As we wrap up our series about sanctions investigations with this post, our Global Sanctions Investigation Group has blogged about key issues that companies should keep in mind as they tackle global sanctions investigations that are inherently high-risk matters. But do you need to passively wait around for the sanctions enforcement storm to batter your company and its trade compliance team? The simple answer is a resounding no.
Companies worried about sanctions compliance and potential investigations should heed Benjamin Franklin’s famous dictum: an ounce of prevention is worth a pound of cure. Reacting to regulatory scrutiny is always more stressful, costly, and damaging than ensuring a trade compliance program is fit for purpose and that it will decrease the chances that a company will face scrutiny in the first place.
A key way for a company to be better positioned for such scrutiny is to use gap assessments to determine key business risks, and to adjust and update a trade compliance program to address those risks. Reviewing the efficacy of a compliance program on a regular basis is also vital given the ever-evolving legal landscape in sanctions and related areas of law, with expanding prohibitions and ever-changing lists of designated individuals and entities.
Compliance programs have to evolve alongside the law. Even businesses with carefully designed compliance programs should not fall into complacency in the current dynamic sanctions environment; they cannot take a “set-it-and-forget-it” approach. Certainly, many regulators – especially in the United States – have made it clear that gap assessments are a vital part of any compliance program – see here (Office of Foreign Assets Control), here (Bureau of Industry and Security), and here (Department of Justice). In the EU, the European Commission has also published detailed guidance on conducting risks assessments of possible sanctions circumvention (here).
Below, we discuss how to evaluate sanctions compliance programs for weaknesses and/or gaps.
Understanding Sanctions Risks Generated by Business Operations
Before a company can determine the suitability of its compliance program, the team conducting an assessment needs a good understanding of business operations and what sanctions risks are involved. This part of the exercise requires identifying business that may implicate risks such as the following:
- Operating in a sanctioned jurisdiction, whether that be sales to such a country or setting up manufacturing operations there;
- Dealing directly or indirectly with business partners, customers, or suppliers that are operating in sanctioned jurisdictions or may be designated parties;
- Purchasing supply chain inputs that are commonly known to originate from sanctioned parties or jurisdictions;
- Manufacturing and/or exporting goods, software, or hardware controlled under military or dual-use export controls; and
- Financing projects in sanctioned jurisdictions or involving designated parties.
A gap assessment has to take into account how a business operates now and perhaps also what its immediate plans are that could implicate sanctions risks. Relying on a historical understanding of business operations is risky because it will likely be out of date or inaccurate.
Reviewing the Efficacy of a Trade Compliance Program
Once a company’s primary compliance risks are understood, the gap assessment team can turn its attention to the nuts and bolts of the trade compliance program. This requires reviewing the program to see if it has key aspects such as written compliance policies and programs, restricted party screening and due diligence measures, product classification procedures, and training.
This should not be a “check the box” exercise. The assessment has to consider how these different measures are implemented in practice at a global level and also by particular businesses within a company, with a focus on operations identified as implicating elevated sanctions risks. For example, an assessment should test whether ad-hoc screening that may have been in place so far is really sufficient for a company on a global basis or for a specific subsidiary, and/or whether it makes sense to move to automated screening. Furthermore, this process needs to confirm that compliance measures reflect current trade restrictions and prohibitions—what may have worked a few years ago may no longer address new business services prohibitions or export controls that have been implemented in the meantime.
Getting into the nitty-gritty of an assessment often means interviewing selected employees, to test their understanding of compliance risks and how a company’s compliance program is meant to mitigate them. Conducting in-depth reviews of sample transactions can also add significant value to a gap assessment. One of the final steps of a gap assessment can be undertaking a dry-run of the policies and processes to determine whether red flags are identified and that proper escalation features (to senior management or legal counsel) are employed. Completing these steps will ensure a gap assessment appropriately measures whether the actual performance of a compliance program is appropriate for the organization in question.
Ensuring Appropriate Legal Input
Strictly speaking, a gap assessment can be completed by internal specialists or other non-lawyers but there can be significant benefits to involving outside legal counsel in these efforts. Given the legal and technical nature of many sanctions and export control measures, the Global Sanctions Investigation Group often finds we can provide value insights into what legal restrictions and prohibitions are relevant for a company as well as explain regulators’ expectations. Furthermore, involving legal counsel in the assessment process incorporates the benefit of keeping findings under legal privilege, which can be important if violations are identified.
Separately, a thorough gap assessment will consider whether legal input is appropriately incorporated as part of a trade compliance program. Strong sanctions compliance programs will embed relevant due diligence processes within the operational arm best placed to execute them. Depending on the organizational structure and departmental capabilities of the business, aspects of sanctions compliance may be embedded within procurement, finance, ethics and business integrity, or a stand-alone compliance function. However, legal counsel should generally be involved in decision-making in various aspects of a trade compliance program, given that the extent and scope of prohibitions under sanctions laws is not always clear cut.
Remediating Gaps Found as Part of the Assessment
The end-product of a gap assessment typically ranks gaps that have been identified by order of priority in terms of the level of sanctions risks involved and proposed remediation. This process is a cost-effective way to assess and improve the efficacy of a company’s compliance program and identify potential sanctions non-compliance before an enforcement case begins. Remediation can run the gamut from updating policies and procedures to enhancing training to automating screening.
A gap assessment can also spot past instances of non-compliance. This gives companies an opportunity to remedy the issues before a regulator starts an investigation. Such discoveries may also lead a company to initiate an internal investigation and consider whether it should avail itself of any voluntary disclosure programs. There is no question that it is best for companies to get ahead of compliance lapses rather than hoping they will not cause problems in the future.
If you find yourself in the situation of starting an investigation, you can review this series from its beginning to keep in mind the best practices to implement and pitfalls to avoid in a global sanctions investigation. Our Global Sanctions Investigation Group stands ready to support clients in navigating these complexities.
