Third Party Risk in the Era of Sanctions Enforcement

An uptick in sanctions activity dominated the global compliance landscape in 2022. Precipitated in large measure by the invasion of Ukraine by the Russian Federation, sanctions have re-emerged as a primary means of facilitating foreign policy objectives, including a coordinated international response designed to cripple the Russian Federation’s military-industrial capacity.

These sanctions range from substantial new additions to the Specially Designated Nationals and Blocked Persons List (SDN List) maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) to robust new export controls maintained by the U.S. Department of the Commerce’s Bureau of Industry and Security (BIS). In addition, foreign jurisdictions – principally the United Kingdom  and European Union – have leveled their own punitive measures against Russian oligarchs and industry for their complicity in the Ukraine conflict. Among other things, these restrictive measures include travel bans, financial prohibitions, export restrictions, and asset seizures.

In the third-party risk management context, risk-based due diligence of an organization’s business partners – including, but not limited to, its suppliers, vendors, distributors, agents, service providers, and other intermediaries – is part and parcel of mitigating the risk of incurring liability under international sanctions regulations. While the breadth and depth of such due diligence varies considerably based on factors like jurisdiction, industry, and third-party role, the common aim of all such inquiries is to ensure that the organization has insight into the operations and ownership of the due diligence target. Where companies lack such information, the risk of violating sanctions regulations is considerable, as such laws often target both designated entities and individuals with a majority ownership stake and/or substantial control over “blacklisted” organizations.

Complying with OFAC sanctions

Foremost among the global sanctions regulations organizations should be cognizant of are those enforced by OFAC. Long considered the most aggressive and far-reaching sanctions leveled by any jurisdiction, sanctions imposed by OFAC pursuant to both congressional mandates and presidential directives target  myriad countries, regions, industries, entities, and individuals deemed to be participating in activities contrary to the national security or foreign policy objectives of the United States.

Under selective sanctions targeting the Russian Federation that were broadcast this year, OFAC imposed a series of incrementally more aggressive prohibitions that now forbid virtually any new investment by U.S. persons in debt or equity of Russian Federation-based companies and the importation of crude oil and petroleum products of similar origin. In a new development coincident with the publication of this report, OFAC recently expanded the applicability of its Russia sanctions to encompass even ancillary activities that implicate the maritime transportation of Russian Federation-based crude oil below a predetermined price cap set by the United States and its allies. The intended effect of OFAC’s recent action is to further constrain the ability of Russia to export energy products abroad, thereby reducing the critical revenue that the Putin regime relies on to fund its ongoing Ukraine excursion.

While the sheer complexity of sanctions leveled against the Russian Federation on its own merits additional attention by the compliance functions of organizations, the threat of aggressive enforcement activity by the U.S. Department of Justice raises the stakes even further. As Deputy Attorney General Lisa Monaco emphasized in June of this year, sanctions “are the new [Foreign Corrupt Practices Act],” alluding to the fact the DOJ is prioritizing enforcement of sanctions evasion activity to a much greater extent than in the past. As Monaco emphasized in the context of her remarks, the DOJ has dedicated significant investigatory and prosecutorial resources to enforcing Russian sanctions regulations, including creating a new task force – dubbed “Task Force KleptoCapture” – to prosecute intentional violations of U.S. sanctions regulations by Russian oligarchs. Monaco made it clear the DOJ would pursue such cases with “unprecedented intensity,” and explicitly cautioned all businesses with international exposure to take the issue of sanctions compliance more seriously.

Staying ahead of third-party sanctions risk

In such an era of heightened enforcement, it is imperative that all businesses with potential ties to Russia – however remote – adopt appropriate policies, procedures, and internal controls with the aim of advancing sanctions compliance as a signature operational concern. To the extent an organization’s third-party due diligence program is lacking in any way, organizations should act swiftly to identify those deficiencies now, and devote appropriate resources to remediating them before a sanctions violation arises.

For instance, to the extent a company still relies on periodic manual screening of international sanctions lists to ensure its third-party partners remain compliant, such companies should plan on transitioning to automated screening utilizing a reputable sanctions screening solutions provider. Because sanctions regulations are subject to frequent change, organizations accustomed to more ad hoc, manual screenings are likely to find that their current third-party screening practices are insufficient to meet emerging regulator expectations.  As one recent enforcement action demonstrated, even a modest interval between periodic manual screenings can result in significant violations of sanctions regulations

Because sanctions regulations are subject to frequent change, organizations accustomed to more ad hoc, manual screenings are likely to find that their current third-party screening practices are insufficient to meet emerging regulator expectations.

Even companies that have implemented automated sanctions screening should be cognizant that not all sanctions activity is list based. In some instances, international sanctions regulations prohibit companies from engaging in specified conduct. For example, furnishing maritime transportation services, engaging in certain financial transactions, etc. In these circumstances, more in-depth due diligence is required to ensure that the underlying activity itself is not prohibited by law. Companies that lack a protocol for a more in-depth examination of third-party partners for sanctions risk should consider implementing one now. If internal resources are insufficient, the company should consider outsourcing its enhanced due diligence activities to a reputable compliance solutions provider or law firm. While due diligence itself is not an absolute guarantee that a sanctions violation will not occur, companies that can demonstrate a good faith, consistent effort to comply with sanctions regulations are the most likely to benefit from leniency in any criminal, civil, or administrative proceeding.

2023 prediction

As mentioned above, sanctions enforcement activity remains a core priority of DOJ senior leadership. This emphasis is unlikely to shift anytime soon, as the Russian Federation’s Ukraine incursion remains in full force. As a consequence, ethics and compliance professionals are charged with acquainting themselves with the basics of applicable sanctions regulations both domestically and internationally as they pertain to the operations of their respective organizations.

Moving forward, any transactions with even the slightest Russian Federation nexus should be subject to scrutiny. Moreover, as sanctions regulations are subject to frequent change, organizations that lack automated continuous screening of their third-party relationships should intend on devoting resources to that effort now.  More importantly, organizations that lack a process for a more enhanced analysis of the sanctions risk involved in sizable transactions should plan on allocating resources to this effort going forward.

For the complete Top 10 Trends in Risk and Compliance

Download Here

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

The Element of Surprise Keeps Things Honest
A CCO Perspective on Artificial Intelligence

8 Possible Consequences of Not Being Proactive in Risk Management

Without a proactive approach to risk management, organizations face a number of potential consequences – including total collapse. In this blog, Carol Williams outlines eight of the common symptoms made possible when organizations fail to take a proactive approach.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Forced-Labor Compliance Moves Up the Chain

Forced labor in the supply chain is not quite a new corporate compliance challenge. However, in 2023, a new crop of forced-labor laws are coming into force. This article discusses what you need to know to keep your company and supply chain compliant with changing regulations.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.