New sanctions legislation signed into law this month creates significant new compliance risks for companies struggling to navigate a vast and turbulent geopolitical landscape. It’s time to reevaluate those trade sanction compliance policies.

The “Countering America’s Adversaries Through Sanctions Act” (CAATSA), signed into law by President Trump Aug. 2, expands and strengthens U.S. sanctions law, especially targeting Russia and North Korea. The bill passed with overwhelming bipartisan support and is “one of the most expansive sanctions packages in history,” House Speaker Paul Ryan (R-WI) said in a statement.

Some of the most significant provisions in CAATSA amend the U.S. “sectoral” sanctions program targeting Russia by imposing tighter restrictions (known as directives) on U.S. persons’ business activities with Russian persons operating in certain specified sectors named on the Sectoral Sanctions Identification (SSI) List. Sectors that will be most affected include oil and gas, metals and mining, and the railway.

Any company involved in Russian oil and gas projects will want to pay particular attention to the SSI List’s Directive 4, which will soon prohibit the export of goods, technology, or services by U.S. persons in support of “new” deep-water, Arctic offshore, or shale projects worldwide that involve a Russian sanctioned person who holds a 33 percent or greater ownership interest in such a project. Prior to CAATSA, Directive 4’s prohibition on goods, technology, and services applied only to projects in Russian territory.

The bill further authorizes the Secretary of Treasury to apply sectoral sanctions against a state-owned entity “operating in the railway or metals and mining sector of the economy of the Russian Federation,” it states.

From a compliance standpoint, the new sanctions restrictions mean that companies doing business with Russia should conduct proper due diligence to assess whether a Russian customer, supplier, or other business partner is listed on the SSI List or is owned by a company listed on the SSI List.

Another provision of CAATSA shortens, by about half, the prohibited debt periods of the SSI List’s Directive 1 and Directive 2. Under Directive 1, U.S. persons will be prohibited from transacting in, providing financing for, or otherwise dealing in new debt of longer than 14 days’ maturity (down from 30 days) applying to Russian financial institutions. Under Directive 2, U.S. persons will be prohibited from transacting in, providing financing for, or otherwise dealing in new debt of longer than 60 days (down from 90 days) for the benefit of specified entities operating in Russia’s energy sector.

Consider, for example, a U.S. company that provides an invoice to a Russian company on the SSI List, and that Russian company takes more than 14 days to pay. The U.S. company will then be deemed to be dealing in a debt instrument of longer than 14 days. In practical terms, the amendments to these directives mean that non-banks should review their current invoicing processes and revise them accordingly.

Many of the provisions in the law authorize the imposition of secondary sanctions. This means that non-U.S. companies that engage in certain activities, even if such activities do not involve U.S. individuals or the United States, may still be sanctioned by the United States.

North Korea-related sanctions. CAATSA significantly expands the scope of North Korea-related sanctions established under the 2016 North Korea Sanctions Policy Enhancement Act. Specifically, CAATSA authorizes the President to impose secondary sanctions against any individual found to have engaged in the following activities:

Purchasing precious metals or other natural resources from North Korea;

Knowingly selling or transferring fuel for aircraft or other vessels designated under United Nations or U.S. sanctions;

Providing certain kinds of support and services to vessels owned or controlled by the North Korean government; and

Opening a correspondent bank account on behalf of any North Korean financial institution.

“U.S. financial institutions may want to review their correspondent banking relationships and conduct due diligence on foreign financial institutions to accurately assess risk and ensure that correspondent accounts are not being used for the benefit of any sanctioned entity or individual,” states a client alert from law firm Paul Weiss.

CAATSA further provides the President with discretionary authority to impose sanctions against individuals that engage in certain other activities involving North Korea, including:

Selling or transferring significant amounts of crude oil, petroleum products, or natural gas resources to the North Korean government;

Acquiring textiles from the North Korean government;

Purchasing or otherwise acquiring significant types or amounts of food or agricultural products from the North Korean government;

Acquiring coal, iron, or iron ore from North Korea that exceeds the limitations provided under UN Security Council resolutions; and

Facilitating human rights abuses by the North Korean government, including the use of forced labor and slavery overseas of North Koreans.

“The broad scope of CAATSA’s expanded secondary sanctions authorities heightens the risk of forming or maintaining trade, financial, or other business relationships, directly or indirectly, with North Korea,” the Paul Weiss client alert states. “Non-U.S. financial institutions may want to review their customer activity and profiles for business that is vulnerable to either mandatory or discretionary sanctions.”


A sanctions compliance program should be able to answer the following key questions:
Where are the company’s clients and customers located around the world?
How are you handling the onboarding of customers and business partners?
What data are you collecting to properly screen business partners and ensure they’re not doing business with a sanctioned entity, and how are you collecting that data?
Which transactions have an inherent high risk for sanctions activity?
Which clients execute transactions in high-risk geographies or deal with counter-parties that pose increased sanctions risk?
What is the ownership structure of the company’s business partners?
—Jaclyn Jaeger

Sanctions compliance. Due to a global web of mounting and ever more complex and competing sanctions laws, having in place a best-in-class sanctions compliance program is crucial. “It all starts with the risk assessment,” Jeremy Sorenson, compliance director at financial services company USAA, said during a recent Compliance Week Webcast, sponsored by Thomson Reuters. “You can’t even begin to put in place the right controls or practices and processes unless you have a very robust and thorough risk assessment.”

The risk assessment must be tailored to the company’s unique risk profile and risk appetite, taking into consideration a variety of potential sanctions risks posed by geography, certain transactions, and clients. Additionally, the risk assessment should be updated at least annually, taking into consideration new business partners, new markets, and recent merger and acquisition activities.

Although the compliance department should lead the risk assessment, it should not be responsible for doing all the work, Sorenson said. Instead, compliance should work in collaboration with other business units—such as legal, risk, supply chain, internal audit, sales, finance, and human resources. Better collaboration also offers the dual benefit of leveraging existing internal capabilities which, in the end, could help reduce compliance costs.

“You may decide from a risk perspective that you don’t want to do business in a certain country,” Sorenson said. Maybe the company’s risk appetite doesn’t tolerate taking that risk, but these are the sorts of decisions that must be made starting with a proper risk assessment, he said.

Because the global sanctions landscape is ever-evolving, a sanctions compliance program cannot effectively screen and track customers, vendors, and business partners without accurate and complete data. For this reason, companies should consider adopting a third-party screening solution that automates the assessment and monitoring of suspect accounts and transactions and screens for issues related to sanction and watch lists, and politically exposed persons, for example.

Even with good data management and policies and procedures in place, compliance still needs to ensure that such sanctions compliance policies and procedures are being followed and that robust internal controls are in place, including performing periodic internal audits.

Many times, the compliance department will assume that the business units are conducting proper due diligence, while the business units assume the compliance function has things under control, leaving the company vulnerable to sanctions risk. “It has to be a collaborative effort,” Sorenson said.

A best-in-class sanctions compliance program should also have the support of the highest levels of management. Multinational companies are especially vulnerable to the risk of senior-level management engaging in sanctions violations, unbeknownst to the compliance department. “You have to have a system in place to ensure that your regulatory compliance structure covers them, as well,” Rear Admiral Chris Parry, Former Director General of the U.K. Ministry of Defense, said during the Webcast.

Some companies have unspoken and unwritten policies that they wish to evade sanctions, Parry added. “I’ve come across several large companies that have explicitly said, ‘Everybody else is doing it. Why shouldn’t we? There is money to be made here.’ ” That is something to keep in mind and be cautious of.

Ongoing training and awareness of U.S. sanctions laws for all employees, and targeted training for employees dealing in high-risk areas or those responsible for identifying sanctioned parties, is also important. Employees should further be warned and reminded about the penalties for non-compliance.

Contractual clauses also help the company reduce its sanctions risks, Parry said. Consider requiring distributors and agents to certify, for example, that they comply with all current U.S. sanctions and export control laws.

In light of CAATSA and other new sanctions mandates developing all over the world, it would be a mistake to wait for a significant sanctions violation before reviewing and strengthening your sanctions compliance program.