible violations that are not voluntarily disclosed will be heightened – and this factor, in turn, will have to be weighed by parties that may be inclined not to disclose.
Neither OFAC (which has substantially similar guidelines for assessment of civil penalties) nor the DDTC has publicly adopted a similar new approach to penalty assessment. Likewise, the Department of Justice has not announced any change in its approach to assessment of criminal penalties. Of course, a decision on whether to disclose potential criminal conduct is not to be taken lightly in any context, but the decision in the SAP case, announced in late 2019 and described by the Department of Justice as the ‘first-ever resolution pursuant to the Department’s Export Control and Sanctions Enforcement Policy for Business Organizations’, does illustrate the benefits of disclosure in appropriate circumstances, in the form of substantially reduced penalties, at least under current policy. Whether other agencies will follow the BIS lead remains to be seen.
However, there are circumstances in which disclosure is mandatory (for example, the requirement under the International Traffic in Arms Regulations to disclose violations involving arms embargoed countries, such as China). In addition, in some jurisdictions there may be mandatory obligations to report known or suspected breaches of AML laws or terrorist financing prohibitions, as well as specific obligations to report known or suspected breaches of sanctions. Moreover, EU regulations giving effect to sanctions laws are accompanied by general obligations to report information that would facilitate compliance.
If the filing of a disclosure is determined to be warranted or required, or if an enforcement action is commenced during the period of diligence, the buyer and its counsel may wish to have input into the disclosure or response to the enforcement action. In these circumstances, a joint defence agreement may be considered as a means of protecting privilege. In the absence of a joint defence agreement, sellers should keep in mind that legal privilege does not attach to responses to the buyer’s diligence queries. Furthermore, depending upon the jurisdiction, disclosures to one’s own in-house counsel likewise may not be protected, in which case it may be prudent to channel compliance diligence regarding potentially sensitive matters through external counsel.
Both parties can and should take steps to remediate compliance breaches and enforcement risks identified during diligence.
In the lead-up to a merger or acquisition, a seller that discovers historical breaches bears primary responsibility for stopping the unlawful conduct and beginning to implement corrective actions. However, while some remediation steps (such as disciplining employees involved in the misconduct) can be taken fairly quickly, other more systemic responses (such as overhauling compliance programmes and procedures) may be best left to the buyer, particularly if the buyer has a robust compliance programme that it intends to roll out to the newly acquired business. In these instances, the seller may choose to only implement those short-term remediation measures required to ensure that no further breaches occur prior to the closing.
The buyer, however, is responsible for lapses that continue or occur on its watch, and several recent OFAC enforcement actions discussed in this chapter (Keysight, Expedia, Stanley Black & Decker, AppliChem and Kollmorgen) illustrate the importance of regular compliance monitoring in the context of integrating newly acquired businesses. Therefore, it is not enough merely to have compliance policies and procedures and provide training; companies must also monitor compliance with their policies and procedures if they wish to avoid enforcement action.
This can be of particular concern for newly acquired non-US companies. For instance, as the Keysight and Kollmorgen cases highlight, parent companies should be particularly careful when acquiring non-US companies that have pre-existing relationships with sanctioned persons and jurisdictions that may continue despite directives from the parent company to the non-US subsidiary that these relationships be terminated. As in both Keysight and Kollmorgen, the non-US subsidiary may even undertake efforts to conceal continued business with sanctioned parties from the parent company by falsifying corporate records. Because of the risk that non-US subsidiaries may continue to do business with sanctioned parties, it becomes particularly important for companies acquiring non-US companies not simply to rely on certification from non-US subsidiaries that they have ceased the business, but also to take proactive steps to ensure that the business has actually ceased by insisting on parent company visibility into the newly acquired non-US subsidiary’s corporate records. Although in both Keysight and Kollmorgen the buyer did not have knowledge of its newly acquired subsidiary’s continued sales to Iran, in Kollmorgen OFAC detailed the buyer’s ‘extensive efforts’ to ensure post-acquisition compliance and determined the violations to be non-egregious (imposing a base penalty of only US$7,434 rather than the US$750,000 that would have been imposed if OFAC had found the violations egregious). In finding the violations non-egregious, OFAC credited the buyer’s ‘extensive and preventative remedial conduct’. 
However, in Keysight, in which OFAC did not make a similar finding as to the buyer’s post-acquisition compliance efforts, OFAC found the violations egregious and imposed a base penalty of US$1,051,460 (half the statutory maximum) – the lesson being that the more post-acquisition diligence that is conducted, and the more remedial measures that are implemented, the more likely the buyer is to receive leniency from OFAC should violations continue to occur post-closing. The SAP case also illustrates the benefits of remediation. As noted by the Department of Justice, ‘SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated.’ The disclosure, cooperation and remediation culminated in a non-prosecution agreement with the Department of Justice and administrative agreements with OFAC and BIS.
In the context of agreements with customers and other third parties, the parties must decide the extent to which a breach of compliance obligations triggers termination rights. The agreement should also clearly address the role that each party will play in remediation, in the absence of a triggering breach.
Supplementing diligence with compliance representations and covenants
Agreements recording corporate transactions, whether with business partners or buyers or sellers of businesses, contain numerous clauses designed to allocate risks associated with past or future violations.
All agreements should contain basic representations and warranties about the identity and ownership of the parties. To the extent that an agreement is intended to govern a relationship between the parties going forward, it should include covenants of both parties to advise the other if its circumstances change (e.g., if it or any of its owners is added to a sanctions list), as well as covenants to comply with applicable sanctions and export controls, related information exchange and termination rights, and, if applicable, rights and obligations of the parties in connection with any required remedial action.
The OFAC enforcement action against Apollo illustrates the importance OFAC assigns to regular compliance monitoring in the context of customer relationships. Although the party to whom Apollo leased aircraft engines failed to comply with lease provisions that prohibited the transfer of the engines to a country subject to US sanctions, and the violations were disclosed voluntarily, OFAC nevertheless penalised Apollo, noting that:
Notwithstanding the inclusion of this clause, Apollo did not ensure the aircraft engines were utilized in a manner that complied with OFAC’s regulations. For example, at the time, Apollo did not obtain U.S. law export compliance certificates from lessees and sublessees. Additionally, Apollo did not periodically monitor or otherwise verify its lessee’s and sublessee’s adherence to the lease provision requiring compliance with U.S. sanctions during the life of the lease.
Caution should be exercised, however, as including unmanageable audit requirements in agreements with customers and other third parties can come back to haunt companies that do not avail themselves of their audit rights. This is another area in which collaboration between various compliance functions within a company can add value. For example, personnel who conduct periodic audits for other purposes, such as financial or quality control, can be trained to incorporate checks for sanctions and export compliance into their audit process.
In the M&A context, representations and warranties regarding past compliance are critical, but there is a tension between the objectives of the buyer and seller in negotiating these clauses. Sellers will often prefer to couch these representations and warranties with varying degrees of materiality and knowledge qualifiers, while buyers may favour more robust disclosures.
Purchase agreements typically also contain various provisions under which a buyer may seek indemnification from a seller for breaches of representations and warranties. These clauses impose monetary limitations on recovery, require claims to be made within a certain time, and exclude claims for known exceptions disclosed to the buyer. Occasionally, the parties may agree to include special indemnity provisions relating to potentially significant issues. It is important to understand, however, that the indemnification clauses, read in the context of the representations and warranties, will define the limits of the seller’s responsibility to reimburse the buyer for costs associated with pre-completion compliance lapses. As a result, buyers must satisfy themselves during the diligence process that they are willing to bear any enforcement risk not covered by the negotiated indemnity or representation and warranty insurance, which typically excludes coverage of damages arising from known material violations.
Ongoing diligence expectations
In the end, irrespective of the scope of the representations and warranties that may be negotiated, or how ‘clean’ the results of a diligence review may be, the enforcement agencies have made clear their expectation that acquirers should conduct further diligence post-completion and that parties to commercial agreements should monitor compliance for the life of the relationship. For instance, OFAC’s US$862,318 settlement with First Bank SA and JC Flowers & Co in August 2021 arose from First Bank’s alleged violations after being acquired by JC Flowers, and JC Flowers’ failure to ensure that First Bank understood the full scope of US sanctions applicable to financial institutions without a physical presence in the United States. Among other things, OFAC clearly expects buyers to conduct heightened diligence of parties known to do business with countries or entities subject to OFAC sanctions, appoint management personnel who are committed to compliance, conduct regular audits and risk assessments, provide ongoing training, and respond to red flags promptly. In the context of commercial relationships, OFAC expects risk assessments, exercise of caution when doing business with entities with known contacts with OFAC-sanctioned entities and jurisdictions, compliance monitoring throughout the life of the relationship, training, KYC screening procedures and, when applicable, the obtaining of compliance certification.
In light of these ongoing diligence and compliance expectations, buyers evaluating potential mergers or acquisitions and parties contemplating commercial transactions should ensure that their pre-completion due diligence includes not only an assessment of the legal and business risks discussed in this chapter, but also an evaluation of their capacity to meet the expectations of regulators for ongoing diligence and compliance, as well as the enforcement risks they will face if these expectations are not met.
 Barbara D Linney is a partner and Orga Cadet is an associate at Baker & Hostetler LLP.
 US ‘primary’ sanctions are those that proscribe behaviour of US persons (and, in the case of Cuba and Iran sanctions, non-US entities owned or controlled by them). ‘Secondary’ sanctions are those that do not proscribe conduct but rather impose consequences on persons engaging in activities identified as contrary to US national security or foreign policy.
 See ‘Global Advisory on Russian Sanctions Evasion Issued Jointly by the Multilateral REPO Task Force’ (March 2023) at https://finance.ec.europa.eu/system/files/2023-03/230309-repo-global-advisory_en.pdf (last visited 17 April 2023).
 Office of Foreign Assets Control (OFAC), ‘Department of Commerce, Department of the Treasury, and Department of Justice Tri-Seal Compliance Note: Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls’ (March 2023).
 OFAC, ‘OFAC Settles with Chisu International Corporation for $45,908 Related to Apparent Violations of the Cuban Assets Control Regulations’ (April 2022) (apparent violations against a ‘small company largely overseen by a single individual [that] failed to understand U.S. prohibitions on dealings in Cuban property or engaging in transactions related to merchandise of Cuban origin outside the United States’).
 See OFAC, ‘Revised Guidance on Entities Owned by Persons Whose Property and Interest in Property Are Blocked’ (2014); European Commission Opinion of 19 June 2020 on Article 2 of Council Regulation (EU) No. 269/2014; Office of Financial Sanctions Implementation, ‘UK Financial Sanctions: General guidance for financial sanctions under the Sanctions and Anti-Money Laundering Act 2018’ (December 2020), at 17. While OFAC prohibits certain dealings with non-listed entities based on ownership considerations (generally, 50 per cent or more ownership by one or more blocked persons), it merely cautions against dealings with non-listed entities that are only controlled – but not 50 per cent or more owned – by one or more blocked persons. In contrast, the United Kingdom prohibits dealings both with non-designated entities owned by one or more designated persons and with non-designated entities that are only controlled by one or more designated persons.
 See, e.g., Bureau of Political Military Affairs, US Dep’t of State, BAE Systems plc Consent Agreement (2011); Bureau of Political Military Affairs, US Dep’t of State, Qioptiq S.a.r.l. Consent Agreement (2008). See also Bureau of Industry and Security, US Dep’t of Commerce (BIS), Order Relating to Ghaddar Machinery Co., SAL (2019) (Ghaddar).
 OFAC, ‘DENTSPLY SIRONA Inc. Settles Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (2019) (Dentsply).
 See Ghaddar (footnote 7); Dentsply (footnote 8).
 OFAC, ‘OFAC Settles with Sojitz (Hong Kong) Limited for $5,228,298 Related to Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (January 2022).
 US Department of Justice, ‘Deputy Attorney General Lisa O. Monaco Delivers Keynote Remarks at 2022 GIR Live: Women in Investigations’ (June 2022).
 15 C.F.R. §§ 730–774.
 Sigma-Aldrich Business Holdings, Inc., Case No. 01-BXA-06, US Dep’t of Commerce (29 August 2002) (Sigma-Aldrich).
 International Emergency Economic Powers Act (codified at 50 U.S.C. § 1701).
 ibid. The Export Administration Regulations also include the US anti-boycott rules. See 15 C.F.R. Part 760.
 See Sigma-Aldrich (footnote 14), at 6, 7 and 12.
 Trading with the Enemy Act (codified at 50 U.S.C. § 4301).
 Sigma-Aldrich (footnote 14), at 9.
 See, e.g., BIS, Order Relating to Sirchie Acquisition Company, LLC (2010), and related Settlement Agreement (2009); Dentsply (footnote 8).
 22 C.F.R. §§ 120–130.
 Arms Export Control Act (codified at 22 U.S.C. 2778 (2014)).
 Bureau of Political Military Affairs, US Dep’t of State, Order, In the Matter of Hughes Electronics Corporation and Boeing Satellite Systems, Inc., and related Consent Agreement (2003).
 See, e.g., Bureau of Political Military Affairs, US Dep’t of State, Order, In the Matter of 3D Systems Corporation, and related Consent Agreement, § 5; and Bureau of Political Military Affairs, US Dep’t of State, Order, In the Matter of Honeywell International Inc., and related Consent Agreement, § 5.
 See ‘Sample 5-Day Notice’ (for Buyer), ‘Updating a Registration: Notification of Change for Mergers, Acquisitions, and Divestitures’, Directorate of Defense Trade Controls, at www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=fc8aaa9adb74130044f9ff621f9619c3#tab-mad (last accessed 25 June 2020).
 See, e.g., OFAC, ‘OFAC Settles with Keysight Technologies Inc., as Successor Entity to Anite Finland OY, with Respect to Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (2020) (Keysight); OFAC, ‘Expedia Group, Inc. (“Expedia”) Settles Potential Civil Liability for Apparent Violations of the Cuban Assets Control Regulations’ (2019) (Expedia); OFAC, ‘Stanley Black & Decker, Inc. Settles Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations Committed by its Chinese-Based Subsidiary Jiangsu Guoqiang Tools Co. Ltd’ (2019) (Stanley Black & Decker); OFAC, ‘AppliChem GmbH Assessed a Penalty for Violating the Cuban Assets Control Regulations’ (2019) (AppliChem); OFAC, ‘Kollmorgen Corporation Settles Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (2019) (Kollmorgen).
 OFAC, ‘OFAC Settles with Wells Fargo Bank, N.A. for $30,000,000 Related to Apparent Violations of Three Sanctions Programs’ (2023).
 Kollmorgen (footnote 26), at 3.
 Keysight (footnote 26), at 1–2.
 OFAC, ‘A Framework for Compliance Commitments’ (May 2019), at 4–5.
 OFAC, ‘OFAC Settles with SAP SE for Its Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations’ (2021) (SAP). See also, ‘SAP Resolves Allegations of Export Control Law Violations with US$3.29 Million Administrative Settlement, Bureau of Industry and Security’ (2021); US Department of Justice, ‘SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ’ (2021); Non-Prosecution Agreement between SAP and the US Department of Justice (2021), available at www.justice.gov/opa/press-release/file/1390531/download.
 Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560.
 Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560; Cuban Assets Control Regulations, 31 C.F.R. Part 515.
 15 C.F.R. § 760.1(b).
 15 C.F.R. § 760.1(c).
 31 C.F.R. §§ 515.329 and 560.215.
 31 C.F.R. § 560.215(b)(1).
 See, e.g., Council Regulation (EC) No. 2271/96 of 22 November 1996 protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom (as amended by Commission Delegated Regulation (EU) 2018/1100 of 6 June 2018); and, for the position in the United Kingdom, see the European Union (Withdrawal) Act 2018 and the Protecting against the Effects of the Extraterritorial Application of Third Country Legislation (Amendment) (EU Exit) Regulations 2020 (in force 10 January 2021).
 Foreign Extraterritorial Measures Act, R.S.C. ch. F-29 (1985), as amended by Bill C-54, proclaimed in force 1 January 1997; Foreign Extraterritorial Measures (United States) Order, 1992, as amended, SOR 96-84, 5 January 1996.
 Foreign Trade and Payments Ordinance, § 7 (Boycott Declaration) (Germany).
 OFAC, ‘Acteon Group Ltd. and 2H Offshore Engineering Ltd. Settle Potential Civil Liability for Apparent Violations of the Cuban Assets Control Regulations’ (2019); AppliChem (footnote 26); Stanley Black & Decker (footnote 26); Kollmorgen (footnote 26).
 OFAC, ‘OFAC Settles with Newmont Corporation for $141,442 Related to Apparent Violations of the Cuban Assets Control Regulations’ (April 2022).
 OFAC, ‘Sanctions Compliance Guidance for Instant Payment Systems’ (September 2022).
 OFAC, ‘OFAC Settles with S&P Global, Inc. for $78,750 Related to Apparent Violations of the Ukraine-Related Sanctions Regulations in 2016 and 2017’ (April 2022).
 31 C.F.R. § 800.401.
 31 C.F.R. §§ 800.219 and 802.215.
 OFAC, ‘Apollo Aviation Group, LLC (“Apollo,” now d/b/a Carlyle Aviation Partners Ltd.) Settles Potential Civil Liability for Apparent Violations of the Sudanese Sanctions Regulations’, 31 C.F.R. Part 538, 3 (2019) (Apollo).
 BIS, ‘Clarifying Our Policy Regarding Voluntary Self-Disclosure and Disclosures Concerning Others’ (18 April 2023), available at www.bis.doc.gov/index.php/documents/enforcement/3262-vsd-policy-memo-04-18-2023/file.
 US Department of Justice, ‘SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ’ (2021); Export Control and Sanctions Enforcement Policy for Business Organizations, US Department of Justice (13 December 2019), available at www.justice.gov/nsd/ces_vsd_policy_2019/download.
 22 C.F.R. § 126.1(e)(2).
 See, e.g., the anti-money laundering reporting requirements that must be implemented in EU Member States in accordance with Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (OJL 156, 19/6/2018), at 43–74.
 See, e.g., the UK reporting obligation as extended by the European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017.
 See, e.g., Expedia (footnote 26); Stanley Black & Decker (footnote 26); AppliChem (footnote 26); Kollmorgen (footnote 26).
 See Keysight (footnote 26); Kollmorgen (footnote 26).
 US Department of Justice, ‘SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ’ (2021).
 See Apollo (footnote 48).
 See, e.g., Stanley Black & Decker (footnote 26); Kollmorgen (footnote 26).
 See Apollo (footnote 48), and discussion above at ‘Streamlining diligence’.
 OFAC, ‘OFAC Enters Into $862,318 Settlement with First Bank SA and JC Flowers & Co. for Apparent Violations of Iran and Syria Sanctions Programs’ (August 2021).
 See, e.g., Kollmorgen (footnote 26); Stanley Black & Decker (footnote 26); Expedia (footnote 26); AppliChem (footnote 26).
 See Apollo (footnote 48) and discussion above at ‘Supplementing diligence with compliance representations and covenants’.