
Learning From BAT's $635M North Korea Sanctions Fine: 5 Key Insights

British American Tobacco's (BAT) recent sanctions penalty of more than half a billion dollars sends a strong message to the compliance community: The cost of violations is financially and reputationally severe. This article will reveal the key learning points. And as we will discover - sanctions compliance is as much about internal threats as it is about external ones.

Paul Dixon, April 28, 2023

BAT's 2023 Sanctions Penalty: Here's What Happened

On April 23, 2023, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) announced that London-based BAT will pay a cumulative penalty of more than $635m for apparent sanctions violations. It's also historically significant. Why? It's OFAC's largest-ever fine for a non-financial institution.

Reputationally, it's a car crash too. From the UK's Financial Times to Germany's Deutsche Welle, negative headlines proliferated worldwide. BAT's communications team surely burned the midnight oil to manage the crisis.

So what did BAT do to receive this historic penalty? 

This happened: Between 2009 and 2019, BAT and its subsidiary, BAT Marketing Singapore (BATMS), admitted to violating US sanctions by supplying millions of dollars of cigarettes to North Korea's Singaporean embassy. The tobacco likely made its way to the isolated communist nation in Kim Jong Un's fleet of ghost ships stealthily crisscrossing the world's oceans.

The US Treasury accuses BAT of an 'elaborate scheme to circumvent US sanctions.' In summary, these were the general steps:

  • Step 1: In 2007, to comply with sanctions regimes, BAT divested its stake in a joint venture with a North Korean state-owned company and announced that it was no longer involved in tobacco sales to the country.
  • Step 2: BAT continued to conduct business in North Korea through a third-party company based in Singapore (which it controlled).
  • Step 3: Tobacco payments from North Korea went through the third-party company ($415 million approx.).
  • Step 4: North Korean purchasers used shell companies to make these payments, so US banks (which processed the transactions) would not know about the connection to North Korea.
  • Step 5: The third-party company sent the proceeds to BATMS (the Singapore subsidiary) and BAT.

AML professionals reading will have observed that this case isn't just about sanctions evasion: It's also a story of elusive shell companies and hard-to-identify UBOs (facets also common in the layering stage of money laundering). 

This diagram published by the US Treasury shows how North Korea layered the origins of the payments. 


5 Key Insights from BAT's 2023 Sanctions Penalties

It's important to remember that no one is suggesting that BAT isn't committed to a culture of complying with sanctions laws - it's a complex global organization with more than 50,000 employees. Mistakes happen. And things do slip through the net.

That's one reason sanctions compliance is also about continuously improving processes (like sanctions screening). We will now reveal the following insights from the BAT case:

  • Insight 1: Internal Controls are Critical
  • Insight 2: The Challenge of Overseeing Third-Party Entities
  • Insight 3: The Importance of Sanctions Risk Assessments
  • Insight 4: Continuous Monitoring & Sanctions Screening is Vital
  • Insight 5: Fostering a Compliance Culture

Insight 1: Internal Controls are Critical

A key takeaway from BAT's $600m+ sanctions violations fine is that having robust internal controls is critical for organizations to prevent and detect potential sanctions violations.

And its importance is clear as day: OFAC identifies internal controls as a vital facet of any Sanctions Compliance Program (SCP) in its Framework for OFAC Compliance Commitments.

Some of the most important internal control measures include:

  • Well-documented policies & procedures
  • Segregation of duties (with checks & balances)
  • Transparent reporting & escalation channels
  • Effective internal whistleblowing programs

We don't know the specifics of the BAT case. But an internal controls failure in BAT's global sanctions compliance program was likely a significant contributing factor to the breach.

Insight 2: The Challenge of Overseeing Third-Party Entities

The historic BAT penalty from OFAC highlights the importance of effectively managing sanctions compliance with third-party entities. There are two parts to this.

Firstly: How companies assess new (and ongoing) business relationships with third-party entities such as distributors, suppliers, and contractors. The following are essential for staying compliant with sanctions regimes:

  • Conducting due diligence (e.g., sanctions screening)
  • Performing Ultimate Beneficial Owner (UBO) checks
  • Ongoing monitoring
  • Reporting & whistleblowing programs

Secondly: How companies internally stay compliant when doing business with third-party entities. In the BAT case, something severe occurred within the organization, so much so that OFAC described the events as a 'seven-year conspiracy.' They also said the world's second-largest tobacco company 'maintained control over all relevant aspects of the North Korean business.' 

As is apparent from the BAT case, the challenge for compliance professionals overseeing third-party entities is external - and possibly internal too. 

And a key takeaway is this: Internal compliance measures and effective oversight are also crucial for mitigating risks associated with third-party entities.

Insight 3: The Importance of Sanctions Risk Assessments

The specifics of BAT's sanctions violations case are confidential. However, given what is now in the public domain (the BAT penalty is OFAC's largest-ever fine for a non-financial institution), it's highly likely that BAT's global sanctions risk assessment was failing. Again, we can't be sure - but clearly, something broke.

And this is essential to remember: Sanctions Risk Assessments (SRAs) are only as effective as the quality and accuracy of the information and data used to inform them. 

How often risk assessments take place is also crucial. And the frequency question is an active debate within the sanctions compliance world. The OFAC framework calls for executing a regular, periodic SRA. But - and you know what's coming next - what is 'regular'?

Companies can choose how frequently they perform an updated SRA - it's up to them to interpret OFAC's 'regular' suggestion.

There are calls within the compliance world that real-time risk management should be encouraged (and is probably the future, given the advances in RegTech). After all, the world of sanctions is highly dynamic, reflecting the constantly shifting geopolitical landscape. 

Insight 4: Continuous Monitoring & Sanctions Screening is Vital

The 2023 BAT sanctions violations case also serves as a stark reminder that sanctioned criminals - and even state actors, such as North Korea - are doing everything possible to evade sanctions.

In fact, the world is rife with this problem. 

And continuous monitoring and sanctions screening are fundamental in protecting businesses and organizations from unknowingly getting caught up in nefarious sanctions evasion plans.

You can learn everything there is to know about sanctions screening in our Ultimate Sanctions Screening Guide.

Insight 5: Fostering a Compliance Culture

As mentioned in the article, no one is suggesting that BAT's compliance culture is wavering - mistakes happen, and all companies must continuously improve their sanctions compliance programs. Global multinational businesses and organizations may especially struggle to create consistent programs in all the jurisdictions where they operate (as was the case with Microsoft's Russia sanctions breaches and penalties).

And to reduce the likelihood of employees making errors or acting illegally, it's fundamental that compliance and internal communications teams collaboratively build in-house programs that foster a culture of compliance across the whole organization. 

To learn more about how companies can foster a culture of compliance, the sanctions.io article, Microsoft's 2023 Sanctions Penalties: 5 Key Learning Points, has some valuable insights. 

Final Thoughts

A key theme runs through this article: Sanctions compliance is not just dotting the i's and crossing the t's externally. As BAT discovered - it's as much about recognizing the internal threats too.

To learn more about how sanctions.io can strengthen the sanctions compliance program within your organization, you can take advantage of our free, no-obligation discovery call with our team. Book here. We enable intelligent AI-powered sanctions, PEP, and criminal watchlist screening for your AML, KYC & trade compliance screening needs.

You can read sanctions.io's Ultimate Sanctions Screening guide to learn more about sanctions screening.

Paul Dixon
Paul is a RegTech content writer & strategist with extensive experience in digital marketing and journalism. His work has appeared in the Guardian newspaper. He also holds a degree in International Relations, where he studied global sanctions compliance and cross-border finance.