Post By: Oleg Kozlov, Consultant, Compliance, Forensics & Intelligence – Control Risks
Since 2014 many international companies doing business in Russia faced a severe new reality shaped by sanctions against Russian individuals and legal entities introduced by the US, EU, UK, Canada and others. The US Office of Foreign Asset Control (OFAC) of the US Department of the Treasury has been especially rigorous in enforcement: 2019 hit a record of $1.3 billion in total penalties imposed in 30 instances. Fines were paid by companies from a range of industries: Apple, GE, Allianz, PACCAR, Acteon Group to name a few. Banks faced the highest fines – Standard Charted ($657 million) and UniCredit ($611 million). For corporates this results in additional pressure that banks translate to their clients, e.g. inclusion of self-reporting clauses in contracts with clients that oblige clients to report any instances of sanctions violations. To detect and report incidents timely corporates have to implement a thorough sanctions compliance and monitoring programs.
There are several key OFAC restrictive measures related to sanctions and export control:
- Special Designated Nationals (SDN) list – the constantly updated “black list” of sanctioned individuals and legal entities with whom (or their 50%+ owned subsidiaries) any business is prohibited to the US entities or entities having any nexus to US (e.g. a representative office in the US or using payments in USD),
- List of sanctioned territories with various restrictions (Crimea and Sevastopol, North Korea, Iran, Sudan among the total no-go’s),
- Financial and sectoral sanctions (specific restrictions primarily in defence industry, oil & gas, nuclear power in Russian context).
The need to check and monitor an array of evolving requirements makes sanctions compliance for multinational companies operating in Russia an extremely challenging task.
Considerations for multinationals
Sanctions come without prior notice and require immediate and often drastic and unpleasant action, keeping compliance professionals awake in the middle of the night:
- What if your key Russian customer becomes a sanctioned SDN overnight?
- What if you realize someone in your company supplied goods or services to a sanctioned territory?
- What if you are in the middle of a long-term project with multiple stakeholders and one of the contractors is replaced by another, a sanctioned entity?
These tough questions often require external legal advice and risk assessment because many factors should be taken into account. Here are some practical tips to build and improve you sanctions compliance programme:
- Due diligence into ownership and control structures. Ensure you conduct comprehensive ownership and control research, check close associates and management of new customers and vendors against international sanction lists. It is often not enough to screen just the customer – consider the end-user of your products, third parties and end use destination. It might be worth checking this information for all individual orders in high risk areas (e.g. defence industry or oil & gas). Make sure the information you receive is verified and the screening process is documented.
- Ongoing sanctions monitoring. Sanctions change over time, new companies are added in the restricted lists and delisted on a monthly and sometimes weekly basis. Your business partner that was not sanctioned yesterday can become an SDN tomorrow – hence the need for ongoing monitoring for existing customers and vendors.
- Careful wording of contracts. Include sanctions clauses, enabling contract termination in case of changes to sanctions regimes and designations. Also ensure you have limited liability clauses and exit clauses, preferably with an opportunity to unilaterally terminate the contract within a specified notice period. Include clauses allowing you to audit third parties to understand where they move your products. Some counterparties can push back on such clauses and depending on circumstances legal council should be consulted.
- Sanctions and export control policy. Firstly, ensure there is a clear policy in place as compliance is possible only when the rules of the game are transparent and do not change hectically over time. Secondly, adjust the current procedures within your organization to reflect the requirements – this might concern everyone from Sales and Marketing to Finance and Legal.
- Regular trainings and active communication. Your policies and procedures will not work on their own – they have to be communicated and understood by all stakeholders. While e-learning has become the industry standard and provides some good metrics, such as completion rates, test scores, etc. – “old-school” face-to-face trainings enable the dialogue between Sales and Compliance, mutual questions and better understanding of why compliance is so important, which level of risk can be tolerable, what are the current procedures.
It should be understood that very likely you cannot trace every product your company produces, where and to whom it goes. Some industries have complex supply chains: intermediaries, distributors, agents and resellers make it harder to track the route your product takes and who is the end-user. A distributor makes purchases for stock, cannot predict when and to whom it will be resold and often does not want to disclose the end-user due to confidentiality or business concerns – there are multiple traps along this way.
However, you should be able to demonstrate a sufficient level of due diligence and precaution exercised in case of potential inquires from authorities, banks that provided you credit facilities or OFAC. The latter released its sanctions compliance programme (SCP) guidelines in May 2019 containing recommendations on risk assessment, internal controls, testing, auditing, training. It is critical to take a risk-based approach, focusing your compliance efforts on areas that are most vulnerable to sanctions risks, and develop procedures to ensure you have enough documented evidence of due diligence activities you could show to regulators knocking on your door. And most importantly ensure that Compliance knows the business and speaks the same language with Sales, acting in Business Advisory rather than Sales Prevention capacity.