Since the Russian Federation’s full-scale offensive military action against the sovereign nation of Ukraine in late February 2022, the imposition of incrementally more aggressive sanctions regulations targeting certain sectors of the Russian economy, oligarchs tied to the Putin regime, and organizations implicated in providing materiel and support to Russia’s military has been ubiquitous. These measures include, but are not limited to, sanctions regulations promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and trade controls issued by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) that have attempted to cripple the Putin regime’s ability to acquire both financing and tangible commodities to sustain its military offensive.
While a fulsome discussion of these sanctions regulations is beyond the immediate scope of this article, compliance with OFAC and BIS regulations poses a unique challenge to organizations with international exposure, especially regarding Russia, Belarus (a close Putin ally), and certain occupied regions of Ukraine (including, but not limited to, the Crimean Peninsula, and the so-called Donetsk and Luhansk People’s Republics). Notably, trade controls have also grown in prominence in connection with the People’s Republic of China, which, as of this article’s writing, seems intent on undermining US foreign policy strategy by supplying the Russian Federation with a variety of direct and indirect aid.
The sheer volume of sanctions regulations amidst rising international tensions requires organizations to adopt new policies, procedures, and specific controls to mitigate the potential for a regulatory infraction or, worse, a criminal violation. As U.S. Deputy Attorney General Lisa Monaco emphasized during remarks made last summer, the Department of Justice (DOJ) views sanctions enforcement as the “new FCPA”—an explicit allusion to the DOJ’s concerted effort over the past decade to ramp up enforcement of the Foreign Corrupt Practices Act, a statutory scheme used to hold individuals and entities accountable for the bribery of foreign government officials.[1] To that end, organizations are encouraged to consider the following in relation to their sanctions and export control programs.
Ensure the organization’s risk profile is accurate
A fundamental building block of an effective sanctions and trade compliance program is a holistic risk assessment and routine testing of internal controls. Relying on DOJ guidance concerning the evaluation of corporate compliance programs, organizations should avail themselves of the opportunity to consider: (a) the nature and extent of their international exposure, especially in sanctioned jurisdictions, taking into account the totality of their global supply chains; and (b) whether existing controls are operationally effective in preventing the possibility that the organization could violate sanctions regulations.[2] For example, organizations with considerable financial dealings with any institution or individual based in the Russian Federation should consider whether any of their activities constitute a violation of OFAC’s financial dealing prohibitions, including strict transactional restrictions targeting any dealings with specific state-owned financial institutions. Controls should be tested—and, where necessary, adjusted—to ensure that no capital outflows are made to any bank designated by OFAC as subject to one or more transactional proscriptions.
In a similar vein, a manufacturing organization that is largely dependent on exports to Russian-based entities should take heed of BIS’s intense focus on ensuring that virtually any item subject to the jurisdiction of the Export Administration Regulations (EAR), with few exceptions, require a license for export, re-export, or transfer (in-country). Even if the item is designated as EAR99, the organization should still account for the EAR’s General Prohibitions, which, among other things, prevent commodities and associated technology from being exported, re-exported, or transferred to embargoed or sanctioned countries/regions, in support of a variety of prohibited end-uses or to a wide range of prohibited end-users, including most notably military end-users.[3] In short, existing controls should be adjusted to account for actual operational risks faced by the organization on a daily basis.
Identify, remediate, and disclose potential violations
While conducting a risk assessment or periodic audit of various facets of an organization’s compliance program, potential infractions of sanctions or trade controls regulations should be identified, promptly remediated, and voluntarily disclosed to the appropriate agencies. The need for prompt, voluntary disclosure of all nonprivileged facts and information to the relevant enforcement authorities is a virtual prerequisite for any cooperation credit under new guidance issued by the DOJ last year.[4] As Monaco again starkly emphasized, organizations with a “sanctions problem” are required to “pick up the phone and call [the DOJ]” before the DOJ discovers the misconduct in question. Moreover, failure to completely disclose the facts and circumstances surrounding a potential sanctions infraction—including identifying all culpable actors—may completely negate the positive effect of the organization’s preliminary cooperation. As such, all organizations facing a potential sanctions or trade controls issue are encouraged to be completely candid with government investigators and avoid the temptation—all too common in legal circles but completely inapposite in a compliance context—to withhold salient facts or documentation in a misguided effort to maintain leverage in negotiations. As further directed by Monaco this year, this tactic risks substantially reducing or altogether eliminating a culpable organization’s eligibility for full cooperation credit.
Finally, it seems trite but necessary to emphasize that organizations that commit to implementing remedial measures must faithfully do so. The failure to adequately address compliance program deficiencies following a potential violation is an almost certain recipe for a repeat violation and unwanted government attention. Given the DOJ’s adoption of new, more objective criteria for appointing corporate monitors to oversee the implementation of compliance program upgrades, organizations that overcommit and underdeliver in a remediation context face the very real possibility that the organization itself could be subject to corporate monitorship.
Invest now in additional compliance resources
A chronic lack of resources has historically constrained the ability of the compliance function to maximize its practical utility to the organization overall. Due mainly to the misperception that compliance is a hindrance, rather than a benefit to, the organization’s operations as a whole, the compliance function is routinely understaffed, overworked, and ill-equipped to deal with emerging sanctions and trade control expectations. Given the new emphasis by government authorities on sanctions and trade controls violations and evasion, it is incumbent upon organizations to invest now in additional resources commensurate with their risk profiles and operational scales and to dedicate those resources to sanctions and trade controls compliance. All too often, organizations with tremendous international exposure in high-risk jurisdictions operate with a proverbial skeleton crew responsible for all facets of the organization’s compliance controls. The new, more intense regulatory environment demands a sea change in C-suite thinking about the compliance function. Personnel with specific expertise and familiarity with sanctions and trade controls compliance should be retained to assist the organization in identifying systemic weaknesses, remediating those deficiencies, and broadly educating the organization’s other personnel on the importance of sanctions compliance.
While far from exhaustive, we offer the preceding recommendations as the basis for a critical examination of an organization’s sanctions and trade compliance program. As government regulation continues to grow, it is imperative that compliance-conscious organizations adapt quickly to emerging expectations in the sanctions and trade controls landscape.
Takeaways
-
The uptick in sanctions and trade controls activity should cause organizations to assess the effectiveness of their current controls.
-
Sanctions evasion activity is the “new” Foreign Corrupt Practices Act; the U.S. Department of Justice has demonstrated a willingness to pursue sanctions violators zealously, especially as it relates to the Russian Federation.
-
An updated risk assessment that accounts for the organization’s exposure to high-risk and sanctioned jurisdictions is required.
-
Existing internal controls should be evaluated for effectiveness and modified or replaced where appropriate.
-
When in doubt, disclose and remediate. Companies that commit to taking specific remedial measures should follow through on their commitments to avoid additional unwanted scrutiny.