The View from the Top: In mad scramble to comply with flurry of new, updated U.S., global Russian designations, don’t forget guidance to implement five core components of sanctions compliance program

The Skinny:

  • As companies try to keep sprinting with the historic degree of sanctions sprawl tied to the Russia-Ukraine crisis – replete with intricate complexities like updated general licenses, overruled specific licenses, tempting exemptions and requirements to uncover hidden, opaque owners and slippery subsidiaries – they should realize they may not be focusing on the biggest risk of them all.
  • What is it? Not having a defined, empowered and effective sanctions compliance program (SCP) – the core and foundation of any operation’s combined efforts to monitor for blacklisted entities and jurisdictions, prevent them from becoming customers, or seize assets and report on them when found as sanctions expand and contract.
  • Why is an SCP so important? Because OFAC has a strict liability standard for sanctions failings – just one has the risk of costing potentially hundreds of thousands of dollars – and the strength of your SCP is one of the very few things that can lower, or even negate, your exposure to massive penalties that in recent years have run into the billions of dollars. 

The View from the Top is a new ACFCS series connecting, collaborating and sharing the knowledge of the sector’s brightest minds to light your darkest days. 

By Brian Monroe
bmonroe@acfcs.org 
March 2, 2022

In the last two weeks, U.S. and international sanctions programs targeting Russia, first over its threat to invade, and then its formal invasion of Ukraine, have soared.

By some estimates, they have more than doubled, causing compliance fretting and fumbling at banks and corporates alike as they stress and stretch their sanctions compliance resources and programs to the breaking point, that is, if they even have a formal counter-sanctions program or know that such a thing exists.

The U.S., EU, Australia, Canada, Japan, Singapore and – shedding decades of neutrality – Switzerland have imposed more than 2,200 new sanctions against Russian politicians, oligarchs, banks and energy and defense firms since February 22, a torrid pace that has only increased with Russia’s rising military aggression.

Let’s give that figure some context.

While it has taken nearly a decade to reach the 2,000 mark – sanctions started to tick higher against Russia when it annexed Crimea in 2014 – it has taken less than a month to bring the total of Russia-focused sanctions to more than 4,000, according to fincrime data and technology firm, Castellum.AI.

“Russia is now more sanctioned than North Korea,” the firm stated in an infographic charting the mushrooming complexity of the sanctions landscape.

But as companies try to keep sprinting along with the historic degree of sanctions sprawl  – replete with intricate complexities like updated general licenses, overruled specific licenses, tempting exemptions and requirements to uncover hidden, opaque owners and slippery subsidiaries – they should realize they may not be focusing on the biggest risk of them all.

What is it?

Not having a defined, empowered and effective sanctions compliance program (SCP).

The SCP is the core and foundation of any operation’s combined efforts to monitor for blacklisted entities and jurisdictions, prevent them from becoming customers, or seize assets and report on them when found as sanctions expand and contract. 

While banks have been juggling AML, OFAC for decades, uninitiated corporates may struggle on SCP particulars

For banks, this requirement is all too familiar.

For decades, depending on the jurisdiction, domestic and international financial institutions have had to create, run and remediate anti-money laundering (AML) programs, a multi-pronged and ever-expanding duty-verse aimed at identifying potential illicit finance and reporting it to law enforcement.

Many large banks have interwoven their AML and sanctions programs – and other programs, like fraud, corruption and, more recently, cybersecurity – to better screen and scrutinize potential sanctions hits and engage in broader investigations of related entities to file required suspicious activity reports (SARs).

But large corporates outside of banking are not subject to AML rules, nor, potentially, might they be familiar with the intricacies of, say, looking up recently designated companies and individuals listed by the U.S. Treasury’s Office of Foreign Assets Control (OFAC).

Nor would they likely further realize these requirements include more nuanced tethers, like uncovering and unraveling, in some cases, those with ownership stakes of more than 50 percent.

Moreover, rather than getting credit for your sanctions efforts related to Russia, if OFAC comes to your company and finds absolute insanity and chaos in a rush to understand direct and indirect exposure points to designated entities, such a mad scramble will only serve to magnify what your firm didn’t have in the first place: a strong SCP, or worse, no SCP at all.

So why doesn’t every bank and corporate have an SCP?

Well, because they don’t have to.

Yes, that’s right. While there are laws and regulations, for example, in the U.S. that require a full-fledged AML program for subject sectors, there is no federal requirement to have a sanctions-based compliance program. 

The dichotomous dilemma: Why do I make an SCP if I don’t have to?

The OFAC designations, simply put, state that you can’t do business with entity X or you can’t transact with country Y – and must go through steps A, B and C if sanctions change and you find yourself with assets linked to blacklisted entities.

But here is the rub: Because OFAC has a strict liability standard for sanctions failings – just one has the risk of costing potentially hundreds of thousands of dollars – there are very few things that can lower, or even negate, your exposure to massive penalties that in recent years have run into the billions of dollars.

One of the biggest discounts, or reductions, for a sanctions violation: if the bank or corporate voluntarily reports it. The other: you guessed it, whether or not you have a sanctions compliance program.

How do we know this? How do we find this holy grail of sanctions compliance frameworks?

Surely it is somewhere in all of the tangle and thicket of new and updated Russian sanctions rules? 

Front and center on the OFAC website? 

Trumpeting and clanging cymbals on the homepage of the Code of Federal Regulations?

No.

So that begs the question: What should your current OFAC sanctions compliance program look like and how will you be judged for failures?

In May 2019, the U.S. Treasury arm tasked with administering the country’s sanctions programs issued its most detailed and prescriptive piece of guidance yet on what it considers a strong compliance program. 


The goal: An “effective” program crafted to prevent banks and corporates of all stripes from running afoul of the ever-changing requirements to not deal with blacklisted entities and rogue regimes.

OFAC, in what many hailed as a historic missive, laid out the key pieces of an SCP it believes can help large organizations that are headquartered in the U.S. or do significant business in the country to better prevent sanctions failings, identify gaps more quickly and uncover and report potential sanctions violations.

At that time, OFAC framed, for the first time, a formalized sanctions compliance program, mirroring many of the tenets of the AML compliance program.

These included prongs such as crafting internal controls, engaging in OFAC risk assessments, adequately training staff and testing and auditing systems and human decisions to ensure gaps are closed quickly.

One key reason to create, strengthen an SCP? More leverage at the negotiating table if things go wrong

As we noted above, sanctions compliance has always been in an interesting gray area when it comes to overall financial crime compliance programs.

Unlike AML, there is no legal requirement to create a dedicated sanctions compliance program, but, if you violate OFAC rules, it’s a strict liability standard – a potential penalty only mitigated by the presence, and strength, of a sanctions compliance program.

In certain rare cases, OFAC has chosen not to issue a monetary penalty – even though it could have – because of the depth and effectiveness of a counter-sanctions program, the transparency and responsiveness of the company and commitment to remediate the root causes of the failure.

OFAC states that while each risk-based SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations—each program should be predicated on and incorporate at least five essential components of compliance.

Here is an analysis of the five pillars by ACFCS VP of Content Brian Monroe and Eric Young, Senior Managing Director, Guidepost Solutions and the former CCO of the BNP Paribas America’s operations, who also has more than 40 years of experience in top fincrime compliance roles.

Being the architect of an ‘effective’ SCP: breaking down, building up the five pillars

Management commitment

Monroe: Promotes a culture of compliance by ensuring SCP staffers have adequate authority, autonomy, resources and executive responsiveness for failures.

Young: Management Commitment: Isn’t this always the case, and hopefully not a surprise, how important management commitment and culture is – especially to OFAC and other regulators which discover, investigate, and then enforce major penalties for sanctions violations. Easy to say, very difficult to demonstrate the right culture.

OFAC expects senior management to:

  • Review and formally approve your SCP
  • Ensure compliance teams possess sufficient authority and autonomy to deploy your SCP procedures, with direct reporting lines between the SCP function and senior management
  • Fund compliance with adequate resources (human capital, expertise, information technology customized to your operations, markets, and other factors affecting your company’s overall risk profile)
  • Live and breathe a “culture of compliance”, including whistleblower processes, and reporting, without retaliation; and disciplines for misconduct and prohibited activities
  • Demonstrate prompt corrective action over apparent OFAC and other violations – and report these voluntarily to OFAC and others
  • Address the root causes of past apparent violations with systemic solutions

If your firm is global, are your filtering tools and processes enabling you to globally filter, block, and report consistently, fully and timely? 

What if your SCP program and tools work well in one geography, but not universally, unintentionally allowing Russian (or other) assets to slip through?

Risk assessment 

Monroe: Similar to the AML risk assessment, but done through the lens of U.S. sanctions policies, cognizant of the propinquity to rogue regimes, sanctions evaders.  

Young: Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to OFAC and other violations, negatively affect your reputation and worse, enable evasion.

Take a risk-based approach when designing or updating an SCP. Ongoing “risk assessments” should identify potential OFAC issues and should drive your SCP procedures, internal controls, and training to mitigate such risks.

Risk assessment examples include:

(i) customers, supply chain, intermediaries, and counterparties;

(ii) your products and services, including how and where they fit into other financial or commercial products, services, networks, or systems; and

(iii) how the interaction of (i) and (ii) can exacerbate these risks further.

Internal controls

Monroe: As in the case of the AML transaction monitoring system, these can include the actual automated sanctions screening systems and the policies around investigating and escalating potential hits.

Young: Effective SCPs include internal controls, such as policies and procedures to identify, interdict, escalate, report, and keep records pertaining to prohibited activity by OFAC and others.

Internal controls to outline clear expectations, define procedures and processes (including reporting and escalation chains), and minimize the risks identified by your sanctions risk assessments.

For example, are roles crystal clear for your 1st line operations, businesses, 2nd line compliance, and management so that decisions to block, freeze and report Russian (or other) assets are time-critically met? What if they’re not? How would you know?

Testing and auditing

Monroe: This is typically a group outside of sanctions, either internal or external, that can review both sanctions screening inputs and outputs and scrutinize the decisions of staff to ensure potential hits are analyzed, escalated and dispositioned.

Young: Compliance and internal audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. Objective testing of your SCP ensures you can identify program weaknesses and deficiencies, especially software, systems, and other technology. And you must remediate any identified compliance gaps promptly and fully across your enterprise.

Training

Monroe: Without training on how regimes evade sanctions policies, in what regions of the world this happens and in what ways – such as through trade and co-opted correspondents – there is no way analysts can make the right decisions.

Training has to be expansive, relevant, nuanced and infused with the geopolitical power shifts driving sanctions evaders.

Young: Like many other compliance requirements, training for employee awareness and execution is critical. Violations due to lack of awareness are inexcusable and can be fatal.

I’ve seen the good, the bad and the ugly of sanctions and other compliance programs over intensely stressful times in the world.

Iraq invading Kuwait; 9/11; the fallout, remediation, and transformation from painfully expensive sanctions penalties; the Russian incursion into Crimea; and now Ukraine.

What’s worse than going from bad to worse? Going from bad to ‘egregious’

When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation.

For example, under General Factor E, the compliance program, OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a civil monetary penalty (CMP) on that basis.

Subject persons that have implemented effective SCPs that are predicated on the five essential components of compliance may also benefit from further mitigation of a CMP pursuant to General Factor F, or the remedial response, when the SCP results in remedial steps being taken.

Finally, OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious.”

Getting to the ‘root’ of the problem: Plethora of pitfalls for penalties aplenty

The guidance also laid out what OFAC has seen as some of the root causes for major penalties and enforcement actions. 

Here are some of the culprits and some of my added analysis:

  • Lack of a formal OFAC compliance program: If a company is not looking, it won’t find any sanctions missteps.
  • Misinterpreting the applicability of OFAC regulations: Some banks have thought not dealing with OFAC simply meant scrubbing out all references to sanctioned countries. This also means knowing ownership levels to certain percent levels.
  • Facilitating sanctioned transactions for foreign individuals and companies through overseas subsidiaries or affiliates: Banks have paid as high as $9 billion for this particular failure, in some cases by rogue foreign operations.  
  • Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons, countries: Some items, like medicine and other equipment, are OK, but items that can be used for both medical equipment and weapons are off limits.
  • Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons, countries: Similar to the above $9 billion penalty. In some cases, there were pockets of non-compliance, in others, stripping wires of references to OFAC hits was in the bank’s policies and procedures.
  • Weak or lax due diligence on customers: If the AML, KYC or business line staffer doesn’t ask enough questions, they won’t be able to ferret out a company or individual trying to evade sanctions rules on behalf of blacklisted regimes or terror groups.  
  • Sanctions screening software gaps, filter faults and related poor decision-making: Apart from wholesale flouting of the rules, if sanctions screening systems aren’t tuned properly, they can create too few, or too many, alerts for analysts, wasting resources and missing actual hits. 

While the challenges of complying and catching all the latest updates seem to be the most pressing priority at the moment, banks and corporates should never forget they will be judged for historical compliance practices – not just the results of an “all hands on deck” rush job now.

“Tracking and implementing changes are only as good as the foundational strength of the SCP,” Young said.