Compliance best practices for ever-evolving Iran sanctions

The Iranian sanctions risk landscape became even more convoluted on Jan. 10, with President Trump’s issuance of Executive Order 13902, which places additional sanctions on a much broader portion of Iran’s economy and—most notably from a compliance and risk management standpoint—places any non-U.S. company that does business with Iran in the crosshairs of U.S. sanctions where little to no such risk existed previously.

U.S. persons—including U.S. companies and their foreign subsidiaries—have been prohibited from engaging in any business with Iran for quite some time, with few exceptions. “What they’re trying to do is make it even more difficult for non-U.S. companies to do business with Iran,” says Judith Lee, co-chair of the international trade practice at Gibson Dunn.

Specifically, E.O. 13902 threatens to impose blocking sanctions on any person or entity operating in the construction, mining, manufacturing, or textiles sectors of the Iranian economy; and those who knowingly engage in a “significant transaction” for the “sale, supply, or transfer to or from Iran of significant goods or services used in connection with” those sectors. It further calls for sanctions on those who “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” Specially Designated Nationals (SDNs) or entities that are owned 50 percent or more by an SDN.

As described in a series of frequently asked questions issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the re-imposed U.S. sanctions will take effect following a 90-day wind-down period (by April 9) for these sectors.

Additionally, E.O. 13902 permits the Treasury Secretary to impose secondary sanctions against any foreign financial institution that knowingly conducts or facilitates any “significant financial transaction” in any of the sectors described, regardless of whether such transactions have a U.S. nexus. Concurrently, on Jan. 10, OFAC designated 17 specific sanctions against Iran’s largest steel, aluminum, copper, and iron manufacturers, in addition to several senior Iranian officials and third countries’ entities engaged in transactions in the Iranian metals and mining sectors.

Coronavirus impact

Iran has been one of the countries hit hardest by the coronavirus, with more than 8,000 cases confirmed and more than 50 deaths. Excluded from the Iran sanctions are transactions concerning agricultural commodities, food, medicine, or medical devices to Iran. Additionally, the coronavirus epidemic has compelled the Trump administration to ease sanctions on Iran as they relate to humanitarian goods even further. On Feb. 27, the U.S Treasury issued a general license exemption to allow for trade in medical supplies specifically through the Central Bank of Iran, reopening a channel for humanitarian trade that had been closed since September 2019.

Concurrently, the United States and Switzerland finalized a humanitarian trade agreement providing assurances for the Swiss to export humanitarian goods to Iran without fear of incurring penalties for violations of U.S. sanctions. “The Swiss Humanitarian Trade Agreement will help ensure that humanitarian goods continue to reach the Iranian people without diversion by the regime,” said Treasury Secretary Steve Mnuchin.

Broader sanctions risk

The new sanctions are just the latest in a series of overlapping executive orders imposing additional sanctions on Iran. In August 2018, President Trump announced secondary sanctions against the energy and shipping sectors (under E.O. 13846), and in May 2019, he sanctioned the iron, steel, aluminum, and copper sectors (under E.O. 13871).

The newly imposed sanctions, however, are potentially far broader in scope. From a risk management standpoint, by broadly designating the manufacturing sector, “it expands the lens of companies that have to deal with or make a calculation about their [sanctions] risk, based on the breadth of that language,” says Tamer Soliman, global head of the export control and sanctions practice at Mayer Brown.

“That’s where companies are struggling the most. A lot of times, they don’t know who their third parties are doing business with, and that’s where the trouble lies.”

Steven Kuzma, Senior Managing Director, BDO

Companies that don’t fall under the umbrella of one of the other named sectors might still face sanctions risk to the extent that they operate in Iran’s manufacturing sector. “If you think about it, what isn’t manufactured?” says Steven Kuzma, senior managing director in the forensic investigation and litigation services practice at BDO.

Unlike the technology and defense sectors that are well-versed in sanctions compliance, it’s other sectors, like consumer product, that haven’t traditionally had to think about sanctions that have a much steeper learning curve. “Their challenge is understanding what the sanctions mean to them,” Kuzma says.

Sanctions compliance best practices

Chief compliance officers seeking specific guidance on how to build a well-crafted sanctions compliance program would be remiss to ignore OFAC’s first-ever compliance framework published in May 2019. “The substance of the guidance is a useful reference point for companies,” Soliman says.

Start with implementing a sanctions compliance program. According to OFAC, a common root cause of sanctions violations is simply not having in place a sanctions compliance program. For non-U.S. companies that are new to the Iran sanctions regime, start by conducting a sanctions risk assessment by evaluating whether the business operates in any of the covered Iranian sectors and/or whether it could be engaging in any transaction that the Treasury Department may deem “significant.”

Using previous executive orders as a guide, OFAC has signaled that it will consider the “totality of the facts and circumstances” when determining whether it deems a transaction or financial transaction “significant.” Examples of factors it will consider, OFAC said, include the size, number, and frequency of transactions; the nature of the transaction; management’s level of awareness and whether there’s a pattern of conduct; and whether the transaction involve deceptive practices.

Examples of questions non-U.S. companies should be asking, Soliman says, include: “What does my risk profile look like from a sanctions-compliance perspective? Where are the potential vulnerabilities? What reasonable things can I do to manage those vulnerabilities without bringing the business to a halt?”

Conduct third-party due diligence. According to the OFAC guidance, “incomplete due diligence on customers/clients” is another common root cause of sanctions violations. The cornerstone of any effective compliance program has always been to know your customer, know your client, know with whom you’re doing business. “That’s where companies are struggling the most,” Kuzma says. “A lot of times, they don’t know who their third parties are doing business with, and that’s where the trouble lies.”

Make it clear upfront with your customers, suppliers, and intermediaries that doing business with Iran is prohibited, Lee says. Getting something from them in writing is also advisable, she says.

Additionally, the movement of goods, as well as the financial transactions around those goods, need constant monitoring, including having the ability to track goods as they work their way out of the manufacturer to the end user. “Can they track it the entire way? That’s the key to sanctions compliance,” Kuzma says.

Implement internal controls. Policies and procedures outlining the sanctions compliance program should be “relevant to the organization; capture the organization’s day-to-day operations and procedures; are easy to follow; and designed to prevent employees from engaging in misconduct,” the OFAC guidance states. It’s also important to appoint someone with primary responsibility for integrating these policies and procedures into the daily operations of the company, the guidance states. Policies and procedures should be enforced; weaknesses should be identified and remediated; and internal or external audits and assessments of the program should be conducted periodically.

Implement a global sanctions compliance program. U.S. sanctions compliance considerations become more complex in the face of conflicting statutes, such as the European Union’s “blocking statute,” which forbids EU companies from complying with the extraterritorial effects of U.S. sanctions, including Iran sanctions. Even if the business has a relatively small U.S. footprint, and even in the face of conflicting statutes, “it’s best to comply with the OFAC sanctions, if not to the letter, at least to the spirit of the OFAC sanctions,” Lee says. Given that U.S. sanctions violations come with the heftiest penalties, “you do not want to be on the U.S. government’s radar,” she says.

Automate screening and alert processes. Harnessing technology to tackle both the regulatory and operational challenges of sanctions compliance is also important. “You need to have tools and data that make sanctions compliance manageable in terms of efficiency,” says Vincent Gaudel, a compliance expert with Accuity, a payment processing solutions provider. “If you try to comply on a manual basis, it’s going to be a nightmare.”

Solutions that leverage artificial intelligence (AI), specifically, can help companies and financial institutions more accurately detect their sanctions risk exposure. “Identifying a sanctions risk is like looking for a needle in a haystack,” Gaudel says. AI helps by detecting and flagging potential sanctions risk through improved screening accuracy, thus reducing false positives and prioritizing alerts by risk severity. “The role the value of AI is to make the tools more efficient and the controls more efficient,” he says.

Centralize the monitoring of sanctions compliance. Even the most advanced technologies are only as reliable as the quality and availability of the data. So, one thing companies can do to improve their sanction compliance program is to find ways to integrate knowledge and information with other business operations and business activities, says Christian Cooper, managing director in the forensic investigation and litigation services practice at BDO.

Now that OFAC has published a framework for what it expects of companies, that puts the onus on compliance officers to do what OFAC expects. “If companies don’t do what OFAC wants them to do, it gets really hard if there is a violation to try to persuade OFAC not to give you a maximum penalty,” Lee says.

OFAC is not looking for perfection. Companies will make mistakes. Human error can occur. Things can be missed. But if U.S. companies and foreign companies with a U.S. nexus can demonstrate that the business is doing everything in its power, OFAC said it will “consider favorably” effective sanctions compliance programs when resolving a case.