Skip to content

Sanctions special report: helping your business build an effective risk management programme, September 2015

Market Insight
14 September 2015

Political developments at a regional and national level present a host of difficulties for enterprises engaged in international commerce. Businesses may find themselves dealing with an uncertain and potentially volatile environment, and legal restrictions may severely restrict their ability to comply with their contractual obligations and pursue their commercial objectives.


Nowhere is this more true than in the field of international trade sanctions, where fast-moving political developments have resulted in a wide range of restrictions being imposed.

Sanctions have never been more complex or dynamic, with numerous programmes in place. The map below shows the large number of countries which were subject to some degree of EU or US restriction as of September 2015.

Read More

Businesses are forced to deal with onerous restrictions against Russia, with the ever-present threat of more restrictions being imposed, while also keeping on top of the developing situation with respect to Cuba and Iran, where the possible lessening of sanctions creates welcome opportunities, but also threats.

The consequences of violating sanctions are hugely significant, with not only reputations and commercial relationships at risk, but also the spectre of criminal penalties, including huge fines for businesses – sometimes running into millions or billions of dollars – and prison sentences for individuals.

This means that it is critical to understand and manage the risks, and be able to provide regulators with evidence of the actions taken to ensure compliance. That includes having a robust and effective risk management programme.

This report will explore the key risks, summarise strategies to mitigate those risks and highlight some likely future developments.

Sanctions: what you really need to know

  • Sanctions are complex and dynamic.
  • The potential consequences of violating sanctions include fines and prison sentences.
  • The restrictions include asset freezes, restrictions on trade in certain goods and services, and bans affecting investment, financing and insurance.
  • It is essential to devise a robust and effective risk management programme. To do this you need to:
    • Understand and identify the risks to your business.
    • Conduct (and document) suitable due diligence to mitigate the risks which arise.
    • Get buy-in at all levels of your organisation.
    • Train staff and communicate your risk management effectively.
    • Contract on suitable terms.
    • Work closely with your banks and insurers.
    • Ensure your policy is kept up to date.

The nature of modern trade sanctions

While the scale and extent of sanctions is a modern development, they have a lengthy pedigree, having been used since ancient times. In fact, the first recorded use of sanctions results from a dispute between Athens and Megara, a neighbouring city state, in around 430 BC.

After the inhabitants of Megara cultivated consecrated land and killed an Athenian herald, Athens imposed what we would now recognise as trade sanctions. In particular, Megara’s traders were excluded from Athenian markets, including the ports in its empire.

Read More

Sadly, this example from antiquity also anticipates a current issue regarding trade sanctions, namely concerns about their effectiveness. The Athenian restrictions, which were imposed pursuant to a law which became known as the Megarian decree, ultimately led to war between Athens and Sparta, when Sparta ordered Athens to rescind the decree and Athens refused.

While they are commonly seen as a commercial instrument, sanctions are of course a political tool intended to address (and change) particular behaviour, usually on the part of the political or other leaders of another country. As a result, sanctions should be:

  • Targeted at the particular issue or behaviour.
  • Limited to the least onerous restrictions necessary to bring about change.
  • Timely, meaning they are imposed at the right time and increased or reduced in response to developments on the ground.
  • Certain, so they are capable of being understood and complied with.

Current sanctions can be loosely grouped into three categories, namely:

  1. Measures which will only have a limited impact on most commercial organisations, such as arms embargoes and travel bans.
  2. Restrictions which are likely to have a significant direct effect on commercial organisations, such as asset freezes and restrictions on trade in certain goods and services.
  3. Measures with a more indirect effect on commercial organisations, such as bans affecting investment, financing and insurance.

The impact of each of these categories on a business needs to be considered when devising a risk management programme, as outlined below.

Building a risk management programme


Businesses which have any point of contact with sanctioned countries, whether that is importing or exporting goods, developing resources, or supporting trade by providing insurance or financial services, need to have a robust risk management and compliance programme in place.

While the nature and extent of that programme will of course vary from business to business depending on the nature of activities and the degree of risk, it is possible to highlight some key elements which will be common to most effective sanctions programmes. These are summarised below and discussed in more detail later.

Read More

The first stage is to understand and identify the risks. That involves a review of the business operations to work out whether, for example, EU, US or other national restrictions apply. It will also involve a review of the jurisdictions where the business is active, to determine which of the sanctioned countries need to be considered.

Having identified the sanctioned countries, the next stage is to look at the particular restrictions, to work out which of them potentially affect the business.

The programme needs to mitigate the risks which arise, without ruling out lawful opportunities which the business wants to pursue, otherwise it risks losing credibility within the organisation.

Thought also needs to be given to the terms on which the business trades, as well as its relationships with its banks and insurers, to ensure the business is adequately protected and supported.

The programme needs to be embraced by the business at all levels, and communicated effectively to the front-end staff who will need to operate it, and who should be encouraged to identify areas where it can be improved.

In an environment where sanctions change frequently, with limited, if any, advance notice, and those changes may have immediate effect, it is imperative that the risk management programme is kept up to date and reviewed regularly to ensure it remains fit for purpose.

Risk assessment

The key to ensuring compliance is of course understanding the restrictions. So, what kind of restrictions have we seen, and how do they tend to be applied?

Because the asset freezes and the restrictions on trade in certain goods and services are the measures which are likely to have the greatest impact on commercial organisations, we will look at these restrictions in detail.

Read More

Asset freeze

The asset freeze has two elements, as follows:

  1. The funds and economic resources of the listed individuals and entities are frozen.
  2. It is prohibited to make funds or economic resources available directly or indirectly to or for the benefit of the listed individuals and entities.

Both funds and economic resources are broadly defined in the EU Regulations which impose sanctions. In particular, economic resources are defined as “assets of every kind, whether tangible or intangible, movable or immovable, which are not funds but which may be used to obtain funds, goods or services”.

The wide scope of this definition is demonstrated by a practical example included in Frequently Asked Questions issued by the UK’s HM Treasury – namely, a bicycle which is loaned to a person who is included on a sanctions list. When the person is using the bicycle purely for leisure activities it is not an economic resource, but as soon as they use it to earn an income as a parcel courier, the bicycle is an economic resource, and the loan is prohibited.

The asset freeze operates to exclude particular individuals and entities from international trade and finance.

The various sanctions lists including the US Specially Designated Nationals (SDN) list1 and HM Treasury’s Consolidated List2 are available online in a number of different formats so companies can carry out their own manual screening. For businesses which engage in a large number of transactions with a large number of different counterparties, software companies offer automated screening, usually in real time, and with the use of sophisticated screening tools, tamper-proof records and other useful tools.

Because sanctions are a political tool, asset freezes are commonly imposed against senior politicians and military figures, such as Laurent Gbagbo (Côte d’Ivoire), Muammar Qadhafi (Libya) and Bashar Al-Assad (Syria).

In addition, because many sanctions programmes seek to change the behaviour of a regime by restricting the flow of revenue from commercial activities, asset freezes may also be imposed against commercial entities and those purely engaged in business activities. For example, with Iran we have seen banks, insurers, shipping companies, trading companies and port operators added to lists of sanctions targets. Likewise, in Ukraine-related sanctions, we have seen banks, airlines and ports added to lists of sanctions targets. We have also seen prominent businessmen such as Alexander Babakov (said by the EU to have “heavy investments in Ukraine and in Crimea”), Sergey Chemezov (Chairman of Rostec) and Arkady Rotenberg (owner of Stroygazmontazh) listed.

People who provide assistance or support to listed asset freeze targets may themselves be listed as asset freeze targets, with disastrous commercial effects. Businesses dealing with countries or people which are subject to sanctions must assess the reputational risks to which they and their employees may be subject.

The number of individuals or entities who are included on the list of sanctions targets will of course vary hugely from one sanctions programme to another. For example, in the summer of 2015, the EU sanctions list for Iran (Nuclear Proliferation) included almost 100 individuals and 500 entities and the EU sanctions list for Syria included over 70 individuals and over 200 entities. By contrast, the EU sanctions lists in respect of Egypt and Central African Republic included only 19 individuals and two individuals respectively.

The measures apply not only to the individuals and entities who are included on various lists of sanctions targets, but also to entities which they own or control. The US authorities have made clear that for their part, they will treat a company which is owned 50% or more in aggregate by one or more individuals or entities who are included on the SDN List as if the company was itself included. There is similar EU guidance, although it is less clear that the EU will aggregate shareholdings by multiple sanctions targets.

The number of listed individuals or entities will also vary under the same sanctions programme over time. The chart above shows the speed and regularity with which individuals and entities were added to, and removed from, the EU sanctions list in respect of Libya over a six month period from March to September 2011.

One of the attractions of sanctions to politicians is that they are dynamic. They provide scope to demonstrate continued disapproval of a particular regime, by adding names to a sanctions list, or to signal that a regime is moving in the desired direction, by removing names from a sanctions list.

Lists will change not only in response to political developments, as the sanctions are intensified or scaled back, but also as a result of challenges to the sanctions by individuals or entities which consider that they have been incorrectly listed.

At the UN, the Office of the Ombudsperson, currently Catherine Marchi-Uhel, reviews requests from individuals, groups, undertakings or entities seeking to be removed from the Al-Qaida sanctions list of the Security Council’s Al-Qaida Sanctions Committee.

In the EU, there is a significant body of case law involving successful challenges by individuals and entities, although in some cases the victory has been somewhat pyrrhic, as the entity has promptly been re-listed on alternative grounds.

Compliance with the various asset freezes raises a number of particular challenges by reason of three key elements, namely:

  1. The extent of the restrictions.
  2. The number of individuals and entities which are subject to the restrictions.
  3. The regularity and speed at which the lists change.

The EU asset freeze creates a strict liability offence. If funds or economic resources are made available to a listed individual an offence has been committed. There is, however, a defence where the person can show that they did not know or have reasonable cause to suspect that their actions would violate the sanctions.

Due diligence is key. That means know your counterparty, check that they are not subject to sanctions and document the checks you carry out.

Restrictions on goods and services

The restrictions on goods and services affect a wide variety of products. Some items are controlled because of their inherent nature, for example military items, equipment for internal repression, and dual-use goods. The last category includes items which are capable of both civilian and military use, such as specialist materials (for example, maraging steel, which is used in rocket and missile skins, as well as golf club heads) and specialist equipment (for example, marine systems such as direct current propulsion thrusters which are designed to operate at depths exceeding 1,000 metres).

However, one of the key challenges which arises in respect of complying with these restrictions is that the goods and services which are restricted can also include purely commercial items. Where that is the case, the restricted goods and services tend to vary from programme to programme.

For example, in the case of Syria, there is a prohibition on the supply to Syria of certain equipment, technology or software which may be used for the monitoring or interception of internet or telephone communications, as well as a prohibition on the supply of equipment/technology to be used in the construction/installation of new power plants for electricity production. In addition, outside of the usual commercial context, there is also a ban on the supply to Syria of certain luxury goods, including paintings, race horses, caviar and luxury watches.

The treatment of commercial items varies between different sanctions programmes because the sanctions target goods and services which are inherently innocuous, but which are a source of revenue for the sanctioned regime. This may be because they are significant exports, hence restrictions at various times on the export of crude oil, petroleum products and petrochemicals from Iran, and also on the export of timber, coal and precious stones from Burma/Myanmar. Likewise, it may be because they are imports which are necessary to support domestic industries which in turn generate income, for example, key equipment for the oil and gas industry being supplied to Iran or Russia, or logging and mining being supplied to Burma/Myanmar.

In addition, because the US extra-territorial sanctions also restrict trade in certain goods and services, it is important to be aware of the differences between the EU and US restrictions. As well as differences in the particular goods which are affected, with urea and coal the subject of US restrictions relating to Iran, but not included in the equivalent EU restrictions, the EU and the US also adopt different approaches to the same types of cargoes. This has an impact on the due diligence which needs to be conducted to determine whether particular goods or services are controlled or restricted by sanctions.

The EU sanctions commonly include annexes setting out the particular items which are restricted, usually by reference to the HS Code, the internationally agreed system of classification of traded goods pursuant to the HS Convention. Each product is given a HS Code, which follows a standardised numeric language (using six digits) common to all HS countries to identify that product. To take a practical example, the restrictions affecting the supply of aluminium to Iran apply to aluminium cargoes including those falling within EU HS Codes 7601, 7602, 7603, 7605 and 7606, but not to aluminium cargoes falling within HS Codes 7604, 7607 and 7608. This means that certain aluminium cargoes (including aluminium wire, plates, sheets and strip) are restricted and others (including aluminium foil, tubes and pipes) are not, but at least those engaged in this trade have the certainty of knowing that there is a list they can check, provided they have the HS Code.

By contrast the US sanctions often focus on the end use, rather than the particular cargo. For example, US extra-territorial sanctions against Iran in place in the summer of 2015 prohibit the supply of goods, services, technology, information or support which could facilitate the maintenance or expansion of Iran’s domestic production of refined petroleum products.

This can be a particular challenge for companies which are engaged in the international transport of goods because they are one stage removed from the sale, and may not have the necessary detailed information about the nature of the goods to determine whether the goods, or the intended use, give rise to cause for concern.

As well as restrictions on the sale, supply, transfer and export of goods, there are also bans affecting technical services and brokering services. The term brokering services is used in the context of EU controls on arms exports and specifically in restrictions relating to arms brokering, but is also used to support restrictions in the context of sanctions, including the bans on supply to Iran of certain equipment and technology for key sectors of the oil and gas industry and certain naval equipment and technology.

These restrictions have created difficulties because of the breadth of the definition of brokering services. The term includes not only the arrangement of transactions for the purchase, sale or supply of goods and technology (such as classic brokering by party C of a contract between party A and party B); but also the negotiation of such transactions, which is arguably wide enough to encompass the situation where party A and party B are themselves negotiating a contract, but it has not yet been concluded.

In circumstances where the contract between party A and party B, once concluded, would be unlawful, there seems little need to criminalise the mere negotiations – but that is at least one reading of the restrictions.

Restrictions on investment, financing and insurance

Legislators in the EU and US use those economies’ pre-eminence in certain fields (for example, banking, insurance and financial services) to reduce the ability of companies outside the EU and the US to trade with sanctioned regimes by restricting the ability of entities in the EU and the US to provide those services.

To take a practical example, if a shipowner in the Far East is prepared to allow his vessel to carry cargoes to a sanctioned country, the EU can limit his ability to do so by prohibiting his P&I club from providing insurance for the voyage.

In the case of Iran, the restrictions on insurance include bans on insuring certain trades, such as the transport of petroleum products (as opposed to crude oil). They also include bans on insuring Iran, its government and public bodies, and bans on insuring Iranian persons, entities or bodies other than natural persons. There are similar bans in place in respect of Syria.

There are also bans on investing in certain industries, such as Iran’s petrochemical industry and parts of Syria’s oil industry.

The restriction which arguably affects the greatest number of businesses and transactions is the requirement in the EU that all transfers of funds to and from any Iranian person, entity or body are processed in accordance with rules which mean that advance notice needs to be given to the regulator before certain payments can be made. Depending on the nature of the underlying transaction, the amount of the payment, and whether an Iranian bank is involved, the regulator may need to authorise the payment, even though no-one on a sanctions list is involved.

The most recent example of restrictions affecting the availability of finance is the so-called sectoral sanctions affecting a number of Russian financial institutions and other organisations, including Sberbank, Rosneft and United Aircraft Corporation.

The entities which are subject to these restrictions do not have their funds blocked in the way that entities included on sanctions lists do. Instead, the sectoral sanctions restrict the ability of EU and US companies (and others who are subject to EU and US jurisdiction) to deal with debt and equity issued by those Russian entities. The restrictions also affect the ability of EU and US companies to make new loans to those Russian entities, where the maturity of the loan exceeds certain fixed periods.

Even where transactions are not restricted in law by the trade sanctions, banks are in practice often unwilling to process transactions involving countries or persons which are subject to sanctions. Therefore, when a potential transaction involves such a country or person, it is very important to check that the payment route is secure. The currency used could be significant as use of US Dollars will mean that US trade sanctions could potentially apply, as all payments in US Dollars pass through the US banking system.

Facilitation and non-circumvention

Persons who facilitate or enable an infringement of sanctions, may themselves infringe sanctions. In addition, sanctions legislation typically includes anti-circumvention provisions which are widely interpreted.

Thus, for example, an EU parent company may be liable if a non-EU subsidiary performs a contract which the EU parent would be prohibited from performing under EU trade sanctions.

Mitigating the risks

Because of the issues which the asset freeze raises, businesses need to carry out detailed ‘know your customer’ (KYC) checks on their counterparties, including identifying their counterparties, shareholders and directors in order to ensure that they are not dealing directly or indirectly with or for the benefit of, a sanctioned individual or entity. That KYC must extend to any other involved parties such as banks and insurers.

Detailed records should be kept of the checks which are conducted, so that these can be produced to a regulator or court in the event of a sanctions breach, to show the process which was followed and demonstrate that due diligence was carried out.

Read More

Businesses need to understand the nature of the goods or transactions which they are supplying, shipping, financing or insuring, including any issues relating to the end use for which goods are being supplied and the risk of onward distribution to a sanctioned destination or sanctioned entity.

Another important element is ensuring that the business contracts on appropriate protective terms. For example, the business should consider requiring its counterparty to warrant that it is not included on a sanctions list and is not acting for or on behalf of someone who is. Likewise, they should consider obtaining a warranty that the transaction does not infringe sanctions and can be performed without exposing the business to a sanctions risk.

Standard clauses are available, for example, the BIMCO sanctions clause for time charterparties or LMAA 3100 for insurance contracts, but businesses should consider carefully whether these are adequate, or whether more bespoke wording is required.

Getting buy-in

‘Top level commitment’ is a phrase that is used when considering many risk and compliance programmes, and sanctions compliance is no different. Directors and officers should understand the potential consequences for the business, and themselves as individuals, of a sanctions violation, but they should also be aware of the potential competitive advantage and other benefits of a robust sanctions compliance programme.

Enforcement activity in the US, and the likelihood of more in the UK, provides more than enough scare stories to focus the minds of senior personnel. Most eye-watering, in terms of the fines imposed and settlements agreed, have been the large number of very high profile enforcement actions in the US against financial institutions. The table below lists some of those enforcement actions.

Read More

Enforcement date Institution Fine/settlement
August 2011 JPMorgan Chase Bank US$88 million
June 2012 ING US$619 million
December 2012 Bank of Tokyo-Mitsubishi US$8.5 million
December 2012 HSBC US$375 million
December 2012 Standard Chartered Bank US$132 million
December 2013 Royal Bank of Scotland US$33 million
January 2014 Bank of Moscow US$9.5 million
January 2014 Clearstream Banking US$151 million
January 2014 Clearstream Banking US$151 million
June 2014 BNP Paribas US$964 million
July 2014 Bank of America US$16.5 million
March 2015 Commerzbank US$259 million

US enforcement against banks and financial institutions

In addition, there has been significant enforcement against organisations other than financial institutions. This includes enforcement of US extra-territorial sanctions against an oil and gas company which sold cargoes of reformate to Iran and shipbrokers who were involved in a transaction by which an Iranian entity acquired a crude oil tanker, as well as agreed settlements with two US insurers who between them provided insurance, paid claims and provided security in breach of US sanctions against Iran, Cuba, Sudan and North Korea.

Even high profile companies can get it wrong. Paypal agreed to pay over US$7.5 million in March 2015 for failing to employ adequate screening technology and procedures. In particular, PayPal processed over 100 transactions to or from a PayPal account registered to an individual designated under the US sanctions blocking the property of weapons of mass destruction proliferators and their supporters.

When deciding what level of fine to impose, regulators will consider various mitigating and aggravating factors, such as self-disclosure, taking remedial actions and co-operating with the regulator. The absence of a sanctions compliance programme is one of the key aggravating factors, and will almost invariably result in increased penalties being imposed.

In its Summer Budget 2015, the UK Government announced that it would establish an Office of Financial Sanctions Implementation within the Treasury to help ensure that financial sanctions are properly understood, implemented and enforced. It also announced that it would legislate early in this Parliament to increase the penalties for non-compliance with financial sanctions.

Training and education are key. The restrictions are complex and businesses need to ensure that those on the front line not only understand them, but also appreciate the relevance of them to the business, and to their day to day activity.

Keeping it alive

Keeping the programme updated can be a challenge, and it is important to identify an individual or team which has responsibility not only for monitoring developments, and circulating relevant updates to the rest of the organisation, but also ensuring the policy itself is up to date.

The timeline here shows how frequently sanctio

Download Thought Leadership

Download a PDF version of ‘Sanctions special report: helping your business build an effective risk management programme, September 2015’