How to comply with sanctions requirements

What are sanctions

Sanctions are prohibitions imposed by several countries or governments on other governments, individuals, entities or groups to achieve a specific outcome without using armed force.

The most widely used sanctions lists include the following:

• OFAC Sanctions
• The EU Consolidated List Sanctions
• United Nations Security Council (UNSC) consolidated list of sanctions
• HM Treasury Sanctions List (UK Sanctions)
• The Australian Sanctions

If you want to read about the differences between the above sanctions lists, you can read our latest article here. 

Each entity must comply with specific sanctions lists as indicated in the national law. Non-compliance with sanctions can have adverse consequences for a company by the national regulator. For this purpose, implementing an effective sanctions compliance program is of high importance.

According to the Office of Foreign Assets Control (“OFAC”), an effective sanctions compliance framework must have the following 5 elements:

1. Senior Management Commitment

Senior Management must approve and support an organization’s Sanctions Compliance Program. It must also ensure that there is an appointed compliance officer and that the compliance unit has the following:

• Sufficient authority and autonomy to ensure the effective implementation of the policies and procedures related to sanctions compliance.
• All necessary resources, human capital, expertise, information technology, and anything else essential to execute his/her duties.

Additionally, senior Management must promote a culture of compliance throughout the organization and highlight the seriousness of potential violations by employees when entering into activities that may be affected by the company’s sanctions policies, and procedures and national sanctions laws.

2. Risk Assessment

An essential element of the Sanctions Compliance Program is to determine the inherent risks of an entity based on the specific clients, products, services, and geographic locations where the entity has operations or presence.

The assessment will assist the senior management in making risk-based decisions and controls and enable it to identify the extent of due diligence to be implemented when onboarding clients or assessing potential mergers and acquisitions. The risk assessment must be regularly updated to consider new and emerging risks.

3. Internal controls

An entity must have in place policies and procedures to identify, detect, and report activities that regulations may prohibit. In addition, expectations of the sanction’s compliance program must be clearly defined. 

Policies and procedures must be enforced and weaknesses need to be identified and remediated. Some best practices include:

• Entities must have written policies and procedures as part of the sanctions compliance program.
• The internal controls must be adequate to address the risk assessment results.
• The internal controls, including implementing policies and procedures, must be subject to internal or external audits.
• Record-keeping procedures must be adequate to address the requirements of the sanctions compliance regulatory obligations.
• In case of identification of potential weaknesses in the internal controls, the entity must take immediate and effective action to improve the controls until the deficiency is fully remediated.
• The sanctions compliance program must be communicated to all relevant staff, gatekeepers, and business units operating in high-risk areas.
• The entity can appoint personnel to ensure the effective integration of the sanctions policies and procedures into the company’s daily operations.

4. Testing and Auditing

Comprehensive and objective testing by an audit function will enable an entity to identify potential weaknesses and deficiencies in the sanctions compliance program.

The testing and auditing function must be accountable to senior management. The persons conducting the audit must be sufficiently qualified and have the expertise, skills, resources, and authority to execute his/her tasks.

5. Training

Another essential element of the sanctions compliance program is employee training. The training must be performed periodically and at a minimum annually and achieve the following:

• Provide job-specific knowledge 
• Communicate the responsibilities of each employee
• Hold employees accountable for sanctions compliance training through assessment.
• The training must include, if necessary, clients, suppliers, business partners, and other counterparties.
• The training must be appropriate and consider the entity’s products and services, customers, counterparties, and geographic locations where the company operates.
• Training must also be provided where there are specific negative testing results or audit findings to ensure that the relevant staff is in a position to prevent the occurrence of the apparent issue in the future.
• The training must be easily accessible, and materials must be available to all appropriate personnel.