GIR sanctions roundtable transcript: Part III
Part III of the GIR sanctions roundtable focuses on compliance trends; use of technology in compliance, investigations and enforcement; and OFAC’s and OFSI’s approaches to crypto transactions.
Rachel Barnes, a dual-qualified US lawyer and English barrister at Three Raymond Buildings in London. She is a co-editor of GIR’s Guide to Sanctions, now in its second edition.
Michael Lieberman, the assistant director for enforcement at the Office of Foreign Assets Control (OFAC) at the US Department of the Treasury in Washington, DC.
Kerry Contini, a partner at Baker McKenzie in Washington, DC focused on export controls and sanctions.
Charlie Steele, a partner at Forensic Risk Alliance in Washington, DC, who previously held positions at the Justice Department and at the US Treasury – most recently as chief counsel at OFAC.
Gayathri Kamalanathan, a partner at Slaughter and May in London, having joined in April from Danske Bank, where she was the head of litigation and enforcement.
Aimee Langley, the head of compliance at the Office of Financial Sanctions Implementation (OFSI) in London.
Trends in compliance
Barnes: Well, we’re going to leave that bumpy ride for one moment and then circle back to it. Kerry, let’s think about the front-end and compliance, so with the hope you never get to enforcement. What are some of the things you’re seeing, the new things in compliance at the moment?
Contini: I don’t know if it’s new but more of an evolution. As everyone knows, and as OFAC has made clear, if there are any US touch points in a company’s business, OFAC expects that company to have an effective sanctions compliance programme. In addition, we are now dealing with increasing sanctions regimes and export control regimes with increasing restrictions in other countries. So, how do you make these things come together? Historically, companies would default to focusing on the US because the US had the strictest requirements. That’s not necessarily the case anymore.
It is really important to really look at all of the different sanctions regimes that may be applicable to your business and factor that into your compliance programme. One trend we’re seeing is some more regionalised sanctions programmes. Companies may have global policies, they may also have regional policies, depending on where they’re doing business and what issues come up for them. But companies really need a nimble programme that can shift with the shifting risks. This area is constantly changing. Last year, Myanmar and Belarus were not perhaps major risk areas and now they are. It’s really important to have procedures that hold up as the specific rules are changing, and for trade compliance to be communicating with other relevant functions, so not operating in a silo but talking to supply chain and ESG and these other functions to address these risks holistically.
How technology is helping companies comply with sanctions
Barnes: You mentioned that other sanctions programmes may be stricter than the US, for example, or you shouldn’t assume that, if you comply with US rules, then you’re fine everywhere else. The same you shouldn’t assume if you have complied with the UK rules, you’re going to be fine everywhere else. And we’ve got an example of that just recently with the Belarus designations at the back end of June. Actually, now the EU sanctions have got people on their designated list who are not designated by either the US or the UK. We see an example again of having to think now about the EU as for some programmes being stricter than the US or UK. The question then goes, can one person do all this? Gayathri mentioned the need to have expertise in companies but can we think beyond individuals to AI and technology to try and help us with this problem? I wonder if anyone can share any examples of how they see technology developing to help companies navigate their compliance exposure around the world.
Kamalanathan: I’m certainly not a tech expert but I have got a lot of experience of working within organisations implementing big remediation programmes and therefore looking for different solutions. It’s obviously a critical partnership. It can enhance but cannot be a substitute for the expertise and assessment, particularly in this area. Clearly, you can use technology and the obvious spaces around fuzzy logic or name matching and things like that. One of the experiences I have had has shown that while technology is fantastic, it really must be seen as a partnership with the human interface and experience and other tools as well and checks and balances. Others may have more specific experience of technology that they can share.
Langley: I definitely agree with that. It’s about the people and their skills, as well as the technology but definitely it can be useful and complement. In terms of OFSI, we find that we can’t really be prescriptive and say companies should have X technology or should take Y approach. One of the reasons we can’t do that, even though we appreciate maybe some companies wish that we would, is just because we have to accept that all companies will be taking their own risk-based approach and they will know their own operating conditions and the different risks they face.
When thinking about the technology and how that can be used, those are really factors that need to be at the forefront of any considerations as well. I think, in the space of technology, it would be the same as general approaches that we would expect companies to take to all of their controls and due diligence, which is about looking at your company-wide risk assessment and risk tolerance, trying to identify the level of knowledge that you need to achieve your risk appetite. In the UK, making sure that the basics, like being signed up to OFSI’s e-alerts and checking their consolidated list, are all in place, but also really thinking about your particular business and the context you operate in and whether that poses particular risks around ownership and control, and trying to think about how to address those risks, which may or may not be through technology.
Kamalanathan: I would just make one other point as well and it is probably quite financial institution-focused but may apply to others. It is that your existing technology, not just in the control environment, your underlying data and the systems that your control technology is going to interact with is also really, really complex. Many financial institutions have merged with other organisations and have different platforms and systems. As you say, Aimee, it’s very difficult to sort of have a sort of prescriptive or specific approach to this because it will be so fact specific. There is a risk of over complication and different risks that could arise in that context.
Barnes: Gayathri, I mean just sticking on that: for my mind it ties in with a comment you made much earlier about this tension between the compliance risk and business risks and trying to perhaps make sure, as best you can, to embed a culture of compliance within the business. Do you see that happening with technology? We’re trying to embed control technology into the business operating technology as well.
Kamalanathan: It would help of course because there could be automatic sort of stops and barriers and alerts, and obviously it can enhance. But you’re absolutely right, that underlying culture can only come from learned behaviour, training, role modelling and your tone from not just that top layer but the middle layer that we’ve talked about that is absolutely critical to really understanding what it is that you’re being asked to comply with.
Enforcement authorities’ expectations of companies’ use of technology in compliance systems
Barnes: We’ve seen some OFAC actions against companies when their technology fails. So perhaps, Michael, you could just give us an insight as to what OFAC expects.
Lieberman: I just want to endorse everything that Aimee and Gayathri spoke of earlier. I was just thinking how they really took the words out of my mouth in so many ways. Like Aimee noted, we don’t necessarily have specific requirements with respect to technology. We expect a risk-based approach. That said, if you’re a global technology firm, your compliance solutions are going to lie in your technology most likely. And so, some recent actions that we’ve taken I think that really illustrate that would be the Apple case, the Amazon case and, much more recently, our case against SAP in Germany, where you saw some similar breakdowns there and a gap in their ability to screen where some of their technology software was going and where it was being used.
And, if you’re a global non-tech firm, the chances are that many solutions will lie in technology but there is no substitute for that human element. Some of our recent enforcement actions really do bear that out, where the issue wasn’t one of technology but what was one of controls basically and judgment and not fully understanding the applicability and scope of sanctions and how it pertained to particular processes. It is hard to see how technology could substitute for that in some of these cases, the Nordgas case, for example, [and] some other cases that are forthcoming. The human element really remains central. I would also point to the Alliance Steel case as well, where a company was doing business with an Iranian firm, individual Iranian firm, and didn’t really realise that that was an issue until they got a new CEO, who just happened to look at that situation and say “there’s something off here”.
OFAC’s enforcement approach to cryptocurrency
Lieberman: I don’t know if you want to come around to some of the other more recent cases with respect to virtual currencies, virtual assets. I would just also point to our focus on emerging technology as an issue of focus. Increasingly, we are seeing the fintech industry and the virtual asset exchanges and clearing houses and service providers running into some trouble where the scale of their business outpaced the ability of their compliance programmes to keep up. And there, the BitGo case, the BitPay case, obviously, is what I’m speaking about. Obviously, those are going to be technology-based solutions in cases like that. That’s the entire business of the firm. And so, really having that combination of technical expertise as well as the compliance expertise and marrying that together, I might suggest is going to be a very interesting area for the compliance community and certainly going to be something that we’re going to be looking at increasingly.
Barnes: Well, that was the question I was going to ask you, Michael. What is OFAC’s approach going to be to crypto transactions and digital currency?
Lieberman: We focus on industries where we do think that there may be a gap between what their business activity is and where their sanctions understanding and controls and compliance processes and procedures are. As Aimee noted, our goal is not to play gotcha. Our goal is to promote compliance and one of the ways we do do that is through our enforcement actions and by calling attention to deficiencies. And we see those deficiencies again in situations like this, where the sanctions compliance is really lagging the business growth and, in this case also the technology growth, because in this space, there’s so much evolution and it’s so fast. I’m sure there are challenges on a number of fronts with respect to compliance and we’re certainly looking at the sanctions angle and using these cases as an example for the rest of the industry so that they can hopefully avoid the same pitfalls.
Barnes: I know an awful lot of people are going to be interested, and rightly so, in the fact that OFAC is looking at particular industries where there may be gaps. So they will be, hopefully, plugging those gaps before you start looking at them too closely. Aimee, same question really – does OFSI take a similar approach to looking at where gaps might lie and are you going to be focusing on digital currencies, crypto transactions and the like?
Langley: It is very much a similar approach. We updated our guidance back in spring 2019 to say that crypto assets are funds or economic resources, so are included. But we are certainly aware of the increase in use of crypto assets in the financial sanctions space and it is an important issue to us as well. We’re collaborating with international partners such as the US and are planning on issuing some specific crypto guidance later this year to cover these issues.
I also just wanted to say something that struck me in the general discussion which would apply to technology but also would apply to all systems and controls in the compliance space, I think, which is the need to not only look at compliance at the time a transaction happens and to look at how technology plays into that, but also to make sure that that really is regularly reviewed and does stay up to date with emerging changing risks, as Michael has said, because it’s one thing to have a breach and to have a transaction that goes through and it’s a breach and OFSI finds out about it and we’ll investigate that appropriately. But if that thing continues to happen because the firm hasn’t picked up that that risk is there and hasn’t changed things and hasn’t reflected on their systems and controls, then that one breach can become 10 breaches or 100 breaches and potentially quite quickly, depending on the nature of the work. There’s definitely a really good point there, as Michael was saying, around that regular review which applies to use of technology but is actually probably a wider point as well and certainly would also apply in these newer spaces such as cyber and crypto.
The use of technology as part of a compliance monitor’s role
Barnes: Well, you have brought us, Aimee, nicely back to the bumpy road of enforcement that we spoke about earlier and also what happens post enforcement with remedial actions and monitoring, etc. Charlie, I wonder if I can ask you this question, about technology and monitoring.
We’ve gone down our bumpy road. We’ve had our enforcement action. We are now thinking about remedial action and how we can use technology as part of the processes we’re going to establish going forward to make sure we don’t end up in enforcement again. Can you give us any insights on that?
Steele: It’s sort of that we’re in this new world now and the appreciation of the value and necessity of IT solutions in the compliance lane is here to stay, and a compliance monitor is surely going to be a part of that. You think about the role of a monitor. The monitor needs to be able to credibly assure the government that the target has done what it needs to do. And so, if only because of the regulator’s current expectations and expectations going forward about the use of IT to achieve that level of assurance, the monitors are certainly going to. The nice thing for the monitor is the general proposition they can just impose that burden on the target. The monitor doesn’t have to do the heavy lifting itself.
It already is part of and it’s surely going to remain part of the new world going forward. The larger and more sophisticated companies and banks and entities are held by regulators generally to a higher compliance standard because you’re held to a standard commensurate with your size and sophistication, your international reach and, certainly in the US, and that’s embodied in OFAC’s compliance commitments and also in their enforcement guidelines, that principle is very much part of the enforcement analysis and I assume the same is true in the UK. And so monitors certainly now will be part both as a player and as an overseer of this new emphasis on IT.
The use of technology in internal investigations
Barnes: I’m going to back up a little bit and ask Kerry the question again but this time about using technology in the context of internal investigations. We’re in a situation where we’ve had Charlie’s monitor monitoring and it unfortunately hasn’t gone to plan because we think we might have another problem or, for whatever reason, we’re in an internal investigation. How do you see clients trying to really harness the use of technology and tech solutions as part of an internal investigation?
Contini: When I was listening to everybody else speak, I was really glad to hear everyone focus on the human side of this. I wasn’t sure if maybe I was just old fashioned and thinking that it starts with that and the technology has to fit in once you have a good culture of compliance. I think that that also plays out in the internal investigation context because a lot of an investigation is interviewing people, you’re going to be talking to people, and yes, you will be looking for data but, if your compliance programme doesn’t already have IT solutions in place, it’s going to be especially challenging to use them in the investigation context. You may have information that you need for the investigation that is spread across 10 different systems across the company – and for multinational companies, that’s actually probably more than 10 systems – so how do you actually gather this all in one place?
Well, there are certainly ways to do it. There are forensic firms that can help with that in the investigation context. But if you didn’t already have a compliance programme that took into consideration the fact that all of this data is relevant for compliance purposes going forward, it can be very challenging in an investigation context to gather it. I want to go back to talking about the compliance programme and how, if you design a compliance programme that has the right focus on a good culture of compliance and considers how technology can be used to meet that objective, that will make your life much easier when you get to an investigation and need to all of a sudden find all kinds of data that’s strewn around the company.
Barnes: One of the things I think I’m taking from this is that we can use technology but we can’t be driven by it. We drive it, not the other way around, and that wealth of technology, data-gathering, etc., might help an internal investigation explain what happened, but you still need to be interviewing people to ask them why they did it or explain what happened and then ask why it happened. Would that be a fair assessment?
Contini: I completely agree with that. It’s just so important not to lose sight of the bigger picture. It can be sometimes very exciting, with all these new tools. You can see all their capabilities and what they can do and they can be very helpful but they can also be distracting. Keep your sight on the big picture of, how can you ensure compliance.
Self-reporting to OFAC and OFSI
Barnes: Just one last question to Michael and Aimee on that theme. If a company comes to you and says this is what’s happened, I’m presuming you’re going to want to know, when you start thinking about any enforcement action and outcome, is not just what happened but why it happened. You’re going to be wanting a very clear and frank and transparent explanation as to why.
Lieberman: The most helpful disclosures that we see come in are those that have already done that legwork and identified and also remediated those gaps. Of course, our guidelines make very clear that we give substantial mitigation credit to companies that have remediated and we take that into account in our enforcement actions. We also discuss that in our public postings describing those actions. The more that companies can identify, remediate and then prevent going forward, the more we’re able to work with them constructively and, from our perspective, that’s better for the industry as a whole.
Just going back to this question about cooperation and what to tell OFAC in a disclosure, certainly the more detail there, the better. And if it’s not something that we have to issue several follow-up requests for information about or subpoenas about, certainly the better there.
Langley: I would completely agree. Our guidance gives up to a 50% discount for monetary penalty for voluntary disclosure but also it’s a significant mitigating factor. Actually, one of the slight updates that I referred to earlier in this most recent version of the guidance was to separate out cooperation and voluntary disclosure, to treat those as slightly separate things. We’ll assess the cooperation throughout the investigation, which will certainly include looking at the information that’s given to us. I completely agree with Michael as well that the more information, the better. Maybe the only small thing I would add is that because we are looking at the fact that the voluntary disclosure happened as soon as practicably possible, if you have an idea that a breach has happened but don’t have the full information yet, it’s absolutely fine to let OFSI know and let us know that you don’t have the full information and you’ll shortly be providing that once you’ve done your internal investigation and so on. That helps show that you are being transparent with us but also it doesn’t look as if you have just waited until you have crossed all the T’s, dotted all of the I’s before letting us know.
Barnes: I think that’s a great note to end on. Just to say thank you all ever so much for your insights. I found it fascinating and what I take from this is that we all need to get smarter. We’ve got the review as to, on a policy basis, how sanctions can get smarter in terms of when sanctions are applied, when licences are applied, when perhaps sanctions are lifted, but also how we all need to get smarter, both in the companies as to how they deal with compliance, how they deal with potential enforcement actions and investigations, and also how to deal with remediation. One of the most important things from all of this is that it’s the people that matter, whether you’re talking to colleagues in the company from a different country, whether you’re talking to enforcement in the context of a potential action or whether agencies are talking to each other. Thank you all very much for talking to us today.