Article

Sanctions: Lessons to learn from AML compliance

Businesses have encountered an increasingly complex set of challenges in navigating their sanctions compliance responsibilities since the start of the Ukraine conflict in 2022. Sarah Wrigley and David Trotter explain why firms, more than ever, need to be aware of their risk exposure and appetite, and the risk-based measures they must implement to maintain compliance.

While the UK’s Office of Financial Sanctions Implementation (OFSI) doesn’t mandate any particular compliance strategy, in recent enforcement notices it has made clear the importance of firms maintaining a compliance programme based on an understanding of their risk exposure.

The US Office of Foreign Assets Control’s (OFAC) Framework for OFAC Compliance Commitments also "strongly encourages" organisations subject to US jurisdictional oversight "to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program".

While this advice isn’t legally binding – not least for entities operating outside of the US – it can serve as a useful blueprint for managing sanctions risk. In it, OFAC highlights five essential components of compliance: management commitment, risk assessment, internal controls, testing and auditing, and training.

Firms operating in the regulated sector will be familiar with principles like these, given longstanding obligations under UK legislation to prevent, recognise and report money laundering. Given this, it can be useful to explore how best practice related to anti-money laundering (AML) compliance can inform sanctions compliance.

The risk-based approach

In its AML and Countering the Financing of Terrorism (CTF) guidance, the Joint Money Laundering Steering Group emphasises the importance of a risk-based approach to sanctions compliance. This is echoed in the second of OFAC’s five principles, which recommends that firms carry out periodic or ongoing assessments of their sanctions risk exposure. An effective risk assessment will identify a business’s touch points to the outside world, such as its products, services, geographic reach, customers and supply chain, and assign risk categories to these.

After building up an understanding of its risk exposure, a firm can then define its risk appetite: for example, by documenting which categories of exposure it has no or limited appetite for. This acts as a foundation for a documented risk-based approach, which will allow the firm to apply increased scrutiny to areas of its business which carry the highest risk. This is a vital step in managing a compliance programme as it also enables a firm to deploy its resources more appropriately.

Allocating resource to mitigate risk

An appropriate allocation of resource helps a firm more efficiently mitigate risk. This is important as ensuring a robust programme may require investment in people and technology. While specific exposure to sanctions will vary between industries and geographies, all firms with a UK nexus must ensure they adhere to the UK Sanctions list. It may be appropriate for a business therefore to employ tools, such as sanctions screening software, in order to ensure they avoid doing business with sanctioned entities. For this to be effective, businesses must be confident that they know the identity of third parties such as customers and suppliers. Some sanctions will also apply to a designated individual with a qualifying degree of ownership or control of an entity, creating a requirement to also understand the ownership structure of third parties.

A common mistake in AML compliance is to view this role as a tick-box exercise that only involves basic information gathering. However, legal persons and opaque corporate structures, such as nominee relationships, can be used by sanctions evaders to obfuscate ownership. It is therefore important that teams conducting third-party due diligence are effectively trained, resourced and incentivised to spot evasion typologies and apply added scrutiny where necessary.

An effective assurance framework

An effective AML compliance framework will follow a three lines of defence model. The first line usually sits in a business’s operating units, allowing risk to be owned and managed at source. A second line function usually concentrates specialist financial crime expertise, owning the firm’s compliance policies and procedures. It may also monitor and carry out independent oversight of the first line risk functions. The firm’s internal audit function will operate as a third line of defence, providing assurance to senior management who ultimately hold responsibility for the firm’s risk management responsibilities.

Deploying a similar model can bolster a firm’s defences against sanctions breaches by providing layers of protection against deficiencies, and entrenching a framework that allows its leadership to play an active role in managing sanctions risk.

Strong governance and a culture of compliance

It will be no surprise that good governance plays a key role in determining the success of a firm’s ability to manage risk. Senior management involvement is vital to maintaining a robust governance structure by setting and enforcing the values of a business. Thus, in its thematic review of financial crime risk, the Financial Conduct Authority highlights the importance of management in embedding a strong compliance culture.

By enforcing a culture of compliance, not only will management achieve greater buy-in to a firm’s compliance activities, it's also more likely to play an active oversight role in managing sanctions risk across the firm.

Looking ahead on sanctions compliance

In OFSI’s most recent annual review, it highlighted increases in its enforcement capabilities, as well as 172 cases it had under investigation. That these will likely involve sanctions across the UK’s various regimes serves as a reminder for firms to manage all sanctions risk they're exposed to, despite the prominence of Russian sanctions in the media. That said, in a written submission to a Treasury Select Committee earlier this year, it also noted its expectation of enforcement action specifically related to Russia sanctions to begin this year.

In December last year, the UK Government announced the creation of a new Office of Trade Sanctions Implementation, responsible for the civil enforcement of trade sanctions. Once established, its duties will include monitoring compliance with trade sanctions, sending a further signal that the Government is taking enforcement seriously.

Firms seeking to reinforce their sanctions compliance programmes can take inspiration from some of the fundamental principles which have developed within AML best practice – by ensuring programmes are risk-based, well-resourced and effectively monitored. These components should be driven overall by strong governance, and management promoting a firmwide culture of compliance.

For more insight and guidance on this topic, get in touch with Sarah Wrigley or David Trotter.

This article was first published in ThoughtLeaders4 Disputes magazine (issue 13). 

Learn more about how our Financial Crime services can help you
Visit our Financial Crime page