Like previous Administrations, the Trump Administration is engaging in the aggressive use and enforcement of US sanctions as a foreign policy tool, often with the backing or mandate of Congress. With the US and other major economies volleying sanctions and counter-sanctions back and forth, the current international trade environment is characterized by the frequent issuance, updating, and enforcement of expanding US sanctions targeting multiple countries (including Iran, North Korea, Syria, Cuba, Russia, and Venezuela) and multiple sectors (such as the defense, financial, energy, and high technology industries to name a few).

In this volatile atmosphere, multinational companies can inadvertently fall into the crosshairs of sanctions regulators and pay a steep price for their stumbles. As proof, just ask any of the numerous foreign financial institutions that have recently paid fines to the Department of Justice in the billions of dollars; one of the several upstream and downstream energy sector companies targeted for commercial activities in Iran, Sudan, and Cuba; any of the large European companies that have suffered the devastating impacts of a sanctions designation of a Russian oligarch owner; or the CFO of Huawei Technologies, whose alleged dealings in Iran last year resulted in her arrest in Canada for extradition to the US.

How can law departments identify and manage risks presented by trade regulation while allowing their companies to capitalize on opportunities for cross-border trade? As counsel, your job is to ensure that your company and its employees know how to guard the company against sanctions risks. This article sets forth general approaches for managing some of the trickiest sanctions issues confronting multinational companies in the global economy.

These practices include:

  • dedicating resources and developing a process for identifying and responding to sanctions risks
  • implementing procedures for screening customers, vendors, partners, and other third parties, as well as their owners, business partners, and affiliates, against sanctions restricted lists
  • ensuring sanctions compliance in the course of cross-border M&A deals, international financings, and other agreements
  • training employees to spot and report risky third parties or transactions
  • ongoing monitoring of sanctions compliance

In other words, set the right tone from the top, operationalize compliance, and don't bury your head in the sand.

Sanctions compliance: Identify your risks and develop a plan

The first step in identifying your company's sanctions compliance risks is to understand that not all sanctions programs are alike. Therefore, your company's risk profile is dependent upon several factors, including the industry in which it operates; its legal, management, and support structures; and its geographic footprint. US and international sanctions regimes are increasingly complex and target not just certain countries (Iran, Cuba, Syria, and North Korea) but also certain sectors (e.g., the Russian defense, energy, and financial sectors), types of transactions (e.g., transactions in Venezuelan debt and government securities), and certain individuals (e.g., money launderers, drug traffickers, and Russian oligarchs). Each of these sanctions programs is different in objective, jurisdiction, scope, and nature of the restrictions. Therefore, a sanctions program must be responsive to developing sanctions risks and enforcement priorities.

It is important to understand how sanctions laws may apply to your company's multinational structure and operations. It is a mistake to believe that companies operating outside of the US cannot be touched by US sanctions authorities. US sanctions principally apply to any US person, wherever located. This includes US companies and their foreign branches, US citizens and green-card holders even if they are employed abroad by a non-US company, and any person while physically located in the United States. Indeed, US sanctions against Cuba and Iran extend to overseas subsidiaries of US parent companies, for example. These regulations prohibit not only direct participation in a sanctioned transaction but also facilitation or approval of a transaction. This means, for example, that a low-level finance employee sitting in Topeka, Kansas, or a green-card holder in Singapore who approves, or even just forwards, a document related to a sanctioned transaction occurring overseas can create liability for the entire enterprise.

Understanding your sanctions risk profile also means understanding the scope and breadth of relevant US and international sanctions enforcement authorities, each of which operates from a different system of priorities and exercises broad discretion in enforcing the President's national security mandates. US sanctions programs are administered first by the Office of Foreign Assets Control (OFAC) at the US Department of the Treasury, which has responsibility for developing sanctions regulations, issuing licenses for certain transactions, and carrying out civil investigations and enforcement actions. The Department of Justice (DOJ), chiefly through its National Security Division, also enforces sanctions laws, and the FBI often supports the DOJ in investigating potentially criminal sanctions-busting activity. Note also the important role that banks play in the sanctions enforcement apparatus. Banks are the first line of defense in policing access to the international financial system and blocking or reporting suspicious transactions.

What does a risk-based compliance program look like?

Because of the variety of sanctions compliance risks across industry sectors and geographies, there is no such thing as an effective, off-the-shelf sanctions compliance program. A compliance program must be responsive to evolving risks and tailored to the organization. Some of the primary elements of a risk-based and risk-responsive sanctions compliance program are discussed below.

Third-party screening procedures

Companies that deal with large volumes of customers, vendors, suppliers, distributors, and business partners on a global basis will be expected to institute a global automated screening system to identify sanctions targets that they may encounter. In choosing a screening system, the following questions should be considered:

  • How easily does the screening software integrate into my existing SAP system(s) to enable automated screening without the need for separate manual entering?
  • Is the system capable of being rolled out and integrated into business units in far-flung regions and acquired business units?
  • How broad is the scope of the screening criteria? For instance, does it include international sanctions lists and also pull from media and other public sources?
  • How frequently are the screening criteria updated? Will it automatically re-run my existing database of third parties when the lists are updated?
  • US sanctions extend not only to listed persons but also to entities in which those persons hold, directly or indirectly, alone or in the aggregate, 50% or greater ownership interest. It is your company's responsibility to identify all such autodesignated (aka shadow-blocked) entities and other parties that may benefit from a transaction. Does the screening provider also identify companies that are affiliated with or owned by sanctioned parties? Is it designed to pierce the façade of disguised or concealed transactions and to take into account complex and opaque shareholding structures?
  • How simple is it to quickly access and digest the results of screening? How easy is it to distinguish between false positives and actual sanctions hits?

Implementation and regular updating of an automated (or at least regularized) party screening platform is one step in developing an active and responsive sanctions compliance program. Training employees to document their reviews and to respond appropriately to identified risks is equally important.

Sanctions compliance in M&A transactions and other cross-border agreements

Even once you have assessed the bona fides of a third party, and its owners, affiliates, and significant business relationships, sanctions compliance should still be an ongoing priority that is both proactively and actively managed. Compliance considerations upon negotiation and entry in cross-border agreements include the following:

  • Trade compliance representations and warranties - Most agreements require the parties to comply with applicable law, but what is applicable law for a company with multinational affiliates entering into a cross-border agreement with a similarly situated counterparty? Even though a Chinese seller, for example, might be loath to agree to comply with all US sanctions laws, it should at a minimum agree not to take actions that would place you or your affiliates in violation of those laws which apply to you.
  • Choice of law and dispute resolution - Sometimes approaching sanctions issues can raise national or political sensitivities. In some jurisdictions, compliance with unilateral US sanctions is considered to be illegal under the country's own blocking or counter-sanctions laws, as in Russia (with respect to US Ukraine-related sanctions), Canada (with respect to the US embargo against Cuba), and certain EU countries (with respect to recently re-imposed US sanctions against Iran). Where sanctions issues are a material risk, consider providing for dispute resolution to take place before an international arbitration panel in a neutral, third-country jurisdiction.
  • Force majeure and termination rights - Sanctions laws are constantly evolving, and new sanctions targets or expanded sanctions are issued frequently. Does your agreement take into account the possibility of expanded sanctions impacting the parties' ability to perform? Are changes of law or regulation considered an event of force majeure? In the event of a sanctions designation, does your agreement allow you to freely mitigate sanctions risks or even to exit the agreement? Companies with exposure in countries with unstable governments or governments that are unfriendly to the United States would be wise to engage in detailed advance contingency planning exercises on how they would respond to the most likely sanctions event and build this response into their agreements.
  • Successor liability in M&A transactions - The statute of limitations for sanctions violations is typically five years, and successor liability can arise in both stock and asset deals. Note also that an activity that is permissible when carried out by a non-US company may no longer be permissible once that company is owned by a US parent. Regulators typically provide significant mitigation when past violations are identified and disclosed as part of pre- or post-closing due diligence.
  • "Use of proceeds" restrictions in financing agreements - Such provisions can often go beyond even the expansive requirements of US law and should be reviewed carefully, especially where they reach activities carried out by overseas affiliates.

Training and empowering employees to support your compliance efforts and ongoing compliance monitoring

As would-be sanctions-busters become more creative and opportunistic, compliant companies must be more vigilant in spotting and avoiding sanctions exposure. This means training employees in a position to evaluate new customer or supply relations to spot red flags of evasive or diversionary tactics that are specific to your industry and to the specific geography. For example, employees working in certain third countries that are known to present risks of diversion (UAE, Venezuela, and Russia to name a few) should be trained on what factors may evidence these risks, e.g., where a customer refuses to provide details about its end-customers, ownership, delivery location, or other relevant facts. In the energy industry, for instance, traders in Iranian crude have been known to disguise related financial transactions as humanitarian trades using front companies and forging false invoices. Savvy employees of multinational corporations working in high-risk jurisdictions or industries targeted by sanctions will know not to take transactions at face value and will be on guard to the clear and present danger of, and opportunities for, illicit trade.

One way to ensure that issues are identified at the earliest possible stage is to provide an anonymous, global hotline for reporting compliance issues or concerns. In-person compliance training sessions, with an opportunity for interaction and led by lawyers so that they are protected by attorney-client privilege, are another good way to vet compliance concerns. Just as important is conducting regular compliance reviews to ensure that compliance procedures are being followed and documented; to spot-check for potential sanctions violations; and to prioritize business units, regions, or functions that present the greatest risks.

Expanding and evolving US sanctions laws create one of the most difficult and dangerous compliance challenges for multinational corporations. A sanctions designation or enforcement action can materially impact a company's global reputation and financial position, and can present ongoing strategic challenges in the form of steep penalties, court-appointed compliance monitors, or difficulty in obtaining financing from risk-averse financial institutions. By the same token, a flexible, proactive, well-resourced, effectively implemented, and regularly updated sanctions compliance program can provide a competitive advantage for companies in a global economy of increasing political and regulatory complexity.