How the ACSS Sanctions Toolkit Helps You Create a Compliance Program

By Scott Nance
February 26, 2022

Creating a sanctions program, especially from scratch, can be daunting. To assist organizations, the Association of Certified Sanctions Specialists (ACSS) has developed a toolkit that identifies the major components sanctions compliance systems need, explains what each component must cover, and provides templates for key documents.

The precise shape of the sanctions compliance system depends on the organization’s structure and business – there is no “one size fits all.” Still, the toolkit can be invaluable. Following are the main components of an effective program.

Sanctions Readiness Assessment

The first step in establishing a sanctions program, or in upgrading your current one, is to review your company’s position. This includes studying or revisiting applicable sanctions laws, revising or creating a sanctions policy, and appointing someone to be primarily (although not solely) responsible for sanctions compliance. The ACSS sanctions toolkit provides a draft questionnaire for guidance.

Compliance Basics

Unless your organization is unusually sophisticated, it is likely that few, if any, of your colleagues know much about economic sanctions. Before you can design and implement an effective program, you need to educate those responsible, including top management, about the fundamentals of sanctions. This includes what sanctions are, who must comply with them, and how your organization can get into trouble if it does not comply.

The sanctions toolkit provides a brief but thorough overview of the basics in the form of a short video suitable for employees at all levels.

Identifying the Applicable Sanctions Regimes

The core of a sanctions program is the sanctions laws applicable to your organization. These will always include the laws of your home country, as well as those of any countries in which you do business.

The applicable laws may also include those of countries from which you import goods or services, especially the United States, as its sanctions may continue to apply to US-origin products even after they have been exported. The sanctions toolkit walks you through the process of identifying which sanctions regimes may apply to your organization.

Sanctions Compliance Structure

A compliance system requires an organizational structure. This should reflect the key components of a sanctions compliance program. These components include:

  • A written sanctions policy, with commitment by senior management;
  • An assessment of sanctions risks;
  • Internal controls to mitigate these risks;
  • Training; and
  • Testing and Audit.

Your sanctions compliance system must be able to fulfill each of these functions. The ACSS sanctions toolkit describes all of them and provides suggestions for organizational structures for compliance. It recognizes this will vary depending on how large and complex your organization is, among other considerations. The toolkit addresses the role of senior management in sanctions compliance in particular and even provides a draft job description for the organization’s sanctions officer.

Risk Assessment

A good assessment of the sanctions risks your organization faces is vital to the effectiveness of your compliance system. The ACSS toolkit provides a comprehensive guide to performing a risk assessment. The main steps in a risk assessment, as laid out in the toolkit, are:

  1. Establish the risk assessment process. This includes developing a written risk assessment methodology tailored to your organization, detailing who will perform the assessment (this may be an internal function or an outside consultant), setting a timetable, and establishing how often the risk assessment will be performed.
  2. Identify the risks. The main risk of sanctions is violating applicable sanctions laws, but sanctions also pose commercial and reputational risks. In general, the main sanctions risks are (a) doing business with a sanctioned party, and (b) purchasing from or selling to a party in a sanctioned country. To identify risks, the organization should map out its business and operations, especially where it interacts with outside parties such as suppliers and customers, so that it can determine where it might encounter risk. Certain factors can increase risk, such as customers or suppliers located in sanctioned countries. The ACSS toolkit includes a questionnaire that reviews many of these factors.
  3. Quantify the risks. It is advisable to quantify each risk identified. The risk number is basically the probability of the risk occurring multiplied by the severity of impact if the risk does occur. The purpose of this exercise is to identify the highest priority risks so that the organization can take measures accordingly. The ACSS risk assessment questionnaire provides one way to do this.
  4. Examine internal controls and calculate residual risk. It is probable that the organization is already taking steps to mitigate sanctions risks, such as gathering basic information on customers. The next stage of the risk assessment process is to compare the risks identified to the controls in place so that it is possible to determine the residual risk, that is, the degree of risk not mitigated by controls currently in place.
  5. Draft the report. The outcome of a risk assessment is a risk assessment report. The report should describe the risk assessment methodology, as well as the results of the assessment itself. The ACSS toolkit includes a template for a risk assessment report.

Internal Controls

Internal controls are the measures an organization takes to eliminate or, at least, reduce sanctions risks. These measures include policies, procedures and work instructions. The internal controls that are necessary will depend on the results of the risk assessment. In general, though, organizations will implement forms of the following controls. The ACSS toolkit contains models for each.

  1. General and specific sanctions policies. In addition to a general policy of abiding by all applicable sanctions laws, an organization may have policies on doing business with certain countries, individuals, or entities.
  2. Screening and due diligence of business partners. Most organizations perform at least some due diligence on their customers, suppliers, and other business partners, even if it is just collecting their names and addresses. Screening involves matching the names of potential business partners against the relevant sanctions lists. Among the specific measures needed for this control are customer due diligence forms and a procedure for screening names, reviewing potential matches, and determining if there is a true hit, that is, whether the name being screened is the name on the list.
  3. Transaction screening. It is also necessary to screen outgoing and incoming transactions, including physical shipments, to ensure they do not involve sanctioned persons or countries.
  4. Risk classification. Different types of customers, service providers, agents, distributors and other third parties or transactions may represent different levels of sanctions risk. This may, in turn, call for different procedures for business partners with different risk classifications.
  5. Some transactions, especially the export of dual-use products or defense articles, may require a license. If so, there needs to be a procedure for applying for licenses and complying with their terms.
  6. Responding to bank inquiries. Because banks typically have thorough sanctions compliance systems, and routinely screen all transactions, an organization may receive questions from banks wanting to know more about individual transactions.
  7. Internal reporting. A sanctions compliance system should include periodic reports to senior management on the overall operation of the system, as well as special reports to reflect specific developments, such as potential violations.
  8. External reporting. Sanctions laws may require that an organization file reports with the relevant governmental authority when property is frozen or transactions rejected. It may also be necessary or advisable to report potential violations.
  9. Internal investigations. In cases of potential sanctions violations, it will usually be necessary to conduct an internal investigation. The procedure for doing so should identify who will conduct such investigations and who is responsible for deciding what action, if any, is to be taken.
  10. Records and document retention. Applicable laws may require that certain documents be maintained for specified periods. In addition, the organization may have its own document retention policies. All of this should be spelled out in internal procedures.


Training

Even the best-designed sanctions compliance system will not operate properly if no one knows what they are supposed to do. For this reason, training is a key component of an effective compliance system.

To be effective, training must be tailored to provide each member of the organization the information needed to perform their roles. Therefore it may be necessary to have different types and levels of training.

All employees should receive training on the basics of sanctions laws, as well as their overall responsibilities. Employees with specific duties should receive training on the procedures they must follow.

Persons working in the sanctions compliance function need detailed knowledge, both of sanctions laws and the procedures followed throughout the organization. Finally, customized training for senior management not only acquaints them with their role in sanctions compliance, but also sends a strong signal to the rest of the organization about management’s commitment. The ACSS toolkit describes the general requirements for training and provides a sample presentation for general sanctions training.

Testing and Audit

Key components of the sanctions compliance system, such as transaction screening, should be subject to ongoing testing to ensure they are functioning properly.

  • Testing refers to the performance of specific operations within the overall system, with the aim of determining whether the internal control being examined is working as planned.
  • Audit refers to an end-to-end assessment of all aspects of a sanctions compliance system.
  • Working together, testing and audit confirm the system is working as planned, identify any deficiencies, and provide for the implementation of improvements.

In addition, the entire system should undergo a complete audit periodically. The ACSS toolkit includes a detailed description of testing and audit, including an identification of the processes that should be subject to regular testing.

Final Thoughts

Sanctions compliance programs can be elaborate or simple, depending on the size and nature of the organization. A program that includes all of the above components, organized in a manner that responds to the organization’s sanctions risks, is likely to do an effective job of mitigating sanctions risks. The ACSS sanctions toolkit provides valuable guidance to organizations with no sanctions program and to those seeking to upgrade their system.

Scott Nance of Langley Compliance Consulting is an attorney in the Washington DC area, specializing in economic sanctions and anti-money laundering. He is a member of the ACSS Editorial Task Force.
