The Russian invasion of Ukraine intensified multilateral efforts from the US, European and Asian countries to isolate Russia from global markets through increased sanctions against individuals and entities in connection with the Russian regime.
In March 2022, the US Department of Justice (“US DOJ”) launched an interagency task force, Kleptocapture, with a mandate, among others, to enforce sanctions against Russia.[i] On March 17, international counterpart agencies from the US, EU, France, Germany, Italy, UK, Canada, Australia, and Japan launched the Russian Elites, Proxies and Oligarchs Task Force (“REPO”), with the authority to investigate and criminally prosecute sanctions violations, and to seize and forfeit assets belonging to oligarchs and other associates of Putin’s regime.[ii] By June 29, 2022, the REPO task force had reportedly blocked “more than $30 billion worth of sanctioned Russians’ assets”[iii] and restricted targeted individuals’ and companies’ access to the international financial system.
Companies are presently navigating an increasingly multijurisdictional sanctions enforcement territory, and the volatility with which new sanctions are issued in response to the war intensifies an already complex challenge of maintaining an adequate sanctions compliance program (“SCP”).
Implications for companies’ SCP
With the constant growth of the list of prohibited parties, companies need to remain vigilant about not only the customers and vendors they engage with, but also the countries and regions where they deal, and even the shipping vessels and aircraft they use.
- Regulators expect companies to react swiftly, including updating sanctions screening lists within 24-48 hours with timely reporting within 10 business days.
Key Elements of SCPs
Based on regulators’ formal guidance and previous enforcement sentences, we highlight below some critical elements of SCPs and actions companies can take now to ensure they remain compliant considering recent and ongoing events, and intensified enforcement activities.
a. Risk Assessment
A sanctions-specific risk assessment must identify any potential areas in which a company may directly or indirectly engage with a sanctioned individual, entity, country or region, or conduct sector-prohibited transactions.[iv]
- Maintain a streamlined, sanctions-specific risk assessment, focused on key territories, particularly those with a high volume of trade with Russia and based on a relatively dynamic model allowing frequent updates.
- Consider the nature and destination of exports, especially of ‘dual-use goods.’ Ensure all exports’ final destination is known. Exports to countries bordering Russia may actually be intended for Russia.
b. Senior Management Commitment
Senior Management should review their compliance department’s human and technology resources, as well as its level of visibility, authority and autonomy, to ensure it is well equipped to operate the SCP in an intensified and multijurisdictional enforcement context.
- Elevate the visibility of the SCP through local campaigns and company-wide “all hands” broadcasts.
c. Internal Controls
Based on risk assessment results, companies should conduct a review of their policies, procedures and internal controls to ensure they remain effective tools to prevent and detect inappropriate transactions.
- Ensure Know-Your-Customer (“KYC”) screening completeness. KYC screening must be run on complete and updated data on both sides: updated sanction-issuers databases and all available company data, including customer master file, invoices, purchase orders, shipping documents, etc. Consider engaging a third-party provider to support automated external data feeds and internal data consolidation.
- Screen all connected parties and apply system blocks. Once a match is confirmed, enforce blocks across all systems, units and geographies.
- Continuously monitor the third-party universe. KYC reviews apply not only when onboarding a new third party, but throughout the entire relationship.
d. Testing and Auditing
Companies should consider the best way to assess the efficacy of their SCP and check how efficiently it is operating across units and geographies. Any weaknesses identified during such reviews must be immediately remediated via updates to internal controls and possibly the risk assessment.
- Review and recalibrate internal controls, software or other technology used in the operation of the SCP to accommodate changes in the risk assessment.
Based on the results of the updated risk assessment, and any consequent changes to internal controls, the company should assess whether additional or refresher training sessions are necessary, along with an assessment of the recipients (both internal and external) across functions and locations.
- Training should be approached not only as an ongoing feature of the SCP, but also as an ad hoc, agile response when and where the review of the SCP reveals program vulnerabilities.
Implications for Operations
From a business perspective, companies are expected to employ all available resources to prevent entering into relationships with sanctioned entities, a risk that a solid screening KYC program based on complete databases can help mitigate.
However, when a pre-existing third party becomes subject to sanctions in the course of the relationship, the response will depend on a number of factors. These include the impact on the company’s overall operations and the supply chain effects of abruptly ceasing to use a vendor; the type of legal arrangement with the sanctioned party and the contractual liabilities the company may face from cutting this connection and potentially failing to meet its commitments to other customers; and the need to maintain the supply of critical products and services (i.e. health, security, infrastructure sectors).
- It is important to demonstrate a swift approach to an existing business relationship with a newly sanctioned entity by taking immediate steps to enhance oversight and document the relationship, engaging legal advisors and, if possible, seeking to find an alternative vendor or partner for the supplied goods and services.
Marcela Pittelli, a Manager on FRA’s Forensic Accounting team, is also a contributing author to this article.