Corporate crime and investigations: How to avoid a sanctions investigation (and prepare for the regulation of tomorrow)

15 January 2024

In the second episode of this mini-series, we tackle sanctions risk – including the robust systems and controls that firms require, recent enforcement actions, guidance from regulators, and unfolding geopolitical issues to watch out for.

Hear an international expert panel share invaluable updates for compliance professionals and organisations seeking to mitigate the risks of a sanctions investigation.

Ashurst host Tom Cummins is joined by colleagues in Paris (Olivier Dorgans), Tokyo (Alexander Dmitrenko), and London (Sophie Law and Matt Russell). Together, the group outlines the systems and controls that firms require (including comprehensive risk assessments, considering different sanctions regimes, robust screening processes, and staying updated on guidance from regulators). They also highlight recent enforcement activities and the implications for systems, controls, and due diligence.

Read our article on the FCA review of sanctions systems and controls.

Geopolitical challenges are considered (such as those involving China, Israel and Russia), amidst heightened scrutiny over transactions in certain sectors and regions. And the panel concludes by looking ahead: discussing the prospects for enforcement and the growing importance of data-driven supervisory assessments and internal audits.

To follow this continuing mini-series about corporate crime and investigations, subscribe to Ashurst Legal Outlook on Apple Podcasts, Spotify or wherever you get your podcasts. 

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.




Hello and welcome to the Ashurst Corporate Crime and Investigations podcast series. This is a series in which we discuss various aspects of corporate crime and investigations, and as part of this series, we will bring the discussion, debate, and insight shared in our 2023 investigations focused events. My name is Tom Cummins and I'm joined today by Sophie Law in London, Olivier Dorgans in Paris, Alexander Dmitrenko in Tokyo, and Matt Russell, also in London, one of Ashurst's consulting team. So let's kick off episode two on the subject of how to avoid a sanctions investigation. This podcast episode is part of our investigations focus series.

Matt, I actually want to start with you as the consultant in the virtual room. Can you give us an outline of the systems and controls which you think firms should typically have in place to deal with sanctions risk?


Yeah, of course, Tom, and I suppose like all good systems and controls that address financial crime, the organisation needs to start with its risk assessment. So informed by the nature of the business and its global footprint, the risk assessment should consider which sanctions regimes are relevant and where there may be potential breaches that are more likely to crystallise within that organisation, and in doing so, it should take into account all the relevant, latest guidance that may have been issued by the authorities that are relevant to the business, such as OFAC, OFSI or those in the EU. And that risk assessment in turn should inform the nature of the resources that need to be deployed, both in terms of people and the technology and where they're deployed within the organisation, and obviously one of the key technologies that an organisation will use to manage its sanction risk will be the process for screening customers, counterparties and payment. And there are a number of elements of a good screening process, and I highlight four of them. So you have list management, data quality, the actual maintenance of the engine itself, and then the management of the alerts that it generates.

So in terms of list management, clearly it's important that there's a process to ensure that the right lists are being managed, also being used, but also the extent to which any internal lists are being generated, and more importantly, kept up to date. And particularly where you may be using a third party vendor, how do you know that they're keeping those lists up to date?

Second area is around data quality, and obviously the effectiveness of the screening process and the screening engine is only going to be as good as the data that's coming in. So it's important that there are processes in place to ensure that that data quality is monitored and remediated on an ongoing basis.

Which then brings us to the third piece, which is that screening tool or the screening engine, which is arguably the most important piece of this particular process, and clearly there needs to be processes around that to ensure that the organization's periodically testing for effectiveness of that tool, so how well are the fuzzy matching rules working, but also the extent to which an organisation may be using third parties to benchmark the effectiveness of that tool.

And then finally, the alert management. So, what is the process to ensure that alerts are being reviewed on a timely basis and that the quality of the alert handling is as robust as the tool itself, and more importantly or equally importantly, ensuring that all of those decisions to determine whether something's either a false or a true positive are correctly documented.

And I suppose the last component of that sort of systems and control would be the monitoring and testing to ensure that all of those elements, both in terms of the technology, but perhaps more broadly within the organisation, the policy, ensuring that that's actually being applied in practice. So I think those would be the key components of that control framework.


Thanks very much Matt. And I know the Financial Conduct Authority has released the recent report assessing how banks put in place and comply with their obligations around systems and controls, and I think there's an article on that on our website. I'm actually going to go to Sophie next though, because I know it's not just the FCA, which has called out some issues with systems and controls. We've seen some OFSI enforcement activity in relation to that as well, haven't we, Sophie?


Yes, that's right. At the end of August, OFSI published an enforcement notice in relation to Wise payments and a number of the issues that the FCA called out around systems and controls in their report were also a feature of the Wise enforcement notice.

So just briefly what happened? So an individual was designated by OFSI and a company owned by that individual had a business account at Wise. Overnight, as is often the case in financial institutions, Wise's screening systems are updated and it was screened and there was a potential name match. So the account was immediately suspended, which stopped money coming in and out, but it didn't critically for these purposes restrict activity on the debit card, and this meant that the following morning, less than 24 hours after the individual was designated, an employee of that company was able to withdraw 250 pounds in cash using the debit card.

Now as it turned out for Wise payments, they followed their processes but that the name alert wasn't reviewed until the following day, and actually the escalation to the sanctions specialist team wasn't picked up until a couple of days later after the weekend, until the Monday morning, and it wasn't until then that the debit card was cancelled, although there was no further activity on the card. So OFSI obviously didn't impose a fine on Wise for the breach, but it did say that it was moderately severe and it decided to publish the enforcement notice anyway, and it said that that was because there was inadequate systems and controls at Wise.

So unsurprisingly, the notice has been the subject of much discussion since it was published. Not only was it the first use of OFSI's disclosure, or name and shame powers, since they were brought in last year, but it was also the first enforcement action by OFSI for a breach of financial sanctions under the UK's Russia regime since the invasion of Ukraine last year.

So there's a couple of points which emerged from this. The first is probably the obvious one, why did OFSI choose this case? There are probably many hundreds that sat on their desks given the facts and the low value. Second, there's a point about voluntary disclosure. So Wise voluntarily disclosed the breach, and although this was a mitigating factor, OFSI said, some have questioned whether the decision to name and shame will act as a deterrent to others who might previously have considered voluntary disclosure.

So is there anything we can take from the notice to help us avoid an OFSI investigation? First, as Matt's already alluded to, review your sanctions policies and procedures and are they appropriate to your sanctions risk? Secondly, calibrate your screening tools properly. That's clearly a key issue for both OFSI and the FCA. Now, OFSI considered the number of mitigating factors, voluntary disclosure, full cooperation by Wise and a number of remediation steps. Now, these won't help you avoid an investigation, but they'll probably make your life easier if you do end up there.


Thank you very much, Sophie. And due diligence and assessing who you're dealing with is an absolutely fundamental part of avoiding or mitigating the risk of a sanctions investigation coming your way. Olivier, I believe there's been some recent EU Commission guidance which is intended to assist operators in achieving that.


That's correct, Tom. The EU Commission published a guidance a few months ago, and that guidance is a summary of several bits and pieces that the EU Commission and member states authorities have put together in terms of their expectation in terms of due diligence. Interestingly, this due diligence advice is structured around the idea of trying to prevent circumvention of EU sanctions, but it's broader in its scope.

It is structured around three main takeaways. The first, which is quite obvious for EU and, more globally, sanctions specialists is the necessity for economic actors to map their sanctions risks and also their sanctions circumvention risks, and the EU Commission provides for very specific guidance and gives a very concrete example.

For instance, it notes that should you for instance, be operating in the semiconductor sector and should you see an increase in sales in countries which are not targeted by sanctions, you may wonder whether these countries may be circumvention countries. So by way of example, if you are selling semiconductors, given the fact that the sale of semiconductors to Russia is strictly restricted or potentially entirely prohibited and if you see an increase in the sales of semiconductors to an Indian reseller for instance, you may need to question whether such reseller may actually be circumventing sanctions and reselling prohibited semiconductors to Russia.

The second element is the good practices that you should deploy in terms of due diligence, and again, these are things which are quite obvious to sanction specialists, but the EU Commission reminds economic actors that they should be very thorough in the identifications of the entirety of the stakeholders, the financial flows, the goods which are involved, especially in geography which are subject to economic sanctions. Say if you want to continue operating in Russia, you should have enhanced due diligence on all of your counterparties, all of the financial flows going to Russia or from Russia as well as the goods that you are commercialising in the country.

Last, but not least, is what you should be doing when you identify one or several red flags. And here again, the Commission is extremely precise and gives you some perspective on what you should as an economic actor be doing when you identify a red flag. Say as part of your due diligence, you identified a sanctioned board member or a sanctioned senior executive or a minority sanctioned shareholder, how do you handle such red flag? Or for instance, if you identify a potential risk of circumvention, what sort of mitigation measures should you be taking? If you are sending semiconductors to an Indian reseller and if you suspect that such semiconductors will then result to Russia, how do you mitigate the risk, for instance, by using an end user certificate?

So this is extremely useful guidance. It's not very novel because it's kind of a summary of things that the Commission have laid out in the last few years, but it's an extremely useful starting point for a company that wants to address sanctions risks and more specifically sanction circumvention risks.


Thank you very much, Olivier. And that theme of trade sanctions and circumvention risk is one I also want to pick up with Alexander, because I know that the authorities in the US are looking at things with a very similar lens, aren't they, Alexander?


They are indeed, Tom, and the reason for that is, and I'll continue what Olivier was saying, is the focusing on Russia's ability to continue the war and using the foreign Western technology to do so. Obviously, analysis has been done by identifying some of the elements and some of the items that were discovered during the ongoing war, and discoveries led to believe that quite a lot of foreign technology that shouldn't be in Russia's hands is there nonetheless. So in September this year, the big five, the export enforcement five, Australia, Canada, New Zealand, UK and the US, have released what we would think of truly unprecedented packages of sanctions and export controls focusing particularly on the prevention of diversion.

The way they've done this, and they have received the partnership from the Global Export Control Coalition, it's 39 members, which includes European Union and Japan, where I'm sitting right now, to support the concept that all of the market participants have to be aware in dealing with certain prioritised items, as to where they're going and who's the end user and how they're going to be utilised.

So the trade control is now basically split. They have 45 prioritised codes called harmonised system, which is shared with all of these 39 members, and they've split them into various priority categories, and the highest category has nine codes. To keep things more focused for us for our discussion today, what is the recommendation from the governments as to how to avoid investigations and how to avoid to be on the bad side of investigations?

There's a few things that they mentioned, and there's really three patterns here that are critical to emphasise. One is if you're dealing with a company that never received before those items prior to February 24th, 2022, that's a red flag. If the company did receive some of the items and now is asking for higher priority items to be sold to them, again, red flag. Another red flag, obviously, if the company, your counterparty might have been purchasing these items, but suddenly post February 2022, there is a huge spike in the demand in export of those items. Those really are critical red flags that have been identified.

So the regulators, particularly US regulator, have issued supporting guidance and even language that the companies can use to ask who is the end user and to make written assurances that the items are not going to end up in the wrong hands, and they are looking at jurisdictions. Those are, which would deem as the platforms with the potential misuse and potential circumvention against. It's a former USSR republics in Central Asia, Georgia, Armenia, as well as Turkey, China, India, UAE and some other Gulf countries. Quite a long list, and those lists, I think you will see more and more companies and individuals from those countries coming up also in the sanctions enforcement and export controls enforcement.

Tom, this will continue to be the focus as the West is tightening up its loopholes for Russia to be able to continue the war technologically as well as economically.


Thanks very much Alexander, and I think some really good practical resources and tips there in terms of things to think about when seeking to avoid a sanctions investigation. Sophie, let me just come back to you briefly, because I'm conscious many of our listeners will be in the UK and I know that the UK financial sanctions authority has recently updated its guidance around due diligence in the context of financial sanctions. Could you just explain very briefly what has happened there?


Yeah, sure. So OFSI updated its enforcement and monetary penalties guidance back in March earlier this year. And they added a new section with guidance relating to ownership and control, and as many of our listeners will know, ownership and control is critical for any sanctions analysis, because asset-freeze sanctions generally bite not just on the individuals who are on the asset-freeze list, but on companies or entities owned or controlled by those designated persons. And that's where the difficulty comes in and that's where we get a lot of questions from our clients, how much due diligence do I need to do to get an answer about whether or not an entity is owned or controlled by a sanctioned person or entity? How much will OFSI expect me to do and when can I stop? When can I be sure I've got the right answer? So unfortunately there's not a straightforward answer to this question, but OFSI did add some additional guidance in its guidance document.

So what does that say? So firstly, if there is a breach of sanctions, and if that's arisen because of an incorrect assessment of ownership and control, OFSI won't just jump to a big monetary penalty. It will look at the degree and quality of research that you've done and due diligence around ownership and control, and if you took all reasonable and appropriate steps, but notwithstanding that you've got the answer wrong, they may well treat that as a mitigating factor and not jump immediately to a fine. They might use one of their other enforcement options as they did in the Wise payments case I mentioned earlier.

Secondly, OFSI expects to see any evidence of decision-making around that assessment, so keep records of how you've assessed that information, how you've reached your conclusions. That will often be by reference to internal policies and procedures that are in place, but that won't always be the case. There's no one size fits all answer. It's all down to the degree of sanctions risk of a particular transaction or an entity.

And thirdly, OFSI expects parties to scrutinise information about ownership and control. Who's provided you with that information? Where have you got it? Can it be backed up by information in the public domain, or on the other hand, is there information in the public domain that contradicts it? OFSI really expects people to consider and scrutinise that information as part of that decision making process. It also expects to see regular checks and ongoing monitoring. It's not just a do it once and that's it, you've ticked the box. You have to really go back and check to see if that information still stands up.

And OFSI also helpfully listed out a number of factors which in any given scenario might indicate formal or de facto ownership or control. I won't go through each of them. I'd encourage people to look at the guidance, but internal policies and procedures should definitely be considering those factors when they're assessing ownership and control.

So the updated guidance certainly isn't going to solve all of the ownership and control issues, but the guidance is a really good place to start. An organisation should ensure that the issues identified in the guidance are reflected in their internal sanctions policies and procedures.


Thanks, Sophie, and thanks to everybody for some interesting thoughts on stuff that has been happening to date. I wonder if I could now ask you to try and look into the future and answer the question of, if I'm a busy compliance professional or if I have responsibility for sanctions in my organisation, what developments in the future do you think I have to be particularly alive to in order to mitigate the risk of getting caught up in a sanctions investigation? And I think for that purpose, Alexander, can I come to you first?


Sure. Thank you, Tom. I think our compliance professional peers have a difficult task, because there's a lot on their desk and it's a lot of fires happening. But I wanted to maybe use this opportunity to go back on the bigger picture, what are the trends we're going to see end of the year and into next year? And really I think next year from the US perspective will be defined by the presidential election and midterms. That will be the focus, and I think from the foreign policy perspective. That's where the sanctions definitely fall into. It will be China, Israel, and Russia.

China is where Democrats and Republicans are united on a tougher stance on China and we'll likely see a few more geo-economic elements coming in. We've seen multiple chip technology and CMIC lists, et cetera. I, unfortunately being again in Asia and seeing that it's a bit of concern around Taiwan especially, I suspect that there will be continued bifurcation of the world. It'll be more bipolar as we would probably see more in coming years, with China being in one side and US on the other side.

Israel is another hot topic, obviously, and that will also be followed by sanctions, not only on Hamas, but also how Hamas is being sponsored financially. And there'll be a lot more attention and scrutiny on cryptocurrencies.

Last but not least, the overarching concern and support for Ukraine to allow Ukraine to win and to make a big progress. I mentioned earlier about export controls, but the sanctions will continue to be the main focus here. And I suspect, and I'll say this, that Ukraine's victory or major progress will bode well for President Biden. So I presume there will be attention paid from the DOJ currently and, of course, and they'll already in November, they already started with a bang, a long list of people, individuals, and companies, not just in Russia, but in UAE and Turkey and other places, have been put on the list again to cut Russia's ability to finance the war and continue the war.


Thank you so much, Alexander. Olivier, what about from your perspective?


So a lot of the points that Alexander just mentioned are also equally applicable to the EU. Perhaps going back to the circumvention risks that I was mentioning, China is a country where we are expecting to see more and more focus from the EU regulator, notably as a circumvention platform. As we know, China and India and a lot of non-Western countries have not imposed sanctions against Russia. A lot of European companies have subsidiaries or branches in China, which makes it quite difficult for them to control the circumvention risk. So that's clearly an area of focus, at the very least from an enforcement perspective.

Also, to go back to what Alexander was just mentioning, the Middle East and the unfolding situations in Israel and Palestine, so it's probably going to lead to individual sanctions being imposed against several political or army leaders. This may also carry consequences for Iran, and there's a growing pressure on the EU Commission to tighten both individual and sectoral sanctions against Iran for their support of Hamas and Hezbollah.

Perhaps more specifically to the EU, given how exposed it is to Western and Central African countries, the various coups in Niger and Gabon, as well as the political instability in the area and the development of Islamic terrorist movements in Sub-Saharan African areas, is going to lead to an increase of both individual and sectoral sanctions, and that's something that European companies should be on the lookout for, because that's going to significantly increase in the coming months.

Last is the various rounds of sanctions. I think there's a bit of sanctions fatigue for EU economic operators. There were several rounds of sanctions being imposed and the penultimate round of sanctions, the 11th round of sanctions has not necessarily received the attention it should have from economic operators. So a piece of advice to EU economic operators should be to be more carefully scrutinising the various rounds of sanctions against Russia, because there's an impression that Russia is not subject to pretty much the widest ranging sanctions, but that's not necessarily the case, and we have EU economic operators that still operate in Russia or have exposure to Russian interests. So as a result, simply paying attention to the unfolding around the sanctions is something that a company should have in mind.


Thank you, Olivier and Sophie, what about in the UK? What's on your radar?


So I think, similarly to what Olivier said, I think a number of the points that have already been raised by Olivier and Alexander will also be of concern in the UK, in particular the focus on third countries in respect to circumvention and issues around crypto, and I think there's probably an element of sanctions fatigue as well in the UK for UK businesses. So I'll just pick up on a couple of very specific UK-focused points.

I think the prospects for enforcement is certainly something to mention. As I said, we've now seen the first bit of Russia related enforcement action from OFSI. We also have seen, similarly, the first public enforcement action about trade sanctions from HMRC. There was a 1 million pound fine relatively recently, and we also learned quite recently that almost 130 companies had voluntarily disclosed sanctions violations to the UK government as of May this year, according to a Freedom of Information Act request. I think that probably means that we'll certainly see probably some more serious sanction enforcement coming down the line, as well as some more name and shame examples, similarly to the Wise notice.

I think the other area, again quite UK-centric, where we'll see some developments, is around ownership and control. Many people will be aware of the recent court of appeal judgement in the Mints case where the judge made some non-binding comments suggesting that every company in Russia could be regarded as controlled by President Putin and therefore the target of UK financial sanctions. As I said, they're non-binding, so they don't have any effect yet, but they could be followed by other courts. They're persuasive and the implications could be significant. I think there's been some statements from the government subsequent to that judgement being handed down, which indicates that the wide reading of the legislation given by the judge was probably not the government's intention. So I think legislative change in that area is likely to be required to adjust the control test in some way. There's a number of options that could be done. It's not clear which way the government will go, but I think we can be sure there will be some change in this area.


Thanks, Sophie, very much something that people are watching in the UK sanctions world. Finally, Matt, what about some horizon scanning from you?


So I suppose I'd probably go back to the FCA report that you referred to earlier, Tom, where we've provided some commentary, and in many respects that was, I think, a good example of the UK regulator's data-driven approach to supervisory action. And they focused in this particular instance on the customer or counterparty screening technologies that organisations had in place. We know that they're going to be moving their attention to payment screening, so again, I'd expect organisations either to be on the receiving end of those sorts of inquiries or to be thinking themselves about how effective those payment technologies are.

But then I think it leads us on to thinking about some of the other stakeholders within an organisation that probably should be upping their game, given the focus of the regulator. And I'm thinking particularly of internal audit, because if the regulator is using quite innovative and technology-driven approaches to be able to do their supervisory assessments in relation to this area, then I think it means that internal audit themselves need to raise their game also and think about how do they get comfortable that the technologies that are core to sanction screening are doing what they should be doing.

So I think to my mind, it's both recognising the regulator is going to be more data-driven in terms of its supervisory activities, in terms of sanctions, but also therefore what is the organisation themselves doing? And I think particularly internal audit in that regard.


Well, that's all we've got time for. Many thanks to Alexander, Sophie, Matt, and Olivier for joining me on this episode, and if any of our listeners want to get in contact with any of us, then our details are on the Ashurst website at ashurst.com.

If you'd like to learn more, look out for the next podcast in the series where we will be discussing AI use in investigations, a new frontier. To ensure you don't miss any future episodes, do subscribe to Ashurst Legal Outlook podcast series, now on Apple Podcasts, Spotify, or your preferred podcast platform. And while you're there, please leave us a rating or a review. Thank you for listening.
