Sanctions serve as an essential tool for the U.S. government to further its international policymaking agenda and respond to a broad range of geopolitical and social issues, including human trafficking, cybersecurity, corruption, and foreign trade and investment.
While it has chosen not to enforce all of them, the Trump administration has so far imposed or strengthened sanctions on a number of countries. Sanctions on Cuba that went into effect on Nov. 9, 2017, for example, impose certain restrictions on travel and trade. These restrictions are aimed primarily at preventing the military, intelligence and security arms of Cuba’s Communist government from benefiting from American activity.
The United States also expanded its sanctions on North Korea in September 2017. Issued over the country’s nuclear program, these sanctions prohibit banks and other companies from doing business with North Korea. In addition, the sanctions specifically restrict individuals or entities from providing goods, services or technology to the country.
In August 2017, the United States imposed sanctions on Russia that target individuals and entities involved in specific activities, including undermining U.S. cybersecurity on behalf of the Russian government, committing acts of significant corruption, committing or assisting in serious human rights abuses, and providing support to the Syrian government to acquire arms. New rounds of sanctions were also imposed on Venezuela and Belarus in 2017.
In addition to the increased imposition of sanctions, the Office of Foreign Assets Control (OFAC) continues to aggressively pursue enforcement actions against non-compliant companies. While fines levied against financial institutions for sanctions violations tend to draw the most media coverage, companies penalized in 2017 come from a wide variety of industries, including technology, shipping, telecommunications and medical equipment. This trend of increasing sanction activity will continue to challenge U.S. companies seeking to develop or strengthen compliance programs and avoid enforcement actions, including civil monetary penalties. Companies will also need to address issues relating to compliance management systems deficiencies, such as policies and procedures, governance, training and reporting. Inadequate internal controls related to sanction interdiction software and know-your-customer rules need to be examined as well.
To effectively manage risk related to sanctions, companies need to consider key best practices in the following areas:
Governance. Companies must clearly delineate roles and responsibilities as they relate to sanctions compliance and ensure there is adequate oversight by senior management and the board of directors. There should be timely reporting of any compliance problems and periodic reporting on the overall status of the sanctions compliance program.
Risk assessments. Companies should perform risk assessments to identify their exposure to sanctions risks. These assessments must determine and evaluate the inherent risks that stem from products and services, customer types, and geographic origin/destination of transactions. They should also assess the existence and strength of controls for mitigating these risks. Companies with a strong understanding of their overall sanctions risk profile can develop a more effective compliance program that is commensurate with risk.
Policies and procedures. Sanctions policies and procedures must be reviewed periodically for completeness and accuracy. This helps ensure they continue to meet legal and regulatory requirements, are risk-based, and adequately identify and address all sanctions risks. A company’s overall policy framework should also include procedures for assessing the impact of new sanctions programs in a timely manner, as requirements are often effective immediately. Periodic review of policies and procedures also helps.
Reporting and recordkeeping. Companies need to understand reporting and recordkeeping requirements and should have quality assurance procedures for ensuring the accuracy of required documentation.
System validation and data integrity. For companies that rely on interdiction software to assist with sanctions compliance, it is vital to have proper independent validation of systems, including data integrity reviews. Companies should implement processes to ensure periodic review of the algorithms and sensitivity settings used by this software and review data feeds from relevant source systems for any issues with data completeness or integrity.
Independent testing. A company’s sanctions controls should be tested periodically by internal audit or another independent party to evaluate whether they remain effective.
Training. Training programs need to address sanctions requirements and the company’s procedures for ensuring compliance. These programs should also provide specialized training to individuals with additional sanctions responsibilities. Companies should have procedures to review and update their training programs periodically to address new or changing regulatory requirements or internal controls.
In addition, companies should periodically evaluate the capability maturity level of their overall sanctions compliance program and ensure it aligns with their sanctions risk profile. Sanctions compliance programs may need to be more robust if customer types, products/services and geographies warrant additional controls and measures. The maturity level may also vary based on the nature and types of the internal controls used to comply with sanctions requirements, such as automated versus manual controls, preventative versus detective controls, and the extent to which management of the sanctions program is centralized or decentralized.
Companies with strong sanctions compliance programs will be better prepared to navigate ever-changing requirements going forward, particularly as the geopolitical risk landscape remains unstable and uncertain.