In the US and around the world, there is an extraordinary increase in focus on global compliance, especially in light of recent changes to the Iran sanctions landscape. The reach of emerging sanctions programs now extends to a much wider range of industry sectors, transaction types and companies. This expansion of sanctions and concern about enforcement is unlikely to recede at any point in the near term, absent a dramatic intervening event, such as Iran’s development of a nuclear weapon or a military strike on that country. Accordingly, to mitigate potential exposure, now is the time for companies to implement global risk management best practices.

A growing recognition of the danger posed by a nuclear Iran and the fluid nature of the Iran sanctions environment have significantly raised the stakes for any company with a potential nexus to Iran. The nature of risk management has changed in the wake of recently enacted international and national Iran sanctions regimes, and the unprecedented regulatory, political, media, shareholder and stakeholder group focus on adherence to these sanctions. Addressing this risk requires more expansive understanding of these dimensions on an enterprise-wide basis, given the increasing emphasis within the sanctions regimes on both direct and indirect exposure to Iran or entities doing business in Iran. Running afoul of Iran sanctions, or being perceived to have run afoul of the sanctions, carries with it potential investigations or legal penalties, as well as potential profile risk to the public image of a company. Violations or perceived violations also pose business risk that can dissuade consumers and counterparties, and the risk of policy and political consequences from government attention.

While legal risk often has a directly measurable financial consequence, profile risk, business risk, and policy and political risk can have just as much impact on the bottom line and market position of a business, even where these other aspects of risk are not as readily quantifiable. Examples of the consequences of exposure to these types of risk include Congressional oversight investigations and hearings, enhanced regulatory supervision, bad press and negative publicity, and activist shareholders. Profile, business, and policy and political risk are also manifested through increased counterparty due diligence. Regulators are actively approaching private sector parties to identify indirect exposure to Iran, and seeking support from the private sector in ensuring sanctions are effective. Having advance warning of these potential areas of risk (including indirect exposure to sanctioned parties) is a necessary first step to managing the growing business risk.

In this environment of heightened focus on Iran, it is critical that companies understand the sanctions landscape: the rules of the road, enforcement trends, and tools for navigating the current environment.

Much as the creation of FinCEN and post-9/11 changes to the regulation of financial institutions through the PATRIOT Act shaped a new compliance posture, the growing awareness of the danger of a nuclear Iran and the dynamic nature of the Iran sanctions landscape counsels in favor of a new approach to global risk management.

Best Practices and Global Compliance Strategy

Sanctions are becoming increasingly complex as more nations impose restrictions on parties that do business in Iran, and elements of the Iranian regime become increasingly creative in developing strategies to evade those sanctions. Given this reality, having a proactive strategy to identify exposure through a dynamic or active search process rather than through reliance on government lists (which often lag government investigations) offers the most effective compliance strategy.

Managing risk in the landscape of Iran sanctions requires the implementation of best practices that are structured to capture and address the full range of potential exposure. Under the various new sanctions regimes, particularly that of the US, companies may face severe legal, profile, business, policy and political risk both for their direct ties to Iran and for their indirect ties via third parties1. The key factor is whether the connections to Iran of such third parties are “knowable,” and companies are being held to account by regulators, Congress, the media, shareholders, and stakeholder groups both for their actual knowledge and their constructive knowledge of essentially any credible public information.

Merely assuring that a particular customer, counterparty, or other supply or distribution chain party is not named on a governmental list of prohibited parties does not mitigate the full scope of risks to which a company might be exposed. US authorities, for example, typically consider any entities owned or controlled by a prohibited party to be themselves prohibited, regardless of whether the owned or controlled entity is actually listed. However, there is often a time lag between the discovery of linkage to Iran and the listing of the linked party.

Companies are being held responsible for their direct and indirect interactions, even with unlisted parties, because the ties of such third parties to Iran are often “knowable” through the use of commercially available databases. Indeed, one such service, World-Check2, has on dozens of occasions identified parties with material exposure to Iran (among other problematic relationships) that have subsequently been subject to specific sanctions and designations by the US Government.

Accordingly, best practices require that companies develop, implement and operate a system of procedures and controls to identify and interdict any potential connection, direct or indirect, to Iran. This system should be proactive; and to fully address the risk of exposure, it must incorporate regular collection, synthesis and review of all credible public information related to Iran beyond the static governmental lists of prohibited parties. Commercially available databases such as World-Check are often highly efficient. It is critical that companies actively use such databases to screen their customers, clients, counterparties and other participants in their supply and distribution chains, and integrate the results of these searches into their business policies and procedures for maximum effect.

The Architecture of Iran Sanctions

As the international community endeavors to prevent Iran from developing a nuclear weapon3, a global architecture of sanctions against Iran has been established. The various international and national sanctions that comprise this framework have differing geographic reach and substantive provisions, but operate as a whole to more closely restrict and confine Iran’s access to capital, credit and resources for development of its petroleum and natural gas reserves.4

The Iran sanctions architecture requires a sophisticated compliance approach to identify and mitigate risk. An unprecedented degree of international cooperation regarding how best to effectuate sanctions programs has resulted in the development of what can be characterized as three interrelated categories of sanctions. The components of this architecture consist of (i) United Nations Security Council Resolution 1929; (ii) European Union sanctions, national sanctions regimes in Australia, Canada, Japan, South Korea, the United Arab Emirates, and elsewhere; and (iii) the US Comprehensive Iran Sanctions, Accountability and Divestment Act.

Category 1: United Nations Security Council Sanctions

United Nations Security Council Resolution 1929 (“Res. 1929”)5 forms the base of the sanctions architecture, both because it has the widest coverage in terms of the number of countries to which it applies and because it is cited as the legal basis for many of the other sanctions regimes. Res. 1929 technically has legal authority over all UN Member States. With that said, because of the need to reach consensus among the Security Council members to enact such a resolution, the actual proscriptions of Res. 1929 are the least severe of the various regimes.

As a general matter, Res. 1929 places limitations on Iran’s ballistic missile programs, bans the sale to Iran of certain types of heavy weaponry and weapons platforms, and imposes a travel ban on certain Iranian nationals who have been implicated in human rights abuses. Res. 1929 also includes language that urges, but does not compel, states to exercise vigilance over certain transactions involving Iran when there is a potential nexus to nuclear weapons proliferation. In addition, Res. 1929 calls upon all states to take measures that would essentially prevent the provision of financial services (including insurance or reinsurance) “if they have information that provides reasonable grounds to believe that such services, assets or resources could contribute to Iran’s proliferation-sensitive nuclear activities, or the development of nuclear weapon delivery systems.”

Category 2: European Union and Other National Sanctions Regimes

The second broad structural element of the Iran sanctions architecture has a more limited scope of geographic coverage than Res. 1929, but imposes far stronger sanctions. In those countries that have imposed specific sanctions, the most frequent approach involves the development of a list of Iranian nationals and entities banned from receiving travel visas, freezing assets of those nationals and entities, placing restrictions on new development activities in Iran’s energy sector, and imposing some controls on financial flows between the respective jurisdiction and Iran.

By way of example, in addition to a visa ban and asset freeze on certain designated Iranian persons, the European Union sanctions6 include a prohibition on the nationals of EU Member States from selling, supplying or transferring to Iran (or Iranian-owned enterprises outside of Iran) key equipment and technology for use in refining, liquefied natural gas, exploration and production.7

European Union sanctions also include a range of new restrictions on financial ties with Iran that require enhanced internal controls and expanded transactional diligence processes. EU Member States generally may not enter into new medium- and long-term commitments for public and private financial support for trade with Iran, and are directed to “exercise restraint” in entering into new short-term commitments for financial support for such trade. EU Member States may not enter into new commitments to provide financial assistance to the Government of Iran, including through international financial institutions, except for humanitarian and developmental purposes. Significantly, the new European Union sanctions require enhanced monitoring over any transactions involving Iran, including specific provisions for vetting, processing, disclosing and reporting transfers of funds to and from Iran. European Union sanctions also prohibit the provision of insurance or reinsurance to entities subject to Iran’s jurisdiction, except for the provision of health and travel insurance to individuals.

The European Union’s adoption of Iran sanctions was coordinated closely with the US. This coordination was designed both to show an international consensus on the need to impose sanctions, as well as to facilitate cooperation by EU Member States with the US sanctions. This cooperative approach has already led to commitments by several major European firms that they would wind down their business operations in Iran.8

Category 3: United States Sanctions

Given that the US and Iran have not had formal diplomatic relations since April 7, 1980, it should come as no surprise that the most stringent component of the global Iran sanctions architecture is the US sanctions regime. These sanctions broadly prohibit commerce by US persons with entities in Iran or owned or controlled by the Government of Iran. US sanctions also are intended to have extraterritorial impacts, including penalties on any foreign person who makes certain types of investments or provides other support for Iran’s domestic energy production. As detailed below, the recently enacted Comprehensive Iran Sanctions, Accountability and Divestment Act expanded US sanctions against Iran, in a manner that requires a global risk management approach for any company with a nexus to the US  

The Comprehensive Iran Sanctions, Accountability and Divestment Act

The Comprehensive Iran Sanctions, Accountability and Divestment Act9 (“CISADA”) which became US law on July 1, 2010, substantially expands the scope, reach and intensity of US sanctions against Iran. Accordingly, both US firms and foreign firms with a nexus to the US or to US parties need to understand the new sanctions landscape and to take appropriate compliance measures to address any potential exposure.

A patchwork of US law, regulation and policy10 generally prohibits US persons11, wherever located, from engaging in most commercial transactions with the Government of Iran, entities owned or controlled by the Government of Iran and entities involved in Iran's energy and banking sectors (“Iran”), as well as Specially Designated Nationals12. CISADA is aimed at imposing sanctions on a far wider range of commercial ties between foreign firms and Iran’s banking and energy sectors.13 CISADA targets both direct ties with these and other Iranian entities, as well as indirect ties in which a third party serves as a conduit or other intermediary in connection with Iran. CISADA seeks to make Iran incur substantial economic costs for its attempts to develop nuclear weapons and its support for terrorism by further cutting off Iran from access to the international financial markets. CISADA more directly targets foreign firms and is structured to leverage the US financial system to amplify the cost and risk that such companies face when doing business with Iran.

To achieve this objective, CISADA has established a legal and regulatory structure that imposes enhanced reporting and diligence requirements, new penalties and heightened enforcement on entities that do business (directly or indirectly) with Iran. CISADA is also structured to identify and draw unwanted Congressional, regulatory, media, shareholder and public pressure on those companies doing business with Iran, separate and apart from sanctionable activity. This combination of both new restrictions and expanded identification of entities doing business with Iran requires enhanced diligence procedures.

A central focus of the US Treasury Department and US State Department has been the development of cooperative agreements with governments around the world, and seeking to capture all available data streams related to funding flows that have a nexus to Iran. In this regard, the US Government has developed much closer coordination with a number of jurisdictions that have had historically close business and commercial relations with Iran, including Dubai, Germany, Italy and Russia.

Some of the key provisions of CISADA include:

Banking relationships

New restrictions on banking relationships with a nexus to Iran or affiliated entities require both enhanced counterparty due diligence and a more granular approach to risk management. Under both CISADA and the Iranian Financial Sanctions Regulations (“IFSR”)14 issued pursuant to the legislation, the Treasury Department will impose strict conditions on (or prohibit) the opening or maintenance of US correspondent or payable-through accounts for foreign banks doing business with key Iranian entities.15 Targeted foreign banks are those that knowingly16 facilitate the Government of Iran's efforts to develop weapons of mass destruction and support for terrorism; do business with Iranian companies that are subject to UN Security Council sanctions; or launder money or support the Central Bank of Iran's efforts in support of Iran's weapons of mass destruction activities, Iran's role in international terrorism and Iranian entities subject to UN Security Council sanctions. In addition, CISADA and the IFSR target foreign banks that facilitate "a significant transaction or transactions or provide[] significant financial services for" the Iranian Revolutionary Guard Corps (“IRGC”) or its affiliates, or a financial institution that is designated by the US under the International Emergency Economic Powers Act ("IEEPA") in connection with Iran's proliferation of weapons of mass destruction or support for terrorism.

CISADA clarifies that these new restrictions on correspondent and payable-through accounts apply to the foreign subsidiaries of US banks, extending coverage of the law to any person owned or controlled by a US financial firm from engaging in a transaction benefiting the IRGC or any of its agents or affiliates who are blocked under IEEPA.

Along with issuing regulations concerning the treatment of such correspondent and payable-through accounts, CISADA17 also directs Treasury to issue regulations that would do one or more of the following: (1) require the US financial institutions maintaining such accounts to audit their foreign financial institution clients to ensure that they do not engage in these prohibited activities; (2) require US financial firms to report to Treasury regarding any transactions with respect to any such prohibited activity; and/or (3) require the US financial institutions maintaining these correspondent or payable-through accounts to certify that their foreign financial firm clients are not knowingly engaging in the specified activities. To date, Treasury has not yet issued regulations to implement this provision, but banks have been expanding their due diligence processes to guard against exposure to potential risk.

Energy sector

New restrictions on activities related to Iran’s energy sector require that companies better understand their counterparties and distribution chains to ensure that they do not inadvertently provide a benefit to Iran. CISADA expands the range of activities covered by the existing US sanctions, increases the number and types of penalties for violations of the sanctions, and attempts to curtail the President's ability to forgo investigations and enforcement of potential violations. Until the enactment of CISADA, US sanctions on Iran were largely limited to the prohibitions on commerce by US persons noted above and to the rather narrow set of sanctions established by the Iran Sanctions Act that were required to be imposed on persons (both US and foreign) who made an “investment” of more than $US20 million annually in Iran’s energy sector.18

CISADA expands the sanctions related to Iran’s energy industry. CISADA requires the President to impose sanctions on any person who “sells, leases, or provides to Iran goods, services, technology, information or support” for the production or exportation of refined petroleum products with a fair market value of $US1 million dollars or more, or an aggregate annual value of $US5 million or more.19 Of critical importance, this new requirement affirmatively includes inclusion of “goods, services, technology, information or support,” as well as services (including financing) that “could directly and significantly contribute to the enhancement of Iran’s ability to import refined petroleum products.”20 This is functionally different from prior US sanctions regimes, which specifically excluded the provision of goods, services, or technology from their coverage.21 This new provision of law affords far wider latitude to US regulators in seeking to impose sanctions.

Reports and Notifications

CISADA amplifies the extraordinary increase in concern about Iran that has been exhibited in political circles, the media, shareholders and outside stakeholder groups. Through various disclosure requirements, even when there is no legal penalty imposed, a person engaged in sanctionable activity could still be exposed to profile risk, business risk, and policy and political risk.

One key example of this approach is language in CISADA that limits the President’s authority to forestall investigations of alleged violations or to waive the imposition of penalties on violators. CISADA requires the President to make public his findings as to the name of the offender, the facts underlying the violation, and the rationale for not enforcing the sanctions. In the current environment, the release of such information is very likely to lead to Congressional investigations and hearings as well as stakeholdercould still be subject to severe consequences because of its exposure to profile, business, and policy and political risk, even without the imposition of a legal penalty.

CISADA seeks to leverage the extraordinary increase in focus on Iran sanctions compliance by regulators, Congress, the media, shareholders and stakeholder groups. CISADA requires the identification and public disclosure of the countries and companies that have made, or are making, certain types of investments in Iran.

This attempt to “name and shame” is intended to enhance the profile, business, and policy and political risk for any company doing business with Iran, and includes the following mandatory reports22:

  • CISADA directs the President to submit to Congress annually a report on the dollar value amount of trade between Iran and each G-20 member country.
  • The President is required to submit to Congress a report on “investments in the energy sector of Iran”23 from January 1, 2006, through 60 days after the date of enactment (September 1, 2010). This report also must contain an estimate of the volume of energy resources that Iran imported during the report period, as well as "a list of all significant known energy-related joint ventures, investments, and partnerships located outside Iran that involve Iranian entities in partnership with entities from other countries." One-hundred-eighty days after submitting this report (March 1, 2010), and then every 180 days thereafter, the President is required to provide an updated report on this issue.
  • The President is required to submit to Congress a report on any activity of an export credit agency of a foreign country that would violate the sanctions imposed by the US with respect to Iran's energy sector. CISADA requires the President to update this report as new information becomes available. If the US Export-Import Bank is considering entering into a co-financing arrangement with any foreign export credit agency identified by such a report, prior to approving the transaction, the President must submit a report identifying the export credit agency of the foreign country and the beneficiaries of the financing.

Iran Sanctions Enforcement Trends

While international enforcement of Iran sanctions is somewhat of a patchwork of different countries enforcing sometimes different sanctions within the context of their own perceived national interests, it is clear that the US Government is taking a harder look at Iran sanctions enforcement than it has previously. Given the extraterritorial focus and impacts of US sanctions, and the interconnected nature of the US financial system to the global economy, the US enforcement posture has international impacts. group activism concerning the target company. As a result, a company engaged in sanctionable activity Since enactment of CISADA, there have been several public signals that suggest the US Government24 intends to enforce Iran sanctions in a more vigorous and sustained manner. Four of the most prominent examples are:  

  1. The Administration and the US Treasury Department have publicly acknowledged the acceleration and intensification of a highly successful, albeit quietly conducted, campaign led by Under Secretary of the Treasury for Terrorism and Financial Intelligence Stuart Levey to convince Iran’s trade partners, and those who facilitate such trade, to wind down their Iran related activities;  
  2. Under Secretary Levey has also been leading a global outreach campaign focused on ally development and cooperation, including by engaging with Azerbaijan, Bahrain, China, Dubai, Lebanon, Malaysia, Russia and Turkey, as well as many EU Member States, Japan and Australia;  
  3. For the first time ever25, on September 30, 2010, the US State Department imposed sanctions on a firm (Swiss-based Naftiran Intertrade Company) for violating the Iran Sanctions Act in connection with its activities in support of Iran’s refined petroleum sector26; and  
  4. The President issued an Executive Order27 blocking the property of eight senior Iranian government and security officials, and adding their names to the Specially Designated Nationals (“SDN”) list maintained by the Treasury Department, because of their involvement in serious human rights abuses.

While these public signs are significant, given the often confidential nature of sanctions enforcement, another indicator of the seriousness with which the US Government is approaching Iran sanctions is the market reaction to perceptions of how seriously the US will enforce the sanctions. A growing number of firms have announced that in light of the new sanctions, they are presently, or soon will, wind down their Iran-related operations and not reopen them. A recent State Department list28 of such firms included: Tupras (Turkey); Total (France); Royal Dutch Schell (Netherlands); Independent Petroleum Group (Kuwait); Reliance (India); Vitol (Switzerland); Glencore (Switzerland); Trafigura (Switzerland); Lukoil (Russia); Lloyds (United Kingdom); and NYK Line [shipping] (Hong Kong).

Notwithstanding these announcements, many other firms continue to support Iran’s energy sector29, potentially violating CISADA. There is particular concern in the US about Chinese (and to a lesser extent Russian) firms that might enter Iran and replace the European and Japanese firms that are pulling out. While the US Government has intensified its monitoring of this space, given the complex bilateral relationships, it remains an open question whether, and if so how, the US will seek to punish Chinese and Russian companies that are engaged in sanctionable activities. The manner in which the US addresses these potential violators will provide a strong signal as to this aspect of the US Government’s enforcement posture.

Absent some intervening event that would require more dramatic action, such as the discovery that Iran has achieved a nuclear weapons capability, the determination of a certain time by which Iran will achieve such a capability or a military strike on Iran, continued monitoring and enforcement of CISADA is expected for the foreseeable future.

Moreover, there is a strong bipartisan consensus in the US that Iran must not be allowed to develop nuclear weapons, and broad bipartisan majorities30 supported passage of CISADA. Vigorous enforcement of sanctions is considered to be one of the key ways in which to prevent Iran from achieving nuclear capabilities and to restrict the Iranian regime’s support for terrorism. There are already indications that this Congressional focus on pressuring Iran to cease its nuclear activities and stop supporting terrorism is going to be sustained, if not increased.

Many key Members of the US Congress have shown a strong desire to keep pressure on the US Government to enforce CISADA globally (without providing any sort of safe harbor for Chinese or Russian companies), and to find other ways to expand pressure on Iran. Among the many statements and actions taken by key Members of Congress to advocate for sustained, tough sanctions enforcement, on August 3, House Foreign Affairs Committee Chairman Howard Berman (D-CA) and Ranking Member Ileana Ros- Lehtinen (R-FL) established a Bipartisan Iran Sanctions Working Group whose mission is to help “ensure that US and international sanctions on Iran are fully implemented, effectively enforced and, ultimately, have the intended effect of bringing about Iran’s termination of all activities contributing to its pursuit of a nuclear weapons capability.”31

Members of Congress have also introduced follow-on legislation, including measures which would supplement CISADA by, among other things, requiring SEC-registered companies to disclose their energy and banking relationships with Iran32, banning the CEOs of foreign companies doing business with Iran from receiving US visas33, punishing the US parent entity for the activities of a foreign subsidiary that would violate current US sanctions if they were conducted by a US person34 and conditioning the issuance of US permits for offshore oil and gas drilling to certifications that the prospective lessee is not involved in the development of Iran’s energy sector35.

Similarly, both the media and stakeholder groups are expected to continue, if not expand, their efforts to draw attention to those companies that appear to be violating Iran sanctions. Stakeholder groups are also likely to intensify their ongoing efforts to urge the US Government to enforce CISADA aggressively, and to convince companies around the world that the serious risk of doing business with Iran is not worth the potential benefits.

At least one of the major stakeholder groups, United Against a Nuclear Iran36, has compiled a registry of Iranian businesses, and has called for consumers not to patronize those firms that continue to engage in commerce with Iran. This effort is related to provisions of CISADA that expressly authorize public pension fund managers to divest from holdings in (i) companies engaged in sanctionable activities in Iran’s energy sector as well as (ii) financial institutions that extend $US20 million or more in credit to another person, for 45 days or more, if that person will use the credit for investment in Iran’s energy sector.37 CISADA also provides for a similar safe harbor under the securities laws that allows private fund managers to divest from such companies.38 In both cases, the respective fund managers are authorized to divest based upon “credible information available to the public.”

Compliance Considerations

As the nature of risk evolves, it is critical that the way in which companies monitor and evaluate risk adapts to the new landscape. Much as the post-9/11 expansion of the Bank Secrecy Act forced financial services firms to implement procedures and systems to better know their customers and better account for transaction flows, the new architecture of Iran sanctions creates a similar dynamic both for financial services firms and for a broader range of companies across the energy and commercial sectors.

The recent changes to the Iran sanctions landscape, along with the dramatically intensified focus on compliance with such sanctions, requires enhanced compliance procedures and controls. In the current and projected Iran sanctions environment, increased due diligence is critical to mitigating legal exposure and profile, business, policy and political risk.

Exposure has evolved beyond merely the potential for interactions with designated bad actors (SDNs). With the increase in regulatory, political, media, shareholder, and stakeholder group focus, it has become necessary to monitor the full spectrum of potential interactions with Iran, direct and indirect. Thus, while comparing the names of potential parties and counterparties to the Treasury Department’s SDN list remains necessary, such a review is not sufficient to ensure compliance and to guard against the full spectrum of risk.

Regulators, political leaders, the media, shareholders and stakeholder groups are holding companies accountable for their interactions with Iran based on what those companies should know, not just what they actually do know. Accordingly, any company with potential nexus to Iran, either directly or through an intermediary, counterparty, distribution chain or supply chain, needs to implement an enterprise-wide system that can identify, interdict and address any potential exposure.

In light of the current and projected enforcement posture, and especially because of Iran’s welldocumented use of cut-outs, false flags and other deceptive practices to hide its involvement in international commerce39, companies must take enhanced measures to know their customer. This means drawing upon the full range of publicly available data about Iran, not solely relying upon the SDN list eventually to be updated to reflect the latest developments. It also means ongoing monitoring of both the sanctions landscape and a company’s own activities to assure continued compliance.

As sanctions policy with Iran evolves, continued monitoring of developments in this space is crucial to understanding, assessing, and addressing risk.