It’s a Mad, Mad, Mad, Mad World of Sanctions

Best Practices for Navigating the Increasingly Complex Sanctions Environment

2

It’s a Mad, Mad, Mad, Mad World of Sanctions

In May, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) released extensive new guidance on what constitutes an effective sanctions compliance program. Coming amidst a complex sanctions environment and an increasingly aggressive approach to enforcement, the guidance provides insight into OFAC’s views on the best practices that companies should follow to ensure compliance with U.S. sanctions laws and regulations. It also serves as a roadmap for how to prevent sanctions violations from occurring, as well as how OFAC will assess the adequacy of a company’s compliance program in the event of a violation.

A webinar co-organized by RANE and Dow Jones Risk & Compliance examined some best practices that companies can use to benchmark their own sanctions compliance programs and how to leverage this guidance to adeptly navigate the regulatory and commercial risks sanctions pose. Highlights of the conversation follow.

Critical Elements of OFAC’s Guidance on Compliance Programs

The OFAC guidance published in May contains sections that detail components of a compliance program—which include management commitment, risk assessment, internal controls, testing and auditing and training—as well as a look at why compliance programs fail. It closely tracks the Federal Financial Institutions Examination Council’s (FFIEC) guidance, but in this case, it also includes companies outside of the financial sector.

The OFAC framework “put a lot of companies that maybe weren’t cued into sanctions compliance risk on notice,” said Eric Lorber, director of the Financial Integrity Network. As a result of increased awareness around sanctions obligations or potential sanctions risk, a significantly greater number of companies will

“recognize what their sanctions obligations are and act accordingly,” he added.

The core elements of OFAC’s sanctions components program map very closely to the traditional pillars of an AML program:

Management commitment:Everything in a company starts with management

commitment; this means not only focusing on upper

management but also establishing a governance

structure that makes sense for the organization to

evaluate financial crimes risk.

Risk assessment:Some of the most difficult issues in the compliance

field deal with assessing what consequences fall

in a particular zone of risks and what one can do to

mitigate those risks.

Internal controls:Development of internal policy procedures is

essential. Effective risk assessment is critical to

help organizations understand the types of financial

crimes risk that they’re likely to encounter.

Testing and auditing:Thinking about a broad sanctions compliance

program is key, as is conducting internal training so

employees can fully evaluate the program’s efficacy.

Training:Every person in an organization should understand

the role they have to play in fighting financial crime.

Compliance and independent testing also are

necessary.

It’s a Mad, Mad, Mad, Mad World of Sanctions

The Expansive Nature of OFAC’s Sanctions

OFAC’s Increased and Intentional Outreach

Specialists familiar with how sanctions work—in the financial field and otherwise—still are surprised by the far-reaching scope of OFAC’s jurisdiction, particularly for foreign subsidiaries in certain programs.

While this sanctions compliance framework represents an important step forward, Lorber noted that much of it is not new; however, this guidance is important because of its extension beyond financial institutions.

“It’s serving as a notice to exporters, to shippers, to manufacturers that they, too, should have an OFAC sanctions compliance program that’s effectively in place,” Lorber said.

CEO of Guidepost Solutions Julie Myers Wood emphasized the importance of what OFAC calls the

“root causes” of “apparent violations or systemic deficiencies”—an element particularly helpful for non-financial institutions. She said some of the biggest problems arise when large organizations with different lines of business, or a wide variety of affiliates, operate

“possibly, nominally, under a global procedure, but really in an ungoverned fashion.”

Wood added that she has seen “issues cascade from something like this, where multiple disconnected teams are operating off of different strategies, which can let clients into the group from one protected end and settle into other lines of business within the company.” It’s important to focus on root causes, she said, and then to consider how the program is structured.

The framework is just one way in which OFAC is educating the non-financial community on the scopes of jurisdiction and prohibition.

According to Zachary Goldman, senior associate at WilmerHale, OFAC makes varied efforts to inform the public about its priorities, including frequently asked questions (FAQs), congressional testimony and speeches delivered by its leadership, to name a few.

“Enforcement actions are also a type of outreach. That’s a way that a regulatory agency messages to the community of obligated entities, in this case, all U.S. persons, what the expectations are,” Goldman said.

OFAC is helping educate the private sector by adding descriptions of “what the prohibited activity was, what occurred in significant detail and what the remediation steps were and should be as a general matter going forward” in notices of enforcement action, Lorber said.

This represents a major shift from a decade ago when the background details offered were no more than a paragraph or two, making it difficult to understand both what the underlying prohibited conduct was, and what compliance lessons could be gleaned from it.

“OFAC is trying to send a message,” Goldman said, referring to three similar enforcement actions in the past year, including AppliChem and Stanley Black & Decker.

Though, Lorber cautioned against reading too much into the pace and the frequency of OFAC enforcement activity. “The lead time between suspect activity being detected and enforcement action being taken can be significant, so three similar cases in quick succession isn’t necessarily a signal.”

3

It’s a Mad, Mad, Mad, Mad World of Sanctions

Compliance Program Elements on Display in Recent Enforcements

In the past year, three enforcement actions included a U.S. parent company that purchased a foreign subsidiary that had sanctioned business. One of those was a February 2019 settlement with Kollmorgen Corp., in which OFAC sanctioned a Turkey-based individual “who directed a foreign subsidiary of a U.S. company to violate U.S. sanctions against Iran and then attempted to conceal those violations” and settled six apparent violations by the subsidiary.

OFAC’s resulting news release highlighted the target’s regular trips to Iran—something reasonable, and certainly robust, internal controls should have flagged. “That would show up in their travel system, right? Someone was paying for those tickets. What kind of airline tickets? What kind of internal control system did they really have?” asked Wood.

“Egregious conduct took place two years after the acquisition, and the Elsim employees were lying and certifying falsely. Not only did they commit a violation, but they also covered it up for the parent company,” she said.

The case stands as a solid example of why companies shouldn’t rely on diligence conducted beforehand. Post-acquisition, companies should conduct internal audits to ensure proper risk assessment, internal controls, testing and training. Additionally, it sets a tone from the top that management is committed to compliance and that diligence doesn’t stop at the acquisition.

4

It’s a Mad, Mad, Mad, Mad World of Sanctions

Beyond OFAC: Broader, Growing Compliance Challenges

FATF:The Financial Action Task Force (FATF) guidance

regarding virtual assets in June 2019 was significant

because of its membership: FATF currently

composes 36 member jurisdictions and two regional

organizations, that seem to indicate that they will

be more aggressive in prioritizing and monitoring

the space. Technically not binding, the FATF

guidance provides some uniformity around applying

know-your-customer (KYC) standards around

cryptocurrencies in a way that would satisfy OFAC.

“I think the FATF guidance is a game-changer

because it is sending the message that this is not

the U.S. and it is not just Japan. It is everywhere and

everyone is going to have to be compliant,” Wood

said.

Lorber expected that FATF would not begin

implementing its guidance on virtual assets until

mid-2020, given the time it will take to develop

its methodology and proceed through the mutual

evaluation process.

But to many, the effects already are palpable. “We

are already seeing investors from crypto exchanges

and others that are going to the venture-capital

community being asked, ‘Are you compliant with the

FATF regulations?’ Regardless of whether it has been

codified in law in a specific country, for companies,

for exchanges, for others that are dealing in

cryptocurrency, they are wise to start thinking about

these issues now and not wait until 2020,” said Wood.

Global companies and data statutes: More broadly, managing and reviewing data related

to activities in different jurisdictions is an increasingly

difficult challenge. Swiss regulators, for instance, are

enforcing stricter privacy policies around customer

data. And there are challenging conflicts of law.

Take, for example, European blocking statutes when

conducting a cross-jurisdictional investigation in

response to a U.S. regulatory or prosecutorial inquiry.

In some countries, it is a criminal offense to export

data in response to a foreign investigative request.

This puts pressure on companies at the front and

back end of sanctions compliance; it is challenging

to do enterprise-wide risk management when the

extent to which you can move data around globally is

restricted.

5

It’s a Mad, Mad, Mad, Mad World of Sanctions

Staying Sane in this Mad, Mad World

Compliance officers, who have to remain up to speed, are finding that it is difficult to keep up-to-date with federal regulations due to the sheer volume of material published. Also, regularly monitoring for the materials issued by OFAC or FinCEN (as well as other agencies) is time-consuming.

As such, compliance professionals must be able to identify and manage risk—which may not mean quoting the letter of the law but understanding when to escalate an issue to external counsel or in-house experts to conduct a deep dive.

Further, many companies are choosing to foster a more conservative risk profile, especially around volatile issues such as the Joint Comprehensive Plan of Action (JCPOA) or the easing of Cuban sanctions. Though it’s not always the best approach for business, it gives compliance officers some security in the details. Also, given the huge penalties that OFAC, the DOJ and the DFS have assessed over the past few years, de-risking may be the least-costly approach.

6

About the Experts

Zachary GoldmanSenior Associate, WilmerHale

Zachary serves as a trusted advisor at WilmerHale for

the financial services sector, technology industry and

global companies in a range of industries, aiding with

complex matters involving litigation, enforcement,

compliance, regulatory and transactional issues.

Before joining WilmerHale, Zachary was the executive

director of New York University School of Law’s Center

on Law and Security (CLS), taught as an adjunct

professor of law and co-founded NYU’s Center for

Cybersecurity.

To speak with any of the experts mentioned in this recap, please contact RANE for an introduction.

Eric B. LorberDirector, Financial Integrity Network

Eric is the director of the Financial Integrity Network

(FIN), where he advises global financial institutions

on issues related to sanctions and anti-money

laundering/combating the financing of terrorism

(AML/CFT) compliance. He also is the senior director

of the Center of Economic and Financial Power at the

Foundation for Defense of Democracies.

Julie Myers WoodChief Executive Officer, Guidepost Solutions

Julie has more than 24 years of experience working

on regulatory and enforcement issues in the public

and private sectors, including as a compliance

consultant, defense counsel, government

investigator, federal prosecutor and independent

monitor. Julie serves as the CEO of Guidepost

Solutions, a leading investigations, compliance and

security firm with offices throughout the world.

Eric A. SohnGlobal Market Strategist & Product Director, Dow Jones

Eric is a global market strategist and product director

at Dow Jones Risk & Compliance and has been CAMS-

certified since 2007. He has more than a decade’s

worth of experience in the financial crime compliance

field. In his current role, he expertly advises the

direction of Dow Jones’ product portfolio of data feeds,

online tools and due diligence reporting services for

risk and compliance professionals.

8

It’s a Mad, Mad, Mad, Mad World of Sanctions

RANE (Risk Assistance Network + Exchange) is an information and advisory services company that connects business leaders to critical risk insights and expertise, enabling risk and security professionals to more efficiently address their most pressing challenges and drive better risk management outcomes. RANE clients receive access to a global network of credentialed risk experts, curated network intelligence, risk news monitoring, in-house analysts and subject matter experts, and collaborative knowledge-sharing events.

Dow Jones Risk & Compliance is a global provider of third-party risk management and regulatory compliance solutions. Working with clients across the globe, it delivers high-quality risk data, research tools, due diligence services and compliance-led workflow solutions to help organizations meet regulatory requirements related to anti-money laundering, sanctions, anti-bribery and corruption and trade finance. Dow Jones Risk & Compliance combines the expertise of an in-house, multilingual team of researchers with industry-leading data scientists and technologists.