Let’s knock down one question about the U.S.-Iran nuclear deal right away: No, your company will not be opening a direct sales office on the streets of Tehran any time soon.

For compliance officers, that’s pretty much where the list of easy questions on Iran ends.

Everything else about the Iran agreement, regardless of whether you consider it brilliant diplomacy or a sucker’s bet, remains unclear to some degree. Probably efforts to thwart the deal in Congress will fail. Probably sanctions will then ease. After that, however, your carefully constructed compliance program for U.S. sanctions law will only get more complicated. Global companies will need to move from clear-cut screening (“don’t do business in Iran, period”) to more nuanced due diligence.

That brings chief compliance officers to the next question on Iran: Are your program, your technology, your vendors, and your company up to the challenge?

Assuming the deal survives Congress (likely) and comes into force, the business landscape will likely be divided between U.S. sanctions that affect U.S. persons, banks, and businesses on one side; and other regulatory regimes in Europe and Asia, where trade with Iran is already permitted, says Jeremy Paner, of counsel at the law firm Holland & Hart.

There will generally be no lawful U.S. exports of goods or services to, or imports from, Iran. Iranian banks will continue to be blocked from the U.S. banking system. That means that companies trading technology or goods subject to U.S. export controls and those that rely on the U.S. banking system in any capacity (read: everyone) must have compliance controls that address these continued restrictions.

“Europe is going to make this very complicated for the United States,” he says. As EU companies rush to do business in Iran, American businesses will not only be on the sidelines watching them make money; they also face the threat that previously low-risk supplier arrangements and banking services with European partners will now carry illegal, embargo-busting ramifications.

The various sanction regimes against Iran were already plenty complex before the U.S. deal, says Adam Smith, a former director on the National Security Council and former senior adviser to the director of the Office of Foreign Assets Control, now an attorney with Gibson Dunn. Prepare for even more confusion as the U.S. government tightens sanctions (Russia, Syria) and rethinks them (Iran, Cuba, and Burma). “We are much more practiced at imposing sanctions than relieving them,” he says. “Regulators and the regulated community will need to work together to develop new thinking—part art, part science—to get sanctions relief right.”

A better understanding of the details of the Iran agreement may come with forthcoming regulatory guidance. While U.S. regulators will presumably clarify matters with the usual array of OFAC-issued “frequently asked questions,” insight into the European Union approach might be harder to come by.

“Historically the European Union has not issued significant clarifying guidance following its imposition of sanctions,” Smith says. “The nuances in European sanctions have often been left to the 28 member states to define for companies under their jurisdiction.”

Smith is hopeful, however, that the EU will offer some guidance in this case and that the parties involved in the nuclear deal will be in lockstep as much as possible. “Nobody wants sanctions relief to differ in ways greater than what was negotiated,” he says.

“The sanctions world is moving from an entity-based inquiry to an entity-and-activity based inquiry. It is more like AML than it is traditional sanctions compliance.”
Adam Smith, Partner, Gibson Dunn

A question many will ask, especially given the automated nature of many sanctions compliance programs, is whether that technology is up to snuff. Can in-house GRC adapt to the task at hand?

“I can see a few potential ways that managing the pace of change created by the nuclear deal could pose challenges in GRC,” says David Houlihan, principal analyst for Blue Hill Research. “Generally speaking, GRC is good at process management and internal data aggregation, management, and reporting. The need for active monitoring of external data could stretch the limits of what is generally included in GRC. GRC doesn’t necessarily provide for sophisticated analysis of combined internal and external information.”

Older GRC implementations, especially those that have seen lots of customization, might also lack the flexibility to incorporate process or data management changes necessary to keep up with the diffuse requirements for international businesses. The potentially temporary nature of the changes, created by “snapback provisions” in place if Iran fails to live up to its end of the bargain, adds to the challenges in managing time-limited or uncertain requirements.

TREASURY’S VIEW ON IRAN DEAL

The following is a selection from testimony by Adam Szubin, acting under secretary of Treasury for terrorism and financial intelligence, before the Senate Committee on Banking, Housing, and Urban Affairs on Aug. 5.
To be clear: when the Joint Comprehensive Plan of Action (JCPOA) goes into effect, there will be no immediate relief from UN, EU, or U.S. sanctions. There is no “signing bonus.” Only if Iran fulfills the necessary nuclear conditions—which will roll back its nuclear program and extend its breakout time five-fold to at least one year—will the United States lift sanctions. We expect that to take at least six to nine months. Until Iran completes those steps, we are simply extending the limited relief that has been in place for the last year and a half under the Joint Plan of Action. There will not be a cent of new sanctions relief.
Upon “Implementation Day,” when phased relief would begin, the United States will lift nuclear-related secondary sanctions targeting third-country parties conducting business with Iran, including in the oil, banking, and shipping sectors. These measures were imposed in response to the security threat from Iran’s nuclear program; accordingly, they will be suspended in exchange for verifiable actions to alleviate that threat.
As we phase in nuclear-related sanctions relief, we will maintain and enforce significant sanctions that fall outside the scope of this deal, including our primary U.S. trade embargo. Our embargo will continue to prohibit U.S. persons from investing in Iran, importing or exporting to Iran most goods and services, or otherwise dealing with most Iranian persons and companies. Iranian banks will not be able to clear U.S. dollars through New York, hold correspondent account relationships with U.S. financial institutions, or enter into financing arrangements with U.S. banks. Nor will Iran be able to import controlled U.S.-origin technology or goods, from anywhere in the world. In short, Iran will continue to be denied access to the world’s principal financial and commercial market. The JCPOA provides for only minor exceptions to this broad prohibition.
It is worth emphasizing that our sanctions authorities will continue to affect foreign financial institutions that transact with these more than 200 Iranian persons on our Specially Designated Nationals List, as well as persons who provide material or other types of support to Iranian SDNs. These measures provide additional deterrence internationally.
Sanctions Snap Back
Of course, we must guard against the possibility that Iran does not uphold its side of the bargain. That is why, should Iran violate its commitments once we have suspended sanctions, we will be able to promptly snap back both U.S. and UN sanctions, and our EU colleagues have reserved the ability to do so with respect to their sanctions as well.
For U.S. sanctions, this can be achieved rapidly—in a matter of days—from smaller penalties up to and including the powerful oil and financial measures that were so effective against Iran’s economy. New measures could also be imposed if Iran were to violate its commitments and renege on the deal.
Multilateral sanctions at the UN also can be re-imposed quickly, and the United States has the ability to reimpose those sanctions unilaterally, even over the objections of other P5 members.
To those with concerns that Iran can accumulate minor violations over time, it is important to clarify that if there are small violations, we can address them through a variety of measures—snap back does not have to be all or nothing. This approach gives us maximum flexibility and maximum leverage.
If sanctions snap back, there is no “grandfather clause.” While we have committed not to retroactively impose sanctions for legitimate activity undertaken during the period of relief, any transactions conducted after the snap-back occurs are sanctionable. To be clear, there is no provision in the deal that protects contracts signed prior to snap back—once snap back occurs, any prospective transaction is sanctionable.
Source: Treasury Department.

“It’s unclear how much of an issue this presents at the level where this sort of information would be managed, but I expect some creativity may be required,” Houlihan says. “There may be further opportunities for GRC vendors to develop responsive offerings as well.”

Be Flexible

As companies have learned in recent months with ever-changing Russian sanctions, automated screening of OFAC’s Specially Designated Nationals List may only carry them so far. “The SDN lists aren’t going anywhere for Iran, but banks and companies are going to have to do a more nuanced investigation,” Smith says.

The question won’t be whether entities are off the SDN list, but whether they are off the SDN list and also not engaged in other troubling behavior. “That is obviously a lot harder to do and automate than just the simple red light/green light that is the SDN list,” Smith says.

Paner also sees a melding of sanctions compliance with customer due diligence. For banks, “It is axiomatic that you need to know your customer, but at what point do you need to know your customer’s customer’s customer?” he says. “OFAC will say that if you are taking a risk-based approach, you need to go as far as it takes to determine that you are not dealing with Iran.”

In Smith’s view, the Iranian deal is yet another reason why companies must unify historically siloed risk management processes. Adequate sanctions due diligence will require knowing the customers of customers, gathering beneficial ownership information, and tying together anti-money laundering controls and compliance with the Foreign Corrupt Practices Act.
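The shift described in the preceding paragraphs, from a red-light/green-light SDN lookup to a check that also follows ownership chains and looks at the activity itself, can be sketched in a few dozen lines. The block below is an added illustration, not code from the article or from any vendor or law firm quoted in it. It assumes a constructed SDN list and a constructed ownership graph (none of the names are real), and it applies OFAC’s 50 percent rule (an entity owned 50 percent or more, in aggregate, by blocked persons is itself blocked) as the traversal rule for “customer’s customer’s customer.” The activity rules encode only what the page states: the primary embargo on U.S. persons and the bar on controlled U.S.-origin goods going to Iran. Everything that is not a clear hit but still has an Iran nexus or partial blocked ownership is escalated to an analyst rather than auto-cleared, which is the “hand-by-hand analysis complementing automated systems” point.

```python
"""Entity-and-activity sanctions screening (added example, not from the article).

Assumptions (all constructed for illustration):
  * SDN_LIST is a toy stand-in for OFAC's SDN list, not the real list.
  * OWNERSHIP is a toy ownership graph: entity -> {owner: fractional stake}.
  * The 50 percent rule is applied as: an owner's stake counts toward an
    entity's blocked share if that owner is on the list or is itself
    >= 50% blocked-owned (indirect ownership through blocked intermediaries).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample list; names are fictional.
SDN_LIST: Set[str] = {"EXAMPLE BLOCKED BANK", "EXAMPLE SHIPPING CO"}

# Constructed ownership graph; keys are normalized names.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "ACME TRADING LTD": {"EXAMPLE BLOCKED BANK": 0.30, "HOLDCO A": 0.40, "PUBLIC FLOAT": 0.30},
    "HOLDCO A": {"EXAMPLE SHIPPING CO": 0.60, "MINORITY PARTNER": 0.40},
    "CLEAN PARTS GMBH": {"FAMILY TRUST": 1.00},
}


def normalize(name: str) -> str:
    """Uppercase, drop periods, collapse whitespace so 'Acme Trading Ltd.' matches."""
    return " ".join(name.upper().replace(".", "").split())


def blocked_share(entity: str, graph: Dict[str, Dict[str, float]] = OWNERSHIP,
                  sdn: Set[str] = SDN_LIST, _seen: Optional[Set[str]] = None) -> float:
    """Fraction of `entity` owned, directly or via blocked intermediaries, by listed persons."""
    entity = normalize(entity)
    if entity in sdn:
        return 1.0                      # a listed person is fully blocked
    seen = _seen or set()
    if entity in seen or entity not in graph:
        return 0.0                      # cycle guard, or no ownership data known
    seen = seen | {entity}
    total = 0.0
    for owner, stake in graph[entity].items():
        # Only stakes held by blocked owners count (50 percent rule as assumed above).
        if blocked_share(owner, graph, sdn, seen) >= 0.5:
            total += stake
    return total


@dataclass
class Transaction:
    counterparty: str
    destination_country: str          # ISO 3166 alpha-2, e.g. "IR"
    us_person: bool                   # is our side a U.S. person?
    controlled_us_origin_goods: bool  # goods subject to U.S. export controls?


def screen(tx: Transaction) -> Dict[str, object]:
    """Return BLOCK / REVIEW / CLEAR with the reasons that drove the decision."""
    reasons: List[str] = []
    share = blocked_share(tx.counterparty)

    # Entity-based checks: direct list hit, then ownership look-through.
    if normalize(tx.counterparty) in SDN_LIST:
        reasons.append("direct SDN match")
    elif share >= 0.5:
        reasons.append(f"counterparty {share:.0%} owned by blocked persons")

    # Activity-based checks: the restrictions the page says remain in force.
    if tx.destination_country == "IR":
        if tx.us_person:
            reasons.append("U.S. person dealing with Iran (primary embargo)")
        if tx.controlled_us_origin_goods:
            reasons.append("controlled U.S.-origin goods to Iran")

    if reasons:
        return {"decision": "BLOCK", "reasons": reasons}
    # No hard hit, but an Iran nexus or some blocked ownership: escalate to an analyst.
    if tx.destination_country == "IR" or share > 0:
        return {"decision": "REVIEW",
                "reasons": [f"Iran nexus or {share:.0%} blocked ownership; analyst judgment required"]}
    return {"decision": "CLEAR", "reasons": []}


if __name__ == "__main__":
    samples = [
        Transaction("Acme Trading Ltd.", "DE", us_person=False, controlled_us_origin_goods=False),
        Transaction("Clean Parts GmbH", "IR", us_person=True, controlled_us_origin_goods=False),
        Transaction("Clean Parts GmbH", "IR", us_person=False, controlled_us_origin_goods=False),
        Transaction("Clean Parts GmbH", "DE", us_person=False, controlled_us_origin_goods=False),
    ]
    for tx in samples:
        print(tx.counterparty, tx.destination_country, screen(tx))
```

Acme Trading is not on the list, yet it comes back BLOCK: 30 percent is held directly by a listed bank and a further 40 percent through a holding company that is itself 60 percent listed-owned, so the aggregate is 70 percent. A non-U.S. party shipping uncontrolled goods to Iran through a clean counterparty lands in REVIEW rather than CLEAR, which is the escalation path the article’s sources expect to see staffed by people rather than rules.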

“What you are going to have, at least in the short term, is a lot of hand-by-hand analysis complementing automated systems,” he says. “When things get complicated, computers fail. You need a professional in there with experience, expertise, and an understanding of the risk to make judgment calls. The sanctions world is moving from an entity-based inquiry to an entity-and-activity based inquiry. It is more like AML than it is traditional sanctions compliance.”

As for those automated systems, regulators will also want to ensure that they are up to the task.

“An important piece of all this is making sure control functions are operating correctly and in a way that a regulator can understand,” says Chrisol Correia, director of global AML at LexisNexis Risk Solutions. “As is the case with any significant change to sanctions requirements, it is going to be more difficult for institutions using heavily customized or self-built solutions to adapt quickly. These systems are typically harder to update quickly and there is often a very limited number of people who really understand how they work.”

Regulators want to make sure the institutions they oversee fully understand how their technology works and if it is configured, calibrated, and operating in accordance with the risk profile of that entity.

“Sometimes there is good reason to have silos of compliance competence in AML, sanctions, bribery, and corruption,” Correia adds. “But there is a trend to converge the operations of these different risk management and compliance areas, sharing more data between these functions and sharing resources and technology. The aim here is to just build a 360-degree view of customer risk across all these different functions’ jurisdictions and across business lines and products.”