While the sanctions that have been put in place as a result of Russia’s aggression in Ukraine have grabbed most of the headlines, the reality is that navigating sanctions compliance has always been tricky. There is no lack of threats and risks out there, and U.S. businesses need to take steps to ensure due diligence in decreasing these risks by not engaging with sanctioned entities.
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) publishes a Specially Designated Nationals (SDN) list of businesses, individuals and other organizations that are sanctioned (often referred to as “blocked”) from doing any business with the United States or its citizens and companies. This is primarily designed to combat threats to national security, such as terrorism, money laundering, cybercrime and weapons proliferation.
Notably, according to the U.S. Treasury, any assets (such as owned companies) of blocked individuals or entities are also sanctioned. That means there are entities that U.S. companies should not be in business with who are not listed by name on the SDN list but are still considered blocked due to their ultimate beneficial owner (UBO). As a result, the process of remaining compliant is more complex than simply checking a list for the names of partners and suppliers.
Since non-compliance with sanctions can result in hefty fines and severe damage to a company’s reputation, risk professionals need to know about the OFAC SDN list and how to navigate it in order to reduce sanctions risks. The following are specific steps for how businesses can ensure they are following best practices in screening the list and reducing associated risks.
1. Review customer backgrounds and monitor the SDN list regularly for changes. Before bringing a new customer under contract, you should be sure to do your homework to see if there is a good chance working with them will put you in violation of sanctions policies. Examine that customer’s history: review public statements, known partners and reported transactions. If information is not easily accessible, request it during the negotiation and/or due diligence part of the contract process. Current customers should be carefully reviewed as well, and doing so before contract is up for renewal will help you recalculate the cost of the risk involved with that customer when it comes time to renegotiate.
The OFAC updates the SDN list whenever an individual or business is removed or added. There is no set timetable for these updates, so checking it often to make sure a previously safe supplier is not now blocked is a smart move. This can be done manually, though that is time-consuming and opens the door for mistakes due to human error. Many tools automate this review of the SDN list, which can save time. Risk professionals should also scan for alerts or instances of a new supplier or partner on a sanctions list during, or preferably before, onboarding processes.
2. Preserve a clear audit trail with close documentation. Any time a check for compliance is conducted, document that action and its results. This helps employees make sure nothing slips through the cracks (or efforts are repeated, such as checking the same company or list multiple times because an employee did not realize that someone else already did it, for example). Any red flags or risks found should be recorded and passed on to the team who can act on them. These processes make compliance checks smoother and help decrease business risk while creating an audit trail if one is ever needed to show due diligence toward complying with regulations.
3. Routinely update and improve screening processes. It should be company policy to routinely conduct additional scans and update internal data systems when checking the SDN list for changes. In fact, this might be the difference between catching a potential risk early and missing it until it is already a big problem.
How can you upgrade your screening processes? Make sure you are looking at both customers and counterparties and checking them against multiple data sources like those provided by Sayari, Moody’s and other third-party data providers. Relying on one could leave blind spots in what should be a robust screening process. And it is always recommended to have a third party audit the sanctions compliance processes in place—this will help you find areas that need to be improved and provide certification of your programs.
4. Utilize technology improvements and prioritize action to preempt violations. Technology can improve the ability to detect sanctions risks earlier. Notably, AI and machine learning technologies can process incredible amounts of data about a customer and identify details that signify an increased risk of sanctions violations much faster than traditional processes. Everything from financial reports, customer bases, historic performance and even news reports on a customer can be analyzed by AI models and flag companies with increased risks, either immediately or down the road.
Focus efforts on clearing high-risk transactions and entities more closely tied to your company’s core activities (e.g., check major suppliers before smaller ones), as well as suppliers and partners that are located in high-risk regions or industries. Once you know those are in the clear, you can go down the list and focus on the next largest potential risk.
5. Lean on employees by increasing training and awareness. The best way to successfully infuse risk management, and in this case sanctions-specific risk awareness, into the day-to-day work of your employees is to do so on multiple fronts. Provide training to new employees but also hold annual, semi-annual or quarterly training for all employees to share current best practices when it comes to meeting sanctions compliance. Arm those employees with the latest technology that allows them to assess and address supplier and partner compliance risks— the lists to be checked, the means of tracking and managing third parties, and the automation tools tracking and facilitating the whole process (if those are available)—and routinely audit your processes.
Companies that build risk management in all its varieties into the culture of their organization—and clearly communicate its importance—are often the most successful in avoiding sanctions violations. Staying compliant with these detailed regulations and the shifting landscape of who is sanctioned and who is not can be difficult. In order to minimize your business risk, make sure your risk management processes and software are up to the task. Integration with your other processes, careful and regular monitoring of sanctions lists and watchlists across the world, as well as keeping up with UBO lists are all vital for all companies looking to steer clear of fines and penalties.