With countries increasingly using sanctions as a foreign policy tool, as well as a means of combating money laundering and terrorist financing, many companies today are struggling to manage sanctions screening and risk. Long gone are the days when the responsibility of a sanctions compliance officer was to simply check names in transactions and onboarding documentation.
The constant shifting of geopolitical developments makes it a challenge to effectively monitor continual changes in watchlists across all organizations and regions. Compounding the politics are major marketplace disruptions such as cryptocurrency. Many companies are expanding their offerings with various innovative products and services like crypto, further stressing their sanctions compliance programs (SCP).
What’s more, increasingly complex ownership structures employed by both legitimate enterprises and illicit actors have led to often-impenetrable veils, with the rise in ownership layers using intermediaries across multiple jurisdictions. Some sanctions evaders are sheltering assets in out-of-reach jurisdictions, which serves as a reminder that an SCP must contend with varying sanctions regimes as well. While there are some consistencies between different jurisdictional regulations, variances lie in the minutiae and oftentimes confusing and/or conflicting details. For example, the U.S., UK, and EU have differing approaches to aggregating ownership for sanctions risks, leading to situations where a beneficial owner may be indirectly sanctioned in the U.S. but not in the UK. Despite these disparities, companies are expected to comply with each and every sanctions regime in the jurisdictions within which they operate.
To navigate these complexities, companies are implementing more advanced screening methods to monitor their transactions, under regulatory guidance provided by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). This includes selecting and integrating a reliable, right-sized sanctions screening software package, customizing and strengthening controls, enhancing country data, integrating and maintaining multiple watchlists, leveraging system APIs, implementing internet protocol (IP) blocking, staying abreast of industry evolution, and applying other advanced analytical methods to flag customer and transaction-related sanctions risks.
Increased Scrutiny and Big Fines
Keeping pace with sanctions laws and regulations across jurisdictions is a high-stakes game. In recent years, we have witnessed a dramatic increase in the number of sanctioned entities and individuals, along with further dedication of resources by sanctioning bodies to prosecute non-compliance, including record high fines.
- In 2022, OFAC imposed its largest fine at the time on a financial entity, $24 million. The fine came as a result of a joint resolution between OFAC and the Financial Crimes Enforcement Network (FinCEN), targeting a cryptocurrency exchange.
- Also in 2022, OFAC announced an even larger fine on a non-financial entity, totaling $508 million, as part of the settlement agreement with a tobacco company to resolve its apparent violations of U.S. sanctions against North Korea. This settlement reflects the statutory maximum penalty.
Such cases demonstrate the potential financial and reputational consequences for non-compliant individuals and entities. With sanctioning bodies continuing to invest in their investigative and prosecutorial functions, we should expect to see enforcement actions increase into 2024 in the form of cancellations of business licenses and/or even criminal charges, as well as fines for non-compliance.
There is no one-size-fits-all when it comes to a suitable SCP. While the jurisdictional nuances, rapidly evolving landscape, complex ownership structures, sophistication in financial crimes, rising cost of compliance, and competing priorities pose challenges to the timely upkeep and maintenance of a company’s effective SCP, the consequences of stepping on a sanctions landmine can have far-reaching impacts on an institution, making it impossible to ignore the challenges. To help address this situation, OFAC encourages organizations to develop, implement, and routinely update a risk-based approach to sanctions compliance. The agency extends favorable consideration to organizations that have implemented an effective SCP at the time of an apparent violation, predicated on five essential components of compliance:
- Management commitment
- Risk assessment
- Internal controls
- Testing and auditing
- Training
Varying factors of a fit-for-purpose SCP should also be considered, including a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.
Adding to the regulatory scrutiny, in March 2023, the U.S. Department of Justice Criminal Division updated its “Evaluation of Corporate Compliance Programs” (ECCP). The ECCP serves as guidance to prosecutors in helping to make informed decisions about whether and to what extent an SCP is effective at the time of the offense, as well as at the time of any charging decision or resolution, for the purposes of determining the following:
- The form of resolution or prosecution
- The monetary penalty, if any
- Compliance obligations (e.g., monitorship or reporting) to be contained in any corporate criminal resolution
While the long-term solution to some of these challenges includes greater support and synchronization from governments, such as aligning their laws, guidance, and enforcement, the question for companies is what to do in the meantime.
What Does Effective Compliance Look Like?
A solid SCP undoubtedly relies on adopting a proactive and dynamic approach to sanctions, as well as leveraging industry insight to effectively develop, implement, manage, and mitigate the risks associated with sanctions compliance. The key components are outlined below.
- Management Commitment
As with all things, commitment from the top is essential to achieving individual and organizational success. The engagement of senior executives and the board is a critical factor in weaving an adequate program into the fabric of an institution’s operations. Their commitment to compliance should include evidence of the following actions:
- Reviewing and approving the organization’s SCP
- Granting authority and autonomy to the appropriate compliance officer to deploy the SCP in a responsible manner
- Establishing direct reporting lines between the SCP function and senior management
- Funding adequate and experienced human capital for both compliance and technology functions
- Instilling a culture of compliance throughout the organization to drive a robust and meaningful SCP
- Demonstrating the seriousness of compliance, generally, through their behavior and actions
- Risk Assessment
It is recommended that organizations take a risk-based approach when designing or updating an SCP. Organizations need to conduct a routine and, if appropriate, ongoing “risk assessment” to identify potential and likely issues that impact their business. The results of a risk assessment are integral to informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks. A holistic review of an institution’s risks ought to be performed, with consideration given to the following questions:
- With whom are organizations doing business?
- What products and services are being offered, including consideration of geography and methods of delivery?
- Where are products and services derived from?
- How diligent are the sanctions compliance programs of companies under review for potential mergers or acquisitions?
Developing a risk assessment methodology to identify, analyze, and mitigate risk is critical to any institution’s compliance program in general and its SCP in particular.
- Internal Controls
The purpose of internal controls is to minimize and mitigate the risks identified by the organization’s risk assessments. An effective SCP should define policies, processes, and procedures pertaining to OFAC compliance (including reporting and escalation chains) in order to identify prohibited activity and prevent potential misconduct. An institution should have evidence of the following controls for its SCP:
- Development and implementation of policies, procedures, and related controls
- Adequate controls that address the results of its risk assessment and profile
- Confirmation with routine audits of the enforcement of policies, procedures, and compliance through its internal controls
- Assurance that recordkeeping policies and procedures account for requirements pursuant to OFAC
- Immediate and effective action to address all identified weaknesses
- Socialization of SCP policies and procedures with leadership and appropriate stakeholders, along with accountability
- Steps by responsible parties to ensure that SCP policies and procedures are woven into operations across the organization
- Testing and Auditing
While both testing and auditing are required means for an organization to evaluate the effectiveness of an SCP, there are differences between the two. Testing is a real-time review of the effectiveness of controls, such as whether they are working as intended. An audit is more comprehensive and forensic in assessing the overall approach to the program. Procedures and related controls should be tested and audited routinely to help identify deficiencies and inconsistencies to be addressed, keeping in mind that regulators are far more favorable to self-identified issues. An institution should have documentation of the following activities related to its testing/audit programs:
- The testing and audit functions are accountable to senior management.
- There is a commitment from management to provide adequate human capital and expertise.
- An institution’s leadership has ensured that testing or audit procedures are appropriate for and commensurate with the level and sophistication of its SCP.
- Immediate and effective action is taken to address all identified weaknesses.
- Training
Sanctions training is essential to a successful SCP and shows a commitment to upholding a compliance culture where all essential employees are held accountable. A satisfactory sanctions training program should provide immediate (upon onboarding) training, as well as periodic mandatory training, to correct gaps and provide the required knowledge and responsibilities for each role in the institution. Additionally, it should be tailored to an organization’s risk profile. An institution’s training program should demonstrate the following:
- There is a commitment by management to ensure that adequate information and instruction is provided to essential parties during training.
- The training programs are appropriate for the institution’s products and services.
- The training calendar, including frequency of courses, is commensurate with the organization’s risk profile.
- Immediate and effective remedial training is provided to individuals upon learning of non-satisfactory test results.
- Accessible resources and materials are provided to all essential personnel.
While the rules may be confusing and fluid, the consequences of running afoul of them can be damaging and severe enough that you need a game plan to keep your sanctions program current. It is encouraging to note that OFAC has outlined the framework described above to define the essential components and behavior of an institution’s sanctions compliance program. The rigor of assessments, application of controls, mitigation of risks, and testing/auditing should be commensurate with an institution’s size, complexity, and business activities.
How Treliant Can Help
Implementing and assessing your sanctions screening program is crucial, and Treliant is ready to help. We have a highly experienced team, led by former chief risk and compliance officers and regulators. We provide international coverage delivering projects throughout North America, South America, Europe, and Asia. Our engagement model is adaptable by design and can be tailored to your organization’s needs. We provide advisory consulting services, as well as flexible staffing models such as managed services or staff augmentation. Please visit our website to learn more or contact us.