1. Understand which regimes apply to your business

Start by mapping the sanctions regimes that apply to your business (and where). It's a good idea to reach out for legal advice at this stage to better understand regulatory compliance. Compile a clear picture of your operating environment before seeking counsel: where the suppliers are, which services you provide, whom you do business with, and more, so that your counsel will have a clear understanding of your sanctions obligation. Sanctions regime may vary according to each jurisdiction, which may mean your business will have multiple requirements to meet and can lead to confusion.

Bear in mind that over-compliance can be damaging to the sanctioned country (and have a devastating humanitarian and financial impact on innocent parties). While it's good to be diligent and err on the side of caution, it's best to stick to the requirements - no more, no less. If necessary, speak to a compliance expert to compile a clear jurisdictional requirements map with clarity on rules that apply to each territory. Consider the relevant sanctions compliance risks, as well as the reputational risks associated with doing business with each territory. 

2. Map the business touchpoints 

The Office of Foreign Assets Control (OFAC), the financial intelligence and enforcement agency of the US Treasury Department, recommends that businesses review their organization from top to bottom to determine their touchpoints to the outside world to better understand their compliance risks. This can help businesses identify which areas of their operations may be (either directly or indirectly) engaged with sanctioned persons, parties, countries and regions. 

Sometimes this requires mapping all the places where businesses interact with their external environment, which is not always obvious, but it's the best way of identifying gaps in your risk management framework. Start by mapping interactions by business unit, team, product, and process. By combining this map with a map of your jurisdictions, you'll be able to best identify where your controls need to be implemented or sharpened. 

3. Implementing the Correct Checks and Tools According to your Risks

Once you've identified where the risks lie, it's time to implement the correct controls. Businesses should implement the correct due diligence measures for their organization, including screening clients' names against Politically Exposed Persons (PEPs) and Sanctions Lists. 

Individual searches should be run against:

  • Sanctions Lists
  • FATF Black- and Grey Lists
  • Politically Exposed Person lists
  • Law Enforcement (FBI and Interpol)

OFAC, EU, Bureau of International Security, FATF blacklists, and UNSC Resolutions sanctions lists should be checked, among others. While checks should be conducted during the initial onboarding stage of new customers, employees and suppliers, ongoing monitoring will be required to ensure that risks are continually managed. 

Sanctions lists are constantly changing, and sanctions published by various issuing bodies do not always align. The definition of sanctions itself has also evolved and become more open to interpretation, and new safeguards are being implemented to meet the changing technological landscape, particularly regarding virtual assets like cryptocurrency companies and digital transactions. It's important to ensure that your screening tools are up to date. 

4. Remaining Compliant

Thus far, most of the steps were designed to ensure that businesses become compliant. One of the biggest challenges companies face will be remaining compliant, especially as new territories and individuals are constantly being sanctioned or removed from sanction lists. 

Appointing a team or a person who is responsible for relevant controls and blocks can be extremely helpful, providing that person has the correct tools, expertise and knowledge, as well as a transparent view of the company and regulatory landscape. In addition, training should be carried out, so that staff members understand their role and responsibility when it comes to sanctions compliance.

Creating a sanctions playbook and responding when the rules change will ensure that you can react effectively and quickly. The team needs the ability to add or amend controls as the landscape changes. Fortunately, there are third-party companies and automated tools like sanctions.io available that can help teams manage the risks, even as they change. 

Conclusion

Gaining complete oversight of your sanctions risk, regulatory environment, and the performance of the tools and processes you've put into place is the key to success. Every organisation has a duty to implement a robust, sensible and data-driven approach to sanctions monitoring and compliance. Knowing what the risks are and implementing an early warning system when you are exposed to more risks than you may have originally anticipated can keep your business on the right side of sanctions, even in an ever-changing environment.