How to Enhance Your Risk Management Capabilities
UPDATE: The spiderweb of sanctions against Russia is quickly evolving. On February 24, 2023, the one year anniversary of Russia’s war with Ukraine, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) launched sweeping new sanctions against Russia, which include a mix of industry prohibitions, also known as sectoral sanctions, and prohibitions on dealings with specific individuals, entities, and financial institutions. The sanctions include:
- Sectoral sanctions on any individual or entity associated with the metals and mining sector of the Russian Federation econom
- Sanctions on scores of individuals, entities, and vessels, including:
- 30 non-Russian individuals who have facilitated Russian sanctions evasion;
- Over a dozen Russian financial institutions;
- Russian wealth management firms;
- Arms dealers supporting Russia and Belarus;
- Russian military supply chain organizations; and
- Russia defense industry organizations, including aerospace, technology, and electronics companies.
The U.K. launched similar sanctions as well, demonstrating a joint commitment to isolate and economically hinder Russia.
[Assess your sanctions risk with AI technology and industry expertise. Learn more about Exiger’s sanctions screening and compliance services.]
Sanctions Overview: the Weaponization of Sanctions
Matthew Saxonmeyer, Exiger Associate Managing Director
Economic Sanctions are far from a modern concept: the United States’ embargo of Cuba began in 1958. But since February 2022, sanctions and talk of sanctions entered our every-day lives. This began when the Russian State Duma voted to recognize the independence of two regions of Eastern Ukraine. Consequently, navigating Russian sanctions has challenged participants from both the private and public sectors. The dynamic implementation of sanctions is further complicated by the murky waters of sanctions evasion. Maintaining a flexible, risk-based approach to sanctions risk management helps prevent your firm’s financial crime programme being snagged by what’s under the surface.
In the months following Russia’s 2022 military invasion of Ukraine, leading global economies announced an extraordinary set of increasingly severe sanctions measures against Russia (and its complicit neighbour, Belarus). These are aimed at crippling the Russian economy, and the country’s ability to further its advance into Ukraine. Spearheaded by the trident of the US, the UK, and the EU, sanctions expanded from listings of individual Russian political or military figures and private and state-owned Russian companies to networks of potential sanctions evasion enablers and restrictions on whole sectors of the Russian economy. Further, recent sanctions announcements have highlighted the regulators’ commitment to address potential evasion and circumvention attempts, with the EU and the US laying out legal frameworks for listing those that help undermine sanctions on Russian.
The Complexities of Sanctions Risk Management
Determining ownership and control is one of the most challenging aspects of achieving not only effective sanctions risk management but also AML/CTF compliance. The tsunami of increasingly complex sanctions against Russia in 2022, in conjunction with heightened regulatory vigilance on firms to ensure they are not doing business with sanctioned entities both directly and indirectly, has placed significant pressure on industry participants’ risk-based approach to Customer Due Diligence (“CDD”). This is further complicated by sanctioned persons’ attempting to evade sanctions. Ownership structures employed by sanctioned individuals are often incredibly complicated, making use of secrecy jurisdictions, complex ownership structures, or even family members or lawyers, so that on paper, an entity may appear completely clean and able to avoid an institution’s sanctions controls.
The challenge is exacerbated by variances in different regulatory approaches to sanctioned ownership and control across jurisdictions. In the US, the threshold for identifying sanctioned ownership of an entity is set at 50% or more, whereas in the EU, it’s defined as more than 50%, a subtle but importance difference, especially when dealing with US-based clients or counterparties. Moreover, in the EU and UK, control extends to instances where a listed person can exercise control by, for example holding dominating influence, majority voting rights or ability to appoint members of the board, while the OFAC’s 50% rule makes no such stipulations.
That’s not the only difference, however. If the US authorities determine that a non-US person “knowingly” facilitated a “significant transaction” in violation of their relevant sanctions programme, they could impose secondary sanctions on that non-US person. That means that even without a US nexus, entities need to be aware that they run the risk of exposing themselves to penalties from the US when they deal with sanctioned entities or jurisdictions.
Regulators have also emphasized the importance of identifying the potential involvement of third-party sanctions evasion enablers. The EU’s August 2022 guidance on control specifically covers situations involving third parties exercising control on behalf of listed persons and advises a careful examination of the nature of such relationships. The EU has also noted that while an entity might not be directly owned, controlled, held, or belonging to a listed person, they might be indirectly benefiting from that entity economically, and hence that entity would be subject to asset freeze obligations. As such, it’s essential that those operating in the financial sector are able to evidence to regulators that they have exercised the necessary level of diligence when identifying the true beneficial owners of their customers and counterparties.
Assessing and mitigating indirect sanctions exposure is also significant. Firms should have an enhanced understanding of the indirect risks associated with their products and service offerings, customers, as well as their business practices and notably counterparties. For example, an institution might be facilitating payments on behalf of entities that are interacting with sanctioned entities, or who are located in sanctioned jurisdictions, such as extending loans, trading shares, or trading in prohibited sectors. Indirect sanctions risk exposure should be understood, identified, and addressed with equal effort to direct exposure, and lack of such effort might result in the facilitation of prohibited activities, breaching regulations and even enforcement action. This highlights the importance of in-depth Know Your Customer (“KYC”) knowledge, a thorough understanding of customer and counterparty risk, as well as a company-wide commitment to keeping employees up to date with and actively reporting risk red-flags.
Sanctions Evasion – What Does a Good Mitigation Strategy Look Like?
Financial institutions are navigating a rapidly changing sanctions environment with firms having to track a wide array of strict licensing rules and regulations, and in particular asset freeze obligations, all of which must be considered on a global basis. Sanctions compliance programmes are further challenged by increasingly complex sanctions evasion techniques exploited by sanctioned persons. Effectively preventing, detecting, and mitigating such illicit attempts at evading sanctions regulations is the result of different controls working in tandem within a firm’s financial crime compliance programme.
An institution’s strong culture of sanctions compliance is key for effective programme implementation as it empowers employees throughout the organisation to detect, assess and mitigate sanctions evasion risks in line with their responsibilities. Moreover, a sanctions compliance programme should be routinely updated so that it reflects not only regulatory changes and guidance, but also a firm’s business model, geographical/sectoral areas of operation and products and service offerings. Sanctions evasion mitigation starts with a clear and unambiguous sanctions risk appetite statement which clearly outlines a firm’s risk appetite and risk tolerances towards sanctions exposure. Without this fundamental starting point, it is very hard for firms to make defendable risk-based decision about its existing as well as future customers.
KYC is key to assessing sanctions risk. This applies not just to performing due diligence at onboarding, but the continuous assessment and updating of KYC information and the feedback loop when red flags are identified in sanctions screening or adverse media monitoring alerts. When it comes to changes in ownership, regulators expect firms to complete risk-based due diligence and to correctly apply sanctioned ownership aggregation in line with differing regulatory approaches.
In this vein, firms must adopt a risk-based approach that considers the complexity, nature, and scale of their business operations as well as the customers, segments and markets and related sanctions risk exposure. Through this, sanctions compliance programmes can be optimised to help businesses detect sanctions red flags indicative of sanctions circumvention. This is evident through the approach of EU and US regulators, who take a very strict approach to such diligence checks. Any failure to complete adequate due diligence and maintain ongoing KYC could be interpreted by regulators as willful blindness, or even complicity, for sanctions breaches and circumvention offences.
Other crucial components of effective sanctions screening are smart technology, robust procedures with clear escalation routes and trained staff who are well-equipped to investigate name or payment screening alerts. Further, employing integrated artificial intelligence and machine learning models, similar to Exiger’s proprietary DDIQ software, enables firms to ensure greater accuracy to its sanctions exposure response.
A common challenge for organizations is that they only have visibility into the company name that they are working with or potentially partnering with, but not the ownership structure behind it. That is a roadblock for sanctions risk, because you need to understand who the two-legged individual is behind that entity that you’re making the payment to, and who is the ultimate beneficiary of that payment.
Unwrapping Sanctions Risk
Dan Banes, Exiger Global Head of Commercial Markets
Cognitive computing enhances an institution’s KYC process by streamlining, replicating, managing, and scaling an experienced analyst-driven process and thus empowering its approach to risk-based sanctions risk management in a cost-efficient manner.
Understanding red flags and emerging typologies is another key factor of sanctions evasion mitigation. Evasion techniques highlighted by UK and US regulators have exemplified the diversity in strategies that could be employed by sanctioned persons and their associates. These have ranged from export control evasion attempts such as transshipment identified in the FinCEN and BIS joint alert, to the exploitation of secrecy jurisdictions and countries not cooperating with the implementation of sanctions against Russia. In addition, sanctioned persons have not hesitated to use cryptoasset service providers and anonymizing tools to evade sanctions and protect their assets.
The NCA, FCA and OFSI have highlighted the use of third parties for the purposes of sanctions evasion by sanctioned persons, including close associates, family members and close contacts, which could turn into sanctions evasion enablers. To demonstrate this with a recent example, after weeks-long investigations the German Federal Criminal Police Office discovered that the $400 million, mega yacht Dilbar is owned by the sister (Gulbakhor Ismailova) of an individual (Usmanov) sanctioned by EU, UK and US authorities. She owns it via a complex web of offshore companies, registered in the Cayman Islands, Cyprus and Switzerland.
This is just one example of obscure ownership, use of third parties and secrecy jurisdictions. There are countless others lurking below the surface, waiting to be uncovered – both by regulators and industry participants. A sanctions compliance programme is empowered to detect them through comprehensive screening controls and KYC processes, by asking for further information, and communicating openly with regulators when doubts arise. This is relevant for both potential evasion attempts, as well as regulatory breaches.
The intertwined nature of the European and Russian economies, and the decades head start that recently sanctioned individuals have had to obscure their wealth and assets – likely originally for tax purposes – makes sanctions risk mitigation an incredibly difficult task. Further, firms have been under pressure to exhibit flexible risk-based sanctions compliance programmes while seeking to ensure effective sanctions implementation and demonstrate compliance to regulators.
An effective sanctions compliance programme is based on a solid foundation of in-depth KYC and transactions screening. It is held together by a clear and unambiguous risk appetite statement and kept up-to-date with regular reviews of changing regulations and relevant clients and counterparties. Comprehensive and frequently updated KYC profiles allow firms to identify sanctioned ownership and control, in addition to firms not shying away from asking customers for further information, or where necessary, challenging already provided information. Committing to a zero sanctions tolerance approach and maintaining a transparent relationships with regulators are also key in ensuring efficient sanctions risk management. Whilst Russian sanctions in particular will remain difficult to navigate, these principles will help shine a light on the risks that lie hidden in a murky world.
How Exiger Can Help
Exiger can help if you are:
- Experiencing challenges regarding sanctions screening
- Need understanding of who owns and controls your clients or third parties
- Managing sanctions alert spikes or backlogs, risk assessment, risk appetite, key risk indicators or sanctions screening software effectiveness
Our compliance and managed services experts have extensive experience in helping our clients navigate the complexities of Russian sanctions. Assess your sanctions risk with AI technology and industry expertise by learning more about Exiger’s sanctions screening and compliance services.
Exiger also offers:
- DDIQ, which automatically applies risk beyond a single entity to a full network by detecting both entity and ownership information.
- Supply Chain Explorer, the world’s first single-click supply chain risk detection SaaS platform. Rapidly surface, understand and mitigate critical threats to your entire supplier ecosystem – including sanctions risk – with a single click.
Contact us today to learn how we can help you protect your business from risks due to sanctioned entities.