Skip to content

Navigating sanctions compliance in third-party risk management

The proliferation of international sanctions regulations have dominated the legal landscape largely since the decision of the Putin regime to launch an unprecedented attack against the sovereign nation of Ukraine in early 2022. Since that time, sanctions regulations have been adopted by both individual nation-states and transnational global organizations with increasing regularity to punish the government of the Russian Federation for its aggression and constrict its ability to wage offensive warfare.

Relying on individual sanctions list designations, sector-specific restrictions, and more general transactional prohibitions, international sanctions regimes have been adopted by a broad coalition of countries collectively seeking to dissuade the Russian Federation from pursuing its current course by diplomatic rather than military means. This precipitous increase in sanctions activity has required organizations operating internationally to account for sanctions as an integral component of a contemporary ethics and compliance program. Faced with the prospect of crippling administrative penalties, exclusion from participation in public procurement activities, unquantifiable reputational damage—and even criminal liability in the most egregious cases—such organizations have invested significant resources into a host of procedural safeguards designed to enhance the quality of existing sanctions compliance programs.

What are sanctions?

Broadly speaking, the term “sanctions” refers to any set of laws or regulations enacted by an international body or nation-state to punish the targeted individual, entity, or country for engaging in activities that are deemed contrary to international law and/or global political stability. Sanctions regulations take many different iterations, including but not limited to, financial or economic sanctions (in the form of direct and indirect financial dealing prohibitions, transactional restrictions, industry-specific restrictive measures, and asset freezes), travel bans, and import/export restrictions. While the details of sanctions regimes vary considerably by jurisdiction, the ultimate goal of such measures remains the same—namely, to coerce the sanctions target into abandoning a problematic course of action and deter others from pursuing a similar path.

Practically speaking, sanctions regulations restrict the ability of individuals and entities to engage in specified conduct with a sanctioned party. In the case of sanctions regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) for instance, inclusion on the ubiquitous List of Specially Designated Nationals and Blocked Persons (“SDN List”) operates to prohibit U.S. Persons from engaging in any commercial dealings or other transactions with a designated person. This prohibition also extends to any entity owned fifty percent (50%) or more in the aggregate by one or more SDN List parties, effectively precluding any entity or individual closely associated with a designated individual from materially benefiting from circumvention efforts. In a similar vein, European Union (“EU”) “restrictive measures”—when targeted towards a specific individual or entity—can completely frustrate the ability of third parties to engage in any transactions whatsoever that involve the assets of a designated party, as well as entities owned or controlled by such parties.

What is involved in the sanctions screening process?

The sanctions screening process is a core component of an organization’s due diligence efforts, designed to mitigate its overall exposure to third party risk. Faced with the prospect of entering into a contractual relationship with a specific counterparty, the organization proceeds to collect basic information from that counterparty concerning its organizational structure, current beneficial ownership status, financial wherewithal, and legal and regulatory history (among other things). The organization then screens both the prospective counterparty and its owners against the broadest possible array of global sanctions lists available to ascertain whether a company or any of its beneficial owners are sanctioned parties. Potential matches against global sanctions lists are then evaluated for relevance to the contemplated transaction in conjunction with the legal and compliance functions of the organization. Notably, sanctions screenings of an organization’s existing contractual counterparties are also conducted at regular intervals to ensure that the organization keeps pace with frequent sanctions list changes.

Why are sanctions screenings important?

Basic sanctions screenings are an indispensable element of an organization’s third party due diligence efforts and are increasingly mandated by global regulators and enforcement authorities charged with the administration of sanctions laws and regulations. This is particularly true in the United States, where OFAC has issued “A Framework for Compliance Commitments” that speaks to the importance of periodic screening as a proverbial first line of defense against potential sanctions infractions. Notably, given the growing sophistication and complexity of circumvention and evasion schemes, effective sanctions screening now requires the identification and vetting of all beneficial owners that may be affiliated with a prospective business partner. The failure to collect and properly utilize this information as part of the initial and recurring screening processes is an almost certain recipe for a sanctions violation resulting from misapplication of the ownership and control rules that are often ancillary to primary sanctions regulations themselves (e.g., OFAC’s Fifty Percent Rule and the EU’s restrictive measures “control” test).

What are common sanctions screening challenges?

Apart from the identification of all beneficial owners and affiliates/subsidiaries of sanctioned entities, a recurring challenge unique to sanctions screening is the degree of precision needed to properly vet individuals and entities against global sanctions lists. A number of enforcement actions brought in recent years by the U.S. government have emphasized the role that so-called “fuzzy logic” plays in generating potential matches, including a series of violations involving one of the world’s largest cell phone manufacturers that originated from the failure of its screening system to account for lower-case name variations in identifying sanctioned parties. In addition to issues of precision, organizations also face issues related to the frequency of recurring sanctions screenings. This is particularly true for organizations whose commercial activity occurs regularly in global hotspots, where additions and modifications to sanctions lists can happen almost daily, if not weekly. As one relatively recent OFAC enforcement action involving a U.S.-based financial institution emphasized, such organizations must be familiar with the re-screening capabilities of any system they choose to employ for sanctions compliance purposes and adjust the frequency of such screenings to fit their unique risk profile.

A survey of relevant enforcement activity

In recent years, the enforcement of global sanctions regimes has grown exponentially as governments increasingly resort to more punitive measures in an effort to combat the scourge of sanctions evasion by unscrupulous actors. In the United States in particular, the enforcement of sanctions regulations has largely supplanted proceedings initiated under the auspices of the Foreign Corrupt Practices Act (“FCPA”) as a major prosecutorial objective, leading the current Deputy Attorney General to refer to the enforcement of sanctions regulations as the “new FCPA.”

On December 23, 2023, OFAC announced the settlement of an administrative enforcement action involving a domestic insurance company over repeated violations of Ukraine-/Russia-Related sanctions emanating from the provision of coverage to an entity owned by a SDN List designee. According to information made available by OFAC in the aftermath of the announcement, the domestic insurer failed to exercise “due caution or care for its sanctions compliance obligations” by neglecting to ensure that complete beneficial ownership information concerning its customer was incorporated into its screening program. As a consequence, the domestic insurer unwittingly collected insurance premiums totaling approximately $308,391 from a foreign entity owned by a known SDN List designee for over two (2) years, and even processed an insurance claim in the foreign entity’s favor. While the entity ultimately agreed to pay the relatively modest sum of $500,000 in administrative penalties to settle the allegations against it, OFAC was quick to leverage the enforcement action as a case study in sanctions compliance program deficiencies, specifically noting that organizations are obliged to implement and maintain effective sanctions compliance controls that incorporate “all relevant available information” necessary for the conduct of responsive sanctions screening.

More recently, the U.S. government has also underscored the importance of foreign person compliance with U.S.-issued sanctions regulations. While historically only U.S. Persons have been subject to compliance with OFAC-administered sanctions regimes, a recent uptick in global circumvention activity—often aided by persons not ordinarily subject to U.S. jurisdiction—resulted in the issuance of a new tri-seal joint compliance note by the Departments of Commerce, Justice and the Treasury. The note presciently warns foreign persons that they are prohibited from “causing or conspiring to cause U.S. persons to wittingly or unwittingly violate U.S. sanctions, as well as engaging in conduct that evades U.S. sanctions.” To that end, foreign persons that intentionally: (1) obscure or omit reference to the involvement of sanctioned parties or jurisdictions in financial transactions involving a U.S. person; (2) mislead a U.S. person into exporting goods ultimately destined for a sanctioned jurisdiction; or (3) route a prohibited transaction through the United States or the U.S. financial system, risk being held civilly and/or criminally liable for their misdeeds.

The bottom line for compliance professionals

The decision to prioritize the enforcement of sanctions regulations over other competing legal regimes should be a clear indicator to compliance professionals of the need to devote substantial time and resources into bolstering the effectiveness of current sanctions compliance programs. Organizations that are still reliant on manual screening processes must act swiftly to adopt automated screening solutions capable of accounting for the most recent sanctions list designations. Entities that have already adopted such solutions must be engaged in continuous assessment and improvement efforts designed to enhance the capacity of those systems to detect a sanctions violation before it occurs. By taking action now to ensure an organization’s sanctions screening process is sufficient to meet emerging expectations, global companies can more efficiently mitigate a major source of third party compliance risk.

Volkov Law

The Volkov Law Group is a premier boutique law firm specializing in corporate compliance, internal investigations, and white-collar defense. The attorneys at the Volkov Law Group bring over 40+ years of combined experience in government, big-law firm, federal prosecution, corporate monitoring, and corporate consulting. They specialize in: Anti-Corruption Compliance and Enforcement; Compliance Strategies And Programs; Criminal Investigations And Prosecutions; Internal Investigations; Government Relations; and Training.

Implement a tailored Third-Party Risk Management solution