Sanctions Risk Management – Key Lessons to Ensure Effective Compliance
The record penalty of 9 billion USD issued by US authorities to a European bank has set a new standard. With the 12th EU sanctions package and reinforced efforts to crack down on violations on either side of the Atlantic, what should be expected in 2024?
We have looked at why companies have been fined by US and UK authorities, whether due to negligent or intentional breaches, and what recent investigations in Norway tell us about the accuracy and maturity of sanctions screening.
Just before Christmas, the EU launched its12th sanctions package. A few days later, the European Banking Authority announced a consultation on its guidelines for internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures.
EU sanctions are only binding within its jurisdiction, that is for EU companies and individuals, both within the Union and abroad, and all entities that operate in the EU. Even if sanctions are not extraterritorial measures, international experts recommend that all companies, even those directly trading directly with Russia, be mindful of the increased focus on targeting circumvention risks.
”Sanctions risk assessment should be a common practice for both financial and non-financial companies by now. The EU Commission prescribes it, as do national authorities exemplified by the FSA in Finland and Lithuania among other countries. It is a fairly safe bet that European companies could be subject to more sanctions by OFAC, We are also seeing that OFAC is increasing expectation on Voluntary Self-Disclosure,”
says Lars von Ehrenheim, Director Financial Crime Prevention
Current issues
In July last year, the Financial Times reported a surge in Kazakh imports big enough to make up 40% of Russia’s trade gap, making Kasakhstan into a major sanctions circumvention hub, together with e.g. Armenia, Turkey and others.
According to media reports in November, UK and Swedish companies continued trading with Russia. More than 100 UK companies have admitted breaching British sanctions against Russia.
In the same month, investigations by Swedish media revealed that about a dozen Swedish multinationals continued to export to Russia after the invasion of Ukraine. Companies operating across a number of sectors including medtech, drilling and mining equipment, security services, trucks, electronics, packaging, access and security technology, materials engineering, forestry, specialised steel, bearings, farm machinery. Tests carried out by the Norwegian Financial Supervisory in 2023 show that sanctions screening accuracy in Norwegian is relatively low or unsatisfactory.
Why companies are fined
Our analysis of reasons why companies have been fined by US authorities in recent years suggests a large share being intentional circumvention. Among the fines for breaching sanctions regulations imposed by US authorities in recent years, a few cases stand out; BNP Paribas (8,9 billion USD), Binance (>4 billion USD) and British American Tobacco (250 million USD). But perhaps of greater importance and interest than the size of the fines is understanding why companies have acted in breach of regulations, if intentionally, due to negligence or because of other reasons.
We have looked at available data on the reasons for why companies have been fined by US authorities. According to high level data, these include intentional breaches, ignoring regulations, active cover up, continued trading by way of intentional fixing of SWIFT messages to enable dealing with sanctioned countries (including e.g. Iran, the Dubai and Cuba), and operating through an unregistered money services business, or a local subsidiary.
Looking at the cause for sanctions breaches identified as negligence, penalties have been issued due to lacking sufficient sanctions compliance program, lacking control over IP addresses, negligence on group level as regarded handling of non-resident persons accounts on branch level.
Limited information is available in the public domain to get a comparative perspective on fines in the UK. With regards to trade sanctions, as of August 2023, it was announced that the Office for Trade Sanctions Implementation (OTSI) will use its new Disclosure enforcement power which will allow for publishing of details of certain financial sanctions breaches, including persons/entities.
A brief review of nine cases shows that 2 out of 9 suggest unintentional breach of the sanction’s regime and/or, a lack of internal procedures. In these cases, mitigating and immediate actions were taken regarding prevention and remediation. In 7 out of 9 cases it appears responsible parties had poor knowledge of operations/actions, internal routines and overall regulations and/or were aware of risks but failed to take mitigating actions.
The perhaps most noteworthy sanctions case in the UK involves the Standard Chartered Bank, which in 2019 agreed to pay USD1.1 billion to U.S. and British authorities over financial transactions that violated sanctions against Iran and other countries.
More than 200 investors filed a lawsuit against Standard Chartered for allegedly untrue or misleading statements about its sanctions non-compliance between 2007 and 2019. As reported by Reuters and other media, in November, Standard Chartered lost its battle to exclude from a trial allegations it broke U.S. sanctions against Iran in a “more widespread and systematic” way than it previously admitted. This after more than 200 investors are suing Standard Chartered for allegedly untrue or misleading statements about its sanctions non-compliance between 2007 and 2019.
What about the Nordics?
Little data is available on how well Nordic companies are managing their sanctions risks programs. Recent Swedish media investigations on the potential trade sanctions regulation risk aside, more specific data to refer to is based on work conducted by the Norwegian Financial Supervisory Authority (NFSA).
The NFSA conducted a thematic review on sanctions screening in 20 banks and subsidiaries of foreign banks operating in Norway. The review involved testing of the accuracy of screening tools used by the banks against actual as well as manipulated data, to compare results. Comparable tests have also been carried out on global level, where screening tests result in an accuracy rate of 97% on actual (unmanipulated) data and 90% accuracy on manipulated data.
The results show that a majority of the Norwegian banks demonstrated relatively low or unsatisfactory customer screening accuracy and even less with regards to transaction screening, which constitutes a risk of breaching sanctions regulations according to the NFSA.
Ensuring accuracy
The scope of the sanctions regimes has and will develop at a high pace and this requires both intelligence and vigilance as well as a good control systems in place. Companies that since before were already in the need to upgrade their sanction screening and transaction monitoring, can expect that costs to meet requirements on increased sanctions measures may likely increase accordingly.
The 12th and updated EU Sanctions Package in December 2023 includes further restrictions including i.e. transit ban extension and notification requirements for the transfer of funds outside the EU. Until May 2024, the European Banking Authority (EBA) will run its public consultation on two sets of Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures. This will cover individual measures, i.e. targeted financial sanctions, and sectoral measures, i.e. financial and economic measures or embargoes.
With these guidelines, it is the first time that EBA creates a common understanding, among payment service providers (PSPs), crypto-asset service providers (CASPs) and their supervisors, of the steps they need to take to be able to comply with restrictive measures.
Based on experience working with sanctions programs with clients in the financial sector, von Ehrenheim says organisations are advised to look at the accuracy of what is triggered automatically and what will have to require manual controls and to update key components of their sanctions monitoring programs to ensure efficiency. Uncertainty around for example UBO issues such as the 50% rule and how to assess different ownership stakes is still common. Challenges noted in the Framework for OFAC Compliance Commitment remain, such as using outdated screening lists, incomplete data screening and not accounting for alternative spellings of names.
Recommendations
Work to mitigate the risk for breaches of international sanctions should be based on a structured risk assessment, focusing on typologies or risk scenarios and includes frequently occurring circumvention schemes. A typical cause for sanctions compliance programs is the ability to ensure that there is a proper risk-based and proportionate compliance program for sanctions, which as demonstrated can result in hefty fines.
According to Lars von Ehrenheim, international sanctions have been viewed as a set of requirements subordinate to AML/CTF. However, the fines and outreach of active supervisors and scope of enforcement actions indicates otherwise.
Forward-looking analysis of exposure and potentially geopolitical risk can be a survival factor for business.
As a risk area, international sanctions need designated and skilled resources as well as a good understanding of risk assessment techniques and how to tailor controls to different business exposures, trade finance or other export business require something else than a transactional banking business.
