The Role of Forensics in Sanctions Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.


The global value chain is a far-reaching system reliant on cross-border transfers of funds, services and goods, which are increasingly subject to economic sanctions and export controls law enforcement by the Office of Foreign Assets Control (OFAC), the US Department of Justice and other regulatory authorities. Investigations involving sanctions allegations will continue to be more prevalent as sanctions are a growing foreign and security policy tool used to influence foreign behaviour and mitigate national security risks.

Parties seeking to circumvent the sanctions regulations often go to great lengths to disguise transactions using intricate payment processes, subsidiaries, intermediaries and shell corporations, among other vehicles. To combat these types of deception, organisations should implement effective sanctions compliance programmes and investigate potential sanctions violations. Thus, prudent companies will leverage cutting-edge investigative techniques, tools and consultants with specialised forensic knowledge. The purpose of this chapter is to explain key investigative procedures and best practices from a forensic accounting perspective and highlight the techniques and tools used to uncover facts and patterns in the complex web of transactions designed to circumvent economic sanctions and export control regulations. The chapter provides a combination of best practices, published guidance from OFAC and recent case outcomes to provide insight on the evolving sanctions environment and to support forensic and compliance professionals in creating, enhancing or testing an existing sanctions compliance programme (SCP).

OFAC guidance

OFAC’s guidance document, ‘A Framework for OFAC Compliance Commitments’, encourages companies to ‘develop, implement and routinely update’ a risk-based SCP.[2] OFAC strongly recommends the adoption of an SCP by all organisations subject to US jurisdiction and foreign entities that conduct business in or with the US or US persons, or that use US origin goods or services, use the US financial system, or process payments to or through US financial institutions. Forensic methodologies and tools are critical elements of effective compliance measures, such as risk assessments and compliance testing. For the purposes of this chapter, we focus on the two SCP components most relevant to forensics – risk assessment and testing and auditing – and how these components interplay with the factors OFAC considers in administrative enforcement actions.[3]

The risk assessment and testing and auditing components of an SCP should not be viewed in isolation, but rather should inform each other and continue to evolve. Not only is the regulatory environment constantly evolving, so too is the nature of a business. Because each company is unique, the risk assessment, and testing and auditing plan should be tailored to each business. Additionally, risk assessments should be refreshed periodically to take into consideration any changes in the organisation. A properly designed risk assessment and testing and auditing cycle should minimise exposure in the event of an apparent violation. Moreover, conclusions should be analysed as part of the testing and auditing process. If testing or auditing reveals that risks are higher than anticipated in one portion of the business, these results should inform the company’s overall risk assessment and compliance efforts.

As OFAC notes, a risk assessment should consider customers, products, services, supply chain, intermediaries, counterparties, transactions and geographical locations, depending on the nature, size and sophistication of the organisation. These factors should be targeted for assessment during the testing and auditing process. When determining the appropriate administrative action in response to a sanction violation, OFAC will follow and consider certain ‘general factors’ described in its Economic Sanctions Enforcement Guidelines.[4]

Implementing a testing and auditing plan as part of a risk-based SCP is a mitigating factor. However, using key forensic procedures and analytical tools as part of a testing and auditing plan can also help reduce a company’s exposure by minimising instances of aggravating conduct. For example, auditing using forensic procedures and data analytical tools on emails and shipping records can help detect and deter knowing non-compliance by employees.

Key forensic procedures and analytical tools

Data analysis

Among the most effective investigative procedures applied in testing or investigating as part of an SCP is a statistical analysis of historical and ‘real-time’ transactional data. It is critical that a company can identify potentially suspicious transactions and determine the ‘who, what, where, when and how’ by piecing together a timeline of events.

Statistical data analysis, ranging from basic pivot-table analysis to more advanced software applications and platforms to stratify, synthesise and flag data from a variety of ecosystems, is an invaluable tool. The key to effectively using data analysis is the ability to link transactional evidence buried in a multitude of data fields from disparate sources to identify hidden relationships or correlations.

With the assistance of data analytic tools, robust forensic analyses can be performed to help identify and thwart sanctions violations. The following observations from recent enforcement cases (as discussed in more detail in ‘Analysis of recent enforcement cases – a forensics focus’, below) could further inform efforts to prevent and detect potentially suspicious activities.

  • Use keyword search terms on unstructured data to assist with data analysis. Evidence regarding prohibited transactions is frequently located in unstructured data (e.g., electronic communications, such as email, voicemail and instant messages). Forensic tools can identify suspicious activity using keywords on these communications, including metadata reviews (e.g., to/from fields). These tools can also analyse system access logs to identify users who accessed the system, and can then obtain internet protocol (IP) addresses and GPS coordinates of the users. Further, a company can proactively use keyword search terms across communication channels in the normal course of business to identify suspect transactions or ‘code’ words or phrases in real time and to block those communications.
  • Anticipate potential compliance risks, especially when entering new business areas, and leverage data and IT systems to automatically block transactions that violate US sanctions. For example, companies engaging in overseas transactions for the first time should proactively identify risks, including the potential for current business partners and the countries in which they operate to become subject to future sanctions. Data analytics can flag transactions and use controls such as automated restricted-party and restricted-country screening, IP blocking and SWIFT payment analyses to prevent illegal payments, travel, shipments and services in restricted countries. Additionally, companies can improve the effectiveness of IT controls by ensuring data is complete, standardised and used consistently across the enterprise.
  • Periodically test and assess IT controls to ensure they remain effective in preventing compliance violations. Compliance control breakdowns can occur as the result of weak or out-of-date algorithms that, for example, can allow close matches to specially designated nationals lists to evade filters, flagged payments to be released without review or failures to flag IP addresses in sanctioned regions. For example, companies can apply text analytics and natural language processing to detect fuzzy matches. OFAC may consider a company’s failure to review and improve its compliance procedures to be an aggravating factor in prosecuting compliance violations.
  • Require supporting documentation for travel, shipment and payment requests to be submitted through IT approval systems, allowing automated flagging of transactions. Making it mandatory to attach supporting documents to system approval requests, such as employee expense receipts related to travel and entertainment and bills of lading related to invoices, forces requestors and approvers to substantiate the veracity of dates, locations and entity names entered into the approval system. IT systems can then perform automated matching on the verified information. For example, hotel locations supported by lodging bills can be compared to the requested travel destination to verify that travel was not to unapproved or sanctioned regions, and destinations from bills of lading can be compared to invoices to verify that deliveries and payments did not go to entities other than those on the approved invoices. These controls also leave audit trails that are helpful in detecting trends and isolating questionable transactions.
  • Verify accuracy and completeness of customers and their branches’ information. While customers can be incorporated outside of sanctioned countries, they could maintain branches in sanctioned countries. Companies should consider requesting a complete list of branches, including all the name variations and physical addresses, from each of their customers, and conducting additional due diligence on each branch. Companies should also consider using data analysis to identify discrepancies between the actual shipping addresses/payors’ names and the documented data of the customer and its branches. Companies can also consider adopting master data management to standardise naming and addresses and facilitate the discrepancy analysis.
  • Conduct sanctions-related due diligence prior to acquisitions. Sanctions-related due diligence is critical before acquisition of any entity, especially if the acquisition target is outside of the US. Companies should conduct interviews with all levels of employees to understand the acquisition target’s compliance culture and assess employees’ knowledge related to sanctions. Companies should also consider analysing all the available data at the acquisition target to detect any potential violation. Identified violations or potential violations can help companies to voluntarily self-disclose as soon as possible and plan for targeted change in the acquisition targets’ compliance governance.
  • Automate and customise the training courses received by domestic and international employees. All employees should have the same level of awareness in sanctions-related laws and regulations. Companies should consider providing online training courses with exams. Companies can analyse the exam-scoring pattern and develop customised training programmes for employees at different subsidiaries. For example, international employees may benefit from training courses developed in the local language and extra introductory courses on US laws and regulations.
  • Analyse leads from business partners for potential violations. Companies’ employees may instruct business partners to modify or hide certain details related to day-to-day transactions, such as shipments, payments and cash receipts, to circumvent compliance controls. Companies should provide channels such as dedicated email addresses, mailboxes and hotlines for business partners to report potential violations. Companies may consider adopting natural language processing to analyse voice and text received. Companies can check the leads from different channels with the internal structured and unstructured data, and verify the authenticity of the leads.
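The control test described in the list above (checking whether close matches to a watch list evade the filter) can be run as a small regression harness. The following is an added example, not code from the article or from any screening product; the watch-list entries, test names and the 0.85 threshold are constructed assumptions, and Python's `difflib` ratio stands in for whatever matching algorithm a production system uses.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch-list entries (fictional; not from any real sanctions list).
WATCHLIST = [
    "Orion Maritime Trading LLC",
    "Khalid Al-Rashidi",
    "Volga Petrochem Export",
]

# Constructed test cases: (party name on a payment, entry it should hit or None).
TEST_CASES = [
    ("ORION MARITIME TRADING L.L.C.", "Orion Maritime Trading LLC"),  # case, punctuation
    ("Trading Orion Maritime", "Orion Maritime Trading LLC"),         # word order
    ("Khaled Al Rashidy", "Khalid Al-Rashidi"),                       # transliteration
    ("Vólga Petrochem Exports", "Volga Petrochem Export"),            # accent, plural
    ("Orion Bakery Supplies Ltd", None),                              # benign
    ("Khalid Mahmood", None),                                         # benign
]

LEGAL_SUFFIXES = {"llc", "ltd", "inc", "co", "corp", "gmbh", "sa", "limited"}


def normalise(name):
    """Strip accents, case, punctuation and legal suffixes; sort the tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]", "", text.lower().replace("-", " "))
    tokens = [t for t in text.split() if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def exact_screen(name):
    """The weak control: a hit only when the string is identical to an entry."""
    return name if name in WATCHLIST else None


def fuzzy_screen(name, threshold=0.85):
    """Return the best watch-list entry at or above the threshold, else None."""
    candidate = normalise(name)
    if not candidate:
        return None
    best_entry, best_score = None, 0.0
    for entry in WATCHLIST:
        score = SequenceMatcher(None, candidate, normalise(entry)).ratio()
        if score > best_score:
            best_entry, best_score = entry, score
    return best_entry if best_score >= threshold else None


def evaluate(screen):
    """Run a screening function over the test cases and list its failures."""
    result = {"missed": [], "false_positives": []}
    for name, expected in TEST_CASES:
        hit = screen(name)
        if expected is not None and hit != expected:
            result["missed"].append(name)
        if expected is None and hit is not None:
            result["false_positives"].append(name)
    return result


if __name__ == "__main__":
    for label, screen in (("exact", exact_screen), ("fuzzy", fuzzy_screen)):
        print(label, evaluate(screen))
```

Re-running the same test cases after every list update or threshold change gives the periodic evidence that the filter still catches the variants it is meant to catch.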

Investigative due diligence

Investigative due diligence typically comprises a set of research tools and approaches that can be applied to a wide range of investigations. In sanctions-related investigations, these tools may consist of (1) documents and electronic records disclosed by a party, (2) public records gathered through desktop research or on-site searches, and (3) observational site inspections or human source intelligence. Investigative due diligence arms investigators with additional knowledge to connect dots and enhance understanding of the pool of information gathered about the subject of the investigation.

Additionally, forensic professionals leverage investigative due diligence to combine data analysis with a review of pertinent open-source data about the parties involved in the activity. Open-source data (e.g., public records, such as corporate registry details, litigation records, asset ownership details and social media) can assist with untangling the web of indirect relationships and interrelated connections involved in transactions. Investigators can consider using a case tool to consolidate and analyse all the open-source data. Although the investigative trail often begins with the company’s books and records, perpetrators usually engage in a variety of techniques to cover their tracks, such as layering and multiple transfers to intermediaries, shell companies, nominee shareholders and related parties. By using investigative due diligence, including reviews of public records and ‘boots on the ground’ interviews, investigators can uncover valuable clues regarding ownership structure and executive leadership positions of complex organisational structures.

Perpetrators may go to significant lengths to obscure beneficial ownership of companies or to disguise certain transactions, but these patterns can often be identified with common elements, such as addresses, proxies or nominees in corporate structures, or law firms or accountants used to register companies. Investigators frequently use link analysis and other visualisation tools to track the information uncovered, map the networks of bad actors, and help companies understand the potential exposure to those bad actors. Identifying patterns or connections in voluminous information requires tools to distil the information quickly and clearly into charts or graphs.
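The link analysis described above can be reduced to a graph in which companies are connected through the attributes they share. This is an added example, not the authors' tooling; the registry records, the flagged party and the abbreviation table are constructed assumptions. It returns, for each company, the shortest chain of shared addresses, directors or registration agents that leads to a flagged party.

```python
import re
from collections import defaultdict, deque

# Constructed corporate-registry records (fictional).
RECORDS = [
    {"company": "Alder Freight Ltd", "address": "12 Quay Road, Suite 4",
     "director": "M. Vance", "agent": "Northgate Registrars"},
    {"company": "Birch Commodities SA", "address": "12 quay rd suite 4",
     "director": "T. Okoro", "agent": "Westbank Corporate Services"},
    {"company": "Cedar Holdings Inc", "address": "88 Mill Lane",
     "director": "T. Okoro", "agent": "Harbor Formations"},
    {"company": "Dune Logistics LLC", "address": "5 Canal Street",
     "director": "R. Stein", "agent": "Harbor Formations"},
    {"company": "Elm Textiles Ltd", "address": "40 Park Avenue",
     "director": "J. Lind", "agent": "Lakeside Filings"},
]
FLAGGED = {"Cedar Holdings Inc"}  # constructed: party already known to be of concern

LINK_FIELDS = ("address", "director", "agent")
ABBREVIATIONS = {"road": "rd", "street": "st", "avenue": "ave", "lane": "ln"}


def normalise(value):
    """Lowercase, drop punctuation and unify common address abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def build_graph(records):
    """Bipartite graph: company nodes on one side, attribute values on the other."""
    graph = defaultdict(set)
    for rec in records:
        company = "company:" + rec["company"]
        for field in LINK_FIELDS:
            attribute = f"{field}:{normalise(rec[field])}"
            graph[company].add(attribute)
            graph[attribute].add(company)
    return graph


def chain_to_flagged(graph, company, flagged):
    """Breadth-first search for the shortest chain from a company to a flagged one."""
    start = "company:" + company
    targets = {"company:" + name for name in flagged}
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for neighbour in sorted(graph[path[-1]]):  # sorted for repeatable output
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(path + [neighbour])
    return None


def exposure_report(records, flagged):
    """Map every non-flagged company to its chain to a flagged party, or None."""
    graph = build_graph(records)
    return {
        rec["company"]: chain_to_flagged(graph, rec["company"], flagged)
        for rec in records
        if rec["company"] not in flagged
    }


if __name__ == "__main__":
    for name, chain in exposure_report(RECORDS, FLAGGED).items():
        print(name, "->", " -> ".join(chain) if chain else "no link found")
```

Each hop keeps its attribute type so a reviewer can weigh it: a formation agent shared by many unrelated companies is weaker evidence of a connection than a shared address or director.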

Supply chain mapping

Forensic analysis tools also enable the use of models for predictive analysis and present opportunities for global supply chain mapping. This mapping offers the possibility to identify the sanctions risk posed by third parties, such as suppliers, distributors, agents, sub-agents and customers who may be conducting business directly or indirectly with sanctioned countries or regions, or whose activities benefit sanctioned governments or sanctioned parties.

When supply chains extend to countries that actively trade with sanctioned jurisdictions, the sanctions risk may be elevated. Some primary examples of these relationships include Colombia and Venezuela, China and North Korea, and United Arab Emirates and Iran. Assessing the potential third-party risk of relationships should be a process in which data analysis and models are continually updated with new information taken from the latest enforcement actions, in addition to published advisories from the US State Department, the US Treasury Department or other regulatory authorities.

Investing in developing a supply chain risk map will produce longer-term benefits, especially for larger, complex enterprises and those with a multinational presence. The insight gained through supply chain mapping for sanctions risk will help in designing effective internal controls, training programmes and due diligence practices.

Predictive analysis

Once a supply chain is mapped for sanctions risk, predictive modelling can be leveraged with a global SCP to identify emerging trends in the evolving global sanctions landscape. For example, enterprises that deliver fourth-party or fifth-party logistics services[5] can enhance their existing contingency plans by incorporating sanctions risks in their supply chain mapping. Predictive analysis can highlight counterparties and relationships that may need to be re-evaluated or replaced in the event of a sanctions-related disruption, such as a sanctions designation or significant enforcement action. Although predictive analytics is not widely adopted, a growing number of companies are using it.

Leveraging key forensic procedures and analytical tools, such as those described above, will assist in building a ‘best-in-class’ SCP. Due to exponential growth of international transactions, reliance on manual compliance controls alone can no longer effectively protect organisations against costly enforcement actions or other risks associated with sanctions violations.

On-site interviews and inspections

Forensic investigations rely heavily on historical records to identify relevant facts and support conclusions. Interviews or on-site observations provide additional context on collected data or evidence to validate authenticity and confirm facts and circumstances leading up to the recording of transactions. Live observation of body language can also be very valuable, especially in potentially sensitive situations involving possible wrongdoing. For this reason, on-site interviews or inspections present unique opportunities for compliance personnel, investigators or those engaged to perform related testing.

In practice, live interviews can help investigators evaluate employees’ compliance policy knowledge and the effectiveness of training, which may shed light on documented decisions made by those employees. This can potentially distinguish intentional violations of policy from decisions made because of deficient training or human error. These ‘live’ meetings provide first-hand knowledge of how written policies and procedures are operating. In some cases, disparities between the written procedure and its execution might point to gaps in the procedure. Process walk-throughs can also detect procedural steps skipped by employees taking ‘shortcuts’. Interviewees can articulate why certain procedures were not performed and describe pain points or process inefficiencies that exist, highlighting the need for policy updates or additional controls.

Field interviews and observations can also detect instances when compliance processes are viewed as unimportant by employees or management, or are not adequately supported by funding, necessary equipment, information technology infrastructure or staffing. These observations may indicate an overall lack of management commitment to the programme or a failure to anticipate external stresses. For example, employees in economically developing countries, where disruptions to internet service (or even electrical power) are commonplace, may default to unapproved workarounds or off-system processes, which result in incomplete system data and failures to apply controls.

Irrespective of geography, a protracted crisis may result in lengthy business interruption, high staff turnover or absenteeism. Employees may be unable to access their work location because of civil unrest, natural disaster or other widespread disruption, as exemplified by the covid-19 pandemic that began in 2020, the Myanmar military coup that occurred in 2021 and the Russian invasion of Ukraine in 2022. Thus, expertise or resources required to fully execute the SCP may not be available and employees may find themselves under increased pressure to ignore processes for the sake of business continuity. Sanctions compliance should influence the crisis response and business continuity plans for sophisticated, global organisations. Advance planning and on-site walk-throughs help to provide a clearer picture in understanding potential risks, which may not be anticipated or detected during a crisis.

In situations where on-site procedures cannot be performed, such as the travel constraints brought on by the covid-19 pandemic, interviews and inspections conducted remotely can provide satisfactory results when investigators adhere to best practices. Video conferencing allows the interviewer to gauge the interviewee’s body language and facial expression, may help to put the interviewee at ease and can provide a solution for remote sharing of documents on a shared screen. The use of mobile devices to allow a view of facilities can be effective when an in-person inspection is not possible. However, investigators generally have a limited view when a mobile device is used and the person who holds the mobile device can manipulate what can be viewed by investigators. Investigators need to be aware of these pitfalls when conducting remote procedures and may want to consider using an independent third-party observer when possible. A keen awareness of relevant data protection or privacy laws and regulations, state and commercial secret laws and employment regulations is key to successful remote interviews and inspections.

Data preservation and collection activities are major activities in an investigation. Forensic practitioners collect data from servers and devices, such as smartphones, laptop computers, hard drives and other portable drives (e.g., flash drives). While remote collection of server data is a common industry practice, collecting data from other devices in a forensically sound way may require shipping of such devices and is often challenging and slow, especially in times when global logistics services are overextended due to the covid-19 pandemic.

Many organisations still rely heavily on hard copy documentation to conduct business. Often, the need to maintain a hard copy paper trail is driven by local government requirements and business norms in the country. Organisations may scan hard copy documents for electronic storage, but the quality of the scan is often inconsistent and scanned images are at risk of being altered. Best practice is to follow up with an on-site examination of the original hard-copy documentation whenever possible. A hard copy means a missed opportunity to analyse the data using text analytics. Companies should consider digitising the hard copies used in the business processes and managing the digitised data for easy retrieval and analysis.

For remote interviews, interviewers should be alert to the possibility of other individuals in the same room who may be coaching the interviewee or listening in. An interviewee may try to avoid being interviewed or answering questions by claiming technical difficulties. Remote interviews also run the risk of being recorded surreptitiously. During virtual tours of facilities and premises, investigators should expect areas of interest to the team to be intentionally excluded from the tour. If permissible, investigators can arrange to have local colleagues be present in person during remote procedures to mitigate these risks.

One major limitation of remote procedures is the inability to conduct unscheduled interviews or surprise ‘spot checks’. These cannot be performed remotely, mainly because of the coordination and logistics arrangements required to organise remote data collection, interviews or facilities inspections.

Ultimately, proper planning is key, and communication of expectations to the subject entity or individual helps reduce misunderstanding over logistics. Where possible, the investigations team should corroborate preliminary results from the remote investigative procedures by supplementing the work conducted with an in-person inspection when travel is feasible.

Potential post-investigation procedures

An investigation should conclude with a final report containing findings. An opportunity exists to convert findings into formalised action plans to remediate any deficiencies. For example, when gaps in compliance knowledge are revealed, the organisation should implement role-specific or targeted training. A finding that screening systems failed to detect name variations may result in new rules within the screening system. Still other findings may require enterprise-wide initiatives and policy development.

Specific compliance errors uncovered through transaction analysis and forensic techniques, such as look-backs, are also useful to isolate incorrect compliance decisions and enhance existing training programmes and materials. The circumstances surrounding the errors are useful in forming situation-based questions and case studies for training materials, internal discussions and employee evaluations. Studying the various types of errors may also be helpful in creating automated system-generated policy reminders to help employees in following the correct steps to avoid future violations.

Action plans should include: identification of responsible parties, follow-up timelines, and procedures with features, such as scheduled action plan updates; retraining or retesting of employees; follow-up sampling of transaction activity to test controls; updated or enhanced risk assessments; and targeted disciplinary actions such as probationary periods or re-evaluation of contracts with external parties. Follow-up activities associated with an action plan should also be documented and records retained according to written policy and legal standards.

Analysis of recent enforcement cases – a forensics focus

Examining recent cases and outcomes offers insight into trends within the evolving sanctions landscape. This context is important to demonstrate the application of various forensic investigative methods and best practices, while also highlighting the practices that might have contributed towards the identification of mitigating factors considered by OFAC.

Airbnb Payments, Inc

This 2022 action[6] highlights the importance of global businesses involving internet-based services proactively implementing risk-based sanctions compliance measures, particularly at the time of entry into a new business line or region. Airbnb Payments, Inc (Airbnb) is a registered money services business, which is a wholly owned subsidiary of Airbnb, Inc. Airbnb launched its Cuba business in April 2015, following regulatory changes announced by the US government in January 2015. Extending its global customer base to Cuba appears to have outpaced the company’s ability to thoroughly manage the associated sanctions risks via its IT platforms, ultimately leading to the apparent violations. For example, when Airbnb first launched its operations in Cuba, it used a manual process to screen hosts and guests for potential sanctions issues until it was able to implement a customised IP blocking system tailored to the nuances of OFAC’s Cuba regulations. Consequently, it was not able to identify and avoid processing payments related to numerous transactions for ‘stays’ and ‘experiences’ in apparent violation of OFAC’s regulations.

Airbnb may have benefited from more thorough preparation to implement a systematic screening system to filter out risky guests or hosts before it launched services in Cuba. A company that provides internet-based services, particularly related to international travel or activity, should perform a proactive risk analysis to close any potential loopholes due to incomplete establishment of protocol before it enters a new business in a country with elevated sanctions risks.

First Bank SA and JC Flowers & Co

First Bank SA, a Romanian financial institution, settled this case[7] in 2021 along with its US parent company, JC Flowers & Co, for over US$800,000. From 2016 to 2018, First Bank processed 98 payments totalling over US$3 million through US financial institutions on behalf of parties located in Iran and Syria, which resulted in US financial institutions exporting financial services to Syria and Iran. These violations were apparently caused by First Bank’s lack of understanding of the scope of US sanctions, as the bank’s training and procedures did not address the risk that the US financial institutions could be indirectly exporting financial services through the US financial system. A portion of the violations involving Iranian parties were denominated in euros and did not involve US financial institutions. However, non-US companies that are owned or controlled by US persons, such as First Bank, are subject to OFAC’s Iran sanctions regulations, regardless of currency or location.

This case demonstrates the importance of foreign financial institutions’ understanding of the scope and applicability of US sanctions, particularly with respect to transactions processed via the US financial system and entities owned or controlled by US persons. It also demonstrates the importance of conducting effective due diligence both before and after acquisitions to monitor the activities of new subsidiaries to help limit exposure to sanctions violations.

Sojitz (Hong Kong) Limited

Sojitz (Hong Kong) Limited settled this case[8] in 2022 for a penalty of over US$5 million. Sojitz made US dollar payments for high density polyethylene (HDPE) through US financial institutions to the bank of an HDPE supplier in Thailand. The payments were made over the course of 18 months from 2016 to 2018 and totalled over US$75 million. The HDPE was of Iranian origin, and non-compliant employees handling these transactions omitted references to Iran in the transfer instructions, against the guidance of Sojitz’s management and legal team. These employees also obscured the country of origin on transactional documents (e.g., by requesting that the HDPE supplier not reference Iran on the bills of lading). The employees also concealed the HDPE’s country of origin from the senior management at Sojitz (Hong Kong) Limited. This transaction caused the US financial institutions that processed the funds to engage in a prohibited financial transaction because they were unable to identify these transfers as violations of sanctions prohibitions.

This case highlights the risks posed by non-compliant employees, including those who may take extensive steps to conceal the origins of a transaction. It demonstrates the importance of internal controls aimed at preventing employee misconduct and limiting the ability of ‘rogue’ employees to engage in such transactions. Finally, it also highlights the importance of internal auditing and testing, as self-disclosure of such violations may be a mitigating factor when calculating penalties.

Bank of China UK

In 2021, the Bank of China (UK) Limited (BOC UK), located in London, agreed to remit US$2,329,991 to settle an OFAC enforcement action for processing transactions in apparent violation of OFAC’s now repealed Sudan sanctions programmes.[9] Between September 2014 and February 2016, BOC UK exported financial services from the US by processing 111 commercial transactions totalling US$40,599,184 through the US financial system on behalf of parties in Sudan. Despite clear references to Sudan from two customers, BOC UK’s internal customer database did not include references to Sudan in the name or address files of either customer. This resulted in the omission of any references to Sudan in SWIFT messages processed for those customers by BOC UK through US banks. Certain BOC UK personnel processing the transactions were aware that the payments were related to Sudanese entities.

For non-US financial institutions, this enforcement action stresses the importance of enacting policies and procedures to better address US sanctions regulations applicable in processing payments through the US. Furthermore, non-US financial institutions should ensure that know-your-customer information is integrated holistically throughout internal customer databases that inform compliance decisions and that potential sanctions concerns are appropriately flagged and escalated when a sanctions nexus may be present.

A closer look at supply chain issues

Recent OFAC actions highlight specific supply chain issues that can also be addressed through the use of various forensic investigative methods. Interested business entities could also refer to relevant agencies’ sources[10] for insight on the general scheme of supply chain issues and how to deal with them by learning from the best practices and practical FAQs.

Xinjiang Supply Chain Business Advisory

The multi-agency advisories in 2020[11] and 2021[12] sounded an alarm on supply chain risks associated with forced labour and other human rights abuses in the Xinjiang region of China. The advisories identify potential indicators of forced labour and labour abuses, such as:

  • lack of transparency (e.g., use of shell companies to obscure the source of goods);
  • lack of employees paying into social insurance programmes;
  • the company’s receipt of government development assistance;
  • non-standard hiring practices or use of government recruiters;
  • proximity to internment camps or adjacency to industrial parks involved in poverty alleviation efforts; and
  • use of certain internment terminology, such as education training centres or legal education centres, ethnic minority graduates or involvement in reskilling.

Evidence of these indicators can be monitored from a forensics perspective through in-person site inspections, key employee interviews, key word searches in structured and unstructured data and regular investigative due diligence procedures.
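A key word search of the kind described above, run over both structured rows and unstructured text, can be sketched as follows. This is an added example, not part of the original chapter; the indicator terms come from the advisory list above, while the spelling variants in the patterns, the field names and the sample records are constructed assumptions.

```python
import re
import unicodedata

# Indicator terms from the advisory list; the regex variants (centre/center,
# plurals, hyphenation) are assumptions added for this example.
PATTERNS = {
    "education training centre": r"education(?:al)?[\s-]+training[\s-]+cent(?:re|er)s?",
    "legal education centre": r"legal[\s-]+education[\s-]+cent(?:re|er)s?",
    "ethnic minority graduates": r"ethnic[\s-]+minority[\s-]+graduates?",
    "reskilling": r"re[\s-]?skill(?:ing|ed|s)?",
}
COMPILED = {label: re.compile(rf"\b{rx}\b", re.IGNORECASE) for label, rx in PATTERNS.items()}

def normalise(text):
    """Fold Unicode compatibility forms and collapse line breaks and runs of spaces."""
    return re.sub(r"\s+", " ", unicodedata.normalize("NFKC", str(text)))

def scan_text(source, field, text, width=30):
    """Return one hit per match, with surrounding context for the reviewer."""
    text = normalise(text)
    hits = []
    for label, rx in COMPILED.items():
        for m in rx.finditer(text):
            snippet = text[max(0, m.start() - width): m.end() + width]
            hits.append({"source": source, "field": field,
                         "indicator": label, "snippet": snippet})
    return hits

def scan_all(rows, documents):
    """Scan every field of structured rows, then the body of each document."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            hits += scan_text(f"row {i}", field, value)
    for name, body in documents.items():
        hits += scan_text(name, "body", body)
    return hits

# Constructed sample data: supplier master rows and two e-mail bodies.
SUPPLIER_ROWS = [
    {"supplier": "Supplier A", "workforce_note": "Staff recruited via Legal Education Center scheme"},
    {"supplier": "Supplier B", "workforce_note": "Local hires, standard contracts"},
]
EMAILS = {
    "email_001.txt": "The plant took on 40 ethnic minority\ngraduates after a re-skilling course.",
    "email_002.txt": "Please confirm delivery dates for Q3.",
}

if __name__ == "__main__":
    for hit in scan_all(SUPPLIER_ROWS, EMAILS):
        print(hit)
```

Hits are leads for review, not findings: a term such as reskilling appears in ordinary HR material, so each match needs to be read in context.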

e.l.f. Cosmetics, Inc

This January 2019 case[13] illustrates the dangers of failing to perform proper supply chain due diligence. SCP and supplier audits at e.l.f. Cosmetics, Inc (Elf) failed to uncover that approximately 80 per cent of the false eyelash kits procured from China-based suppliers contained North Korean materials. Elf’s remediation measures, which stand out from a forensics and data analysis viewpoint, included: (1) implementing supply chain audits that verify the country of origin of goods and services used in its products; and (2) conducting enhanced supplier audits that include verification of payment documentation for materials and review of supplier bank statements (access to a supplier’s records is best negotiated with the supplier as a condition of receiving payment). In addition, purchasers should consider performing data analytics on product components or ingredients (e.g., researching the sources of the product or its major constituent materials to determine whether sanctioned countries are significant manufacturers and, if so, whether they are located near the supplier country). As described in detail above, third-party risk assessment, supply chain due diligence and supply chain mapping assist in identifying potential red flags for sanctions-related issues.

Sanctions compliance: best practices and lessons learned

Former US Deputy Attorney General Paul McNulty issued a warning at a 2009 conference that has become a popular maxim within compliance circles even more than a decade later: ‘If you think compliance is expensive, try non-compliance.’[14] Sanctions compliance violations are among the costliest ways this lesson is learned. OFAC maintains the most active and extensive sanctions programme in the world. OFAC’s recent output has included a steady flow of new regulations, guidelines and enhanced reporting requirements for rejected transactions.

It is worthwhile to remember that OFAC considers ‘good faith’ compliance efforts in the disposition of enforcement matters. OFAC ‘will consider favorably subject persons that had effective SCPs at the time of an apparent violation’.[15] However, there is no way to predict how OFAC will apply this principle to individual cases, so compliance professionals and organisational leaders should not assume their efforts will result in mitigation of penalties.

The advice supplied by OFAC in the ‘Framework for OFAC Compliance Commitments’, and echoed here, can be traced to cases in which at least one of the five commitment areas was deficient. Focusing on the forensic and investigatory lessons that can be gleaned from the cases referenced herein, below is a series of emphatic do’s and don’ts, from a forensics perspective, for building an effective SCP, testing an existing programme or conducting sanctions investigations.

Do . . .

Sanctions compliance programme

  • Conduct comprehensive risk assessments.
  • Implement risk-based, straightforward policies, procedures and internal controls relevant to day-to-day operations and sanction concerns.
  • Enforce policies and procedures, and identify, document and remediate weaknesses.

Due diligence and screening

  • Conduct due diligence on customers, distributors, suppliers, contractors, logistics providers, financial institutions and other partners.
  • Continuously use and test automated screening software, being cognisant of filter faults – prioritise alerts by severity.
  • Utilise systems to track movement of goods and financial transactions from manufacturing to end user.
  • Deploy blockchain and distributed ledger technologies to improve due diligence records.
  • Understand circumvention risk.
  • Monitor recent enforcement actions for effects on operations.
  • Establish anonymous reporting channels for employees and policies to ensure non-retaliation for whistle-blowing.

Testing and auditing

  • Assess tools, technology and data needed to monitor sanctions compliance.
  • Consider artificial intelligence to detect red flags – calibrate and test routinely.
  • Apply forensic investigative techniques on structured and unstructured data and metadata.
  • Conduct regular internal compliance audits, including at crucial junctures, for example, mergers, acquisitions and management changes.
  • Conduct supply chain audits with country-of-origin verification.
  • Perform supplier and distributor audits.

Don’t . . .

  • Conceal violations.
  • Facilitate transactions by non-US persons (including through or by non-US subsidiaries or countries).
  • Utilise US financial systems or process payments to or through US financial institutions for transactions involving sanctioned persons or countries (including US dollar payments).
  • Utilise non-standard payments and commercial practices.


The area of sanctions compliance continues to grow in importance and, simultaneously, to challenge the programmes, tools and talents of legal, compliance and forensics professionals. As the international political trends and criminal activities driving the use of sanctions show no signs of disappearing, and worldwide economic instability continues to show vulnerabilities in the global value chain, establishing a robust and proactive SCP will provide a significant measure of protection against potential violations. By focusing on the core commitment areas described in the OFAC guidance, drawing from best practices and tools used by forensics professionals, and studying relevant case outcomes, enterprises seeking to mitigate sanctions risk can do so with confidence that those efforts will pay off in the long term.


[1] Nate Giarnese and Tianyu You are senior managers at BDO USA LLP. Kristen McCannon Krishnamurthy and Luis F Arandia, Jr are associates and Soyoung Yang is a legal fellow at Barnes & Thornburg LLP. The authors would like to acknowledge the contributions of Linda Weinberg and Roscoe Howard of Barnes & Thornburg LLP and Nicole Sliger, Anthony Lendez, Pei Li Wong and Azzit Hussain of BDO USA LLP.

[3] A Framework for OFAC Compliance Commitments states: ‘OFAC has generally focused its enforcement investigations on persons who have engaged in wilful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-U.S. or U.S. financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization’s management, caused significant harm to U.S. sanctions program objectives, and were large or sophisticated organizations.’

[5] In using fourth- and fifth-party logistics service providers, companies outsource a majority of, or nearly all, logistics management activities. As more of the supply chain logistics function is performed by an external party rather than the company itself, compliance risk increases.

[14] Rodney T Stamler, Hans J Marschdorf and Mario Possamai, Fraud Prevention and Detection: Warning Signs and the Red Flag System (CRC Press, 12 March 2014), p. 4.
