The Trump administration seems to prefer confrontation with U.S. allies to cooperation (both in the economic arena and in politics). This new tack raises the risk level for American companies doing business in the European Union and United Kingdom, or for U.S. companies that might be subject to EU jurisdiction.

There are two phenomena converging that will likely create a new risk category that U.S. companies will have to manage.

The first is fines and penalties levied by the U.S. government against international banks in the wake of the 2008 financial crisis. Of the top 10 highest fines, five have been levied against European-based banks. And of the top 10 FCPA enforcement actions of all time, eight have been against companies based outside the United States (seven are EU-based companies).

The second is the current geopolitical climate around Iran, after the United States pulled out of the Iranian nuclear deal, which had been agreed to by the P5+1 group of world powers (United States, United Kingdom, France, China, Russia, and Germany). U.S. companies are now banned from doing business in Iran under the prior economic sanctions regime, which has been reinstituted. The EU countries, however, have not pulled out of the deal and can still do business with Iran under the still-existing treaty. 

The United States has threatened to sanction any government, country, or company that does business with Iran. These are called secondary sanctions, as they are levied not against a direct adversary but secondary players (such as companies outside the United States). EU countries, meanwhile, have formally asked the United States to forgo secondary sanctions on companies in their countries. A letter, signed in early June by the finance and foreign ministers of Britain, France, and Germany, and by Federica Mogherini, the European Union’s foreign-policy chief, was sent to Secretary of Treasury Steven Mnuchin and Secretary of State Mike Pompeo. In it, the European leaders cited security interests in requesting that companies in Europe be granted an exemption from United States sanctions that would be imposed as a result of President Trump’s decision to withdraw from the Iran pact. Given the antipathy by the Trump administration toward anything that does not threaten Iran and its desire to confront the EU at every turn, the administration is highly unlikely to accede to such a request.

It is probably not a question of if, but when the United States will begin to engage in secondary-sanctions enforcement against EU or U.K. banks handling Iranian currency affairs and companies that continue to do business in Iran. U.S. regulators levied millions in fines against EU financial institutions and EU-based companies in the Oil-for-Food scandal in the early part of the 21st century, so the model exists.

How would EU/U.K. regulators react if the U.S. government were to aggressively enforce secondary sanctions against companies in their jurisdiction? One way might be increased enforcement of anti-corruption laws in EU countries. Led by the U.K. and its Bribery Act, several EU countries have passed robust anti-corruption laws and are now enforcing them more rigorously. It would certainly not be a stretch to begin to see more enforcement against U.S.-based companies as well.

There is also a new EU tool that may greatly increase enforcement risk to U.S. companies: the General Data Protection Regulation (GDPR). Not only are these privacy laws antithetical to American corporate philosophy on data privacy and data protection, but there are potential penalties of up to 4 percent of global annual revenue.

U.K. Information Commissioner Elizabeth Denham has publicly stated her agency will not be shy about issuing large fines and penalties for GDPR violations. The EU’s distaste for Facebook, Google, and other large U.S. tech companies is well known, as both Facebook and Google have previously been fined millions for data privacy breaches under prior EU regulations. Google was hit by EU regulators with a $2.7 billion fine (€2.3 billion) in 2017 for antitrust violations. Now under GDPR, a much wider range of U.S. companies can come under scrutiny and potential sanction by EU/U.K. regulators.

All of this means the risk for U.S. companies may significantly increase and robust compliance in the EU and U.K. will become even more critical. As the United States moves toward the Trump administration’s policy of America First, U.S. companies doing business internationally will likely be the first group to pay the cost of that strategy.