Sanctions as the New FCPA and Steps to Mitigate Your Risks

Increased Focus on Sanctions Compliance

As the U.S. government increased its involvement in the Ukraine conflict over the past year, the Biden Administration made it clear that economic sanctions would be utilized as a key tool to hinder the Russian military and isolate individuals tied to the Putin regime. Just this past March, Deputy Attorney General Lisa Monaco, in a speech to the American Bar Association’s National Institute on White Collar Crime, stated that, “in today’s world, sanctions are the new FCPA.” She also announced plans for the U.S. Department of Justice (“DOJ”) to hire at least 25 new prosecutors focused on national security matters like sanctions and that DOJ will begin issuing joint advisories with the U.S. Departments of Commerce and Treasury “to inform the private sector about enforcement trends and to convey the department’s expectations as to national security-related compliance.”

U.S. Sanctions and Their Impact on the Private Sector

Very simply, sanctions are issued by the U.S. Office of Foreign Asset Control (“OFAC”), essentially making trade with specific individuals, entities, and countries a criminal offense for U.S. nationals, U.S. companies, and foreign companies that do business with the United States (including only through using U.S. currency). Export restrictions, also issued by OFAC, are limitations on the export of certain goods by U.S. companies to another jurisdiction.

The Russia sanctions regime is impacting U.S. companies more severely than other major sanctions programs (such as those targeting Iran, North Korea, Syria, or Sudan) because commercial ties between the U.S. and Russia have become fairly mature since the fall of the Soviet Union. Even with setbacks and Putin’s increasingly hostile rhetoric towards the West, U.S. businesses had still considered Russia a secure, if not safe, market due to the importance of Russia to U.S. exporters, with more than $90 billion in revenue coming from Russia in 2017.

U.S. companies were relatively unaffected by the other major sanctions regimes mentioned because they generally had less presence in these jurisdictions, historically. It was the risk of secondary sanctions on non-U.S. companies in those geographies that arguably had the highest impact, such as Gulf Cooperation Council countries with established trading relationships with Iran and the Sudan; or Chinese and Southeast Asian countries with maritime trade routes along the Korean peninsula.

Another factor making Russian sanctions a particular headache for compliance chiefs at U.S. companies is the speed at which sanctions were imposed following Russia’s invasion of Ukraine. Since February 2022, OFAC has added over 2,500 Russia-related targets to the Specially Designated Nationals and Blocked Persons List ranging from Russian government officials to high net-worth individuals and leaders in business sectors, many of whom are themselves invested and involved heavily in many U.S. businesses. 

Lessons Learned from Microsoft’s April OFAC Settlement

The most recent sanctions settlement by a major U.S. corporation was released earlier this month, with Microsoft settling with OFAC and the U.S. Bureau of Industry and Security (“BIS”) for $3.3 million related to potential violations of sanctions and export laws pertaining to Russia. To put this settlement into context, $3.3 million is very minor in the realm of OFAC enforcement actions.

In the Enforcement Action Release, OFAC and BIS provided comments on Microsoft’s Compliance Framework that other US corporations should view as meaningful takeaways. Overall, OFAC credited Microsoft for its prompt self-disclosure of potential violations and extensive cooperation with investigators once violations were discovered. Other specific remedial actions taken by Microsoft that companies should consider to be leading practices are:

1. Rectifying issues in its screening technology and methodology to ensure relevant alerts were raised while also increasing its resources to fully investigate raised alerts.
2. Requiring Russian service contracts to be cleared by the High-Risk Deal Desk, a new function that provides additional compliance screening.
3. Implementing an “end-to-end” screening system that gathers data when an outside party makes its first contact with the company and screens its data on a recurring basis.
4. Implementing an internal team to assist its contractors and employees in reviewing and researching potential restricted parties.
5. Expanding its detailed sanctions compliance training for certain employees and jurisdictions.
6. Adopting a new “Three Lines of Defense” model to supervise its trade compliance program, which emphasizes management oversight and compliance monitoring.

The key takeaway when looking at Microsoft’s remediations is that Microsoft recognized it had not addressed ever-increasing sanctions risks in mature markets, and in response it moved to update the end-to-end process for reviewing both current and new customers in markets with increasing risks.

Steps to Update Your Sanctions Compliance and Export Controls Program

Not every company has the resources and immediate cause (i.e., identified credible sanctions violations concerns) to begin an overhaul of its sanctions compliance and export controls program, but many do recognize the risks of potential exposure. For these companies, what should be done to begin addressing compliance program gaps? Below are four high-impact recommendations that could make an immediate difference:

1. Refresh your risk assessment and reassess your processes for considering compliance risks. Sanctions and export regulations are constantly changing, and it would be prudent to review your risk assessment plan and reprioritize/deploy resources as needed. The DOJ has noted in guidance for evaluating corporate compliance programs that performing reviews of risk assessment processes is a best practice. Consider engaging an independent advisor to review your risk assessment processes, risk registers, and risk ranking methodologies to ensure sanctions and export risks are being mitigated appropriately.
2. Policies limiting work-related communications outside of email and company sanctioned messaging programs should be drafted and rolled out globally. Communications were a key topic in the DOJ’s updated guidelines for effective compliance programs, issued this past March. The guidelines included recommendations that company policies ensure communications are accessible and reviewable by investigators.
3. Prioritize sanctions and export compliance training for first line employees. A company’s compliance training program is one of the first areas the DOJ and OFAC review when assessing gaps and a risk-based approach should be taken in training programs. First line employees, such as sales and customer account management staff, generally have the most information at hand to help identify indicators of sanctions evasion and as a result, training for these individuals should be regular, focused, and incorporated into compensation models.
4. Work with an advisor to update export due diligence procedures. In some cases, the procedures of shippers and other third parties can be very helpful in providing information on end users and customers operating in high-risk areas. However, not all third parties can be relied upon. As export requirements and limitations become more complicated, the need for end user investigation will be greater and due diligence programs should be tailored to an exporter’s specific risks. Engage an independent compliance expert to provide recommendations for how to immediately update and implement changes. Also, be ready with an external investigations provider to supplement due diligence bandwidth at critical times.

BIS and OFAC have made it clear that they will hold U.S. companies accountable for the activities of their foreign subsidiaries, distributors, and resellers. It is a company’s responsibility, no matter how big or small, to ensure its foreign affiliates and sales teams adhere to all sanctions and export control regulations under U.S. law. Unfortunately, however, there is no one-size fits all approach. Specific updates to controls and processes depend on a company’s business model and its own operational reach.

Lessons learned from the recent past show that no matter the Administration, the importance of understanding and complying with sanctions is unlikely to decrease for the foreseeable future. It is the responsibility of each company’s leadership to ensure compliance leaders have the tools needed to mitigate risks and identify gaps in controls as regulations and the global business environment change.

Written by: