November 25, 2020
By: Julie Myers Wood, CEO, Guidepost Solutions*
To say U.S. sanctions compliance for companies participating in today’s global economy has become more complex in recent years would be a colossal understatement.
Sanctions compliance expectations for just about every kind of company or organization have markedly increased as the U.S. Office of Foreign Assets Control (“OFAC”) and other U.S. agencies like the Department of Justice (“DOJ”) step up their scrutiny of supply chains in particular. OFAC has gone so far as issuing formal, written guidance on how it expects a sanctions compliance program (“SCP”) to work, and the DOJ has also issued guidelines. Both make explicit that firms with strong compliance controls will receive a better enforcement outcome.
In this article, we will focus more specifically on harnessing technology and expanding on these past principles to make your compliance program more streamlined; identifying and intelligently using other sources of data to understand your customer’s behavior; and taking proactive steps to satisfy requirements set forth in the guidelines issued by OFAC and DOJ.
Recent OFAC Actions targeting the Supply Chain
The scope of U.S. sanctions programs is widening at its fastest pace ever. Often, the majority of sanctions efforts were dedicated to programs against North Korea and Iran, or malign actors. In many of these cases, OFAC was concerned that bad actors had silently intermingled themselves within the supply chain.
In February 2019, OFAC penalized e.l.f. Cosmetics Inc. because it dealt with a supplier in China that sourced materials upstream from North Korea. In pursuing a similar tactic against bad actors in the supply chain, OFAC also made designations that forced bold shake-ups of key global supply chains. This can be seen in the designation of Oleg Deripaska – technically the largest aluminum producer in the world by virtue of company ownership.
We now see OFAC making bold moves more frequently in geographic regions that are central to many company supply chains, particularly against multiple Chinese entities that are key participants in the shipping sector.
The following major OFAC actions have reverberated across supply chains around the world just in the past 12 months:
- Designating (and then later delisting) Cosco Shipping Tanker Dalian, a subsidiary of one of the world’s largest shipping organizations that has an energy-carrying fleet of over 1.5mn gross tons;
- Designating six individuals and two government entities, with ownership of at least 11 publicly traded companies in the Xinjiang Province, and issuing an advisory warning against the use of forced labor in Xinjiang;
- Placing numerous export controls against technology companies in China, including Huawei, ZTE, and other firms located in China and Hong Kong; and
- Recently placing prohibitions on transactions with Chinese social media companies such as TikTok and WeChat, including prohibiting downloads.
What Can You Do to Protect Your Supply Chain?
There are a number of steps that companies can take with regard to their supply chain in order to mitigate the risk of OFAC sanctions. In the past, we have advised companies to undertake several key actions to protect their supply chains. These actions included:
- Implementing a proper Know-Your-Supplier and Know-Your-Customer (“KYC”) program;
- Understanding both the upstream sources for your suppliers as well as the ultimate end users of your buyers and their activity in sanctioned countries or with sanctioned persons;
- Screening your suppliers and buyers, including their beneficial owners; and
- Tracking your shipments to ensure they do not transit, transship, or divert to or through a sanctioned country.
In addition to the above, we also recommend that companies consider:
Ensuring coverage over your entire business
It is important for an organization’s compliance controls to result in the screening, tracking, and KYC of suppliers and buyers throughout the organization. In order to effectively achieve these controls, one must first obtain detailed knowledge of the organization’s structure, technology, databases and sources of information so controls can be designed and deployed to cover all points of contact with the organization. The best filter and KYC program in the world do not amount to much if those programs are failing to screen certain third parties.
Take the lessons learned by Societe Internationale de Telecommunications Aeronautiques (“SCRL”), which was penalized by OFAC for providing telecommunications services to three Iranian carriers subject to terrorism-related OFAC sanctions. While SCRL had a sanctions compliance program, the failure to adequately assess its products and systems resulted in a lack of knowledge on the part of the organization that the services SCRL provided involved transmitting information through the U.S. on behalf of these sanctioned carriers. OFAC described SCRL’s compliance program as “primarily reactive,” which allowed the oversight to actually continue for almost five years. Had it ensured its compliance program covered all its products and services, SCRL might have avoided the hefty fine of $7.6M it paid to the Treasury Department.
It would be extremely difficult to sum up every firm’s organization under a single model for purposes of a sanctions compliance program. Each company has different divisions, different technology platforms, and different suppliers and customers. Instead, we encourage organizations to pose the following questions when designing a sanctions compliance program:
- Have we conducted a risk assessment through the organization, and identified our riskiest business units, operations, or technology areas?
- Do our departments share the same supplier or customer-base; if not, how different are these groups?
- Does our organization use a single IT system with all buyers and suppliers in a single location, or do we have multiple systems (and potentially information siloes) for which we have to account?
- Do we have different departments involved in deal-making, shipping, and accounting, and are those departments adding new parties to a transaction such as a new vessel or a different bank at each stage of the transaction?
- Do our systems collect all the information we need for sanctions screening and compliance purposes, including information on ownership, third parties, and countries of origin and destination?
At a high level, the more consolidated the enterprise in terms of the foregoing, the easier it is to perform screening. But a completely unified and consolidated technology and business structure may not be an available option, particularly for large or complex organizations. We recommend the following actions in order to ensure no areas of sanctions risk are missed:
- Conduct, at least on an annual basis, a full accounting of any technology used to store customer and supplier information, make shipments, process payments, and provide continued services to customers (such as warranty updates) and ensure all technology has a screening component;
- Create policies and procedures within your organization to ensure new products, lines of business, and technology systems are evaluated by the compliance program so that they may be subject to adequate sanctions controls; and
- Embed your technology offices, no matter how large or small, in the compliance framework to build a culture of compliance across the organization.
Enhance your investigations with outside data
There is an incredible amount of internal and external data that can point to sanctions compliance concerns, but the trick is to identify the right external sources of data and fuse them under one roof. Let’s look at some examples of data that may be useful for making compliance decisions, and how organizations can use it to enhance KYC and investigations.
- Vessel Ownership and Movement History – An organization may frequently ship or receive goods. Thus, it is important to make sure shipping vessels are not subject to sanctions, are not owned by a sanctioned person, and have not traveled to a sanctioned country. In particular, OFAC has increasingly focused on ensuring that firms examine a vessel’s movement history (often called AIS for the transponder frequently used to broadcast this data) and make sure the vessel is not engaging in deceptive practices to evade sanctions;
- Ownership Information – One purpose of a KYC program is to ensure a supplier or buyer is not owned by a sanctioned person. Databases that provide information on ownership are useful in both confirming your KYC, as well as conducting investigations into new parties during a transaction; and
- Customs Data – A relatively new entrant to the world of compliance, customs data providers are an extremely powerful source of due diligence when it comes to understanding suppliers, buyers, and third parties. These providers aggregate information provided by various governments, which shows the transaction parties and direction of goods. They can provide a quick snapshot of a party that will then allow a compliance department to instantly raise red flags if the company has a history of suspicious shipments or shipments to sanctioned countries.
At a basic level, each of the sources of data above, on their own, can greatly improve sanctions investigations. One way to tie these sources together is through the implementation of good policies and procedures, which set clear guidelines for when the systems should be used, and training around how to use them properly. Unsurprisingly, training programs and policies and procedures are also two tenets of OFAC’s framework for SCPs.
However, these systems can also be used in conjunction – and creatively. For example, databases of ownership information can be used to help normalize data in an organization’s systems, matching the names of parties disclosed on an invoice to an actual company and registration. Not only does this linked effort allow a company to perform a more thorough sanctions screening of a third party, but it also allows an organization to screen that third party organization’s physical and legal owners if they are listed in the database as well.
Take another example – an organization receives an invoice and bill of lading from a buyer which provides the name of a vessel and end-user. Compliance can both screen the vessel to see if the goods arrived at the appropriate country, and also check the customs data to see if that data corroborates the shipment. On the flip side, if an organization is onboarding a supplier and that supplier says their business activity is in one location, but their customs data shows them dealing in a completely different place, this might raise a red flag to the organization.
While the frenetic pace of sanctions changes makes a compliance team’s job more difficult, utilizing best practices to ensure your compliance program covers the entire organization and better leveraging available data can help ensure companies reduce their vulnerabilities and are less likely to end up as OFAC headlines.
*Julie Myers Wood, CEO of Guidepost Solutions, has more than 25 years of experience in the public and private sector working on regulatory and enforcement issues from many perspectives, including as defense counsel, consultant, government investigator, federal prosecutor, and compliance consultant. She is currently the chief executive officer at Guidepost Solutions, a leading investigations, compliance, and security firm with offices throughout the United States, as well as England, Colombia and Singapore. Ms. Wood focuses on regulatory compliance and investigative work. Ms. Wood regularly serves as an independent monitor/consultant appointed by the U.S. government. She also regularly assists companies in a proactive manner, assisting with culture and process changes across a wide range of organizations and industries. Prior to joining the private sector, Ms. Wood held several high-level positions with the U.S. government including at the Departments of Justice, Homeland Security, Treasury, and Commerce, as well as at the White House.