Building an Effective Sanctions Compliance Program
The Author: James Swenson, Ethixbase
Business interruption – primarily caused by supply chain disruption – was one of the biggest risks faced by companies in 2021 and 2022, according to the annual Allianz Risk Barometer. This year, 42% of global risk management experts rated business interruption as the biggest risk, a close second to cyber incidents (44%). Covid-19, the Russian war in Ukraine, mega-droughts, and floods are often cited as the major causes of global disruption across industries. But while it may be difficult for any one company to prevent a pandemic, geopolitical tension, or natural disaster, corporate resilience to these adversities can be fostered by third-party risk management.
In the current state of global upheaval and discord, however, sanctions measures introduce additional pressures for global supply chains. Companies face more than reputational risk from sanctions violations; they face sanctions themselves, which include financial penalties, criminal prosecution, frozen assets, and seized property. Ensuring sanctions compliance with an ESG framework not only blunts the force of present global threats and mitigates future ones, but also precludes severe repercussions.
Risk assessment is fundamental to any sanctions compliance program whether the focus is anti-bribery and corruption, anti-money laundering, or the emerging regulatory regimes of modern slavery and environmental crime. Risk assessment should be documented, tested, and revisited on a regular basis because sanctions are dynamic and can change quickly, as we have seen with the conflict in Ukraine. An organization’s current view of risk may change as sanctions are implemented or lifted, especially the targeted or narrative sanctions that may involve more than simple name screening.
The primary goal of any risk assessment is to thoroughly understand a business, including its customers, suppliers, and all third parties that regularly engage with the company. It’s also critical to recognize the specific risks that impact a company’s whole industry. Customers and suppliers may be affected if sanctions on specific products, exports, or industries are imposed, such as those placed on Russia.
While it may not be difficult to identify the exposure a company has to comprehensive sanctions on countries like North Korea, it could be more complicated to assess the potential exposure to sanctions that cover regions, government entities, and individuals.
A sanctions risk assessment should include questions that go beyond whether or not an organization operates in a certain region. It should also include questions that analyze where customers are located, where suppliers and distributors operate, and who is actually behind the corporate entities contracted by a company, or the ultimate beneficial owner (UBO).
One of the largest challenges an organization faces with sanctions compliance is assessing the level of risk with the “50% rules” or narrative sanctions. Organizations or corporate entities that are not listed by name on a sanctions list may be considered sanctioned by association. That means if a sanctioned individual owns over 50% of a corporate entity, the entity may also be sanctioned even if it is not named on an official list. There are different nuances across EU, US, and UK sanctions, but all require companies to screen not only corporate entities but also the directors, shareholders, and ultimate beneficial owners.
Banks have long endeavored to collect ownership and UBO information as part of Know-Your-Customer (KYC) onboarding processes, but this is a relatively new concept for many corporations, and maturity levels vary widely. Many organizations do not have ownership information on suppliers, vendors, and other entities that form part of their third-party populations. If they do, the information may not have been collected in a standardized way or recently updated. Organizations may also lack mechanisms to ensure changes in ownership are identified and new owners are included as part of their sanctions screening process.
When the Russian sanctions targeting individuals and oligarchs were first implemented, many organizations found they could not adequately demonstrate they had processes to ensure sanctioned individuals did not have ownership stakes in third-party companies. This underscores the importance of risk assessment in understanding which third parties may be more exposed due to their geographical location (e.g., Russia, Belarus) or industry (e.g., aerospace, chemicals).
Tackling UBO Identification
There are two ways organizations are tackling the issue of UBO identification to facilitate sanctions compliance. Some organizations have taken a proactive approach by requesting evidence of ownership information from third parties. This may take the form of a questionnaire asking third parties to unwrap their ownership structure or gathering information about shareholders, directors, and other individuals with managerial control. Often, a questionnaire may also ask direct questions about nationality or whether any of the individuals are linked to sanctioned entities or individuals. Because most of this information is self-reported, organizations will need evidence that they have a process to validate the information provided.
Another approach uses publicly available information through registries or commercial aggregators to unwrap corporate entities. This method relies on public records rather than self-reported information, but it can be challenging because ownership structures can be complex and may require multiple layers of unwrapping. In addition, ownership structures can be cross-jurisdictional. For example, while ownership information is available in Russia, it may not be in Cyprus.
Regardless of the method, once the names are collected and identified, they must be added to an organization’s screening process. Names should be continuously screened and updated because the EU, US, UK, and UN are constantly adding individuals to various sanctions lists. If someone is not sanctioned today, that does not mean they will not be tomorrow.
Aspects of a Sanctions Compliance Program
In addition to risk assessment and due diligence, other components of an effective compliance program should include:
Internal controls: commitment from management, accessibly written policies, and communication of policies.
Testing and auditing: planned and coordinated testing to ensure policies and processes are sound and compliant, with deficiencies addressed as quickly as possible.
Training: staff training and support should be provided to explain policies and procedures, updated as policies and procedures evolve.
Finally, companies should understand that compliance programs are dynamic and will inevitably change as geopolitical events evolve.
Have your organization and its supply chain been exposed to risks posed by recent sanctions actions? Take the necessary steps to safeguard your business and implement the Ethixbase Instant Sanctions Risk Questionnaire today.