The world of U.S. economic and trade sanctions has never been more volatile and uncertain than it was in the 2010s. From the “new” sectoral sanctions that targeted globally connected Russian conglomerates in 2014, to the 2016 establishment of the Joint Comprehensive Plan of Action (JCPOA) commonly known as the Iran nuclear deal, to the U.S. designating the world’s second-largest aluminum producer as a Specially Designated National (SDN) in 2018 and its unilateral withdrawal from the JCPOA in the same year, the risks sanctions compliance professionals (SCPs) have grappled with have been challenging to say the least. In early 2020, tensions between the U.S. and Iran rose to a new high. The U.S. assassinated an Iranian major general and head of Iran’s elite paramilitary force, and subsequently issued new secondary sanctions targeting additional sectors of Iran’s economy as a continuation of its maximum pressure campaign. Thus, economic and trade sanctions will continue to be a prominent foreign policy tool in the new decade. The following are strategies SCPs can focus on to keep up with the sanctions environment.

Question the Norm of Regulatory Expectations and “Market Practice”

Corporate entities should comply with the “spirit of the law,” but the “letter of the law” is equally important

In 2019, a record was set by the Office of Foreign Assets Control (OFAC) for the decade: 26 settlements totaling approximately $1.3 billion.¹ Considering that the second highest amount, approximately $1.2 billion, was recorded in 2014—which included the landmark BNP Paribas settlement that was almost 80% of the total settlements amount—it is clear there has been a significant increase in OFAC sanctions enforcement. There have also been more enforcement actions against nonfinancial sector firms for sanctions violations.² Sanctions enforcement actions usually focused on banks willfully removing sensitive information from wire payments, causing their U.S. correspondent banks to breach U.S. sanctions.

Therefore, SCPs must keep abreast of the regulatory expectations on future sanctions controls as well as acceptable industry norms or market practices inferred from such enforcement actions, and calibrate their compliance programs and advisory accordingly. Since September 2017, OFAC began elaborating on the specific risks its enforcement actions highlight, the practices to manage these risks, and identifying associated learning points for SCPs. In May 2019, OFAC published, “A Framework for OFAC Compliance Commitments,”³ which articulates the essential components of a sanctions compliance program and how these would be considered when both evaluating sanctions violations and resolving investigations that result in settlements. SCPs should benchmark this against their institution’s compliance programs as appropriate.

Consider the enforcement on Apollo Aviation Group, LLC (Apollo) in November 2019. Apollo had leased aircraft engines to a company, which subleased them to another company, and that company installed them on an aircraft leased to an SDN airline company.⁴ Many would argue that Apollo had done all in its capacity and acted in good faith in managing its sanctions risks and compliance obligations, considering that aviation industry standards for sanctions compliance were not expected to be comparable to that of the financial services industry. However, the regulatory bar has risen. OFAC expected Apollo to have processes in place to monitor its lessee’s compliance to the terms and sanctions prohibition clauses stated in the lease agreements.

With the increase in enforcement, SCPs should also consider professional legal opinions, be it from in-house or external counsel, as a secondary check on the SCP’s assessment of compliance with regulations, with a particular focus on whether any established market practice can withstand regulatory scrutiny and enforcement. Corporate entities should comply with the “spirit of the law,” but the “letter of the law” is equally important. This is especially true for U.S. primary sanctions where OFAC’s civil enforcement authority applies on a strict liability basis.

Consider the now largely revoked Myanmar sanctions. In 2013, comprehensive restrictions against U.S. persons providing financial services to Myanmar were removed as Myanmar held elections and made democratic political reforms. In addition, general licenses were issued to allow U.S. dealings with Myanmar’s major banks that were on the SDN list, which owned most bank accounts operated by the Burmese people. However, firms that wanted to trade with Myanmar or finance such trades continued to face challenges because the bulk of Myanmar’s import/export trade took place via a port operated by an SDN’s company, and there was no general license authorizing dealings with that SDN.

From a policy perspective, the U.S. administration wanted to support Myanmar’s economic growth to induce continued political reform efforts and had no intentions of restricting trade with Myanmar considering that the sanctions program never had a comprehensive trade embargo component. Moreover, it was arguable whether trades between two commercial parties via the port would materially confer benefit to the SDN that owned the company operating the port. Despite the above considerations, the payments going through the U.S. financial system concerning trades of goods via that port, which would entail payment of port charges, were prohibited by the letter of the law. In December 2015, OFAC—recognizing the challenges the restrictions posed in enabling the previously stated foreign policy objectives—issued General License 20 which enabled U.S. persons to conduct transactions that were “ordinarily incident” to exportations to or from Myanmar of goods, technology or nonfinancial services. In today’s enforcement climate, the risks of not getting the letter of the law right would be even higher.

Reconsider Regulatory Monitoring and De-Risking

Today’s sanctions are much more complex in design compared to five or six years ago. Gone are the days when SCPs simply had to deal with comprehensive embargo restrictions against certain countries and screen for blacklisted persons to comply with list-based sanctions. For one, there has been popular use of sectoral-style sanctions (which policymakers view as “smart sanctions” as they can zero-in on specific activities of targeted entities and limit unintended impact although they are more challenging for the industry to implement). Moreover, sanctions are prevalently accompanied by detailed subsidiary legislature, which SCPs have to analyze and monitor separately. Finally, sanctions regulations now change at a tremendously increased pace.

Due to these factors, SCPs must strategize how to monitor such ever-changing and complex sanctions regulations and how to turn these regulations into easily understood and actionable advice for their institutions in a sustainable manner. For example, regulatory blacklists frequently designate and delist entities and often apply to entities owned or controlled by blacklisted entities, even if these entities themselves are not actually listed. Therefore, investments should be made in automating the tracking, refreshing and loading of blacklists for screening, and in list feeds from vendors that research and collect intelligence on undesignated entities with sanction-adverse media reports and securities issued by sanctioned parties. For smaller-sized institutions without dedicated sanctions policy personnel to monitor regulatory changes, SCPs can leverage client bulletins issued by law firms, which frequently analyze the latest sanctions regulations.

In the era of smart sanctions and prolific use of general licenses to control the impact of preceding sanctions granularly, no entity or country is too big to sanction. Therefore, SCPs must also carefully assess the potential impact their institutions’ businesses could face by taking a rough, inexact de-risking approach. The costs of doing business and costs of forgoing business have both risen significantly in today’s environment; thus, the challenge will be for SCPs to assess and recommend a proper balance and risk appetite for the institutions they serve.

Increase Cross-Industry Collaboration

As previously mentioned, there has been more active enforcement on nonfinancial sector firms for sanctions violations. Correspondingly, there has been more OFAC outreach and guidance⁵ to nonfinancial service industries. While the risks have generally increased for more industries and players, this has also fostered a compliance environment where there are more opportunities for synergies across industries. As general sanctions compliance awareness and standards increase, SCPs across different industries, firms and institutions can collaborate more and pool knowledge to increase effective risk management.

For instance, petroleum trade involves various players from commodity trading firms, energy companies, banks financing the trades and intermediating payments, shipping companies that provide vessels for charter and transporting the goods, and so on. Traditionally, each player will do its own monitoring and due diligence for sanctions compliance. For instance, the banks financing the trades would obtain information on the buyers and sellers and conduct sanctions screening. The banks may also monitor movement of vessels involved in transporting the goods. Likewise, the commodity and trading company, which is the buyer or seller, would complete its own screenings and monitoring on its counterparty, which are shipping companies and vessels engaged to move the cargoes. Imagine if the SCPs in these firms could share and exchange information from their respective due diligence efforts for risk management purposes or even cross-leverage each other’s monitoring efforts. The cost savings and efficiencies derived from such shared monitoring could be tremendous.

However, this is easier said than done and that reality remains in the distant future. Issues with existing data privacy and information-sharing restrictions, as well as regulatory obligations for individual monitoring and accountability for compliance, need to be addressed. In addition, collaboration initiatives and channels would probably have to be established at a more macro level, such as between regulators of respective industries and business bodies, for this to take off in scale. However, SCPs can start small by establishing their own individual networks with counterparts from other industries via networking events, compliance workshops and forums, or via existing business partners where there is an established and trusted relationship.

SCPs will need to devote more time and resources to understanding the latest typologies for sanctions evasion and design institutional controls to detect them

Look Beyond Screening and Leverage Technology

As the usage and intensity of sanctions increases, targeted criminals and illicit actors will also evolve and innovate to counter sanctions effectiveness. Correspondingly, SCPs will need to devote more time and resources to understanding the latest typologies for sanctions evasion and design institutional controls to detect them. In an environment where compliance resources are always limited, SCPs would need to prioritize higher yield risk management activities. For example, rather than spending significant time and effort assessing and approving risks for a listed company that discloses an Iranian project contributing to 0.5% of its bottom line in its annual report, SCPs should divert more resources to risks flying under the radar. This could include transactions of companies exhibiting shell-like characteristics in high-risk jurisdictions known to be hotbeds for companies trading on behalf of Iranian companies.

To achieve the above, SCPs also need to look beyond screening. While screening will always be an important and fundamental control in sanctions risk management, its effectiveness is limited for detecting under the radar sanctions evasion risks. Instead, SCPs will need to consider a more analytical form of controls, which in some cases may only be performed on a post-transaction basis, to mitigate such risks. As it is not possible to do an in-depth review for all transactions, a bank’s SCP may consider performing research and analytics of public and institution data to pick out red flag indicators that can then be used to select and prioritize transactions for enhanced review.

To keep up with prevailing typologies⁶ and design effective controls to counter such typologies, SCPs may need to develop cross-disciplinary financial crime skillsets. For instance, the usage of shell and front companies as well as the obfuscation of goods are also typologies used for money laundering/tax evasion and trade-based money laundering/proliferation financing respectively. Developing broader skillsets will enable SCPs to appreciate such typologies and be aware of institutional processes or controls they can cross-leverage to mitigate risks.

In addition, SCPs will need to leverage technology to automate or streamline operational and time-intensive tasks. That way, resources can be freed up for more value-adding analytical and judgment-based review. For example, technologies to help reduce screening false positives have been available in the market for many years and these offerings continue to be enhanced on an ongoing basis. Using artificial intelligence to perform simple discounting of false positives is also gaining popularity.

Technology can also help increase the scale of implementation of analytical review so that more risk can be covered. An example would be the analysis of vessel voyage routes. While there are databases that can provide information and reports on vessel voyage, the efforts involved can be substantial when there are multiple vessels to monitor, and the monitoring period required for the vessels also differs across transactions. Technology that can provide automated tracking and ping on multiple vessels based on user-set parameters, as well as provide graphical visualization of vessel routes and automatic identification system signals, will enable SCPs to focus on analyzing output of data and on risk decision making.

Conclusion

In the new decade, sanctions will likely continue to be a prominent fixture in the U.S.’ foreign policy toolkit and there are certain strategies that SCPs can undertake to stay on top of their game. SCPs should constantly question what are the regulatory expectations and acceptable market practices in this extremely dynamic environment, rethink how they can monitor regulatory changes sustainably and carefully assess de-risking strategies as sanctions grow in scale and complexity. Greater cross-industry collaboration and the effective use of technologies will also help SCPs become more effective. 

Kelvin Kairong Toh, CAMS, head of FCC sanctions, HSBC Singapore, Singapore

The views expressed are personal and do not represent the views of any of the author’s affiliated institutions.

1. “Civil Penalties and Enforcement Information,” U.S. Department of the Treasury, https://www.treasury.gov/resource-center/sanctions/CivPen/Pages/civpen-index2.aspx
2. In 2019, there were 16 out of 26 settlements that were with nonfinancial services firms, although in terms of monetary amounts, settlements with financial services firms still accounted for 99% of the penalties.
3. “Publication of ‘A Framework for OFAC Compliance Commitments,’” U.S. Department of the Treasury, https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20190502_33.aspx
4. “Enforcement Information for November 7, 2019,” U.S. Department of the Treasury, https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20191107_apollo.pdf. Apollo had included relevant sanctions prohibition clauses in its lease agreements with the first company. It also self-discovered the usage of the engines on aircraft operating in sanctioned country territory through review of engine records post-expiry of the earlier engine leases, where they undertook corrective action to ensure that remaining engines still on lease to the first company were not used in a similar fashion. No Apollo personnel had knowledge of the sanctioned nexus prior to that.
5. “Iran Sanctions,” U.S. Department of the Treasury, https://www.treasury.gov/resource-center/sanctions/Programs/Pages/iran.aspx. OFAC issued advisories to the civil aviation industry and maritime petroleum shipping community on sanctions evasion techniques used by Iran in 2019.
6. Analysis reports from strategic think tanks are also a good reference.