Many compliance professionals are familiar with OFAC (Office of Foreign Assets Control) and UN (United Nations) related sanctions but what is less known is that some of the measures within them are not too dissimilar to foreign policy efforts in 1806 by Napoleon Bonaparte, the French military leader. His policy, known as the Continental System/Continental Blockade, was aimed at the British and was one of the earliest attempts at comprehensive sanctions through his Berlin Decree. This embargo prohibited all trade and correspondence with Britain, including the confiscation of any vessel and goods arriving directly at French ports.
Sanctions, as we see them today, took shape following the 1945 Charter of the UN, specifically under Article 41 of Chapter VII, which gave the UN the ability to issue sanctions. One of the first to be issued was in the 1960s on Southern Rhodesia, known as Zimbabwe today.
Whether they are ‘targeted’ (at individuals/entities), ‘sectoral’ (relating to industry sectors) or ‘economic’ (aimed at countries), they can be used for a broad number of reasons. These range from driving foreign policy to constraining terrorism. The effectiveness of sanctions, particularly economic sanctions, remains a point of contention amongst some.
In recent years, there has been an ever-increasing use of sanctions. Measures are not limited to simple name additions to lists, and managing sanctions today can in fact be a complex and challenging affair. The modern sanctions compliance officer needs not only to know what sanctions are in force but also to have an understanding of the world in which we live today.
The Art of Circumvention
Countries such as the DPRK (Democratic People’s Republic of Korea), often referred to as North Korea, have found themselves under continually tightened sanctions and have become adept at sanctions circumvention. The March 2020 UN Security Council Panel of Experts report highlighted, amongst other things, that North Korea continues to access the international financial system. Methods included the use of shell and front companies, the use of diplomats and representatives based overseas and the continued use in recent years of cyberattacks and cryptocurrencies.
The cyberattacks, aimed at financial institutions and cryptocurrency exchanges around the world, can be difficult to detect and have become increasingly sophisticated, the Panel noted. It is not only such attacks that have allowed access to the financial system, despite significant sanctions. The report detailed simpler methods, and it is through these that financial institutions could easily be unwittingly processing transactions in violation of sanctions. In one example, a third party was used to obfuscate a payment relating to the purchase of luxury vodka. The owner of a human resources company, Aspen Resources Pte Ltd, paid $14,000 to a Belarus spirits manufacturer for a buyer named Hongkong Jiaming Industrial Co. When asked by the Panel about the transaction, Aspen Resources replied that their company is not involved in commercial trading and the payment in this case was for an acquaintance who “has problems paying out from China due to currency controls”.
Iran, another country that has faced significant sanctions, found itself subject to further restrictions in October 2020 by OFAC, which sanctioned eighteen of the country’s major banks and then went on to sanction its oil sector for links to terrorism and gasoline sales to Maduro’s regime in Venezuela. It was also implicated in the widely reported Halkbank case involving one of the largest banks in Turkey. The prominent case involved gold transactions which culminated, in part, in 2018 with the conviction in the United States of Mehmet Hakan Atilla. Atilla, a Halkbank executive, was accused of facilitating international gold trader Reza Zarrab’s complex money laundering and sanctions evasion scheme. Zarrab, along with others, was charged in 2016 with conducting transactions worth hundreds of millions of dollars on behalf of the Iranian government and entities.
Two diagrams drawn by Zarrab, which were included as exhibits in court documents in February 2018, painted an intimate picture of the complex network of transactions involving front companies and banks that allowed the scheme to take place.
Whereas North Korea may have resorted to more clandestine methods to evade sanctions, Iran has used convergence, particularly with Venezuela, another country that has found itself under tighter sanctions. Venezuela, which has been struggling to access finance, was said to have paid Iran in gold bars for technical assistance to revive its oil industry following sanctions. Nine tonnes valued at approximately $500 million was said to have been sent on Iranian flights using the country’s carrier, Mahan Air, earlier in the year. Iran-Venezuela relations stretch beyond recent sanctions related activity and an understanding of these types of relationships today can help compliance professionals, especially where sanctions risks converge with others such as terrorism and organised crime.
It is not only sanctions circumvention and evasion that organisations need to contend with. Management of sanctions programmes may sound simple in theory but there have been repeated practical failings, sometimes even on the basics.
Amazon.com, Inc’s recent settlement for sanctions shortcomings should serve as a note of caution for those not only in e-commerce but also in the growing FinTech industry.
The settlement amount was small at a mere $134,523 in July 2020 but Amazon found itself in OFAC’s spotlight for failings in what may appear to be the basics of a sanctions compliance programme. It was found that persons located in Crimea, Iran, and Syria had placed orders and conducted business on Amazon’s websites for goods and services where the transaction details indicated they would be provided to persons in Crimea, Iran, or Syria. It was also found that Amazon had accepted and processed orders on its websites connected to persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria – all countries widely known to have been subject to sanctions.
These failings were due to Amazon’s automated sanctions screening processes failing to take all transaction and customer data fully into account. For example, in some cases, orders had specifically referenced sanctioned countries, cities within sanctioned countries and common alternative spellings for sanctioned countries. Other examples included failure to spot orders shipped to the Embassy of Iran located in other countries and even failing to flag correctly spelled names and addresses of persons on OFAC’s SDN (Specially Designated Nationals) list.
Another small settlement this year was for $583,000 with OFAC in September 2020 by DBTCA (Deutsche Bank Trust Company Americas). The case highlighted the importance of not only getting the basics right but also the use of all relevant data in systems, as well as the need for compliance staff to exercise diligence.
In DBTCA’s case, not only did it fail to stop 61 payments that were sent to accounts at Krayinvestbank (a designated financial institution) because it had not added the bank’s SWIFT BIC (Business Identifier Code) to its screening system but the system was also calibrated so only exact matches to designated entities would flag for manual review.
In the same settlement, it was also detailed how DBTCA appeared to have violated Ukraine related sanctions when it processed a payment involving property interest of IPP (IPP Oil Products (Cyprus) Limited), an entity that was on OFAC’s SDN list. Although the payment instructions hadn’t made explicit reference to the name on the SDN list or a location subject to comprehensive sanctions, the payment was in relation to a series of purchases of fuel oil involving IPP. The settlement found that, at the time, DBTCA would have had reason to know that IPP had potential interest in the transaction connected to the payment it was processing, which tied in with the date of IPP’s designation by OFAC, due to the notice provided by the United States counsel of what was referenced as “a non-accountholder party (“the Entity”)”.
DBTCA was said to have accepted only a verbal assurance from the Entity’s United States counsel and processed the payment approximately one hour after the Entity first contacted DBTCA, without taking steps to independently corroborate the representations made by the Entity.
I have experienced first-hand how both complex and basic situations can be mismanaged in sanctions compliance if skill and due care are not taken.
At one bank, a payment in GBP from an individual in the UK to a business in the UK flagged a sanctions screening match on the word “Pomeranian” in the payment reference. The payment was initially suspected to be connected to Iran because the latter part of the word Pomeranian sounds similar to Iran. A Pomeranian is a fairly common breed of dog.
When asked for my opinion on the payment, after some basic checks, I concluded that the beneficiary was a well-established pet store in the UK (they even had Pomeranian dogs for sale on their website in the public domain), the remitter was a UK individual, and neither of the parties nor the payment had any ties to Iran. I had even questioned whether the match criteria within the system were correct. Despite this, another member of the compliance team instructed bank staff to ask further questions of the client (the remitter in this case) in order to ascertain if the payment related to Iran. The client confirmed the payment was for the purchase of a Pomeranian dog, just as I had already concluded.
Although the case involving the Pomeranian dog may appear to be anecdotal, only in September 2020, reports emerged that PayPal had stopped payments to merchants with references to the word “Tardigrade” in the product name or description. The Tardigrade is a microscopic animal and the seller in this case sold merchandise designed around it. “Tardigrade Limited” happened to be the name of an OFAC sanctioned entity connected to arms dealing. Simple diligence would have quickly shown a clear distinction between a merchant selling air fresheners and mints designed around a tiny animal and an arms dealing entity.
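The screening failures in the Amazon and DBTCA settlements and the “Pomeranian” false positive are two ends of the same calibration problem. The sketch below is an added example, not code from any institution named in this article: the watchlist, the placeholder BIC, the sample records and the use of Python's `difflib` similarity ratio are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist for illustration. The BIC is a placeholder,
# not the real code of any institution.
LISTED_NAMES = ["Krayinvestbank", "IPP Oil Products (Cyprus) Limited"]
LISTED_BICS = {"EXMPRU2AXXX"}
# Country terms, including one constructed alternative spelling ("krym").
COUNTRY_TERMS = ["iran", "syria", "crimea", "krym"]


def tokens(text):
    """Lower-case alphanumeric tokens, so punctuation and case cannot hide a term."""
    return re.findall(r"[a-z0-9]+", text.lower())


def similar(a, b):
    """Similarity in [0, 1]; 1.0 means the two strings are identical."""
    return SequenceMatcher(None, a, b).ratio()


def screen(record, threshold=0.85):
    """Screen every field of a payment or order; return (field, reason) hits."""
    hits = []
    for field, value in record.items():
        toks = tokens(value)
        # Identifiers such as BICs are compared exactly on the 8-character
        # institution prefix, independently of any name match.
        if field.endswith("bic") and any(value.upper()[:8] == b[:8] for b in LISTED_BICS):
            hits.append((field, "listed BIC"))
        # Country terms are compared token by token against each listed term.
        for term in COUNTRY_TERMS:
            if any(similar(t, term) >= threshold for t in toks):
                hits.append((field, f"country ~ {term}"))
        # Listed names are compared against sliding windows of equal token length.
        for name in LISTED_NAMES:
            want = tokens(name)
            windows = (toks[i:i + len(want)] for i in range(len(toks) - len(want) + 1))
            if any(similar(" ".join(w), " ".join(want)) >= threshold for w in windows):
                hits.append((field, f"name ~ {name}"))
    return hits


# Constructed sample records.
misspelt = {"beneficiary_name": "Krajinvestbank", "beneficiary_bic": "EXMPRU2A"}
dog = {"remitter": "A. Customer", "reference": "Pomeranian puppy deposit"}
order = {"ship_to": "Embassy of Iran, 1 Example Road", "item": "printer ink"}
```

With `threshold=1.0` (exact matches only) the misspelt bank name is caught solely by its BIC, and with a very loose threshold such as `0.4` the dog payment is flagged against “iran”; the default sits between the two.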
Whilst the above examples are basic in nature, I have worked on other more complex cases and the following are some examples of guidance I have given to sanctions compliance professionals in managing more complex scenarios.
Individuals, entities and countries under sanctions will not typically approach a financial institution to open an account. They have become adept at circumvention and evasion techniques, so only checking against sanctions lists may not be sufficient in itself. Although it is common knowledge that certain trade and maritime transactions may pose higher sanctions risks, capital markets-related transactions can also pose risks and sometimes it may become difficult to unwind trades or positions. It is important to know not only what sanctions are in place but why they have been instituted – this may expose previously unknown or unaccounted for risks.
A closer partnership between AML (Anti-Money Laundering) and sanctions compliance professionals may aid in managing risks across both disciplines better, as both can cross paths. As part of due diligence efforts in sanctions compliance, you may have the benefit of seeking clarifications and asking further due diligence questions, something that may not always be afforded to AML professionals where there may be a material risk of tipping off, depending on the circumstances.
Sanctions have come a long way since the Napoleonic Wars. Increased access to data and technology, both for those imposing sanctions and those that become sanctioned, means that not only are the threats and risks evolving but so are the means to manage them.
The continued mainstream adoption of Virtual Assets, both from a user as well as regulatory perspective, has potential for increased instances involving sanctioned individuals, entities or countries. In August 2020, The U.S. Department of Justice (DOJ) filed a civil forfeiture complaint against 280 cryptocurrency accounts connected to hacks of exchanges by North Korea. In the same month, the DOJ also made its largest ever seizure of cryptocurrency accounts connected to terrorists. From Bitcoin remittances in the United States to Cuba using a clandestine network of “crypto enthusiasts” converting to local currency using a Cuban exchange called BitRemesas to Venezuela’s DeFi (Decentralised Finance) platform, BDVE, which aims to bypass sanctions, cryptocurrency could prove to be a popular choice for sanctions circumvention attempts.
Both the United States and the EU recognise the threat of cyberattacks, which can have an impact not only on the economy but also on national security. The United States put in place a regime related to cyber threats as far back as 2015 from a sanctions perspective, with the EU following suit some years later in 2019.
In July 2020, the EU (European Union) imposed its first ever cyber sanctions against six individuals and three entities related to cyberattacks. Then in October 2020, both the EU and UK imposed sanctions against two individuals and one entity in relation to a cyberattack against the German Parliament in 2015. Cyber-related sanctions have not been limited to Europe. Also in October 2020, the United States designated a Russian government research institution which was said to be connected to malware attacks.
The modern-day sanctions compliance professional should not only know what sanctions are in force but, importantly, should keep up to date with geopolitics, world events, commerce, trade and technology – they can all be intertwined with sanctions risks.