Considering the rapidly changing export controls and sanctions landscape, companies need to ensure their compliance programs respond to the latest-breaking risks and demands from regulators. While the scope and volatility of trade sanctions may seem daunting, companies can protect themselves from costly violations by proactively bolstering compliance programs.
Export controls and sanctions risk can exist in any cross-border transaction involving foreign jurisdictions, people, or products. A responsive sanctions compliance program needs to 1) respond to specific risks based on your organization’s operations; and 2) demonstrate to regulators that you have prioritized compliance and leveraged the tools available to you.
The encouraging part is that you can strengthen an export controls and sanctions compliance program without incurring significant costs by implementing a few practical measures.
If you are concerned about your sanctions risk, but aren’t sure where to start, ask yourself the following questions:
1. Do you understand which regulations apply to your business?
It is imperative to know which regulations and laws may apply to your business. Understand which government regulators (OFAC, BIS, DDTC, EU, OFSI) exercise jurisdiction over your business, products, information and services. For example, are exported items subject to the International Traffic in Arms Regulations (ITAR) (defense articles and defense services) or Export Administration Regulations (EAR) (dual-use and general commercial goods) and has the company classified those items accordingly under the Munitions List and Commerce Control List, respectively? The penalties for non-compliance differ depending on whether exported items are subject to the ITAR or EAR.
Be familiar with your geography and high-risk jurisdictions/transshipment countries of concern. For example, BIS and FinCEN published a joint alert listing transshipment countries of concern including, but not limited to, Armenia, Brazil, China, Georgia, India, Israel, Kazakhstan, Kyrgyzstan, Mexico, Nicaragua, Serbia, Singapore, South Africa, Taiwan, Tajikistan, Turkey, United Arab Emirates, and Uzbekistan.
2. Do your compliance policies provide a digestible and practical roadmap for your compliance program?
We recommend that businesses involved in cross-border transactions follow the key elements of an effective export control and sanctions compliance program. OFAC, DDTC, and BIS each provide separate guidance for an effective compliance program, but that guidance contains overlapping themes:
- Senior management commitment - policy statement
- Risk assessment
- Internal controls
- Handling violations and taking corrective action
- Monitoring, testing, auditing
- Training
Additionally, compliance policies and manuals should act as a roadmap for your company’s sanctions compliance program. These policies should:
- Reflect requirements of regulatory guidance
- Encompass all business cycles with sanctions compliance risk (e.g., sales, procurement, supply chain, etc.)
- Clearly identify and explain compliance risks
- Detail mitigating controls
- Designate compliance roles and systems
- Provide real-life examples to help employee comprehension
- Identify records to retain and related storage systems
- Be disseminated/readily available to employees
- Be periodically updated based on regulatory, system, and business changes
Regulators expect a risk-based compliance program that is tailored to the business and is routinely updated. Organizations should continually assess their export controls and sanctions compliance risks in a rapidly changing environment. For instance, consider changes in operations, locations, products, services, business relationships, etc. Companies should also monitor regulatory guidance and enforcement actions, as a good sanctions compliance program is one that can respond nimbly to regulatory changes and guidance.
3. Is your company exercising due diligence best practices on a transaction- and system-wide basis?
Organizations should be vigilant about different warning signs and risk factors on a per-transaction basis. BIS “Red Flags” and Know Your Customer guidance found in Supplement No. 3 to EAR Part 732 is a great resource for ascertaining potential red flags. For example, any transactions with Russia and Belarus are high risk due to the significant OFAC and EAR restrictions involved.
Companies should utilize enhanced due diligence for higher-risk jurisdictions, customer types, and significant relationships. Business partner due diligence should include several components, including:
- Documents and electronic records provided by the business team members
- Independent research of publicly available information and media
- In-person visits, inspections and verification
- KYC’s Customer – End Users
- End Use verification
- Screening and re-screening parties
4. Are you enhancing the use of your company's data and IT systems?
Every organization has data, and regulators expect that organizations will utilize available data in their compliance programs. Companies should ask themselves if they understand the extent of their organization’s data, and whether they are able to leverage that data to control sanctions compliance risks. For example, most companies closely track customers and sales, but do they also retain information on their distributors and agents, freight forwarders, shipping routes, and the origin of all the components in any branded products built by third-party manufacturers?
Retaining all available data and entering it into IT systems in a standard format allows companies to automate transaction analysis for sanctions risk, screen third parties against restricted entity lists, and respond to demands of regulators. Failure to take such measures can lead to enhanced penalties in the event of a violation, whether intentional or not.
Key measures to implement for data and IT systems include:
- Integrate IT systems and automate restricted party screening when possible
- Standardize data format across IT systems to allow for full-business cycle analysis
- Require supporting documentation, including for customer onboarding, travel, shipment, and vendor payment requests. This allows for automated matching, e.g., bill of lading to invoices to verify delivery location
- Generate dashboards to alert for potential risks
- Perform keyword searches on systems and emails for “code words” pointing to potentially prohibited transactions
- Periodically test and enhance IT controls
5. Are your employees equipped with the necessary training, resources, and skills to effectively execute your compliance program?
Your people are the front line against potential export controls and sanctions violations. Personnel in key roles perform due diligence on customers, authorize contracts and transactions, and can perform audits and inspections of your compliance activities and those of third parties. It is critical that these personnel remain well-versed in evolving compliance risks and your company’s risk response.
Compliance trainings should include:
- Sanctions and export controls (including EAR and ITAR, as applicable) compliance awareness training for all employees/contractors – front line of defense
- External trainings for key relationships
- Job-specific training that is risk-based and tailored to employee roles
- Multiple formats – online, in-person with Q&A, etc.
- Knowledge checks and exams
- Periodic evaluation of training content – is it keeping up with changes in regulations and the sanctions environment? Has it been updated for changes in business?
- Continuous reinforcement – periodic training reinforced with sanctions compliance communications
Additionally, organizations should perform quality assurance, audits, and inspections of their own company and key compliance functions, as well as those of their business team members. Audits should be conducted by personnel who are qualified and independent. Some key elements of such activities include:
- Perform focused internal or external audits of your sanctions and export controls compliance program
- Examine your key internal controls and ensure they are operating as designed
- Test system/IT controls – e.g., automated screening, transaction holds
- Conduct random records spot checks to ensure appropriate record retention
- Audit/Inspect/Visit your business partners (e.g., freight forwarders, distributors, contract manufacturers, warehousing providers)
- Establish a process to implement corrective actions – tracked milestones, deadlines and accountability
- Create a feedback loop – communicate results, observations, recommendations and enhancements to key stakeholders
- Establish a reporting hotline – mechanisms/channels for employees and business partners to report suspected violations for follow up
In today's dynamic global trade environment, companies should prioritize the development and enhancement of their export controls and sanctions compliance programs to effectively manage risks and adhere to regulatory demands.
While the complexity and unpredictability of trade sanctions can be overwhelming, organizations can safeguard themselves against costly violations by taking proactive measures. This involves tailoring compliance programs to address specific risks associated with their operations and demonstrating a strong commitment to compliance to regulators. Importantly, enhancing these programs doesn't have to be financially burdensome; practical steps can be taken to strengthen compliance efforts.
For companies uncertain about their sanctions risk, a good starting point is to critically assess their current compliance posture by asking targeted questions about their operations and risk management strategies.