What are sanctions?
The Oxford Dictionary defines a sanction as “Measures taken by a state to coerce another to conform to an international agreement or norms of conduct.” The United Nations Security Council outlines a variety of sanction types, including:
- Arms embargoes
- Travel bans
- Asset freezes
- Reduced diplomatic links
- Reductions/cessation of any military relationship
- Flight bans
- Suspension from international organizations
- Withdrawal of aid
- Trade embargoes
- Restrictions on cultural/sporting links
With ongoing concerns about global security, terrorism, money laundering and bribery and corruption, the number of sanction regimes is growing—and your job of mitigating compliance risk is becoming more complex. What’s more, the costs of inadequate sanction screenings are substantial. In 2015, for example, Reuters reported that German lender Commerzbank AG would pay $1.45 billion to resolve a U.S.-led investigation of its dealings with Iran and other sanctioned countries.
Create an Effective Sanction Screening Process
Sanctions, watch lists and politically exposed persons (PEPs) always need to be on your company’s radar when it comes to protecting against reputational, regulatory, financial and strategic risks. Here are 10 best practices to follow when implementing sanction checks:
- 1. Take a top-down approach to compliance. Guidance from regulatory bodies around the world makes clear that corporate leaders need to understand their organizations’ sanctions obligations to ensure adherence to sanctions regimes. Stakeholders, board members, the C-suite, senior executives and key managers must embrace a culture of compliance.
- 2. Maintain up-to-date policies and procedures, including disclosure requirements. No sanction screening policy or process can effectively mitigate risk if it doesn’t evolve with the sanctions environment. This requires keeping up with sanctions, watch lists and guidance from a number of regulatory bodies including the United Nations Security Council (UNSC), the U.S. Office of Foreign Assets Control (OFAC), European Union Common Foreign and Security Policy (CFSP) and the UK HM Treasury.
- 3. Clearly communicate these policies and procedures to employees. In addition, third parties that operate on behalf of organizations—whether as sales agents, partners or others—need to understand sanctions compliance expectations. Develop easy-to-understand materials on sanctions policies and procedures to share with the appropriate individuals.
- 4. Actively train employees and third-party agents to ensure they understand sanctions compliance obligations, as well as how to recognize and address sanctions compliance. According to guidance from OFAC, such training programs help raise awareness, but the guidance also suggests “reviewing regulations in staff meetings, incorporating compliance requirements into operating procedures and joining with other banks to sponsor compliance seminars.” Moreover, training should be tailored to employee groups or third parties based on their level of involvement with sanctions issues. Training should include scenarios on how to handle reportable matches and include refresher training sessions as needed.
- 5. Implement a risk-based sanction screening process. There is no one-size-fits-all approach to sanction screening. Organizations must develop policies and procedures tailored to the specific nature, size and risk of their operations. Considerations include inherent risks based on an organization’s products, services and delivery channels; its size, business model and corporate governance process; and its customer profiles, geographic location and countries of operation.
- 6. Align sanction screening to third-party due diligence procedures. Organizations must undertake appropriate due diligence for their supply chains and third parties, but depending on the nature of the business relationship, an organization may carry out simplified or enhanced due diligence. Developing a comprehensive approach that includes sanction, watch list and PEP checks in the due diligence procedures helps organizations mitigate risk more effectively—right from the start.
- 7. Ensure procedures include escalation contacts, both for sanction enquiries and violation reporting. Whether changing sanctions lead to an enquiry or internal processes uncover a potential violation, the procedural documentation provided to managers, employees and third parties should include a clear path for reporting such findings.
- 8. Audit and regularly review sanction screening policies, procedures and training. Conduct ongoing assessments of the effectiveness of the current sanction screening program and determine how policies or procedures need to evolve to meet changing requirements. Sanctions regimes evolve over time—sometimes, more rapidly than you might expect—so organizations need to have a source for sanctions lists that keeps pace with change.
- 9. Reinforce policies and procedures with independent audits and testing. Outside verification helps ensure that your sanction screening program operates effectively and complies with relevant laws. Depending on an organization’s risk profile, the independent audit should take place every 12 to 18 months, and audit results should be reported directly to the board or a designated board committee.
- 10. Don’t wait for enforcement as a trigger to implement the above actions. In a Financier Worldwide roundtable discussion on sanctions compliance and enforcement, Adrian Mebane, VP and Deputy General Counsel for The Hershey Company said, “Responding to a sanctioned country violation or regulatory inquiry is very invasive to a company’s operations and requires, among other things, payment of attorneys’ fees, employees’ participation in witness interviews, and comprehensive data preservation and collection efforts. And, a company could face severe penalties if found guilty of breaching sanctions regulations, including criminal and civil prosecutions, significant monetary fines, debarment, monitoring by an independent third party and reputational damage.”