U.S. releases new sanctions compliance guidance
The U.S. Office of Foreign Assets Control (OFAC) has released new guidance on strengthening sanctions compliance programs for companies based in or conducting business in the U.S. In the same month, there have been developments in sanctions in the U.S., China, Russia, Ukraine and Iran, and signs that U.S. and EU sanctions regimes are diverging. It has never been more important for companies to improve their compliance process to mitigate the risks caused by increasingly complex global sanctions regimes.
Rapidly changing sanctions
The global sanctions landscape never stands still. Recent sanctions developments show the importance of any company that operates internationally having in place a rigorous sanctions compliance program. The U.S. has added Chinese telecom giant Huawei to a list of sanctioned companies for violating U.S. sanctions on Iran. It has also tightened sanctions against Iran by revoking waivers on some buyers of Iranian crude oil. In response, China’s foreign minister opposed the U.S. sanctions against Iran. The following week, Ukraine imposed new economic sanctions against Russia banning supplies of certain agricultural products, transport vehicles and industrial goods. Russia is expected to respond with new sanctions of its own against the Ukraine.
New OFAC guidance
In a timely move, the U.S. Office of Foreign Assets Control (OFAC) has underlined the importance of sanctions compliance by releasing new guidance on sanctions. This does not only apply to U.S. firms, but any global firm doing business with or in the U.S. OFAC “strongly encourages” firms to “employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program.
”The five principles of a good program, according to OFAC, are as follows:
1. The commitment of senior management to supporting a risk-based compliance program.
2. Carrying out routine risk assessments on third parties, including due diligence on clients, suppliers, products, services and geographic locations. This assessment should identify potential areas where a company might make direct or indirect contact with a sanctioned entity, and therefore expose the firm to legal, financial, strategic and reputational risk by breaching an OFAC sanction.
3. Robust internal controls to define appropriate procedures and minimize risks. These controls should be relevant, easy to follow and use technology if appropriate.
4. Comprehensive testing and auditing of a sanctions compliance program to ensure that weaknesses in the program are identified and corrected.
5. Delivering an effective training program to all staff and, as appropriate, relevant clients and suppliers, to ensure they understand sanctions risks.
The OFAC guidance should be useful to companies who are looking to strengthen their compliance programs. But lawyers at Latham & Watkins LLP warn that it could raise risks for companies who ignore the guidance. “The Compliance Framework … provides a ready-made menu of compliance enhancements from which OFAC may draw in resolving enforcement cases,” they write. “Companies should be aware that with the Compliance Framework, OFAC may be more assertive in seeking to impose compliance obligations as part of future settlements.”
Complex sanctions dynamic across the pond
The new guidance from OFAC has many similarities to the EU’s draft guidance on best practices for internal compliance programs, which it released in September 2018. It listed seven best practices, including management commitment, training and awareness raising, organizational structure and auditing. But it specifies certain additional responsibilities, including “a comprehensive record keeping system”, an “adequate filing and retrieval system” both on paper and electronically, and a recommendation to consult with the relevant authorities “in case of doubt or suspicion” of a sanctions breach.
While the guiding principles for companies from the U.S. and EU may appear similar, the actual sanctions each imposes often differs significantly. This is evident in their recent respective approaches to sanctions against Iran.
The U.S. recently re-imposed sanctions on Iran after withdrawing from the Joint Comprehensive Plan of Action last year. But in return, the EU updated its regulations to restrict EU firms’ compliance with the new U.S. sanctions. Although there are signs the UK’s sanctions policies could change after it leaves the EU, it has committed to supporting the EU on this issue.
This is a further reminder of the complications that sanctions pose for firms operating on both sides of the Atlantic.
What should companies do?
If a company breaches a sanction, it exposes itself to significant reputational, legal, financial and strategic risks. So, staying on top of changes in sanctions is vital for companies with a global supply chain or client base, and the best way to do that is by introducing a compliance program that monitors sanctions watchlists and media coverage of sanctions on an ongoing basis.
Technology is becoming an increasingly useful asset in companies’ sanctions compliance programs. Firms have successfully used Robotic Process Automation (RPA) and other AI-driven technology to help automate compliance checks. When sanctions regimes change and new individuals or organisations are added to a watchlist, such tools automatically alert the company to these changes so they can carry out enhanced due
diligence or even stop doing business in that area. This is more efficient and effective than carrying out regular manual checks to sanctions lists.