First: Stay Apprised of New Developments
U.S. sanctions and export controls have expanded far beyond traditional military- and financial-related controls and into the fields of aerospace, maritime, energy, electronics, metals and mining, construction, biotechnology, semiconductors, artificial intelligence, and luxury goods, among others. And the list of designated individuals and entities, and impacted industries, continues to grow at a rapid pace.
Counsel to long-impacted industries and newly regulated ones must stay apprised of changes to controls. It is essential to recognize that a revised (or new) exposure risk may exist, and such risk may require clients to employ revised (or new) compliance measures. Consideration of risk includes reviewing relevant sanctions and exports designations but may also extend to indirect implications of new sanctions listings. For example, as more entities and individuals are designated, there has been a decipherable increase in middleman fraud: third-party intermediaries who help to evade sanctions and export controls at a profit. Regulators have since focused on this middleman fraud, and counsel and companies must do the same.
Second: Focus on Compliance Programs
Counsel should also assist business clients with considering whether and how to implement and maintain an effective sanctions-compliance program. Central to that analysis is identifying areas of risk, assessing a client’s risk tolerance, and evaluating appropriate compliance measures tailored to those areas of risk. This may require working with outside vendors to understand industry data and to ensure that adequate review tools are in place.
It is important to impress upon clients that the Office of Foreign Assets Control and other U.S. regulators have publicly proclaimed their expectation that companies have effective programs and tools in place to ensure compliance with sanctions designations and export controls. Regulators have stated that compliance programs ideally should include:
- Senior management “buy-in”—wherein the company’s management team meaningfully reviews and understands sanctions risks and how their compliance system operates to address that risk. Management should create a culture of compliance for employees at every level and dedicate adequate resources to the same.
- Risk assessment—in which businesses may meaningfully determine where their risk lies and enact tailored compliance measures. Where efficiencies may dictate that not every single product, transaction, or area of business can or should be screened, businesses should take a “risk-based approach” appropriate for their industry. For example, a cell-phone company may screen purchases of electronics but not cell-phone cases, understanding that only the former is more likely to carry risk.
- Systematic review—i.e., continual internal review of sanctions-designations lists and revised export-control lists, as well as the company’s own transaction and customer data. Compliance programs should be designed to detect suspicious activity beyond the obvious red flags including by analyzing customer phone numbers, passport data, email, and geolocation information. That data may either corroborate or contradict a party’s representations about their identity. Inconsistent information may be an indication of potential sanctions evasion or inappropriate purchases.
- Testing and auditing procedures—designed to check if policies, risk assessments, and compliance measures are working properly. If there are identified weak spots or problem areas, companies should make appropriate changes to their systems.
- Training—to ensure that employees understand the compliance systems and their respective roles in enforcing compliance.
Third: Conduct Internal Investigations When Sanctions Issues Arise
Should sanctions issues arise nonetheless, counsel should be prepared to work swiftly with companies to assess the scope and nature of the problem and undertake remedial action. It may be necessary to conduct an independent internal investigation. An internal investigation may aid counsel to identify the source of the problem, make informed decisions about resolving the issue, and prevent future sanctions issues. In the event of an enforcement action, a company that has conducted a thorough internal investigation may also be better positioned to advocate for no regulatory action, or a less severe penalty, discussed further below.
When conducting an internal investigation into sanctions issues, counsel may consider taking the following steps:
- Speak with key stakeholders early on to understand the potential issues and determine the scope of investigation. Identify other sources of information including compliance policies and procedures, employees involved in the company’s sanctions-compliance program, relevant corporate documents, communications, databases, and risk analyses.
- Work with your client to devise interim measures to ensure that no violations continue to occur. This may include suspending problematic contracts, relationships, or the export of particular products, as well as other action to abate the issue. Immediate cessation of the problem may help to narrow potential liability and garner credibility with regulators in the event of an enforcement action.
- Develop an investigative work plan with a proposed timeline for conducting witness interviews, document and data collection and review, and other requisite investigative steps. Upon collecting and evaluating relevant information, modify the scope of the investigation as appropriate and collect additional information if needed.
- As with any internal investigation, preserve attorney-client privilege where possible. Counsel should avoid discussing the investigation with third parties, such as outside suppliers or trade partners, to avoid waiving privilege over those topics. Investigating counsel should work in conjunction with company in-house counsel to mindfully navigate privilege.
- Consider all potentially applicable export regulations, sanctions designations, and statutory schemes, including foreign sanctions controls that may apply to the business relationship or affected goods, to assess potential liability. Note that foreign export controls and sanctions designations do not necessarily track those set forth by the United States, and thus may create different liability. Engage foreign local counsel as needed to ensure compliance abroad.
Fourth: Evaluate Potential Liability, Enforcement Actions, and Voluntary Self-Disclosure
When evaluating potential exposure and liability for clients, most instructive are recent sanctions and export-enforcement actions and resulting penalties. Regulators have publicly noted mitigating and aggravating factors key to analyzing exposure and prospective penalties under the current sanctions regimes. Analyzing a client’s exposure risk in light of those factors will best equip counsel and companies to make studied decisions about next steps. Those next steps will almost certainly include enhancing mitigators, such as strengthening compliance and taking other steps to abate the problem and prevent future violations.
If investigation uncovers a likely violation and risk of regulatory action, counsel may also discuss with clients the option of voluntary self-disclosure. Counsel should carefully weigh the potential benefits of self-disclosure, such as reduced fees or penalties, against potential enforcement risks such as more significant penalties, license revocation, and other financial and reputational costs. If self-disclosure is warranted, attorneys should carefully consider when and to which regulator a voluntary report should be made. Self-disclosure should be done as promptly as possible, highlighting the problem and other complicit actors, as well as the steps taken to remediate the issue.
In all, counseling businesses in this landscape requires careful analysis and consideration. Attorneys and their clients who engage deeply with careful compliance and remediation can continue to succeed and thrive.