In response to an unprecedented rise in the number of international sanctions and the increasing complexity of the restrictive measures imposed, recent years have seen corporates and financial institutions implement ever more advanced IT solutions to assist with sanctions compliance.  

Indeed, enforcement authorities around the world now mandate the use of electronic screening and risk based compliance systems to ensure compliance and limit the risk of sanctions violations.

However, having spent many years putting in place robust compliance systems (at the center of which are complex transactional and counterparty screening tools) businesses now seeking to deal with Iran face the prospect of having to unwind those same systems to take into account the fact that Iran may soon be open again for international business. Below we look at the impact that the lifting of sanctions may have on existing IT compliance infrastructure.

Background

In July 2015, the "E3/EU+3" countries (China, France, Germany, the Russian Federation, the United Kingdom, the United States and the EU High Representative for Foreign Affairs) and Iran agreed a Joint Comprehensive Plan of Action (“JCPOA”) on Iran's nuclear programme which brought to an end many months of negotiations and has ushered in a new era for Iran, with potentially significant new opportunities for business around the world.

Under the terms of the JCPOA, there will be a conditional phased lifting of most sanctions, including in the trade, technology, finance and energy sectors. In exchange, Iran has agreed never to "seek, develop or acquire any nuclear weapons”, and has consented to continual monitoring by the global nuclear watchdog, the IAEA of designated nuclear sites.

The phased removal of sanctions poses challenges for businesses that will need to ensure they understand what is and is not permitted and the their IT systems are upgraded/updated accordingly. 

When will sanctions be lifted?

The terms of the JCPOA have been approved by the UN Security Council and domestically by the Iranian Parliament (Majlis). In addition, both the US and the EU have begun to lay the legal groundwork for the eventual lifting of sanctions against Iran.

However, the JCPOA does not result in any immediate sanctions relief; that will only come on the "Implementation Day", which is  yet to be set and is contingent on Iran meeting its obligations as verified by the IAEA, although  it is widely anticipated that sanctions will be lifted (on a phased basis) in the first half of  2016.

Until then, sanctions remain in force and any breach could lead to criminal and/or civil penalties for those involved. As such, corporates and financial institutions must continue to screen both counterparty and transactional information thoroughly and IT solutions are essential for the intensive processes involved to ensure compliance.

What can my business do now?

Until Implementation Day, it is important to remember that sanctions remain in place and the EU and US authorities are committed to their enforcement. It remains a breach of the sanctions to participate knowingly and intentionally in activities the object or effect of which is to circumvent the sanctions.

Accordingly, any preparatory steps taken in anticipation of a lift in the sanctions should be expressly limited to that specific preparatory purpose.

Whilst there is no embargo on travelling to Iran for meetings, the EU restrictions on payments to Iranian Persons and dealing with blacklisted persons remain. Consequently, care should be taken to carry out full screening and due diligence on any potential business contacts in the region, including agents and persons they represent, to avoid inadvertent dealings with blacklisted persons and assets.

What’s the position following Implementation day?

On Implementation Day, under the terms of the JCPOA, the EU will suspend most of the existing sanctions including those relating to finance, banking, insurance, oil/gas, shipping, transport and precious metals.

Some (but not all) persons/entities currently subject to the asset freeze will be removed from the list of designated persons/entities (i.e. the sanctions blacklists), freeing up large quantities of previously frozen capital.

However, certain Iranian banks will remain on the sanctions blacklists, so care should be taken to ensure all counterparties are subject to full due diligence and screened against the blacklists when carrying out business in Iran.

The sanctions prohibitions in relation to arms and military equipment and certain metals and software will also remain in place for a further period of up to eight years until the Transition Day.  Limited asset freezes will also remain. The full extent of the remaining sanctions will only be clear following Implementation Day.

From a contractual perspective, parties seeking to agree deals in connection with Iranian interests should include sanctions clauses (e.g. providing an orderly exit) in the event sanctions remain an issue and/or are reinstated.

One critical issue to note is that the JCPOA will not involve the removal of US sanctions that prohibit trade and commerce between US persons and Iran. Instead, the US Treasury's Office of Foreign Assets Control (OFAC) will maintain most of the sanctions that involve US persons or the US financial system. However, the JCPOA envisages that, from the Implementation Day, OFAC will license certain activities by US persons and there will be a relaxation of US secondary sanctions which apply to non-US persons.

In recent years the EU and the US have moved on a coordinated basis as regards foreign policy towards Iran with largely similar sanctions having been imposed. However, that will not be the case following Implementation Day where US entities/persons will be subject to greater restrictions than their EU counterparts. What is in effect a two-speed sanctions relaxation will mean that global business with US operations will have to consider carefully the extent of their new obligations and reflect any applicable restrictions as part of sanctions systems and controls going forward.

From a systems and IT implementation perspective it is this issue (i.e. the divergence of the EU and US positions) that is likely to cause the greatest challenges.

Can sanctions be re-imposed?

The JCPOA includes a dispute resolution mechanism with tight deadlines which is directed at preventing the parties taking steps to undermine the deal, and aimed at resolving issues swiftly should they arise.  Ultimately, all of the existing restrictive measures can be re-instated "in the event of significant non-performance by Iran of [its] JCPOA commitments" (the so-called "snap back" provisions).

It is this possibility that should lead businesses to tread carefully with respect to Iran and include full and robust contractual protections in the event that sanctions are re-imposed. It is anticipated that legal and compliance teams will be involved in negotiating detailed representations/warranties, sanctions terminations rights and sanctions conditions precedents to ensure businesses are adequately protected.

Should sanctions be re-imposed, businesses will need to ensure that they can re-implement more stringent measures and/or historic IT policies/systems swiftly. Should sanctions be lifted, it would be sensible for businesses to archive their IT compliance systems in such a way that they can be revived on short notice with limited disruption to the ordinary course of business.

Corruption risk

In addition, many of Iran's key businesses and assets are subject to state control. As such, negotiations are likely to involve public officials and this increases the associated risks including for potential bribery/corruption offences. Businesses should remain vigilant and ensure proper policies and procedures are followed to limit exposure to potential UK Bribery Act and US Foreign and Corrupt Practices Act offences.

In addition businesses will need to ensure that accounting and expense processes limit the potential for corrupt practices and identify red flag issues when they arise.

Going forward

Many businesses have for a number of years simply refused to carry out any business with Iran. This meant that the positon was relatively straightforward and any screening technology employed could simply be targeted at and reject all Iranian business.

Indeed, banks and other financial institutions (that have spent recent years “de-risking” and stopping all business with certain high risk/sanctioned countries), are likely to remain reluctant to handle Iran-related transactions, especially while US sanctions remain in force.

However, given the vast potential of the Iranian markets, businesses across various sectors are already laying the groundwork to commence business operations in/with Iran as soon as possible. It is those entities in particular that should be preparing now how best to update their electronic systems and controls as should an issue arise this will form a critical part of any defence/dialogue with the enforcement authorities.

Either way, following Implementation Day, detailed counterparty due diligence extending up/down the ownership chain (and associated electronic screening) will remain a key part of client take on and new business approval processes.