When was the last time you performed a gap analysis of your organization’s sanctions compliance program?
Potential sanctions violations could be waiting just around the corner. Meanwhile, U.S. regulators expect international companies to have sophisticated sanctions and export controls programs. This is especially true for those that engage with U.S. persons, U.S. goods or the U.S. financial system.
Here are some thoughts on managing the risk proactively.
Annual Risk Assessments
Effective compliance is built on risk assessments. Conduct assessments early and often, at least annually, and consider the risks posed by the customers, products and geographies with which you do business. Take into account the relative strength of your organization’s compliance controls in light of recent audit or compliance testing findings. And develop an action plan that responds to any deficiencies observed. Overall resources should be allocated in accordance with areas of highest risk.
Don’t overlook the commercial risks associated with sanctions. Examples include delayed or seized shipments, difficulty obtaining financing, lost business opportunities and litigation risks. Non-U.S. companies that do business with U.S. persons or U.S.-regulated companies should think carefully about how sanctions risks could impact their partners and resolve issues ahead of time. This is doubly important for those that seek financing from U.S. sources—sanctions weaknesses often get highlighted during due diligence.
Here are some other (non-exhaustive) examples of best practices for building a world-class sanctions compliance program. How well does your organization stack up?
- Make governance and escalations key features of your compliance program. Responsibilities should be well delineated with clear lines of authority for decision-making. Don’t forget to keep records of decisions and management meetings.
- Know your customer (KYC) and customer due diligence (CDD) procedures should help identify high-risk customers (HRCs). Enhanced procedures for customers with high sanctions risks should be documented with clear steps for assessing and responding to sanctions red flags.
- Develop a comprehensive map of data flowing through, and stored within, various systems for the purpose of sanctions screening. From a sanctions perspective, relevant information can be related to customers, accounts, third parties, transactions or other activities involving property or any direct or indirect provision of value.
- Training on sanctions risks and procedures should be delivered regularly to employees, including directors and senior management, and tailored to their specific roles.
- Due diligence is critical to uncovering transactional risks presented by counterparties and for tailoring covenants in deal agreements. Due diligence questionnaires should probe for sanctioned countries, sanctions targets or entities owned or controlled by sanctioned persons. Even indirect dealings with sanctions targets can pose risks. Take for example an intermediary that sells a company’s products into a sanctioned country.
- Transparency and accuracy are virtues. Information should never be removed from payments, trade documents or databases to disguise sanctioned countries or persons. Doing so can lead to significant reputational costs; delayed, rejected or frozen transactions; and informal blacklisting by banks, suppliers and other parties due to perceived risks—not to mention potential regulatory consequences.
- Conduct internal investigations under attorney-client privilege and, if appropriate, self-disclose potential regulatory violations with the aid of legal counsel. Train your staff on crisis management protocols, dawn raids and restrictions on communications with regulators or the media. It never hurts to be prepared for the unexpected.
This list is just a start. Your sanctions controls should stay current with changes in the enforcement and regulatory environment. Sanctions regulations are among the most complex and dynamic of any area of law. Appoint a dedicated person to monitor changes to regulations, emerging risks, enforcement actions and other trends. New information should be shared with internal stakeholders in a timely, actionable manner and incorporated into policies, procedures and training as necessary.
When in doubt, seek guidance from a lawyer with expertise in the field.