EU Sanctions Enforcement

Introduction

The use of trade and financial sanctions by the European Union (EU) has become an increasingly important element of the bloc’s foreign policy. There are currently in operation 44 sanctions programmes – known as restrictive measures in the EU – in respect of 34 jurisdictions,^[2] representing a significant increase during the past decade. When considering the applicability of EU sanctions regimes to businesses operating within the bloc, as well as sanctions implemented by the United States (US) and specific regulations enacted by individual states, the scope for inadvertent breach is considerable and the consequences severe. ^[3]

It is imperative, therefore, that businesses based in or operating within the EU have an understanding of the various regimes with which they may need to comply, including those implemented by the United Nations (UN), the EU and the United Kingdom (UK), as well as the US, which has expanded the scope of its sanctions to apply to companies and individuals throughout the world.

While there has historically been limited appetite for enforcement within EU Member States, notwithstanding the impact of the covid-19 pandemic, certain jurisdictions are beginning to identify, investigate and subsequently prosecute individuals and companies for breaching the various EU sanctions regulations and there remains considerable appetite across the EU to enforce anti-money laundering breaches.^[4] Compliance, therefore, has never been more important.

The EU enforcement framework

The European Commission (the Commission) stated in 2018 that:

any rule, no matter how carefully drafted and prepared, is only as effective as its implementation. In driving forward its policy priorities, the Commission, therefore, pays attention not only to proposing new legislation but also to ensuring that it is properly applied and enforced. ^[5]

Foreign policy within the EU has traditionally been viewed as a national competence. However, over the years, the EU has developed a common foreign and security policy (CFSP) that enables the 27 Member States to present a united front on key issues, including sanctions.

The adoption of the 1992 Maastricht Treaty introduced a legal basis for the EU’s competence for sanctions, by creating the CFSP, which is governed by Chapter 2 of Title V of the Treaty on European Union.^[6], ^[7] EU sanctions are enacted as part of the CFSP either to implement UN Security Council (UNSC) Resolutions (also known as derived sanctions within the EU) or with a view to pursuing autonomous EU foreign policy objectives independently of any UNSC Resolution.^[8] Autonomous sanctions are normally introduced when the EU opts to pursue stricter measures than those required by the UNSC or if the UNSC is unable to agree^[9] to measures against a particular country.^[10] All EU restrictive measures are then published in the Official Journal of the European Union,^[11] whereupon they automatically become enshrined in EU law and are binding and directly applicable^[12] throughout the EU.^[13]

A key strand of the EU’s sanctions policy was stated by the Council of the EU in 2018:

The effectiveness of EU restrictive measures – and also the EU’s credibility – hinges to a large degree on restrictive measures being implemented and enforced promptly and without exceptions in all Member States. ^[14]

Role of Member States

The day-to-day administration and enforcement of sanctions is delegated to the competent authorities of each Member State within the EU.^[15] Put succinctly, the competent authorities of Member States are responsible for:

• determination of penalties for violations of the restrictive measures;
• the granting of exemptions;
• receiving information from, and cooperating with, economic operators (including financial and credit institutions);
• reporting upon their implementation to the Commission;
• for UN sanctions, liaison with Security Council sanctions committees, if required, in respect of specific exemption and delisting requests. ^[16]

Each Member State must determine, therefore, the penalties that it considers to be sufficiently robust to deter transgressions, and draft and issue guidance designed to provide clarity for natural and legal persons as to their sanctions compliance obligations. Thus, depending on (1) the jurisdiction or jurisdictions in which the potential transgression has occurred, (2) the nature of the breach, and (3) the authority or authorities within the jurisdiction, or jurisdictions, that consider themselves seized, the potential offence may be criminal or civil in nature, and the penalties range from fines to custodial sentences. This lack of uniformity across the bloc is not without its critics (this is dealt with further below – see section titled ‘Criticism of the EU enforcement framework’).

The delegated authority for sanctions administration and enforcement is supported by an EU-wide system of checks and balances. The European Council has stated:

The uniform and consistent interpretation and effective implementation of the restrictive measures is an essential element ensuring their effectiveness in order to achieve the desired political objectives. Member States shall inform each other of the measures taken under the relevant legal acts and shall supply each other with any other relevant information at their disposal in connection with these acts, in particular information in respect of violation and enforcement problems and judgments of national courts. ^[17]

This information-sharing requirement is enshrined in each Regulation and is designed to ensure that there is some form of consistency of approach as regards enforcement of sanctions across the bloc.^[18] For example, Council Regulation (EU) No. 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine, mandates the following at Articles 8 and 9:

Article 8

1. 1. Member States shall lay down the rules on penalties applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.
2. 2. Member States shall notify the rules referred to in paragraph 1 to the Commission without delay after the entry into force of this Regulation and shall notify it of any subsequent amendment.

Article 9

1. 1. Member States shall designate the competent authorities referred to in this Regulation and identify them on the websites listed in Annex I. Member States shall notify the Commission of any changes in the addresses of their websites listed in Annex I.
2. 2. Member States shall notify the Commission of their competent authorities, including the contact details of those competent authorities, without delay after the entry into force of this Regulation, and shall notify it of any subsequent amendment. ^[19]

The expectation of information sharing is expanded in a Note of the Council of the European Union, which states:

Member States should also exchange information with, inter alia, other Member States, the Commission, the EEAS, Europol, Eurojust, FATF, Sanctions Committees established by the UN Security Council (including the Committee established pursuant to Resolution 1267 (1999) concerning Al-Qaida) and the UNSC Counter-Terrorism Committee, as appropriate. ^[20]

Role of the European Commission

The Commission ensures that Member States implement domestic rules on enforcement and penalties in a proper and timely manner, and take appropriate action to apply and enforce these regulations. If a Member State fails to adopt the necessary implementing rules, an infringement procedure can be started by the Commission against that Member State.^[21] In its role as guardian of the Treaties, the Commission oversees the implementation of sanctions by Member States under the TFEU.

Role of the Council of the EU

Sitting within the Council of the EU, the Working Party of Foreign Relations Counsellors (RELEX) deals with ‘legal, financial and institutional issues of the [CFSP]’,^[22] with sanctions^[23] being a priority. RELEX’s mandate includes: ‘[e]xchanging information and experiences on the implementation of specific restrictive measures regimes imposed by the EU’; ‘[c]ontributing to developing best practices among Member States in implementation of restrictive measures’; and ‘[e]xamining all relevant technical issues relating to the implementation of EU restrictive measures’.^[24]

Role of the EU courts

As enforcement of EU financial and economic sanctions takes place predominantly at the Member State level, there is a limited role for the EU supranational courts in the enforcement of restrictive measures. However, both Regulations and Council Decisions are subject to judicial review by the European Court of Justice and the General Court in Luxembourg.^[25]

Criticism of the EU enforcement framework

It has been noted that: ‘Effectiveness should be the central objective of any country’s sanctions framework, and can be measured according to a range of factors, including their economic impact, whether sanctions achieve a change of behaviour in the sanctioned target, or how widely they are implemented.’^[26] It is this final aspect that, as regards the EU, courts the most controversy.

Lack of consistency

Historically, enforcement throughout the EU has not been consistent.^[27] What is agreed to be implemented at an EU level is not necessarily implemented as required at the Member State level. There are a number of reasons for this inconsistency of approach:

• Some Member States have specific departments dedicated to monitoring and gathering information, investigating breaches of the EU sanctions regimes and subsequently enforcing in appropriate cases,^[28] while in others the subject of enforcement is a more convoluted matter.
• In some countries, there may be a lack of political impetus to pursue stringent enforcement, while in others the issue may simply be one of resourcing.
• There may be domestic legal constraints or an inclination to protect the economic interests of domestic operators regarding the enforcement of sanctions.

The result is an uncoordinated and, arguably, weak EU sanctions regime, which undermines the single market, as EU companies, including EU subsidiaries of foreign companies, have ample opportunity for sanctions evasion. Even when there are clear examples of breaches of the EU sanctions regime, enforcement has not always occurred. One example of this failure is a complaint by the European Centre for Constitutional and Human Rights that a secret meeting took place between a senior military adviser to Syria’s president, Bashar al-Assad, and top Italian officials^[29] and for which no action has been taken to date.

To compound the issue, the publicised penalties for sanctions violations as between Member States are also extremely inconsistent, as are the disjointed licensing regimes throughout the bloc. The fact that there are very few Member States that release information regarding sanctions investigations or enforcement activity creates further uncertainty, particularly for corporates looking for guidance on the creation of an effective systems and controls environment designed to minimise the potential for sanctions breaches.

Scope for evasion

EU sanctions are narrow in application, broadly requiring compliance only by those with a clear EU nexus, jurisdiction, nationality or incorporation.^[30] Given the importance of the EU’s economy to international trade, this limited application of sanctions presents innumerable opportunities for those seeking to use EU products or financial services with a view to evading the broader application of US sanctions.^[31] At present, the only tool for coordination between the Member States consists of exchanging experience and developing best practices, which, given the scope for sanctions violations without a co-ordinated EU effort, is problematic. This lack of uniformity in terms of implementation across the bloc needs to be addressed (see further, below, in the section entitled ‘The future of EU sanctions enforcement’).

Following the departure of the UK from the EU, there is scope for this type of criticism to increase. Historically, the UK was a vocal proponent of EU sanctions,^[32] and played a key part in their design, implementation and direction, as well as providing valuable intelligence on which the Council of the EU has historically relied. Its departure is likely to have a detrimental effect on both UK and EU sanctions policy, implementation and enforcement going forward.^[33]

Investigating suspected breaches

In-house counsel, senior compliance officers, c-suite executives and directors are expected to understand their business to the best of their ability, including any potential exposure to sanctions. For those working in multinational organisations, this can be a particular challenge. It is imperative, therefore, for senior directors and officers to understand the business areas that are more explicitly exposed to the risk of sanctions breaches. This can only be fully recognised following the implementation of a robust risk assessment framework, including mediation of identified issues.

However, even the strongest systems and controls framework will invariably have weaknesses. Potential breaches of sanctions can arise in a myriad of ways. Transaction monitoring systems within financial institutions may identify potential matches with specially designated nationals, sectoral sanctions identifications, and entities and individuals designated by the EU, that require investigation by monitoring teams. These investigations may be straightforward or complicated, depending on the nature of the ‘hit’. More complicated will be investigations when it is not the system that has identified the potential issue, but rather identification is by way of a whistle-blower or as part of ‘business as usual’ continuing monitoring, thereby indicating potentially active deception and obfuscation by clients and, in some cases, employees.

What is required in terms of an investigation will vary depending on the initial issues identified and the manner in which the investigation unfolds. However, key considerations at the outset of an investigation may include the following:

• investigation committee: well-run investigations will normally be directed by a central investigation committee, separate from the board, that can control the focus and progress of investigatory work. Depending on the nature of the investigation, the committee may require input from various departments, including legal, financial crime, compliance, information technology, risk, human resources (HR) and operations, as well as a representative of the board;
• scoping: the scope of the investigation should be ascertained from the outset. The size and scale of any investigation will depend on a number of factors, including the potential severity of any suspected breaches of sanctions and the efficacy of the systems and controls framework within which those potential breaches occurred. Investigations that are flexible in terms of scale tend to be the most effective;
• regulatory exposure: it is important to identify which regulators in which jurisdictions would expect to be notified of the potential or actual issue. By considering this from the outset, the terms of reference for the investigation will take cognisance of regulatory expectations, which may be gleaned from guidance, judgments or enforcement actions publicised by the relevant competent authority. When considering the regulator to which a report may need to be made, corporates should consider, inter alia, their place of registration, jurisdictions with a corporate presence, the place or places where the misconduct occurred, and the nationality and location of members of staff and clients linked to the conduct;
• potential penalties: the nature of the potential exposure to the company and any implicated individuals is obviously key. This exposure may include civil and criminal penalties, the imposition of monitors on the business, reputational impact, potential for additional scrutiny from other regulators, and costly systems and controls remediation;
• internal and external communications: communications, both internal and external, should be drafted and implemented from a central point and all external communications should be reviewed by legal counsel;
• independent legal advisers (ILAs): for larger-scale investigations, consideration will need to be given to the provision of ILAs for those in the spotlight or those whose interests will not necessarily align with those of the company;
• document preservation: document preservation protocols should be implemented and, where applicable, automatic deletion of documentation protocols suspended to ensure key evidence is not destroyed. Staff being investigated should be notified of document preservation requirements;
• HR issues: consideration of employee suspension and, potentially, termination may be required; and
• regulatory reporting: at the appropriate time, it will be important to consider whether there is an obligation to report to regulators, or whether it would be in the company’s interests to voluntarily self-report. In the former case, there may be agreements, statutes, regulations or other legal requirements that mandate some form of disclosure by the company. In the latter, providing a voluntary self-disclosure may result in a reduced penalty. In either event, it is important to note that many regulators now have open lines of communication with their foreign counterparts. It should be assumed, therefore, that disclosure to one regulator will result in information being passed to other regulators throughout the world. Reporting is considered further in the next section.

Reporting, professional secrecy and legal professional privilege

Regulatory reporting

There are two distinct reporting requirements in respect of EU sanctions. The first is a general obligation that applies to everyone and requires that natural and legal persons supply their competent authority as soon as practicable with information that would facilitate compliance with the regulations. The second is a more targeted obligation that applies to specified businesses and professions. Those businesses will vary in each jurisdiction, as will the penalties for failing to comply with the reporting expectations. The manner of reporting varies from jurisdiction to jurisdiction.

Examples of information that might be reported from the perspective of a financial institution include:

• the reason for the report;
• full details regarding the customer, including name, account name, account numbers and sort codes, bank details, residential or company address, date of birth and nationality, where known;
• full details of the remitter or beneficiary (or both), which may be available from, for example, the SWIFT^[34] message. These details may include account names, account numbers and sort codes, bank details, nationalities of payers, and dates of birth, where known;
• any other information that may be available from the transfer message, which may include references, dates, goods involved, amounts and currencies;
• intermediary information, which may include the intermediary’s role in the transfer, names, date of birth, company registration information, country of operation or nationality, address or location, account name, account number and sort code, and bank details, where known;
• ultimate beneficiary information, which may include name, account name, account number and sort code, bank details, residential or company address, date of birth and nationality, where known;
• the amount of funds in question;
• the quantity of any funds or economic resources held on behalf of the customer;
• a breakdown of the prior transactions on the account;
• the nature of the investigation undertaken and any relevant findings and remedial action;
• if reporting a breach, details of the breach; and
• the sanctions regimes to which the report relates.

Certain EU regulations, including for example, Council Regulation (EU) 2017/1509,^[35] which addresses the destabilising conduct of the Democratic People’s Republic of Korea (DPRK), require that credit and financial institutions ‘promptly report any suspicious transaction, including attempted transactions’ and notify their local financial intelligence unit ‘where there are reasonable grounds to suspect that funds could contribute to the DPRK’s nuclear-related, ballistic-missile-related or other weapons of mass destruction-related programmes or activities (“proliferation financing”)’.^[36] EU corporates must have a thorough understanding of their reporting requirements, therefore, both under the relevant regulations and pursuant to domestic requirements.

Professional secrecy and legal professional privilege

Notwithstanding the existence of reporting requirements, organisations are not required to provide any information to which professional secrecy or legal professional privilege attaches.

In common law systems, legal professional privilege and confidentiality are a fundamental feature of the rule of law. Documents are normally considered to be privileged if they contain confidential information supplied by a client to his or her lawyer, or advice supplied by the lawyer to the client. When litigation is reasonably in contemplation, the scope of privilege may be extended to third-party communications.

In civil law systems, professional secrecy requirements can vary. For example, in France, a relatively new rule, Article 226-13, in the Criminal Code concerning professional secrecy no longer mentions a specific profession: ‘The disclosure of secret information by a person entrusted with such a secret, either because of his position or profession, or because of a temporary function or mission, is punished by one year’s imprisonment and a fine of €15,000.’^[37] In Germany, however, the obligations of professional secrecy stem from both the German Criminal Code and the law regulating the legal profession. Section 43a of the Federal Lawyers’ Act provides:

A Rechtsanwalt has a duty to observe professional secrecy. This duty relates to everything that has become known to the Rechtsanwalt in professional practice. This does not apply to facts that are obvious or which do not need to be kept secret from the point of view of their significance.^[38]

It should be noted that certain jurisdictions do not consider that in-house counsel are able to assert professional secrecy over documents. This is something that should be considered by in-house counsel (or externally instructed lawyers) during any sanctions investigation.

Whenever sanctions issues are identified, and it is considered either necessary or appropriate to report to regulators, issues of professional secrecy and legal professional privilege will need to be considered, both in respect of historical documentation and documentation created as part of any investigation that is undertaken. Key considerations may include:

• in respect of historical documentation, for what purpose the document was created. Were legal counsel involved in the creation of the documentation? Was litigation reasonably in contemplation at the time the documentation was created?
• in respect of investigation-related documentation, whether lawyers are involved in providing advice or receiving information designed to inform any advice they give. Are lawyers providing legal advice or are they, in fact, providing commercial advice – a single document can include both. If third parties are involved (e.g., forensic accountants), is litigation reasonably in contemplation? If so, communications with, and documents created by, the third parties may also be covered by professional secrecy or privilege. When interviewing employees, does your jurisdiction consider the work-product to be covered by professional secrecy rules or privilege?

The decision as to whether to claim privilege or rely on professional secrecy when dealing with regulators is of the utmost importance. In general, regulators will expect companies to be entirely frank with them regarding the conduct in question,^[39] and the steps undertaken to investigate the issue. Asserting professional secrecy or legal privilege when communicating with regulators may raise doubt as to the scope of the investigation undertaken and the conclusions reached. In certain cases, this could affect any potential discount that may be applied to penalties issued by the regulator.^[40]

Recent enforcement decisions

Although the number of enforcement actions within the EU remains low compared to the US, there is a trend in the number of actions and the value of the penalties extracted by certain competent authorities. It is clear that EU competent authorities are interested in pursuing actions against individuals and corporates, which has been the modus operandi of US regulators for many years. Ensuring that both classes of potential defendants are prosecuted should serve to promote top-level commitment to effective sanctions compliance, as well as a risk-averse attitude to problematic activity at all levels within an organisation.

Set out below are a few of the key sanctions decisions from the past three years.

Belgium

On 7 February 2019, it was announced that three Belgian companies, AAE Chemie Trading (AAE), Anex Customs (Anex) and Danmar Logistics (Danmar), were convicted for exporting chemicals to Syria without a licence. Council Regulation (EU) No. 36/2012^[41] (as amended)^[42] prohibits the ‘transfer or export, directly or indirectly’ of equipment, goods or technology ‘which might be used for the manufacture and maintenance of products which might be used for internal repression’.^[43] In breach of this regulation, AAE, Anex and Danmar were alleged to have exported to Syria 168 tonnes of isopropanol, 219 tonnes of acetone, 77 tonnes of methanol and 21 tonnes of dichloromethane in 24 deliveries from 2014 to 2016.

The Court imposed conditional fines of up to €500,000 and suspended prison sentences for one managing director and one manager.

This case demonstrates the severity with which those in breach of sanctions can be treated, notwithstanding that there was no evidence that the dual-use goods were intended to be used for nefarious purposes and that domestic screening failures had resulted in the breaching shipments.

Denmark

On 11 November 2020, the Danish State Prosecutor for Serious Economic and International Crime announced charges against a Danish marine fuel trader, Dan-Bunkering, suspected of violating EU sanctions on Syria by delivering 172,000 tonnes of jet fuel in 33 transactions to Russian warplanes stationed there. The transactions, carried out between 2015 and 2017, amounted to 647 million kroner (€87 million). A hearing has been scheduled for 26 October to 14 December 2021. ^[44]

France

On 29 March 2019, the Sanctions Commission of the French Banking Regulator (the ACPR) conducted disciplinary proceedings against the bank Raguram International (Raguram) and rendered its decision on 8 April 2019.^[45]

The Sanctions Commission found that, between 2015 and 2017, Raguram recorded thousands of foreign exchange transactions that breached EU and French regulations for failing to identify and verify its customer base and for failing to integrate lists of persons targeted by EU regulations into its systems and controls framework, resulting in an inability to comply with EU and national asset freeze measures. Raguram had further failed to correctly report to the ACPR that it had inadequate systems and controls to ensure compliance with anti-money laundering and asset freeze obligations because, at the time of the report, it had not recognised that its controls environment was defective.

No penalty was issued, as the bank had purchased a compliance solution prior to the grievance being identified during an on-site inspection, and had implemented enhanced controls for customer identification and verification.

This decision demonstrates that competent authorities expect companies to continue to review and enhance their internal systems and controls framework. Companies that have demonstrated proactivity in terms of remediation have often received reduced penalties in recognition of their proactive approach to compliance.

Germany

In March 2021, two German citizens were convicted by the Hanseatic Higher Regional Court, a special state security court in Hamburg, for violating an arms embargo on Russia imposed after the annexation of Crimea in 2014. According to investigations, the individuals sold metal processing equipment, which could have been used in military missile production, to Russian clients. To circumvent checks on these dual-use goods, the individuals made contracts with fictitious recipients and forged documents, and the goods ultimately ended up with a defence-end purchaser. Along with a prison sentence, the main defendant was also fined more than €8 million, that being the price he received for the equipment in question. The second defendant was sentenced to two years’ probation and handed a fine. ^[46]

The Netherlands

On 18 February 2019, the Limburg court convicted Dutch company Euroturbine BV and its Bahrain-based subsidiary Euroturbine SPC for exporting gas turbine parts to Iran without a licence. It imposed fines of €500,000 and €350,000 respectively, finding that sham legal structures were established to circumvent export controls. It also imposed custodial sentences on two individuals and sentenced a third to 180 hours of community service.^[47]

On 7 February 2020, the Limburg court imposed penalties of €600,000 and more than €4 million on the same entities for breaching EU and Dutch export controls on Iran.^[48] The penalties represent the value obtained by each entity as a result of their illegal transport of gas turbine components to Iran without an export licence.

The future of EU sanctions enforcement

Sanctions are a key tool for supporting the EU’s foreign policy objectives, which include ‘safeguarding EU’s values, fundamental interests, and security’.^[49] However, for that tool to achieve its full potential, proper implementation and enforcement of sanctions by EU Member States is fundamental. Indeed, in September 2019, Ursula von der Leyen called for ‘proposals to ensure Europe is more resilient to extraterritorial sanctions by third countries and to ensure that the sanctions imposed by the EU are properly enforced throughout its financial system’.^[50]

To reinforce this objective, on 19 January 2021, the Commission published a Communication entitled ‘The European economic and financial system: fostering openness, strength and resilience’ (the Communication).^[51] The Communication ‘sets out how the EU can reinforce its open strategic autonomy in the macro-economic and financial fields by […] improving the implementation and enforcement of EU’s sanctions’ regimes, and increasing the EU’s resilience to the effects of the unlawful extra-territorial application of unilateral sanctions and other measures by third countries’. Proposals in the Communication include:

• The Commission, as the institution in charge of monitoring and coordinating the implementation of EU sanctions under the TFEU, will from 2021 contribute to the assessment of the effectiveness of EU sanctions.
• In 2021, the Commission will also conduct a review of practices that circumvent and undermine sanctions, including the use of cryptocurrencies and stablecoins. The results of this will inform possible legislative proposals or implementation guidelines from 2022.
• In 2021, the Commission will develop a database, the Sanctions Information Exchange Repository. This will enable prompt reporting and exchange of information between Member States and the Commission on the implementation and enforcement of sanctions.
• The Commission is setting up an expert group of representatives of Member States on sanctions and extra-territoriality.
• The Commission will work with Member States to set up a system to centralise notifications and the dissemination of information across Member States, and to help coordinate Member States’ replies, in full compliance with the division of competences in the treaties.
• The Commission will discuss the implementation of EU sanctions with Member States to ensure a harmonised approach in this regard.

The proposals fall short of the establishment of an EU-wide sanctions enforcement body,^[52] which could have built on the work already undertaken by RELEX.^[53] The bloc has historically been reticent, in establishing a centralised monitoring body, as it would require significant funding and a legislative mandate for which there currently appears to be little appetite. Given the focus of the Communication, it does not appear likely that such a body will be established in the near term.

To that end, the implementation and enforcement status quo looks set to remain. While this inconsistent approach has garnered much criticism and looks set to be the subject of scrutiny in 2021 and 2022, the gradually increasing rate of enforcement activity would tend to indicate that certain EU Member States are prepared to take sanctions-busting activity seriously and companies should prepare for an increased focus on enforcement of EU sanctions going forward.

Footnotes