Corporate Crime and Investigations: Sanctions, Investigations and Enforcement

Tom Cummins:

Hello. Welcome to the Ashurst Legal Outlook. This episode is part of our corporate crime and investigations miniseries. Today we're going to talk about sanctions, investigations, and enforcement. I'm Tom Cummins and I'm delighted to be joined by my colleague Sophie Law, Olivier Dorgans, and Alexander Dmitrenko. Sophie works with me in London on UK sanctions. Olivier is an EU sanctions expert while Alexander leads our firm's US sanctions practice. Okay. Well, that's the introductions. Well, let's start at an obvious place, which is how do investigations start when you're dealing with sanctions issues? Sophie, do you want to comment on that?

Sophie Law:

Sure. Sanctions investigations can start in a number of different ways. And by investigation, we mean either an internal investigation or one that's been prompted by an approach from a regulator. So firstly, an investigation can start because a business discovers a breach or a potential breach and wants to investigate to find out what's happened, to confirm what's gone wrong, or even if it is a breach. A business could find out about a potential breach in which they've been involved in through a third party, such as a party involved in the activity or the transaction that they've been involved in all because of something that a whistleblower has said.

And I suppose the third way an investigation can start, is if you've been approached by a regulator perhaps requesting information about a particular transaction or activity or because a third party's reported a breach that you've been involved in. And the substance in response to an investigation will depend on how it started and the result. But generally, there'll be a fact finding stage, perhaps a notification to a regulator and then some remedial steps.

Tom Cummins:

And sticking with you, who actually does the investigating in the UK if you're in the realm of external investigations?

Sophie Law:

It's a fairly complex picture in the UK and it largely depends on the type of sanction or activity that's an issue. There are a number of different enforcement authorities. First, taking financial sanctions, so that's an asset freeze or a capital markets restriction. There are both criminal and civil enforcement options. OFSI, so the Office of Financial Sanctions Implementation is the primary authority EU would investigate breaches of financial sanctions, and it has the power to impose civil monetary penalties. We understand that OFSI also works closely with the National Crime Agency whose corruption unit investigates bribery, corruption and sanctions of evasion. However, as I said, breaches of financial sanctions can also be a criminal offence, so OFSI, or the NCA may refer a case to law enforcement for criminal prosecution.

And finally, on the financial sanctions side, the serious fraud office can investigate and prosecute cases which involves sanction breaches alongside serious or complex fraud or bribery and corruption. And on the trade sanctions side, HMRC is responsible for enforcement and it will investigate and decide whether or not to pursue a breach. It's fair to say it's more experienced than OFSI. It will often seek to reach compound settlements with parties who breached triggered sanctions, but it also has the power to prosecute breaches.

Tom Cummins:

Okay, thank you. So even in the UK, which is one jurisdiction, we've got quite a complicated picture, lots of different actors at work. Olivier, let's go across the channel and talk about the picture in the European Union. Who investigates sanctions, breaches in the different member states.

Olivier Dorgans:

One of the difficulties of the EU approach to enforcement is the fact that, as you know, while EU sanctions are adopted at the EU level, enforcement is left to each of the 27 member states. So that leads to 27 different ways of approaching enforcement. And that has led in the past to massive discrepancies in the ways in which sanctions violations are approached by the national competent authorities. For instance, violations of sanctions can only administratively sanctioned in some member states, while in other member states it can lead an individual to jail and can see significant fines being levied against a corporation.

The EU has decided to tackle that issue, especially following the numerous waves of sanctions against Russia by trying to harmonise and put together a common playing field. There was three steps that were taken in May of last year. The first was the addition of sanctions to the list of EU crimes, which notably facilitate the ability of member state to seize assets which have been gained as part of circumvention of the sanctions. The second is a work in progress of a directive that will lay out minimal rules for violations or minimal penalties for violations of EU sanctions. And this will allow the issues to be tackled similarly in each of the member states.

And the third step taken by the EU is the thoughts being given to the creation of an enforcement agency at the European level, or at least an agency that would oversee enforcement actions taken by the various national competent authority. There's been debate at EU level whether or not these powers should be given to a stand-alone agency or whether such oversight powers could be given to the money laundering authority that is being created as part of the latest round of regulations on money laundering. Ultimately what we see at the EU level is first the fact that there are discrepancies in enforcement action that leads to limited enforcement at EU level, but also a strong desire to push for a more unified approach and a stronger enforcement.

Tom Cummins:

That makes sense. Thank you Olivier. And Alexander, turning to you. I think when most people think about sanctions enforcement, the might and reach of the US authorities comes to mind. Do you want to just give us an overview of how US sanctions enforcement works?

Alexander Dmitrenko:

Great question, Tom. Thank you. Well, sanctions enforcement in the US has been priority for the US authorities, but also it's been leading as a regulator in the world. And that's partially because the US has secondary sanctions which apply globally without any US nexus, but also because the US dollar is and remains to be the key currency of world trade. So the way the enforcement works is the OFAC is the regulator that imposes the rules and then enforces them. So has two big arms of teams, one team creating the rules, the other team enforcing the rules. And both of those teams have been increasing in numbers and increasing in their budgets in terms of how much they're expecting to be bringing as revenue. I hope that's a good introduction to the OFAC generally.

Tom Cummins:

That's very helpful, thank you Alexander. I think now that we've set the scene, what the audience might really appreciate is some discussion of some of the strategic issues that come up if you are faced with a sanctions investigation. And probably the obvious question that would come up first if you identify an issue in your organisation is that, do I have to go and tell somebody? Do I have to go and report to an authority of some description? Sophie, what's the thinking on that in the UK?

Sophie Law:

So in the UK the answer really depends on who you are and what the breach is. There are a number of different categories of organisations that have specific obligations to report certain matters to OFSI. So certain regulated professions including banks, auditors, accountants, estate agents described as relevant firms in the legislation have obligations to inform OFSI if they know or reasonably suspect that a person is a designated person and has committed offences under financial sanctions regulations and where the information comes to them in the course of carrying on their business. Now on top of that, banks and financial institutions have additional reporting obligations. Unsurprisingly, given their connection to the financial system, they also have to report any activity relating to frozen bank accounts. So that's bank accounts related to designated persons. And another consideration outside specifically the sanctions regulator and legislation is if you are a regulated body, do you have your own regulator you need to report to? So for example, banks and financial institutions, you have an obligation to report to the FCA, lawyers, for example, the SRA.

Tom Cummins:

Thank you. And Olivier, is the picture similar in the EU when you're making that assessment of whether you should or are obliged to report?

Olivier Dorgans:

Well, I think a distinction here should be made between entities which are subject to specific money laundering reporting obligations such as banks, insurance company, financial institution more generally and certain professions such as lawyers and accountants and other regulated professions. For these, the question is not so much whether or not you get credit for self-reporting but whether or not you can be sanctioned for failure to self-report suspicious activity. And as we know, the violations of sanctions can often lead to money laundering offences, be it violations of individual sanctions or sectoral sanctions. So as a result, the questions of enforcement is tackled differently by subjected entities to money laundering obligations and certain types of industrial company which are not. If you are talking about entities which are not subject to specific money laundering obligations and do not have an obligation to file suspicious activity reports, then the question of self-reporting is a very tricky one from an EU standpoint because you do not get credits for cooperation or you do not get credit for a potential fine that could be levied against you.

That is very true in countries such as France, for instance, that have implemented deferred prosecution agreements for certain types of subject matters such as corruption or money laundering. But DPAs are not available for violations of sanctions. So as a result while you do get credits for self-reporting corruption offences or money laundering offences or tax evasion offences, you will not get credit as part of the DPAs for sanctions offences simply because DPAs are not available for sanctions or offences. So as a result, unless you are subjected to a money laundering reporting obligation, the questions of self-reporting should be thought about very carefully by economic operators because contrary to what you may see in other countries, you do not get credit for self-reporting.

Tom Cummins:

Thank you, Olivier. And Alexander, turning to you, you and I have been involved in a number of matters where we've had to counsel clients as to whether they should report sanctions issues to OFAC. And one of the questions that often comes up is, are the US authorities going to find out about this issue some other way? For instance, if a financial institution has to make a report, what's the analysis there in terms of that strategic call?

Alexander Dmitrenko:

Thank you Tom. Indeed, you may recall a couple of calls very recently when we discussed those points and exactly the questions come up particularly in the secondary sanctions realm. Again, as a reminder, companies that are not US companies, so non-US players, they don't have the obligation to self-report to the US regulator because the US regulator doesn't have the direct jurisdiction over them even due to secondary sanctions. However, the reporting may occur if someone else finds out, and typically it's the banks who find out about potential violations. If banks do find out, those financial institutions who work in the US, they nearly daily send suspicious activity reports to the US regulator, to the OFAC, in which they can point fingers and say, "We believe there's suspicious activity or potential violation."

Unlike points made by Olivier just now, the US does offer various incentives for coming and self-reporting on yourself, especially if you are a first time violator and if your violations is non-egregious, that is all maybe very helpful in bringing down the potential penalty to a very minimum. Frankly, one of my cases that went down from nearly 200 million to about 4 / 5 million ultimately. It may also be no violation at all if you have various elements that can support you. But to your point, Tom, it's not just that we can have someone else pointing a finger at you. I would agree with Olivier, you need to first think, do you have a jurisdiction? So if you take a position that there is no jurisdiction, you don't have liability and there's no one else pointing a finger at you, it really ultimately is $1 million or $100 million question, whether you will as a good corporate citizen, may prefer to file a disclosure with the US government or not.

And you may prefer to do so because if you have other US exposure or because again, you may be fearing that someone else will report on you first and then you don't get any credits for self-reporting. So those are taken into account and they're very, very fact specific. So there is no one answer if at all, but it is a very, very important question to ask, especially before making that reporting because once it's made, then the whole corporation and all of the other elements will come into play and it's a long process, difficult process, expensive. So if it can be avoided without violating the law, then it probably would be one of the considerations.

Tom Cummins:

Yep. No, that makes sense. And one of the questions I think that arise in the strategic context is has there actually been a breach in the first place and one basis upon which there may not be a breach is if somebody who did something that was technically contrary to sanctions didn't know or have any reasonable cause to suspect that they had breached sanctions. And Sophie, our law in the UK has evolved on this point when it comes to financial sanctions quite recently. Hasn't it?

Sophie Law:

Yes, absolutely. When we were part of the EU and all the way up to June last year, that was the position in the UK. But since June last year, there has been strict civil liability for financial sanctions breaches. So that means that it will no longer be a defence if you didn't know or you didn't have reasonable cause to suspect that what you were doing was a breach of financial sanctions. The standard of proof here is on the balance of probability. So OFSI still has to prove that on the balance of probabilities, the breach occurred, but that defence is no longer available to you for financial sanctions. And that leads to a very interesting position where there's now a difference between financial sanctions and trade sanctions, which are a very significant area of the current regime in respect to Russia. So as trade sanctions, it will still be a defence if you had no knowledge or reasonable cause to suspect that what you were doing was a breach of sanctions.

Tom Cummins:

Yeah. Whereas I think Olivier, that concept of only being liable if you knew or had reasonable cause to suspect that you're breaching sanctions, that is very much still at the centre of the EU sanctions architecture.

Olivier Dorgans:

That's correct. That prevails in the EU, both with respect to individual sanctions and sectoral sanctions. The legal instruments, the regulation that are used by the council and the commission to adopt sanctions all contain clauses, which allows companies to not be prosecuted or at least that puts company in a place where they wouldn't be prosecuted if they had no reasonable cause to suspect that they were either entering into or maintaining a business relationship with a company or an individual that was sanctioned or if they were operating in a sector that was subject to sectoral sanctions. But interestingly, a lot of European companies are also subject to UK sanctions or US sanctions that have a strong extraterritorial reach.

So as a result, it's putting this company between a rock and a hard place in the sense that while they can benefit from the no reasonable cause to suspect under the provisions of EU sanctions, they can face strict liability for individual sanctions in the UK or for individual and sectoral sanctions in the US, as I'm sure Alexander will explain in a minute. So as a result, we often see companies be extremely diligent on the basis of strict liability regime even though there's no such strict liability regime when it comes to sanctions in the EU.

And it's interesting because that has an impact in the ways in which they address the due diligence to conduct with respect to their counterparties and also when they address final users rule as well. When we look into sectoral sanctions or export control provisions, we see more and more companies that have an international reach abide by US or UK standards when EU law doesn't have such strict expectations.

Tom Cummins:

Thanks Olivier. And Alexander, Olivier has teed you up to comment on the position in the US - obviously a strict liability regime there. Can you just explain how that plays out in relation to enforcement issues?

Alexander Dmitrenko:

Well, thank you. Indeed, strict liability, and again, in the US we're functioning in two different regimes in a way. One that is US primary sanctions for those who have US nexus and the regime that isn't. So let's presume, because I suspect a lot of our listeners who would be potentially keen to hear about the latter, the non-US parties are potentially being exposed to the US regime. So first of all, there are no defences. So there's no defence to a potential violation, but there are various ways in which the regulator will take into account what a company has been doing or has done to address sanctions, risks generally. And typically one of the very first questions, if not the first question from the US regulator when you go to them with a potential concern or violation admission, is what are the policies and procedures around the sanctions?

Are they real or are they paper policy? Who are the sanctions experts internally or externally? Are you using anyone from law firms to help you? Have there been any training by Ashurst or anyone else who has that expertise to tell not only the legal team but critically business teams as well? One area in which I think a lot of companies do find trouble is how those policies and procedures go through the entire pyramid of the corporates. Meaning do they reach all the departments? Do they go to all the subsidiaries and how that is being taken into account? And ultimately I think what we see with the regulators, they'll acknowledge and they will give a lot of credit to companies that have taken a very careful view and internally implement very careful procedures and policies and have strong sanctions and compliance departments. And if there is a problem, how quickly remedial measures were taken into account.

And if there is an issue with all the employees, again, vis-a-vis the full company policy, that will be a very different picture as opposed to a company generally being not fully compliant. So I think while you have no defences generally and strict liability as a regime, you can prepare yourself. You can allow yourself to be in a position that is defendable and to allow yourself to tell the regulator it's not the company culture that has exposed the company to a potential violation. It may be a rogue employee, may be a mistake - sometimes a mechanical mistake, but that is something that companies are continuously willing to look into and frankly, we see a lot of enhancement in that area in the last few years where policies and procedures have grown in the sanctions area.

Tom Cummins:

Thank you. That's really valuable insight I think in terms of what corporates are doing to mitigate this risk when it comes to sanctions. As we move into the final part of this podcast, I wonder if I can get two minutes from each of you on predictions for what we're likely to see in the year ahead when it comes to sanctions, investigations and enforcement. Sophie, I'll start with you. What's on your radar?

Sophie Law:

So I think as the pace of new sanctions slows, we'll inevitably see authorities and regulators turning their attention to enforcement and OFSI, the UK financial regulator has indicated that enforcement is absolutely a priority for them. They've indicated that they're scaling up their workforce. I think in their report at the end of last year, they indicated they were aiming to be at 100 full-time employees, and that's a huge increase from maybe only 30 or 40 before the invasion of Ukraine. They're indicating that they're trying to move from a reactive to a proactive compliance and enforcement model. And as I mentioned earlier, they increased their enforcement powers to move to a strict liability test for civil breaches of financial sanctions, and that really encourages greater attention on enforcement.

I think there's also likely to be a big focus on sanctions evasion and circumvention. The recent designations of a number of individuals and corporates referred to as oligarch-enablers in April, and that is individuals and entities who have said to have knowingly assisted Russian oligarchs to hide their assets or evade the effect of financial sanctions. And the UK government described that move as part of a crackdown on circumvention and evasion. So I think we can certainly see that there's going to be more coming down the track targeting evasion and circumvention. And I think the UK government has also indicated that there's going to be more money available for sanctions enforcement as part of their economic deterrence initiative. I think they said that there's going to be an additional 50 million pounds in funding there.

Tom Cummins:

Yeah, thank you. And as with so many things in commerce where you put the resources is often the best evidence of where the priorities lie. Olivier, a couple of thoughts from you on predictions for the years ahead.

Olivier Dorgans:

Enforcement, as I've mentioned earlier, will definitely be an area of focus for the EU. I think it's also due to the fact that as was highlighted by Sophie and Alexander, enforcement is at the heart of the actions of the UK and the US in terms of sanctions. So I think the EU does not want to lag behind the UK and the US and other western countries in that sphere. Interestingly, I think an analogy should be drawn here with other economic crimes areas such as corruption and money laundering where we've seen efforts being undertaken with respect to transnational enforcement. I have a few examples in mind, the Airbus case being one of the very good illustrations of an enforcement that was jointly led by the SFO, the DOJ and the French prosecuting offices.

So while we're not at that stage yet when it comes to sanctions, then we first have to put together as a regional union, common playing field rules for economic actors across the various 27 member states. That's, I believe the goal of the European Council and European Commission to reach the level of enforcement that we have been accustomed to from the US and that we are seeing from the UK. And then be in a position where it can more effectively cooperate on the enforcement of the sanctions' violation of companies that are operating in multiple jurisdictions and are accordingly subject to multiple sanctions rules.

Tom Cummins:

A lot to look forward to and watch out for in the European Union, I think. And finally, Alexander, what are your predictions?

Alexander Dmitrenko:

Last but not least, speaking on behalf of the US, allow me to read three points shared by my colleagues. Enforcement itself is a priority similar to other regulators. US is hiring new prosecutors. If you're looking for a good job, interesting job, and you're a US citizen, maybe a good time to switch gears and focus on sanctions, and I promise you it'll be a fun experience. The other thing is obviously the US regulators are treating sanctions as what they call a new FCPA. That means that they're approaching this new FCPA regime of sanctions as the core element of the DOJ functioning. That means, again, resources - people and functionality are going to be there, and that also means if we see the FCPA trajectory, that there will be cooperation within the regulators. We've seen this being done in the FCPA context, we probably will see this being done in the sanctions' context, particularly as we see across the UK and the EU and the US sanctions, some similarities. They're rolling out in sync, particularly focusing on the Russian sanctions. That probably will come and we'll see it a bit more of this.

Sounding off on that, as Sophie mentioned, the closing the circle around the Russian oligarchs and the Russian companies that have already been sanctioned to remove the ability to utilise foreign financial systems and continuously work around the sanctions, so circumvent them or evade them, et cetera, that will be the focus. We've seen this now mid-April action where companies and individuals from more than 20 countries have been added to various lists because of their support, engagement or being owned directly and indirectly by the Russian oligarchs or others who have already been sanctioned. Last three points. I think when we take a step back and think about, well, what is all the sanctions we're talking about? We obviously think about geopolitics, they're closely related. And we are, again, not news for anyone, we live in a bipolar world, increasingly bipolar world where there is centre of gravity towards China Plus, and there's centre of gravitas for the US plus Europe and UK.

That also will educate and will tell us where certain regimes may go up and down, in terms of such sanctions priorities.

It will seem feasible that Russia and China will continuously to be sanctions targets from the European, US and the UK perspectives. One country that may be softening in terms of sanctions is Venezuela.

We've seen some softening there.

But last point I wanted to mention is in the contracts. We mentioned during the webinar today, how do you mitigate the risks? And we're looking at the regulator in particular. But we don't believe in a world where regulators are constantly in our presence. We should think somewhere out there lurking around.

But we do see every single day is the contracts. Contractual relationships with our counter parties, with the banks, with the whole world of what we do as business. Those countries have increasingly been focusing on sanctions compliance as well to prevent sanctions violations and to protect the potential escalations as they impact you. Those now have grown from maybe one paragraph to a couple of pages in some cases, and that trend will continue to be seen and I think that's where we will see a lot of attention from clients that will be very careful in how to approach some such compliance vis-a-vis their the contractual relationships.

Tom Cummins:

Yes, thank you. It's a great practical point to end on. I like that you offer both legal insights and career advice to US citizens who may fancy a change of direction to work in sanctions enforcement.

Thank you very much to each of you for your remarks. I think that was very interesting. The three takeaways I take from what we've been discussing I think are increased scrutiny and focus on sanctions enforcement, both from authorities. But I think also from the general public that has expectations about seeing sanctions being enforced given that there has been so much coverage of it in the newspapers and on television. Secondly, I think seeing more and more formal and informal cooperation and coordination between sanctions authorities in different jurisdictions working together to ensure that sanctions policy is enacted as effectively as possible. And then finally, this focus on going after facilitators of sanctions evasion, the enablers of the activities of business people and others who are targeted by sanctions. Another thing is something that's really come to the fore when it comes to Russia over the past year and we're likely to see more activity in that area.

I hope you've enjoyed this podcast as much as I have. I'd like to thank our panelists, Sophie, Olivier, and Alexander for their time today, and thank you for listening. We hope that you found it informative and interesting. To make sure you don't miss out on any of our other episodes, subscribe to this podcast and Ashurst's other podcasts on Apple Podcasts, Spotify, or wherever you get your podcasts. And while you are there, feel free to leave us a rating and a review. Until next time, thanks very much for listening and goodbye for now.

If you enjoy Ashurst Legal Outlook, why not check out our other two podcast series as well? Ashurst Business Agenda tackles the big strategic issues that business leaders face, and ESG Matters at Ashurst, reveals how business leaders are rising to mounting environmental, social, and governance challenges. You can listen and subscribe to Business Agenda and ESG Matters wherever you get your podcasts.