Containing US, EU, and UK sanctions risks in a time of global crisis

Introduction

The spread of COVID-19 to over 180 countries is a human tragedy that is continuing to impact society in ways we could not have imagined. Companies with international trade or transactions have adapted to a new reality and, in the process, are confronting ongoing and emergent compliance challenges relating to economic and trade sanctions laws. The social distancing, quarantines and travel restrictions following the outbreak have impeded the movement of people and goods, causing supply chain disruptions, contractual disputes, loss of revenue and other challenges to business continuity. Although society is gradually beginning to reopen, the economic impact has been devastating and likely to be felt for a significant time. The attendant pressures on internal compliance resources may leave companies more vulnerable to bad actors than they are during ordinary times. All signs indicate, however, that sanctions laws will remain aggressively administered and enforced despite the pandemic, and it is now more important than ever for companies to remain vigilant in order to ensure compliance. This article begins with a brief overview of sanctions, followed by some practical insights about the heightened compliance challenges companies may face during this crisis and strategies companies can consider to mitigate their risks.

A brief overview of sanctions

Generally speaking, there are three categories of US, EU, and UK economic and trade sanctions: (1) sanctions that target certain countries (for example, the US “comprehensive” (country-wide) sanctions, which impose a ban on almost all dealings relating to Crimea, Cuba, Iran, North Korea, and Syria); (2) sanctions that target certain entities or individuals (e.g. Specially Designated Nationals and Blocked Persons (“SDNs”) or EU asset freeze targets); and (3) sanctions that target certain products, technology, services or projects (e.g. the US, EU, and UK restrictions with respect to certain Russian oil projects). Certain sanctions laws may target more than one of these categories.

Although EU sanctions are directly applicable in all EU Member States, each individual Member State is responsible for implementing sanctions and establishing penalties for violations through national legislation.  UK sanctions are primarily administered by the Office of Financial Sanctions Implementation (referred to as OFSI), part of HM Treasury, which administers financial sanctions (primarily asset freezes, but also restrictions on financial transactions involving certain countries) and the Export Control Joint Unit and the Import Licensing Branch, both part of the Department for International Trade, which administer trade and export sanctions. Violations of trade and export sanctions are investigated by HM Revenue & Customs and prosecuted by the Crown Prosecution Service.

The main regulator of US sanctions programs is the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”). The US Department of State collaborates with OFAC, is a key player in policy guidance, including licensing decisions, and has a primary role with respect to secondary sanctions. In addition, the US Department of Commerce administers often parallel export controls on US-origin goods, services, and technology. While OFAC issues civil penalties for sanctions violations, criminal penalties are handled by the US Department of Justice.

Sanctions compliance in the era of COVID-19

The pandemic has magnified the challenges of complying with sanctions laws, as companies are operating in a stressful and uncertain economic environment, and resources that otherwise would be directed to sanctions compliance may be strained. Meanwhile, the pace of regulatory and investigative activity shows no signs of slowdown.

A. New internal and external threats

Following the outbreak of COVID-19, companies with international business have had to confront significant business pressures due to supply chain disruption, quarantines and travel restrictions, and other barriers to cross-border trade and transactions. These constraints can make companies more vulnerable to sanctioned parties and other bad actors, or more likely to engage in higher risk transactions, such as transactions with customers or third parties that have close ties to sanctioned parties or corrupt government officials, or have questionable sources of wealth or payments. For example, a company whose supplier has had to shut down its factories and who urgently needs to source goods to fill an order might fast-track an alternative supplier through its vetting process and inadvertently miss that it is, say, owned or controlled by an EU asset freeze target. Even if that entity is not on the EU consolidated list, it would be considered to be sanctioned and the company’s transactions with that entity would be prohibited (if it is an EU company or potentially if there another EU nexus to the business). As another example, a company that has lost significant business as a result of COVID-19 may not apply the same level of scrutiny to payments, customers, or third parties that it ordinarily would, and might miss that a customer is a shell company owned by a Russian oligarch who has been designated as an SDN (meaning if there is a US company or there is a US nexus to the transaction, the transaction is prohibited, or even where there is no US nexus, the transaction could result in SDN designation risk or secondary sanctions risk) or that payments are derived from illegitimate sources. Further, in these circumstances, companies may not have the resources or capability to properly consider the details and nuances of particular sanctions restrictions, or the wording of a particular license or guidance from a sanctions authority, resulting in a lack of understanding of their actual legal risk. Companies should, therefore, be mindful of potential vulnerabilities presented by the current crisis, and take appropriate steps to avoid compliance pitfalls.

The new remote working environment has created some benefits, but also can complicate compliance efforts. It can make it more difficult to monitor suspicious activity and ongoing risks, and therefore harder to detect and prevent potential violations. Internal controls, including approval processes and reporting mechanisms, designed to identify or thwart unlawful activity also may be disrupted because the responsible personnel or systems are unavailable or less accessible. With more employees working remotely, there are also a greater number of potential threats internally as organizations are navigating new barriers to connectivity and becoming more decentralized, which might make it more difficult for the tone from the top to get disseminated widely or to maintain a unified culture of compliance. Many companies also have had to contend with logistical difficulties conducting audits, internal investigations, trainings, and site visits for data collection. For example, the nuances of body language may get lost when conducting an interview via a virtual platform, it may be difficult to evaluate audience participation in a virtual training, or it may not be possible to travel abroad to collect documents for an investigation. While companies are increasingly reopening, if some measure of distancing and remote working continues for the near future, some of these staffing, resource, and logistical challenges to compliance may remain.

B. Potential for increased investigations and enforcement

Despite increased vulnerabilities during the pandemic, there are no signs that enforcement authorities are easing their sanctions compliance expectations. Given the potential for increased bad conduct during times of economic crisis, one can expect a corollary increase in government investigations and enforcement following an economic downturn. Furthermore, in more recent years, sanctions have been more aggressively enforced and are increasingly being wielded as a tool to advance national security and foreign policy interests. In addition, regulators within the US (both at the federal and state levels) and worldwide are coordinating more frequently, and, in the US, sanctions investigations are more often overlapping with investigations relating to anti-money laundering, the Foreign Corrupt Practices Act, the Export Administration Regulations, and the International Traffic in Arms Regulations. For example, the criminal charges that were announced on April 20, 2020 against Industrial Bank of Korea (“IBK”) following coordinated state and federal efforts involve alleged violations of the Bank Secrecy Act and deficiencies in its anti-money laundering program at IBK’s New York branch, which allegedly permitted the processing of more than $1 billion in transactions in violation of the International Emergency Economic Powers Act. Companies should keep in mind, therefore, that their international trade and transactions could be subject to scrutiny from multiple regulators in addition to sanctions authorities, and misconduct involving one area of the law or one jurisdiction, can spiral into cross-border or interagency investigations.

C. Recent regulatory and legislative developments

1. United States

Since March 13, 2020 when the World Health Organization declared the coronavirus outbreak a pandemic, OFAC has had a steady stream of new designations and other actions, both related and unrelated to COVID-19. These actions are not all detailed here, but key developments related to COVID-19 include (1) OFAC’s issuance on March 6, 2020 of a Frequently Asked Question (#828) related to humanitarian assistance with regard to the COVID-19 outbreak in Iran; (2) the Treasury Department’s issuance of a press release on April 9, 2020 underscoring its commitment to the global flow of humanitarian aid in the face of COVID-19; (3) OFAC’s publication on April 16, 2020 of a fact-sheet on the provision of humanitarian assistance and trade to combat COVID-19; (4) OFAC’s issuance of guidance on April 20, 2020 encouraging persons to communicate OFAC compliance concerns related to COVID-19; and (5) OFAC’s issuance on June 5, 2020 of a Frequently Asked Question (#830) stating that OFAC is not targeting Iranian manufacturers of medicines, medical devices, or products used for sanitation or hygiene or as personal protective equipment for use in Iran pursuant to Executive Order 13902 for continuing to manufacture these items.

While OFAC has acknowledged that companies are shifting resources away from sanctions compliance programs and it would evaluate these issues on a case-by-case basis, companies should understand that this flexibility is not unconditional. In its guidance dated April 20, 2020, OFAC stated:

“If a business facing technical and resource challenges caused by the COVID-19 pandemic chooses, as part of its risk-based approach to sanctions compliance, to account for such challenges by temporarily reallocating sanctions compliance resources consistent with that approach, OFAC will evaluate this as a factor in determining the appropriate administrative response to an apparent violation that occurs during this period.¹” 

Importantly, OFAC indicated that a company’s decision to reallocate its resources to other areas needs to be consistent with its risk-based approach to sanctions compliance and this reallocation must be caused by the pandemic and temporary. In addition, OFAC’s guidance encourages businesses affected by COVID-19 to contact OFAC as soon as practicable if they believe they may experience delays in their ability to meet OFAC’s deadlines, including requirements related to filing blocking and reject reports within ten (10) business days, responses to administrative subpoenas, reports required by general or specific licenses, or any other required reports or submissions. Far from providing a carte blanche to companies, therefore, OFAC’s announcement signals that its compliance expectations have not eased and if companies are facing pandemic-related challenges, OFAC is willing to consider those as a mitigating factor in its assessment of the appropriate administrative response. However, companies must be prepared to show that their reassignment of compliance resources was part of a risk-based approach to sanctions compliance. Companies should, therefore, carefully consider how they are allocating their compliance resources and ensure that any decisions to shift resources away from sanctions compliance are reasonably commensurate with their risk profile and carefully documented.  

Those engaged in the international flow of humanitarian aid also should keep in mind that while OFAC has emphasized its commitment to such aid to areas affected by COVID-19²,  OFAC has not, to date, expanded upon its existing and longstanding humanitarian exemptions, exceptions, and authorizations. OFAC’s fact sheet dated April 16, 2020 highlights the most relevant exemptions, exceptions, and authorizations for humanitarian assistance and trade under the Iran, Venezuela, North Korea, Syria, Cuba and Ukraine/Russia-related sanctions programs. The fact sheet also provides specific guidance for OFAC-administered sanctions programs related to personal protective equipment, such as face shields and masks, gloves, clothing, and certain respirators and ventilators, and other COVID-19-related humanitarian assistance and trade. For transactions not otherwise covered by the existing exemptions, exceptions, and authorizations, OFAC notes that license requests will be considered on a case-by-case basis, and it will prioritize applications, compliance questions, and other requests related to humanitarian support, in relation to the people of these countries.

Further, as the Treasury Department has cautioned, such humanitarian assistance has the potential to be misused and/or diverted by bad actors. In its April 9, 2020 press release, the Treasury Department stated that “[w]hile the vast majority of US-based non-profit organizations are at low risk for terrorist financing, humanitarian organizations delivering assistance to conflict regions face a potentially higher risk of aid diversion in support of terrorist financing, corruption, or other illicit purposes.”³ OFAC also has advised organizations seeking to provide humanitarian assistance to sanctioned countries impacted by the virus to implement reasonable, risk-based compliance measures, including due diligence, governance, transparency, accountability, and other such measures. Therefore, although OFAC has articulated its support for humanitarian aid to virus-affected areas, including sanctioned countries, it has warned companies to be wary of bad actors seeking to exploit these authorizations.

On the legislative front, several bills have been introduced following the virus outbreak, authorizing the imposition of sanctions for certain pandemic-related misconduct. For example, certain bills would impose property- and visa-blocking sanctions on foreign individuals and entities involved in deliberate acts to conceal or distort information COVID-19,⁴ and would specifically target certain Chinese officials and entities.⁵

2. European Union

There also have been several EU sanctions-related developments relating to COVID-19, including the following:

• On April 3, 2020, the Council of the European Union issued a declaration that it would not allow sanctions to impede efforts to treat and contain COVID-19, while also emphasizing that sanctions have an “indispensable role” in, among other things, protecting human rights and advancing arms control measures. Specifically, the EU said that its sanctions “should not impede the delivery of essential equipment and supplies necessary to fight the coronavirus and limit its spread worldwide.” The declaration also called on other countries to clarify the humanitarian exceptions to their own sanctions regimes to make sure that they similarly do not obstruct the fight against the pandemic.⁶
• On April 3, 2020, 19 Members of the European Parliament sent a letter to the President of the European Commission, the EU High Representative for Foreign Affairs, and the President of the European Council opposing any effort to review or lift the EU’s sanctions against Russia in light of COVID-19. The Members noted that the sanctions are targeted at trade in arms, dual use goods, and certain sensitive technologies, particularly in the oil sector, and are not intended to restrict trade in “medical goods or other goods essential for public health.”⁷
• On May 11, 2020, the European Commission began publishing guidance on how to comply with EU sanctions when providing humanitarian aid related to COVID-19. The first guidance issued by the Commission focused on Syria and clarified a number of questions about the processes for the provision of such aid. Specifically, the guidance says that the provision of “food, medicines, medical equipment, disinfectants, medical assistance and other medical products, and the creation of temporary medical infrastructures” all fall within the humanitarian aid exception to the EU sanctions. Additionally, it says that humanitarian operators are allowed to liaise with persons, entities, and bodies targeted by EU sanctions if necessary, but that they should “adopt the necessary precautions and verifications to ensure that funds and economic resources” are not diverted or seized by such designated persons.⁸

These recent developments, along with others unrelated to COVID-19, such as OFAC’s recent issuance of maritime advisory guidance (covered in our separate briefing here), indicate that the US and EU remain committed to actively administering and enforcing sanctions laws during the pandemic, and companies need to be vigilant about ongoing and emergent sanctions risks. 

What can companies do to protect themselves?

Given the increased sanctions compliance challenges and ongoing pace of activity in the sanctions arena, there are several practical steps that companies can take, consistent with OFAC’s Framework for Compliance Commitments,⁹ to safeguard their business, including the following:

1. Ensure that the tone from the top remains strong and that the company’s commitment to compliance is disseminated through clear and consistent messaging from the leadership to all employees.
2. Be reasonably cautious when entering into new relationships with counterparties or third parties. Exercise reasonable risk-based due diligence, including screening parties and their owners against any relevant sanctions list, prior to entering into such relationships and periodically thereafter as appropriate. If you intend to engage in trade in a country that has a complicated sanctions regime (such as Russia or Venezuela), ensure you understand the potential sanctions risks or “red flags” that arise with respect to that regime.
3. If a sanctions red flag is identified, do not base decisions on a “general overview” or summary of the law, including any licenses or guidance. For US, EU, and UK sanctions, understanding the specific detail of the relevant law, and how that law applies to the particular situation, is vital to determine and assess risk.
4. If there is specific guidance issued by a sanctions authority that relates to your company’s particular industry, this should be carefully considered, as it provides invaluable insight into the enforcement priorities of the particular authority.
5. Ensure that contracts with counterparties and third parties contain appropriate representations and warranties related to compliance with sanctions laws.
6. If it does become necessary to divert resources away from the sanctions compliance program, ensure that there is a well-documented and sound case for doing so and consider whether it might be appropriate to engage with OFAC to request an extension, expedited handling, or other relief in connection with pending matters. Once it is safe to do so, these resources should be reinstated to their pre-COVID-19 level (or to a level commensurate with a risk-based compliance program).
7. Make every effort to maximize connectivity so that local offices are not isolated and necessary approval channels, reporting mechanisms and lines of communication are open.
8. Conduct online trainings so that employees are educated on how to identify and respond to ongoing and emergent risks.

We will continue to monitor regulatory and enforcement actions related to the COVID-19 pandemic and report on the significant developments.

Special thanks to law clerk Eddie Skolnick for his assistance in preparing this content.