Corporate compliance officers are going through tumultuous times these days, but one signal cuts through all the noise: increased sanctions enforcement is a surging priority.
Regulators are using sanctions as an enforcement tool more boldly, both in the United States and overseas. In the United States, penalties are at an all-time high, with $1.3 billion imposed by the Office of Foreign Assets Control (OFAC) in 2019, and so is the number of OFAC enforcement actions: 82 last year, compared to an average of about 65 per year for the rest of the 2010s.
Regulators also want more effective sanctions compliance programs from the corporate world. They have published detailed guidance about what a sanctions compliance program should look like, and adopted new leniency policies for companies that step forward to confess sanctions errors and cooperate in investigations.
So both the threat of punishment for violations and the rewards for better compliance are rising at the same time. Meanwhile, sanctions compliance itself is growing more complex by the day, as regulators add specific individuals or companies to, or drop them from, their sanctions lists all the time.
None of that is likely to change any time soon. So compliance officers from every slice of the industry, including those at smaller companies or those in sectors not traditionally at high risk of sanctions enforcement, need to ensure that their compliance program is up to the challenge.
How? Here are three points to ponder.
1. Structure Your Sanctions Properly
First, structure your sanctions compliance function intelligently. The OFAC guidance on sanctions compliance programs talks at length about a program’s basic structure and oversight.
For example, the program should have someone who knows sanctions compliance in charge of the sanctions compliance program. That person can hold several different titles depending on the company’s specific risk profile: Bank Secrecy Act officer, export control officer, or even you, the chief compliance officer. OFAC’s point is that effective programs have someone who understands sanctions issues sufficiently for the risks your company faces and has the respect and attention of senior management.
Likewise, you might want to centralize all sanctions compliance into one office or function, staffed with people sufficiently skilled to handle the nuanced questions that sanctions compliance can bring. OFAC specifically warns that decentralized sanctions compliance programs can lead to different (read: wrong) interpretations of sanctions rules.
In both examples here, the question is really whether you can marshal the right human capital to address your sanctions compliance issues effectively. If you don’t build that foundation first, all the steps you’ll take later—from new technology to policies and procedures to working with other parts of the enterprise—will be less effective than what you’d want.
2. Prioritize Due Diligence
Second, build your due diligence capability. At its core, sanctions compliance is about not doing business with certain people or businesses designated by regulators. Whether that effort is part of the Export Control Act, the Bank Secrecy Act, the Magnitsky Act, or any other law—the fundamental capability you need is due diligence.
Spoiler alert: regulators say companies need to do better at that.
For example, an official at the Office of the Comptroller of the Currency recently chided banks for mediocre compliance with the rule that they must identify the beneficial owners of corporate accounts. Or for those of you not in banking, recall OFAC’s penalty in 2018 against a Virginia electronics distributor because it had misconfigured screening software, and therefore missed the partial match of one of its customers against a sanctions watch list.
Due diligence capability requires several components. First, companies need the right data, from both internal and external sources. Second, they need the right technology to bring that data to full use: to make the best assessments of a third party and who its beneficial owners or controllers truly are.
Above all, however, effective due diligence blends that data and technology with human expertise. After the automated screening; after the artificial intelligence that eliminates false positives and negatives; after the data analytics—you still have a pool of difficult cases. Due diligence capability is about combining the right human capital (see our first point, above) with the right technology, to give the best answers possible.
3. Infuse Compliance Into Existing Processes
Third, work with the rest of the business to weave sanctions compliance into routine operations. Even if you use a centralized office to decide difficult sanctions issues, the success of sanctions compliance overall depends on the whole enterprise weaving sanctions compliance practices into daily operations.
For example, collecting data about new customers during onboarding is crucial. If you impose too many manual burdens on sales teams, they’ll try to evade you. On the other hand, a radical redesign to automate new customer onboarding might also be disruptive. Compliance officers need to explain the need for better procedures and win the support of the people who’ll use those procedures, even if that’s a painstaking journey.
Compliance officers also need to work with the legal function and senior management to develop a response plan when sanctions violations do happen. The Justice Department announced a cooperation credit policy for sanctions violations in December 2019, modeled on the FCPA Corporate Enforcement Policy: voluntary self-disclosure, cooperation in investigations, and remediation of mistakes.
Sanctions offenders are still likely to end up with deferred-prosecution agreements in that scenario, so the temptation will exist to keep quiet and hope your offense goes unnoticed. That’s a risky bet to make, and one that undermines the culture of compliance companies are supposed to have. So that means more communication and legwork from the compliance officer, to persuade the C-suite about a wiser course.
Managing Increased Sanctions Enforcement
The good news for compliance officers is that all this should sound familiar. These steps are, essentially, the same ones compliance officers needed to take in the 2000s and 2010s to build effective anti-corruption programs. The goal is different today, but the basic steps are the same.
Strong compliance leadership and a thoughtfully structured compliance function. Finding the right data and using the right technology to analyze it. Working with business units and leadership to convince them that a culture of compliance is good business.
Those are sturdy ideas, perfectly suited for the new challenge of sanctions compliance. We just need to apply them to the new increased sanctions enforcement environment that’s here to stay.