Open access peer-reviewed chapter

Perspective Chapter: Models of Sanctions Compliance and Regulatory Expectations

Written By

Denis Primakov

Submitted: 07 July 2022 Reviewed: 17 August 2022 Published: 10 October 2022

DOI: 10.5772/intechopen.107133

From the Edited Volume

Corruption - New Insights

Edited by Josiane Fahed-Sreih

Chapter metrics overview

280 Chapter Downloads

View Full Metrics

Abstract

This article is devoted to the analysis of models of sanctions compliance in different countries. In the first part, I discuss the definition of sanction compliance. Concept compliance is an institution of private law, it is a mechanism (function, system, and culture) of self-regulation for companies, and the methodology of compliance risk management is based on a risk-based approach stemming from different corporate governance and culture. A comparative methodology is based on three criteria: 1) principles of compliance; 2) the ability to interact with regulators and the ability to exclude themselves from sanctions (delisting); and 3) methods of appeal. In paragraph 1.2, I concisely describe models under the above-mentioned criteria of sanctions compliance in the US, the UK, the EU, Germany, and Russia. I carry out a comparative analysis of various models. Each of these models of sanctions compliance has its own specifics.

Keywords

  • sanction compliance
  • regulation
  • interaction
  • regulatory expectations
  • countersanctions

1. Introduction

1.1 Definition of sanctions compliance

The Basel Committee first defined the compliance function as:

“An independent function that identifies, evaluates, advises, monitors, and prepares reports on compliance risk, defined as the risk of legal or regulatory sanctions, financial losses, and reputational damage that may be incurred by the bank as a result of its failure to comply with legislation, regulation, code of conduct, and standards of good practice” [1].

Compliance is based on risk identification and assessment, self-assessment, and a compliance audit. In our case, sanction compliance builds corporate procedures for identifying and managing sanction risks. See in the Webster dictionary: compliance: “conformity in fulfilling official requirements.”

If we abstract from the literal translation of compliance as “compliance” and extrapolate it to the differentiation of ways of implementing the rule that is familiar to Russian lawyers, then compliance refers to the way of implementing this rule as “compliance”/“execution” of the rule. Unlike law enforcement and legislative activities, the method and scope of compliance are determined by the company itself. Thus, sanction compliance is a voluntary corporate activity of commercial sector organizations.

Compliance is an institution of private law, a mechanism (function, system, and culture) of self-regulation for companies, and the methodology of compliance risk management is based on a risk-based approach, stemming from different corporate governance and culture. The government (regulatory body) can only set its framework for voluntary compliance, in which it expresses its expectations on ways to comply with the legislation and its enforcement.

At the same time, the compliance documents should reflect the state’s expectations in relation to the company’s compliance with the law.

Companies are concerned about three aspects:

  1. Principles of compliance.

  2. The ability to interact with regulators and the ability to exclude themselves from sanctions (delisting); and

  3. Methods of appeal.

1.2 The U.S. sanction compliance model

The United States has historically been a champion of imposing sanctions restrictions and regimes [2]. As a result, this activity affects the functioning of financial institutions around the world, who adapt their policies, to match the expectations of the American regulators, which gives rise to the phenomenon of the “Americanization of compliance” [3]. Banks spend $270 billion per year on compliance. Some 10% or more of most bank operating costs can be attributed to compliance, and some estimates have regulatory costs doubling by 2022 [4]. Therefore, it is reasonable to start studying models of sanction compliance in this country.

The general approach to corporate compliance is expressed in a document of the Criminal Division of the U.S. Department of Justice called the “Evaluation of Corporate Compliance Program,” [5] which was published on April 30, 2019. This is the second edition of this document originally issued in 2017. This document is intended for prosecutors who evaluate the effectiveness of corporate compliance policies by answering three questions: 1) whether the compliance program is well designed, 2) whether the program is effectively implemented, and 3) whether the program works in practice.

Although the document deals generally with corporate compliance, and the principles of performance evaluation can be applied to different types of compliance, the subject of this document is the evaluation of anti-corruption programs. This conclusion can be made since the creator and addressee of the document are employees of the prosecutor’s office, which has criminal and civil jurisdiction over companies found to have violated the FCPA.

Two days after the evaluation was published on May 2, 2019 [6], the main US regulator in the field of sanctions, The Office of Foreign Assets Control (“OFAC”), published its “A framework for OFAC compliance commitments” (hereinafter – “The Framework”) [7]. From this point on, we can talk about separating sanction compliance into a separate object, which requires a special methodology.

Long before the publication of this document, experts noted problems in the communications of the agency, especially on issues of extraterritorial application. Paul Lee notes:

“The U.S. authorities failed to articulate and communicate at an early stage their expectations for extraterritorial compliance with OFAC sanctions. This failure in the 1980s and 1990s may have stemmed from policy differences among departments in the U.S. Government as to the appropriate extent of extraterritorial application, particularly as to a foreign bank’s clearing of U.S. dollars for transactions between non-U.S citizens and sanctioned countries. The U.S. Treasury Department began in 2005 to articulate a view on the appropriateness of clearing in US dollars for such transactions, it would have been appropriate for the Treasury Department–at least for retrospective enforcement t purposes–to recognize the air of benign neglect that surrounded these issues for many years” [8].

One of the essential reasons for the publication of this framework was the Exxon Mobil case (See: Exxon Mobil Corp vs. Steven Mnuchin, U.S. District Court of Northern District of Texas/CIVIL ACTION № 3:17-CV-1930-B. December 31, 2019), in which the court concluded that OFAC did not provide a clear explanation of the regulation (“fair notice of its interpretation”) [9]. The decision on December 31, 2019, provides an analysis of OFAC’s explanations of sanctions restrictions. The FAQs section administered by OFAC is “a part of OFAC’s commitment to regulatory transparency” [9, 10, 11, 12, 13]. As of June 2022, over 1000 questions were answered. But these FAQs, like the clarifications provided under general and special licenses, did not give an overall picture of the regulator’s expectations.

  1. Voluntary-compulsory compliance

The main expectation of the U.S. regulator of sanction compliance is voluntary-compulsory compliance, which is the implementation of the carrot-and-stick approach [10] mechanism, which applies to legal entities at the level of state regulation.

The first element of expectations is voluntariness. In the context of compliance, the English concept of “commitment” differs from “requirement” in that it is a voluntary commitment by a company to follow the rules, as opposed to an external requirement imposed by the state. ISO 19600: 2014 Compliance management systems — Guidelines P. 3.15 stipulates “compliance commitments” are requirements that an organization chooses to comply with.” Compared with P.3.14, which stipulates the following: “compliance requirements” are a requirement that an organization has to comply with” [11]. The framework explains:

“OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP)” [7, 8, 9, 10, 11].

On the one hand, it is assumed that this is just a recommendation; on the other hand, a rather long list of subjects who are strongly advised to implement sanctions compliance is provided:

  • All American companies (U.S. persons).

  • Foreign legal entities that conduct business in the United States or have American counterparties/partners.

  • All persons who use goods of American origin or use the services of American companies or American individuals. (For instance, 31 CFR § 560.205).

Moreover, transactions made in U.S. dollars may be subject to OFAC review, since the use of the U.S. financial system to circumvent sanctions is prohibited. This is explained in paragraph V of the root causes section:

“Many non-U.S. persons have engaged in violations of OFAC’s regulations by processing financial transactions (almost all of which have been denominated in U.S. Dollars) to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned country, region, or person. Although no organizations subject to U.S. jurisdiction may be involved in the underlying transaction, such as the shipment of goods, from a third country to an OFAC-sanctioned country—the inclusion of a U.S. financial institution in any payments associated with these transactions often results in a prohibited activity (e.g., the exportation or re-exportation of services from the United States to a comprehensively sanctioned country, or dealing in blocked property in the United States). OFAC has generally focused its enforcement investigations on persons who have engaged in willful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-U.S. or U.S. financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization’s management, caused significant harm to U.S. sanctions program objectives, and were large or sophisticated organizations” [7, 8, 9, 10].

In this regard, one expert notes: “The compliance framework, therefore, explained that the use of U.S. dollars may “often” result in a prohibited activity, such as the export of services, to a sanctioned country, but the framework did not reach the issue of whether a blanket prohibition is in place against the use of U.S. dollars in transactions with sanctioned entities, both for the U.S. and foreign parties” [12].

In a Deferred Prosecution Agreement, 2010 between OFAC and the British Barclays Bank PLC (United States v. Barclays Bank PLC, No. 10-CR-00218-EGS), it is stated that the bank’s criminal actions are more than a deception of U.S. financial institutions–they threaten the security of the American state.

Such language shifts the burden of decision-making on compliance with sanctions restrictions into commercial entities, including non-U.S. entities.

Now let us move on to the second element-enforcement of compliance. The framework stipulates that the sanctions compliance program should consist of five mandatory elements:

  1. Management commitment;

  2. Risk assessment;

  3. Internal controls;

  4. Testing and auditing; and.

  5. Training.

The five mandatory elements of the OFAC Program are identical to the five COSO elements [13, 14, 15, 16, 17, 18, 19, 20]:

  1. Control environment.

  2. Risk assessment.

  3. Control activities.

  4. Information and communication; and

  5. Monitoring.

The first mandatory element of the program–the commitment of the management, contains the obligations of the company’s management in relation to the following:

  • Allocation of adequate resources.

  • Implementation of sanctions compliance processes in current operational activities.

  • Support and formalization of the sanction’s compliance program.

  • Creating reporting channels; and

  • The ability of the sanctions policy to have oversight over the actions of the entire organization, including those of senior management.

The second mandatory element is risk assessment. Unlike other similar documents, OFAC has taken an innovative approach to the problem of risk assessment. First, it described the fact that risks can come from customers or buyers, products or services, logistics, intermediaries, counterparties, transactions, and/or geographical locations, so each company should have its own risk assessment (saying “no one size fits all approach”).

Second, the company must conduct its own periodic assessment of potential risks, and OFAC determines two events where risk assessment is mandatory: when initiating a transaction (on-boarding), and during mergers and acquisitions (M&A). Third, OFAC provides an OFAC risk matrix for financial institutions [14] based on the risk matrix of the guidelines for the implementation of the Anti-Money Laundering Act of 2005 [15].

However, the risk matrix includes not only indicators of sanctions risks for financial institutions (Sanction A), but also indicators for evaluating the effectiveness of the compliance program (Sanction B). Thus, OFAC defines low-risk criteria as:

  1. Management has fully assessed the bank’s level of risk based on its customer base and product lines. This understanding of risk and a strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.

  2. The board of directors, or a board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate and consistent with the bank’s OFAC risk profile.

  3. Staffing levels appear adequate to properly execute the OFAC compliance program.

  4. Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.

  5. Training is appropriate and effective based on the bank’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.

  6. The institution employs strong quality control methods.

  7. Compliance considerations are incorporated into all products and areas of the organization.

  8. Effective policies for screening transactions and new accounts for specially designated nationals and blocked persons (SDNs) and sanctioned countries are in place. These policies consider the level of risk of the type of transaction being screened.

  9. Compliance systems and controls effectively identify and appropriately report potential OFAC violations. Compliance systems are commensurate with risk. Records have retained that document such reporting.

  10. On a periodic basis, determined by the bank’s level of risk, all existing accounts are checked to ensure that problem accounts are properly blocked or restricted, depending on the requirements of the relevant sanctions program.

  11. Compliance systems and controls quickly adapt to changes in the OFAC SDN list and country programs, regardless of how frequently or infrequently those changes occur.

  12. Independent testing of a compliance program’s effectiveness is in place. An independent audit function tests OFAC compliance regarding systems and training.

  13. Problems and potential problems are quickly identified, and management promptly implements meaningful corrective action.

  14. Overall, appropriate compliance controls and systems have been implemented to identify compliance problems and assess performance [14].

In other words, the effectiveness criteria of the sanctioned compliance system are defined by the regulator in the program and are part of it.

Enforcement of these five elements is made through “compliance” section in the regulatory documents. At the end of settlements with violated companies, two sections began to be added. The first reference section called “Compliance considerations», which briefly provides an analysis of what compliance measures (mechanisms) the company should have used to avoid a violation or analyzes that errors in the compliance system led to the violation. The second reference section is “OFAC Regulatory and Compliance Sources,” which provides a link to this program.

For example, in an agreement with Amazon (Amazon.com Inc. Settlement. July 8, 2020) in the section “Compliance considerations”, the following explanation is given as to why the company did not properly check the spelling of geographical locations that are under sanctions (the examples of Crimea and Cuba):

“This case demonstrates the importance of implementing and maintaining effective risk-based sanctions compliance controls, including sanctions screening tools appropriate for e-commerce and other internet-based businesses that operate on a global scale. Such large and sophisticated businesses should implement and employ compliance tools and programs that are commensurate with the speed and scale of their business operations. Global companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues, such as common misspellings. Routine testing of these processes to ensure effectiveness and identify deficiencies may also be appropriate. Moreover, companies that learn of a weakness in their internal compliance controls may benefit by taking immediate and effective action, to the extent possible, to identify and implement compensating controls, until the root cause of the weakness can be determined and remediated” [16].

In appropriate circumstances, OFAC may refer the matter to appropriate law enforcement agencies for criminal investigation and/or prosecution. Apparent sanctions violations that OFAC has referred for criminal investigation and/or prosecution also may be subject to OFAC civil penalty or other administrative action. Criminal procedures under the Department of Justice, and criminal liability are also mentioned in the International Emergency Economic Powers Act (IEEPA) 50 U.S.C. 1705(c).

The agreements that OFAC has the right to sign with companies are one of the types of “transactions with an administrative authority” (as opposed to an agreement with criminal charges–a deferred prosecution agreement). An OFAC agreement is made under certain conditions: the payment of a civil fine and the implementation of a compliance system. At the same time, it is specifically stipulated in the Economic Sanctions Enforcement Guidelines (Appendix A to 31 C.F.R. Part 501) that the fine can be reduced by 20–40% if the company did not voluntary disclose a violation but cooperated during the investigation [19].

The mandatory implementation of the five elements of sanctions compliance is reflected not only in the abovementioned references to the agreements but also in the section on corrective measures for the legal entity. For instance, in the agreement with the Italian bank UniCredit, the regulator prescribes the introduction of five mandatory elements of sanctions compliance [17].

The Appendix A to Chapter 501 (Reporting, Procedure, and Penalty Regulation) Code of Federal Regulation states fines for violations. If the OFAC Framework states that best practices are those that involve senior management in the adoption of a sanctioned compliance program and allocate the necessary resources for this. The instructions state that one of the aggravating circumstances when punishing violations of sanctions restrictions is the involvement of the company’s management in sanction violation. This is the way how the carrot-and-stick approach has been implemented [19].

  1. Voluntary reporting

The second expectation of the regulator is the voluntary nature of reporting. The American model of compliance is based on encouraging voluntary reporting of violations, and this is a continuation of the practice developed based on the example of anti-corruption compliance, for instance, 9-47.120 - FCPA Corporate Enforcement Policy [18].

So, Appendix A to 31 C.F.R. Part 501, App. A §|I(I). say the following:

Voluntary self-disclosure means a self-initiated notification to OFAC of an apparent violation by a subject person that has committed, or otherwise participated in, an apparent violation of a statute, executive order, or regulation administered or enforced by OFAC, prior to or at the same time that OFAC, or any other federal, state, or local government agency or official, discovers the apparent violation or another substantially similar apparent violation” [19].

In the agreement with Airbnb Payments, Inc. dated January 3, 2022, OFAC justifies the reduction of the civil monetary penalty by stating that Airbnb Payments voluntarily self-disclosed the apparent violations, and the apparent violations constitute a non-egregious case [20].

OFAC may refuse to file claims against a company that voluntarily reports a violation. This is similar to the Declinations Agreement, which the Department of Justice implements under FCPA. [See: Corporate Enforcement Policy, Justice Manual 9-47.120 and Principles of Federal Prosecution of Business Organizations, JM 9-28.300], or when still pursuing, voluntary reporting is considered when calculating the fine [21].

The regulator’s expectation of voluntary reporting reflects the state’s desire, on the one hand, to facilitate limited departmental efforts (“procedural savings”), on the other hand, as a continuation of procedural savings, to reduce budget funds [22].

  1. International cooperation and participation of lawyers in sanctions risk assessment

With respect to existing compliance programs, for infringing companies that are incorporated in foreign jurisdictions, paragraph III (E) of the Annex establishes the principle of interaction between regulators in different countries regarding the evaluation of the effectiveness of a compliance program.

OFAC considers “the existence, nature, and adequacy of a subject person’s risk-based OFAC compliance program at the time of the apparent violation, where relevant. In the case of an institution subject to regulation where OFAC has entered a Memorandum of Understanding (MOU) with the subject person’s regulator, OFAC will follow the procedures set forth in such MOU regarding consultation with the regulator regarding the quality and effectiveness of the subject person’s compliance program. Even in the absence of an MOU, OFAC may take into consideration the views of federal, state, or foreign regulators, where relevant. Further information about risk-based compliance programs for financial institutions is set forth in the annex hereto” [22].

Regarding the compliance function and the provision of consulting services in the field of sanctions restrictions, OFAC back in 2017 prepared a short guidance of the provisions of certain services relating to the requirements of US sanctions laws, according to which the US person can:

  1. Provide advice to third-party unauthorized countries and be in any role, including compliance specialist.

  2. Express an opinion on the legality of individual transactions in accordance with U.S. restrictions. Also, they can request information from sanctioned individuals and conduct research on the legality of transactions [23].

Unlike the British document, the American document says nothing about client-attorney privilege (“attorney-client privilege”), but most likely this principle does not require additional references.

Thus, the principles (expectations) can be distinguished by a state approach to sanctions compliance in the United States. The first principle is the voluntary enforcement nature of the company’s compliance obligations, and the second principle is the encouragement of voluntary reporting. The third principle is the active application of civil and administrative penalties. The fourth principle is the proportionality of sanctions restrictions to business opportunities.

This principle is reflected in the U.S. Treasury Department’s Sanctions Report for 2021. Among the goals of improving sanctions regulation, it lists: “Proportionality of sanctions to reduce unforeseen economic, political and humanitarian costs.” In specific, it says the following:

“Treasury should seek to tailor sanctions in order to mitigate unintended economic and political impacts on domestic workers and businesses, allies, and non-targeted populations abroad. This will protect key constituencies and help preserve support for the U.S. sanctions policy. For example, U.S. small businesses may lack the resources to bear the costs of sanctions compliance while competing with large companies at home and abroad; uncalibrated sanctions could unnecessarily lead them to turn down business opportunities in order to avoid these costs. Better tailored sanctions can help avoid these costs and maintain the competitiveness of U.S. businesses” [24].

The program did not mention the functioning of an independent monitor, which evaluates the company for the effectiveness of compliance measures for a certain period. For example, the New York State Department of Financial Services in 2012, pending the decision to revoke the license of Standards Chartered Bank in New York for transferring transactions to the sanctioned bank of Iran. An independent monitor for 2 years has been appointed as an interim measure [See more Consent Order Under New York Banking Law §§ 39 [25]. The New York State Financial Services Act § 206(c) provides for the right to monitor bank accounts.

1.3 The UK sanctions compliance model

The UK sanction compliance model is based on the Sanction and Money Laundering Act, 2018 [26] and falls under other UK legislation, such as the Export Control Order, 2008, and the Anti-Terrorism, Crime and Security Act, 2001, which regulates issues related to sanctions (types of sanctions), law enforcement, and regulating countering money laundering by criminal means.

The explanatory note to the draft law explained that, after the UK leaves the EU, the UK will be unable to continue to use the European Communities Act of 1972; therefore, the UK will need a domestic framework of powers to continue to meet its international obligations to implement U.N. sanctions. Without this, the UK will be in breach of international law [27].

With the provision of the law, the Ministry of Finance created the Office of Financial Sanctions Implementation (OFSI), which prepared in December 2020 “General guidance on financial sanctions under the Law on Sanctions and Countering Money Laundering.” (hereinafter–the “Manual”[28]) As stated in the preface, this document prescribes the “obligations” of the submitted documents. It also reflects OFSI’s approach, OFSI to licensing and compliance.

While the American model pays attention to voluntary reporting, the British office separately imposes an obligation on “relevant companies” to inform them about suspicious individuals and transactions. “Relevant companies” include the following entities: banking and credit organizations, exchange offices, auditors, companies, and/or persons who provide advice in notary services, taxes, real estate services, holders of casino licenses, and those who are associated with the trade of precious metals. Therefore, British law combines two areas: sanctions and anti-money laundering–the arsenal of legal tools is built into the logic of anti-money laundering and FATF standards.

In relation to direct compliance, OFSI is built on a holistic approach, and the agency promotes compliance by publishing information about financial sanctions, and through interaction with companies.

Unlike in the United States, one type of response to a company that has violated a financial sanctions law is the DPA–Deferred Prosecution Agreement. This type of court agreement is well known in the American, British, and French anti-corruption practice (in French law SAPIN II it is called Convention Judiciaire d’Intérêt public). A characteristic feature of this type is that the agreement is approved by the court (as opposed to a noncriminal agreement–Non-prosecution Agreement) and it is based on encouraging the company to engage in positive post-criminal activities, establishing a zero tolerance to corruption, maintaining a full-fledged compliance system, and external supervision of the company in the form of an independent monitor.

However, the British approach has its own logic in assigning penalties for violations of the law. Criminal liability is divided into two types: imprisonment of up to 7 years for individuals in accordance with the Policing and Crime Act, 2017 of 2017, and DPA–for legal entities. Civil liability is implemented through serious crime prevention orders (SCPOs) for individuals and legal entities and fines. Consequently, only the DPA acts as a criminal law enforcement mechanism for companies, but it is not clear what methods of coercion will be applied to legal entities in case of violation of the terms of the DPA.

The next source for sanctioned compliance is the guide on penalties for violations of financial sanctions, adopted pursuant to Section 149 (1) of the British Act, which requires the supervisory authority to develop guidelines on the procedure for assigning fines and determining their amount (last updated in June 2022) [29].

In this document, OFSI says that the agency follows a holistic approach to compliance with financial sanctions, which covers the entire life cycle of compliance: “This means that we take a comprehensive approach to ensuring compliance with the regime, rather than just waiting for the law to be broken and then only responding to the a violation» [29].”

This approach consists of a combination of compliance and enforcement and covers four activities:

  • The regulator promotes compliance, publicizing financial sanctions, and engaging with the private sector. An effective compliance approach promotes compliance by reaching the right audiences through multiple channels, with messages that they can understand and respond to.

  • The regulator enables compliance by simplifying procedures and providing guidance and alerts that will help individuals and companies fulfill their own compliance responsibilities. An effective compliance approach enables cost-effective compliance, makes it easy to comply, and minimizes by designing the opportunities for noncompliance.

  • The regulator stops noncompliance by intervening to disrupt attempted breaches and by tackling breaches effectively. An effective compliance approach responds to noncompliance consistently, proportionately, and transparently, considering the full facts of the case, and learns from experience to continuously improve responses.

  • The regulator does all this to change behavior by directly preventing future noncompliance by the individual and more widely through the impact of compliance and enforcement action [29].

If the principles of inevitability, proportionality, transparency of procedure, and subjective imputation can be found in criminal proceedings, then the fixed approach, interaction or mutual influence of compliance, and law enforcement practice, reflect the latest theoretical developments in the field of compliance.

For example, in the work “Compliance Revolution: how compliance must change to survive,” [30] the author notes: “The goals of the regulator are rarely unreasonable, but regulators have little practical experience in how to implement measures effectively and in a balanced manner. On the contrary, compliance has the extensive practical experience but is removed from the development of a political program. Naturally, it is ideal when there is a combination of a dynamic learning process between the law enforcement officer and the companies, but this requires the appropriate infrastructure, trust, and extensive practice” [30].

The UK’s Joint Anti-Money Laundering Steering Group (JMLSG) has also issued guidance providing best practice recommendations for internal compliance programs [31]. The JMLSG guidelines aim to provide insight into the types of controls and processes that firms can adopt, in order to comply with sanctions obligations in an effective and proportionate manner. The guidelines emphasize that companies should take a case-by-case approach to their sanctions policies and procedures, and carefully consider the specific types of risks that their institution may face. Companies should have a sanctions policy that is clearly defined and documented, as well as supported by a regular employee training program. In addition, senior management and/or the board of directors should understand the company’s obligations and be responsible for the firm’s compliance policies and procedures [32].

The Regulatory Handbook (FCA Handbook) 2018 edition of the Financial Institutions Regulatory Authority (FCA) [33] contains a section on financial sanctions. Section 8 recommends that the company’s senior management be sufficiently aware of the firm’s financial sanctions obligations, that firms consider in which areas of their business they are most likely to provide services or resources to sanctioned entities or individuals, and that firms should have a state-of-the-art verification system appropriate to their business, and that firms should have procedures in place to determine where name matches resulting from verification processes are real, and that systems and controls should address proliferation risks.

Analysis of standards: Both the FCA Handbook and the JMLSG Manual JMLSG show that they are identical in compliance principles:

  • Management tone (commitment to compliance),

  • Risk assessment,

  • Due diligence (compliance controls),

  • Compliance procedures (availability of policies), and

  • Employee training.

In a statement “Reporting sanction evasions” published on 17 May 2022, the FCA announced a new reporting tool, akin to a whistleblower hotline, this is designed to facilitate the voluntary reporting of sanctions evasion issues or weaknesses in sanctions controls by firms or persons listed on the FCA’s registers, or companies with the UK listed securities. The FCA has called for information about:

  • Any suggestion that a firm has poor sanctions controls,

  • Actual or suspected breaches of the UK sanctions regime, and

  • The methods believed to be used by firms or individuals to breach the UK sanctions regime [34].

This new tool aligns with the concerted approach taken by the UK to strengthen its sanctions and enforcement regime in response to Russia’s invasion of Ukraine. As set out in a joint statement from the Office of Financial Sanctions Implementation (OFSI), the Financial Conduct Authority (FCA), and the Bank of England published on 11 March 2022 on sanctions and the cryptoasset sector [35], the UK regulators have announced their broad intention to work with the government and law enforcement, to share intelligence and prevent sanctions evasion. As the FCA explains in the notice, it will carefully consider any information it receives and use it to “help build up a picture of conduct risk or inform how we develop policy and work with partners to assist the UK enforcement of sanctions” [35].

The tool allows reports to be submitted anonymously, including by (i) individuals in relation to a current or previous employer; (ii) an authorized firm in relation to its own issues; and by (iii) a firm or professional with information about the conduct of another firm or individual. The question is whether it will encourage a series of potentially disgruntled current or former employees to make reports.

The new reporting tool aims to collate information relating not only to suspected or actual sanctions breaches but also to any methods that are being used to breach UK sanctions and “any suggestion that firms have poor sanctions controls.”

This last category is broadly worded but could trigger reports in relation to perceived weaknesses in the internal sanctions policies and procedures of regulated firms, the adequacy of training on sanctions policies and procedures, etc.

Voluntary reporting to the FCA through the above channels does not satisfy any duties arising out of the Proceeds of Crime Act, 2002 or the Sanctions and Anti-Money Laundering Act, 2018. In a joint statement with OFSI and the Bank of England, the FCA urged that where transactions give rise to concerns about sanctions evasion or money laundering firms should also consider their obligations to report to the UK Financial Intelligence Unit (UKFIU) at the National Crime Agency under the Proceeds of Crime Act, 2002 [35].

An additional source of sanctions compliance is the Compliance Code of Practice 2010, the subject of which is control procedures in the field of strategic exports [36]. This document highlights the following elements of the compliance program:

  1. Commitment to compliance.

  2. Appointment of responsible persons.

  3. Information and training.

  4. Compliance procedures.

  5. Check.

  6. Recording checks.

  7. Audit.

  8. Integration with effective management practices.

The British model of sanctions compliance is based on an integrated approach and seeks to combine law enforcement practices and compliance with regulatory norms on the part of companies. The British regulator has come to realize that effective compliance, that is, compliance with sanctions restrictions by companies, can be requested when the rules are clearly defined, information is brought to relevant groups, and there is a simple and clear procedure for obtaining permits and appealing. It is economically cheaper for the regulator to prevent a violation, than to work with the result of a violation, thus compliance as prevention. The British model demonstrates the transition from the carrot-and-stick approach to the holistic approach.

1.4 Sanctions compliance model in the EU and Germany

1.4.1 The EU

At the EU level, we can observe gradual changes in the regulatory approach. This is evident both in the level of greater detail of the norms, as well as in the approach to awareness and clarification. In 2008, the Committee of Permanent Representatives (COREPER II) prepared an updated report, “On best practices in implementing restrictive measures” [37]. Despite the fact that the addressee of this document is the competent authorities of the EU countries, the described problems in identifying sanctioned entities, obtaining licenses, delisting, and asset freezing (administrative and judicial), give companies an idea of regulatory wishes.

The release of this report coincided with the decision of the EU Court of Justice in the Yassin Kadi case of 2008, which was the first successful decision to exclude them from the sanction lists [38]. In its decision on his complaint, the EU Court of Justice stated that targeted restrictive measures should be subject to the rule of law requirements, including the Council’s regulations to:

  • Clearly state the grounds for inclusion;

  • Justify the need for inclusion with evidence; and

  • Respect the right to a defense and ensure effective judicial control, while respecting the principle of proportionality [38].

As explained by Sergey Glandin: “In the wake of the Kadi case, the Council of the European Union has been challenged by the court’s case-law practice, which has led the latter to start outlining the general inclusion criteria in more detail in its regulations, as well as better articulating the individual’s compliance with these established criteria in their annexes” [39].

In 2018, the council of the EU returns to the formulation of the principles of implementation and compliance with sanctions restrictions. In the updated version, the guide to the implementation and evaluation of restrictive measures (Sanctions) 2018 in the context of the EU common security policy [40] explains many aspects of compliance, although the “compliance” section itself contains just a few lines. Regarding compliance with sanctions by companies incorporated in the EU, it is stated that they cannot, among other things, use controlling companies as a tool to circumvent the ban, including those companies that are not registered in the EU, nor can they give instructions in this regard [40]. The concepts of ownership and control are given in accordance with the previously accepted definitions set out in the 2001 in the following paper: Council Regulation (EC) № 2580/2001 of 27 December 2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism.

The next source of sanctions compliance in the EU is the EU’s guide to internal compliance programs for the control of trade in dual-use products (ICP) [41]. There are seven mandatory compliance criteria, which almost coincide with the BAFA criteria [42]. Despite the fact there are only seven criteria, however, risk assessment precedes the work on building an effective compliance system.

The European Institute for Export Compliance (hereinafter referred to as “EIFEC”) prepared the Export Compliance Code in 2018. This document links sanctions and exports through the definition of export compliance:

“Export compliance is the specialized multidisciplinary framework/discipline, which covers all activities of export (i.e., goods and services, tangible and intangible items, and transfer of means of payment), that are somehow subject to export controlling regulations (i.e., dual-use, sanctions, etc.) applicable to transactions between two different states/jurisdictions/entities. It provides support to organizations in compliance risk management, that is, the risk of legal or administrative sanctions, financial losses or reputation deterioration for failing to comply with laws, regulations and legislations, and codes of conduct and good practices” [43].

The code sets out six export compliance principles developed by the Institute for the International Standard EIFEC EC1001. 00: 2011 ECPS.

The first principle, Unicuique suum (lat. “to each his own”), reflects the approach- one size does not fit all: each company has unique risks, so compliance controls and measures should relate to these risks. The second principle is a commitment to transparency, the third principle is a commitment to compliance, and the fourth principle is accountability.

An interesting fifth principle is a consistency. “All organizations act consistently with prior obligations and commitments. Organizations must be consistent in applying the export compliance principles, methods, practices, and procedures. Organizations will ensure that the same rules and behaviors are followed in all activities. If a change is made to an export compliance policy, the effects of the change must be clearly disclosed” [43]. The sixth principle speaks about the effectiveness of export compliance. These principles and the code are not mandatory for implementation, since they are formulated by a non-governmental organization, but they can serve as a guide for companies.

On 4 March 2022, the European Commission announced the introduction of the EU Sanction Whistleblower Tool [44]. According to the commission, the tool can be used to report on “past, ongoing or planned” EU sanctions violations, as well as attempts to circumvent these.

Reports to the commission can be made either directly by email or on an anonymous basis via the online platform provided through the tool. Submitted reports will, in the first instance, be examined by the commission, which will conduct a preliminary inquiry. If the commission considers that the information is credible, it will provide the anonymized report and any additional information gathered during the preliminary inquiry to the competent authorities in the relevant EU Member State(s). The national competent authorities are ultimately responsible for the enforcement of EU sanctions and may initiate formal investigations further to the information provided to them [44].

The information reported can relate to EU sanctions violations, their circumstances, or the individuals, companies, and third countries involved, which are not publicly known but are known to you. This can cover past, ongoing, or planned sanctions violations, as well as attempts to circumvent EU sanctions [44].

1.4.2 Germany

Recently, Germany has adopted several legislative initiatives that also address compliance issues. In July 2021, the law on “Comprehensive verification of supply chains” (German: Das Lieferkettensorgfaltspflichtengesetz (LkSG)) was adopted, [45] which starting from 2023, will require companies with more than 3000 employees in Germany (and beginning in 2024–with more than 1000 employees) to comply with the principle of due diligence in their activities in relation to human rights and environmental protection. The law will apply to direct suppliers, and to a limited extent to indirect suppliers.

The Federal Office of Economic Relations and Export Control (BAFA) published the second edition of the Internal Compliance-Program (ICP) Newsletter for Internal Export Control Systems (the “Bulletin”) in 2018 [42]. The preface to the document states the following:

“The concept of compliance also means the willingness of the company’s management to take organizational measures to prevent violations of the law within the company from the very beginning. Companies meet this requirement in practice by implementing a compliance management system (CMS) that is designed in accordance with the company’s risk profile” [42].

The bulletins set out the 9th criterion for an effective program, and stipulate that these criteria are suitable not only for compliance in the field of weapons but can also be used in companies engaged in international trade.

  1. Commitment of top management.

  2. Risk analysis.

  3. Organizational structure and distribution of responsibilities.

  4. Human and other resources.

  5. Operational management and procedures.

  6. Documentation.

  7. Staff selection and training.

  8. Process control/system control (compliance audit)/information systems.

  9. Physical and technical security.

Sanctions and embargoes are described directly in the “questions and answers” section. Thus, the agency makes the following recommendation for identification:

“It is recommended to configure the test software so that the name components being tested are linked using the” and “ function, so that only data sets with a first and last name match are represented. Thus, the number of matches is reduced, which makes it easier to manually check a lot of irrelevant data sets, for which, for example, only the name appears in the sanctions lists” [42].

At the EU level, we can observe gradual changes in the regulator’s approach. This is evident both in the level of greater detail of the norms, as well as in the approach to awareness and clarification. The content in the guidelines on sanctions implementation and compliance has doubled over the last decade (from 2008 to 2018). At the country level in Europe, in particular, in Germany, compliance checks follow the essence of export controls and export restrictions, including restrictions related to dual-use goods.

Advertisement

2. Model of sanctions compliance in Russia

There are several obstacles to the development of a domestic sanctions’ compliance model, which will be discussed below. At the same time, these obstacles outline the “sovereign” model of sanctions compliance for companies, where in the absence of recommendations from the state, each company develops and implements those elements that are most relevant to it, based on its corporate risk assessment, thereby making its own contribution to the patchwork of national sanctions compliance.

2.1 A holistic approach to compliance

To illustrate this problem, we need to return to the discussion of the concept of “compliance” and the understanding that government agencies in Russia have about it. If we analyze the use of the concept of “compliance” in Russian law enforcement practice, it turns out that compliance is perceived as an obligation of all organizations to follow a certain norm (Art. 13.3).

The main problem is that these measures are prescribed for all organizations, regardless of their organizational and legal form. Let us call this a unitary approach, which differs from the dualistic approach in foreign legislation, where special legislation (norms) has been applied. (FCPA, Bribery Act, French Law Sapin II, and Kazakh law on Preventing Corruption) are aimed directly at the commercial sector.

If we are talking about antimonopoly compliance, the Russian Federal Antitrust Agency (hereafter - FAA) has achieved some success, even before the adoption of amendments to the law. However, when developing antitrust compliance measures, the FAA adheres to the same unitary approach, which does not distinguish between the specifics of antitrust regulation for companies and for state departments, obliging municipal and state bodies to engage in “antitrust compliance.”

Misunderstanding of the nature of compliance can mislead regulatory effects and effect on economic activities of business entities.

At the same time, it is necessary to recognize that Russia has not developed a regulator for sanctions restrictions, such as OFAC, OFSI, or BAFA. Neither the Ministry of Foreign Affairs of the Russian Federation, nor the Prosecutor’s Office, nor the Department of Control over External Restrictions under the Ministry of Economic Development, created at the end of 2018 (Order Ministry of Finance № 3272 of 28.12.2018), nor the Central Bank, nor Ministry of Finance can be called full-fledged regulators of sanctions policy in Russia.

2.2 Missing benchmarks and best practices

The only one group of companies, Eurochem AG, publishes on its website sanction policy since the company is incorporated in Switzerland (Zug). All large companies, including those with state-owned companies, have corporate documents and procedures dedicated to sanctions compliance. At the same time, we can note that they are reluctant to disclose information on sanction compliance.

On the website of the Moscow Exchange, for example, it is mentioned that, within the framework of compliance, the direction toward “compliance with economic restrictions” is recommended.

On the website of SBERBANK (https://www.sberbank.com/ru/compliance/ecs) in the section “Compliance,” the following information is posted:

“The control of economic sanctions in the Sberbank Group of Companies is carried out in accordance with the Policy on Special Economic Measures, which defines the goals, distribution of powers, and rules for the implementation of controls. The bank has implemented automated procedures aimed at ensuring that the parties involved comply with the relevant sanctions programs, as well as with the requirements of the applicable legislation.”

There is no information about economic restrictions on VTB’s website.

It is still impossible to find sanctions compliance policies and procedures freely available on company portals. We can find certain information about check screening carried out under economic restrictions (sanctions) in corporate documents at the second level. For example, according to P.4.30 of the terms of implementation of depository activities of JSC National Settlement Depository, it is specified:

«The depository also has the right to refuse to enter into a deposit account agreement or an agreement that is the basis for opening and maintaining an account that is not intended for recording rights to securities”....”: international sanctions and/or sanctions of foreign states applied to legal entities and individuals have been imposed on the depositor or its affiliates in the Russian Federation, individual sectors of the economy of the Russian Federation or the Russian Federation as a whole, and the laws of a jurisdiction other than the Russian Federation are applicable to such sanctions of the Russian Federation (hereinafter-Sanctions)” [46].

The reluctance to disclose documents can be explained by political reasons: Russian state bodies constantly emphasize the nonrecognition of unilateral sanctions. The constitutional court’s decision in the Kuznetsov case (Russian Constitution Court Decision from July 9, 2021) confirms the critical attitude toward restrictive measures:

“The imposition of restrictive measures against Russia and its economic entities by a foreign state in an inappropriate international procedure and in contradiction to multilateral international treaties of which Russia is a party is quite common at present [47]. “And such circumstances are recognized as” illegal per se” [47]. This decision also confirms the correctness of the position expressed by the judges of the constitutional court of the Russian Federation in 2018, that compliance with sanctions restrictions can be considered to be unfair behavior [48].

Unlike the American regulation, which provides explanations about the legitimacy of U.S. persons’ participation in compliance expertise, including sanctioned entities, there is nothing like this in Russia, and for a year, the market has been discussing the legal bills to introduce criminal liability for managers of companies and other entities for “abuse of office” committed in Russia for the purpose of compliance with international sanctions against Russia. Amendments to the Russian Criminal and Administrative Codes have been enacted, criminalizing the following activities: calls for the introduction of sanctions against Russia and Russian nationals/companies (Art.284.2 Criminal Code). The latter provision criminalizes only Russian citizens, and only if the offense has been committed within a year of being subject to an administrative penalty for a similar offense.

The lack of open access policies and regulations for assessing sanction risks, such as what happens with anti-corruption documents, hinders the development of best practices in the field of sanctions compliance in Russia and increases the risk of violations of the requirements of regulators, including Russia. In addition, the lack of public access to documents related to sanctions compliance makes it difficult to conduct an expert examination and audit.

2.3 Increasing complexity of inspections of sanctioned individuals

Over the past 8 years, after the introduction of the U.S. and European sanctions against Russia, the state has developed several protective mechanisms, but their disorderly application has led to results that the developers of these measures did not expect.

Such a mechanism was established at the EU level to counter the American sanctions on Cuba imposed by the Cuban Liberty and Democratic Solidarity Act of 1996 and on Iran imposed by the Iran Sanctions Act of 1996, the Iran Freedom and Counter-Proliferation Act of 2012 in 1996 [49]. This mechanism was designed in the Blocking Statute (Council Regulation (EC) № 2271/96 of 22 November 1996. “Protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom.” The blocking statute has two purposes:

  1. Revocation of any foreign court’s actions in the EU based on the laws mentioned in the Annex.

  2. Permission for EU producers to recover damages in court for losses caused by the extraterritorial application of these foreign laws [50].

Since the adoption of the CAATSA, and the consolidation of the concept of “secondary sanctions” articulated in Art 228, the Russian state has adopted several resolutions that give companies and banks under sanctions the right not to disclose some information about themselves.

For example, in 2018, several regulatory acts were adopted that allow specialized depositories (Federal Law № 482-FZ of 31.12.2017), insurers (Russian Government’s Regulation № 1322 of 03.11.2018), and non-state pension funds (Russian Government’s Regulation № 1155 of 28.09.2018) and investment funds (Russian Government’s Regulation № 1201 of 05.10.2018) not to disclose information about the structure and composition of the shareholders (participants) of a legal entity, including persons under the control or significant influence of which this legal entity is located.

Such measures were taken on November 23, 2018, in relation to banks (Russian Government’s Regulation № 1404 of 23.11.2018), which may be subject to sanctions. As a follow-up to this topic, on April 4, 2019, the government of the Russian Federation adopted Resolution No. 400 “On the specifics of disclosure and provision of information subject to disclosure and provision in accordance with the requirements of the Federal Law” On Joint-Stock Companies“ and” Securities Market” (Russian Government’s Regulation № 400 of 04.11.2019), which allowed banks and companies not to disclose information on 18 points, including information about persons who are members of the issuer’s management bodies, the issuer’s transactions, the banking groups that the issuer belongs to, the issuer’s affiliates, financial indicators, the volume of operations, and even the risks and organizational structure of the issuer.

Thus, key data on the management, assets, ownership structure, banking groups, and affiliated persons to the issuer, transaction volumes, and financial position are not accessible and must be verified by additional sources.

Finally, another document adopted in the form of a Government Decree in 2019 (Russian Government’s Regulation № 729 of 06.06.2019), introduced the ability to restrict access to the information contained in the Unified State Register of Legal Entities, in relation to the following entities, if:

  • The legal entity is subject to restrictive measures imposed by a foreign state, state association and/or union and/or state (interstate) institution of a foreign state or state association and /or union; and/or.

  • The legal entity is in the location of the territory of the Republic of Crimea or the territory of the city of Sevastopol.

In February 2021, the Ministry of Economic Development developed a draft law titled “On Special Administrative Regions.”(Legal bill was not published). According to this draft, the principle of investor confidentiality is introduced.

The irony is that the sanction screening aims precisely at checking sanctioned individuals and, therefore, due to the nondisclosure of certain information, compliance specialists are forced to resort to additional checks. Thus, in contrast to what is written in the document and what the developers intended to do, the risk of violating sanctions is increased.

2.4 The procedure for exceptions for interaction with sanctioned persons is complicated

Unlike the United States, the United Kingdom, and the EU, where there are certain rules for issuing general and special licenses issued by regulators, in Russia, the development of permits can be divided into two clear periods: before and after February 2022.

Until February 2022, there was practically no complete system, nor a dedicated regulator. We may notice links to getting permission in several acts. In accordance with the Decree of the Government of the Russian Federation No. 1716-83 of December 29, 2018, titled “On Measures to Implement the Decree of the President of the Russian Federation № 592 of October 22, 2018” (hereinafter referred to as the “Decree of the President of the Russian Federation”). The second similar paper is Resolution 1716-83, “On the ban on the import of goods into the Russian Federation, the country of origin or country of departure of which is Ukraine, or which move through the territory of Ukraine.” In 2019, this resolution was supplemented by Appendices No. 2 and No. 3, and accordingly, a norm with the following content appeared:

“Set that, from June 1, 2019, export of goods from the Russian Federation to the territory of Ukraine according to the list according to Appendix № 3. is carried out exclusively on the basis of permits issued by the Ministry of Economic Development of the Russian Federation”

Another example: an Order of the Ministry of Industry and Trade of the Russian Federation in 2019, which is now no longer valid, approved the procedure for confirming the conformity of gravel and crushed stone imported into the territory of the Russian Federation. According to this document, the total period for approving the issue or refusal of a permit takes approximately 3 months and is valid until the end of the calendar year from the date of its signing. However, this procedure applied only to gravel and crushed stone, which is insufficient.

In the administration of blocking sanctions imposed by Resolution № 1300 of November 1, 2018 (as of January 2021-922 individuals, 84 legal entities). The Ministry of Finance of the Russian Federation is responsible for granting temporary permits for certain operations in relation to certain legal entities that are subject to special economic measures (paragraph 4). In the case of exclusion from the list, temporary permits are also granted, but the system is still not transparent. In addition, it is inconvenient that no search engine for persons is included in blocking sanctions.

Moreover, by the Order of the Minister of Finance of the Russian Federation № 3272 of December 28, 2018 “On approval of the Regulations on the Department for Control over External Restrictions of the Ministry of Finance of the Russian Federation,” a corresponding body was established, however, it does not even have a control function. The function of this department is to develop measures to reduce the negative impact of restrictive measures in the financial sector in relation to the Russian Federation and Russian legal entities. Responsibilities are as follows: monitoring, analyzing, collecting, and processing information. In other words, this body does not have any of the functions inherent in Western sanctions regulators.

Thus, the licensing system was administered by three ministries: the Ministry of Economic Development, the Ministry of Industry and Trade, and the Ministry of Finance.

After February 2022, two more regulators appeared, the Central Bank of the Russian Federation and the government commission for monitoring the implementation of foreign investments in the Russian Federation, which administer their own licensing systems.

By the Presidential Decree of March 18, 2022, the Central Bank of Russia has been granted the right to issue permits to residents to conduct foreign economic activities, including on contributions of deposits, shares of a nonresident legal entity, as well as in the framework of the implementation of a simple partnership agreement with inversion. Also, the Bank of Russia issues permission not to sell foreign currency in the amount allocated for the fulfillment of obligations to Russian residents. Moreover, the Central Bank is authorized to provide explanations of the application of the Decree of March 18, 2022. Explanations are given in the form of Official Explanations, such as 2-OP of March 18 2022.

The Board of Directors of the Russian Central Bank makes decisions of a regulatory nature, for example, the decision of the Board of Directors of the Bank of Russia to establish a “C” type account regime for the purpose of fulfilling a resident’s obligations to a nonresident set out in Decree No. 95 of the President of the Russian Federation dated March 5, 2022 “On the temporary procedure for fulfilling obligations to certain foreign creditors.”

At the same time, the Government Investment Control Commission of the Ministry of Finance has the right to issue permits for the purchase and sale of real estate with nonresidents from unfriendly countries, or for other transactions exceeding the restrictions imposed. By the Decree of the Government of the Russian Federation dated March 6, 2022, the following documents were approved: “Rules for issuing permits by the government commission for monitoring foreign investment in the Russian Federation for the purpose of implementing additional temporary economic measures to ensure the financial stability of the Russian Federation and other permits provided for by separate decrees of the president of the Russian Federation.”

The Ministry of Industry and Trade can also issue permits for the import and export of goods that have fallen under restrictions, which is established by Government Decree No. 311-313 of March 9, 2022.

Thus, at present, we can say that there are five regulators for countersanctions. At the same time, each of these regulators has its own licensing system and adopts regulatory legal acts in its field. The multi-directed nature of making decisions on counter-sanctions, the complexity and the ambiguity of the criteria according to which permits are granted, put an additional burden on companies.

2.5 Countersanctions before February 2022

The next type of work with sanctions is the introduction of countersanctions. Russia introduced various packages of countersanctions, constantly increasing the regulatory framework on this subject. Since 2006, when Federal Law № 281-FZ of December 30, 2006, was adopted “On Special Economic measures,” which established the concept of special economic measures, the regulatory body of countersanctions has been increasing.

The regulatory framework can be divided into different blocks. The first block concerns the embargo of products from the EU, U.S.A., Canada, Ukraine, and other countries, introduced in 2014 (Russian President’s Decree № 560 of 06.08.2014) and extended every year. On the implementation of the Russian President’s Decree № 560, decrees extending the embargo were adopted, and the Russian Government Decree №. 778 was adopted, which distributes responsibilities between agencies for monitoring the Russian market during the introduction of the embargo. The rules for the destruction of products were established by Government Decree № 774 of July 31, 2015. Confiscation of sanctioned goods is part of the administrative and legal liability provided for in Article 14.2 of the administrative code of the Russian Federation.

The second block concerns relations between Russia and Ukraine. The main act in this block is a Decree of the President of the Russian Federation № 592 of October 22, 2018 “On the application of special economic measures in connection with unfriendly actions of Ukraine against citizens and legal entities of the Russian Federation.” Blocking sanctions were introduced by Resolution № 1300 of November 1, 2018 (as of January 2022–922 individuals, 84 legal entities). Resolution of the Government of the Russian Federation № 1716 of 29.12.2018 is related to this block, dated 12.2018.

The third block is a response to US sanctions. The first act was FZ-282 of December 28, 2012 “On measures of influence on persons involved in violations of fundamental rights...,” which became a response to the introduction of the Magnitsky Act (Russia and Moldova Jackson-Vanik Repeal and Sergei Magnitsky Rule of Law Accountability Act of 2012). With the adoption of the Federal Law of 04.06.2018, “On measures to influence (counter) unfriendly actions of the United States and other foreign states,” the concept of “unfriendly foreign states” was introduced. Thus, the law contains broad and flexible rules, which make it possible for the Russian authorities to impose restrictions not only against the United States and American companies, but also against affiliated organizations and individuals friendly to the United States, or with a state/organization unfriendly to Russia. Measures of influence (counteraction) are introduced and canceled by the Government of the Russian Federation by a decision of the President of the Russian Federation.

2.5.1 Counter-Sanction regulation since February 2022

Due to the Decree of the President of the Russian Federation from February 28, 2022 № 79 “On the application of special economic measures in connection with the unfriendly actions of the United States of America and foreign states and international organizations that have joined them”:

A provision was introduced for the mandatory sale by Russian exporters of 80% of foreign exchange earnings under foreign trade contracts. This requirement also applies to the proceeds already credited to the accounts of resident participants in foreign economic activity starting January 1, 2022;

  • From March 1, 2022, residents (Russian legal entities and citizens, but not local branches of non-Russian entities) are prohibited from providing foreign currency to nonresidents under loan agreements and crediting foreign currency to their bank accounts outside the country, as well as making transfers without opening a bank account using ESP provided by foreign payment service providers; until December 31, 2022, PJSCs can acquire their shares, subject to a few conditions.

The next Decree of the President of the Russian Federation from March 1, 2022, № 81 “On additional temporary economic measures to ensure the financial stability of the Russian Federation” was introduced, aiming to restrict divestment of foreign investors of their Russian assets. Decree № 81 provides for, inter alia:

  • From March 2, 2022, a special procedure, namely, obtaining approval by a special Government Commission for making certain transactions with persons of foreign states that commit unfriendly actions, was introduced. Certain transactions may not be performed if permission is not granted by the commission. In particular, these transactions include the provision of credits and loans (in rubles) to foreign investors, as well as transactions that entail the emergence of ownership of the real estate and securities.

  • From March 2, 2022, a ban on the export of cash in foreign currency exceeding 10 thousand US dollars was also introduced.

The introduction of a procedure, implying the need for permission, may complicate the efforts of international investors to divest their interests in Russian businesses and real estate. Nevertheless, currently not much can be predicted, as the enforcement practice did not develop any positions on the topic.

Further rules on obtaining permits for the performance by residents of transactions (operations) with foreign persons were approved by the Decree of the Government of Russia from March 6, 2022, № 295.

By means of Federal Law N 30-FZ from March 4, 2022 “On amendments to the Federal Law “On measures to influence persons involved in violations of fundamental human rights and freedoms, rights and freedoms of citizens of the Russian Federation“ and Article 27 of the Federal Law “On the procedure for departure from the Russian Federation and entry into the Russian Federation,” the list of persons subject to counter-sanctions has been adjusted. Now the latter includes citizens of any country, not only the United States, as well as stateless persons. Counter-sanctions include a ban on entry, seizure of assets, and suspension of the activities of Russian branches of controlled organizations.

The Decree of the President of the Russian Federation of March 5, 2022 № 95 “On the temporary procedure for the fulfillment of obligations to certain foreign creditors” from March 5, 2022, established a special temporary procedure for the fulfillment of obligations to certain foreign creditors.

Due to the named procedure, Russian citizens, and legal entities, as well as the state, its regions, and municipalities having foreign exchange obligations to foreign creditors from the list of “unfriendly countries,” will be able to pay them in rubles. The temporary procedure applies to payments exceeding 10 million rubles per month (or a similar amount in an equivalent foreign currency).

The Decree of the Government of the Russian Federation from March 5, 2022, N 430-r specified the list of “foreign states and territories committing unfriendly actions against the Russian Federation, Russian legal entities and individuals” includes 46 countries.

On 31 March 2022, a special restriction was introduced regarding payment for Russian Gas. According to the Presidential Decree “On the special procedure for foreign buyers to fulfill their obligations to Russian neutral gas suppliers, the customs authorities decide to prohibit supplies to the unfriendly states if:

  1. The payment deadline for gas supplied under a contract has passed, or

  2. Payment has not been made, or

  3. Payment was made in a foreign currency

  4. and/or not in full,

  5. and/or to an account at a bank that is not an authorized bank Gazprombank joint-stock company (an authorized bank), which opens special K-type ruble accounts and special K-type foreign currency accounts for payments for gas that has been supplied.

Advertisement

3. Comparison study

Each of these models of sanctions compliance has its own specifics. The American recommendations of OFAC outline what the U.S. regulator wants to see as an effective sanction compliance program. This model reveals the stick-and-carrot approach. This approach is based on the idea that it is advisable not only to punish the company but also to encourage it to implement elements of the compliance system.

At the same time, the allocation of sanctions compliance as sui generis is partly fair, but it is necessary to consider the generic relationship with anti-corruption compliance. The regulator’s approach to sanctions compliance is based on four principles:

  1. Voluntary obligations assumed by the company;

  2. Encouraging voluntary reporting;

  3. Priority of civil and administrative /civil penalties over criminal penalties; and.

  4. Proportionality of sanctions restrictions to the company’s capabilities.

The British model of sanctions compliance is associated with AML compliance, and from this point of view, the regulation of financial restrictions (sanctions) is based on an arsenal of methods applicable to AML. The connection with AML regulation also justifies the choice of criminal response methods for violating companies: the DPA, and in that the manual separately imposes an obligation for “relevant companies” to report suspicious individuals and transactions. The difference between the British model and the American one is also seen in the fact that the British regulator announced a comprehensive approach that takes into account not only the interests of the regulator but also the company’s ability to comply with restrictions. In the United States, the regulator, when determining what it expects from companies, still speaks from the position of a body that has the right to both pardon and punish (the “carrot and stick” approach), the British regulator goes further, and expresses its readiness to cooperate with companies, and share responsibility for noncompliance.

At the EU level, we can observe gradual changes in the regulatory approach. This is evident both in the level of greater detail of the norms, as well as in the approach to awareness and clarification. The content in the guidelines on sanctions implementation and compliance has doubled over the decades (from 2008 to 2018). At the level of European countries, in particular, Germany, compliance checks follow the essence of export controls and export restrictions, including restrictions related to dual-use goods.

When complying with sanctions restrictions (compliance), companies deal with three aspects:

  1. Principles of compliance.

  2. The ability to interact with sanctioned entities and the ability to exclude themselves from sanctions (delisting); and

  3. Methods of appeal.

As it demonstrates the indicators in the Table 1, the model of sanctions compliance in Russia before 2022 was radically different from other models. Unlike the United States, the UK, and the EU, Russia just started to develop a methodology for sanctions compliance. Currently, Russia has 5 sanction regulatory bodies seem to be excessive.

U.S.A.UKGermany/EURussia
Principles
  1. Management Commitment

  2. Risk assessment

  3. Internal Controls

  4. Testing and Auditing

  5. Training.

  6. + 15 Sec B Risk matrix

  1. indicators 1) Management tone

  2. Risk assessment

  3. Compliance Controls

  4. Compliance procedures

  5. Employee training

  1. Commitment to senior management

  2. Risk analysis

  3. Organizational structure and distribution of responsibilities

  4. Human and other resources

  5. Operational management and procedures

  6. Documentation

  7. Personnel selection and training

  8. Process control/system control (compliance audit)/communication systems

  9. Physical and technical security

None
Getting licenses and delistingThis procedure applies to all modesThe order is spelled outThe order is spelled outSome acts have separate mechanisms for obtaining permits. There are five regulatory bodies
AppealAdministrative or in the federal courtsAdministrative or in the courts of the United Kingdom, the ECHREU Court of Justice, National Courts, the ECHRCourts of the Russian Federation

Table 1.

With equal elements of the compliance system.

Thus, there is still a need to develop a methodology for sanctions compliance or to consolidate the regulatory expectations. But this raises the following question: who is the sanctions regulator in Russia?

Currently, in Russia, banking and credit, brokerage companies, mining corporations, and companies affiliated with international businesses develop their own systems of sanctions compliance measures based on the logic of AML/CFT, actively using IT systems. In this sense, “uncodified” Russian sanctions compliance is closer to the European and UK models than to the U.S. model. At the same time, when setting up compliance, they focus on the foreign experience.

In the above-mentioned book “Compliance Revolution: how compliance must change in order to survive, “ [30] it speaks about the types of regulatory maturity and compliance.

The author identifies five stages in the development of regulatory norms and compliance: 1) start up, 2) crises, 3) extension, 4) sustainability and 5) outcome-led [30].

In the models of the UK, the U.S.A., and the EU, we can see a transition from the stage of expansion to the stage of sustainability. At the stage of sustainability, there is a realization that expansive development cannot continue exponentially. Regulatory and compliance approaches are becoming more relevant to the original goals, and more detailed. Methods for improving implementation and performance include:

  • Risk-based compliance.

  • Cost-benefit analysis.

  • Principles-based regulation, and

  • Focus on the a prevention and development of corporate culture, ethics, and corporate governance [30].

In the Russian regulatory model, we can observe disorganized, and often disproportionate, policy concerning counter-sanctions. There are three approaches to counter-sanctions that have been implemented in Russia:

  1. The model of assistance to sanctioned persons.

  2. The model of countersanctions.

  3. The model of prohibition of compliance/calls for sanctions.

These approaches if the regulator implements simultaneously are costly and time-consuming for the state budget and economic actors. Sanctioned countries facing undue advantages often must choose one of the three approaches for counter-sanction restrictions, but never three at the same time. This model corresponds to the stage of the crisis. The speed of transition to the next stage depends, among other things, on determining who is the main sanctions regulator in Russia.

Regarding compliance environment, large Russian companies running activities globally follow international standards. However, we need to indicate that we are talking only about big business. Small and medium enterprises often do not have the expertise and economic resources to implement compliance requirements.

According to David Jackman’s opinion, “Compliance revolutions’ are needed,” ideally, when regulation and compliance can cooperate at the same level, but more often one of them gets ahead. If regulation is ahead of compliance, companies may face regulatory risks; if compliance is ahead of regulation, then the risk arises from unexpected interpretations of regulatory norms on the part of companies, while the regulator suffered reputational damage and loses support due to its slowness [30].

Backing to Russian experience, it is necessary to recognize that sanctions enforcement and compliance in Russia go at different “speeds,” or rather at different stages of development.

References

  1. 1. Compliance and the compliance function in banks. Basel Committee of Banking Supervision. 2005. Available from: https://www.bis.org/publ/bcbs113.pdf [Accessed: July 7, 2022]
  2. 2. The Treasure 2021 Sanction Review. Available from: https://home.treasury.gov/system/files/136/Treasury-2021-sanctions-review.pdf [Accessed: July 7, 2022]
  3. 3. David Restrepo Amariles & Matteo M. Winkler, U.S. economic sanctions and the corporate compliance of foreign banks, 51 The International Lawyer. 530-532 (Nov. 7, 2018). Available from: https://scholar.smu.edu/cgi/viewcontent.cgi?article=4570&context=til. [Accessed: July 7, 2022]
  4. 4. Stuart Brock, The Cost of Compliance, INT’L BANKER (Nov. 7, 2018). Available from: https://internationalbanker.com/technology/the-cost-of-compliance/. [Accessed: July 7, 2022]
  5. 5. U.S. Department of Justice Criminal Division. Evaluation of Corporate Compliance Programs. 2020. Available from: https://www.justice.gov/criminal-fraud/page/file/937501/download. [Accessed: April 7, 2022]
  6. 6. Press Release. OFAC Issues a Framework for Compliance Commitments. 2019. Available from: https://home.treasury.gov/news/press-releases/sm680. [Accessed: April 7, 2022]
  7. 7. A Framework for OFAC Compliance Commitments. Available from: https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf. [Accessed: April 7, 2022]
  8. 8. Lee PL. Compliance lessons from OFAC case studies-part I. Banking LJ. 2014;131:657-687
  9. 9. Exxon Mobil Corp vs. Steven Mnuchin. U.S. District Court of Northern District of Texas /CIVIL ACTION № 3:17-CV-1930-B. 2019. Available from: https://www.govinfo.gov/content/pkg/USCOURTS-txnd-3_17-cv-01930/pdf/USCOURTS-txnd-3_17-cv-01930-2.pdf. [Accessed: July 7, 2022]
  10. 10. Jackson KB, Grilli KC. “Carrot and Stick” philosophy: The history of the organizational sentencing guidelines and the emergence of effective compliance and ethics program. In: The Complete Compliance and Ethics Manual 2014. Minneapolis: Society of Corporate Compliance and Ethics; 2014. pp. 23-251
  11. 11. ISO 19600. 2014 Compliance management systems — Guidelines. Available from: https://nobelcert.com/DataFiles/FreeUpload/ISO%2019600.pdf. [Accessed: April 7, 2022]
  12. 12. Abely C. Causing a sanctions violation with U.S. Dollars: Differences in regulatory language across OFAC sanctions programs. The Georgia Journal of International and Comparative Law 48 (1) 2019: 29-83. Available from: https://digitalcommons.law.uga.edu/cgi/viewcontent.cgi?article=2468&context=gjicl. [Accessed: April 7, 2022]
  13. 13. COSO. Internal Control—Integrated Framework. Available from: https://www.coso.org/pages/ic.aspx. [Accessed: April 7, 2022]
  14. 14. OFAC Sanction Matrix. Available from: https://home.treasury.gov/system/files/126/matrix.pdf. [Accessed: April 7, 2022]
  15. 15. FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual published in 2005. Appendix M [“Quantity of Risk Matrix--OFAC Procedures”]
  16. 16. OFAC Enforcement Release: July 8, 2020: OFAC Settles with Amazon.com, Inc. with Respect to Potential Civil Liability for Apparent Violations of Multiple Sanctions Programs. Available from: https://home.treasury.gov/system/files/126/20200708_amazon.pdf. [Accessed: April 7, 2022]
  17. 17. OFAC. Settlement Agreement: UniCredit Bank AG 13. 2019. Available from: https://home.treasury.gov/system/files/126/20190415_unicredit_bank_ag.pdf. [Accessed: April 7, 2022]
  18. 18. 9-47.120. FCPA Corporate Enforcement Policy. Available from: https://www.justice.gov/criminal-fraud/file/838416/download. [Accessed: April 7, 2022]
  19. 19. US C.F.R
  20. 20. Settlement Agreement between the U.S. Department of the Treasury’s Office of Foreign Assets Control and Airbnb Payments, Inc. 2022. Available from: https://home.treasury.gov/system/files/126/20220103_abnb.pdf. [Accessed: April 7, 2022]
  21. 21. Kirkland and Ellis. Voluntary Self-Disclosure of Sanction Violations: How it Works in the US. (Part 2). 2018. Available from: https://www.kirkland.com/publications/article/2018/01/voluntary-selfdisclosure-of-sanctions-violations-h. [Accessed: April 7, 2022]
  22. 22. Van Genugten J. Conscripting the global banking sector: Assessing the importance and impact of private policing in the enforcement of U.S. Economic sanctions. Berkeley Business Law Journal. 2021;18(1):136-164. DOI: 10.15779/Z38S17ST3P
  23. 23. Guidance of the Provisions of Certain Services Relating to the Requirements of US Sanctions Laws. 2017. Available from: https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information/russian-harmful-foreign-activities-sanctions. [Accessed: April 7, 2022]
  24. 24. The Treasure 2021. Sanction Review. Available from: https://home.treasury.gov/system/files/136/Treasury-2021-sanctions-review.pdf. [Accessed: August 14, 2022]
  25. 25. Consent Order under New York Banking Law §§ 39 and 44. Available from: https://www.dfs.ny.gov/system/files/documents/2020/04/ea140819_standard_chartered.pdf. [Accessed: August 14, 2022]
  26. 26. Act of the United Kingdom of Great Britain and Northern Ireland «Sanctions and Anti-Money Laundering Act» («SAMLA») of 23.05.2018 Volume c. 13
  27. 27. Sanctions and Anti-money Laundering Bill [hl] Explanatory Notes / Ordered by the House of Commons to be printed, 25 2018. Available from: https://publications.parliament.uk/pa/bills/cbill/2017-2019/0157/en/18157en.pdf. [Accessed: August 14, 2022]
  28. 28. General Guidance for Financial Sanctions under the Sanctions and Anti-Money Laundering Act 2018. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/961516/General_Guidance_-_UK_Financial_Sanctions.pdf. [Accessed: August 14, 2022]
  29. 29. Monetary Penalties for Breaches of Financial Sanctions. Guidance. 2022. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1083297/15.06.22_OFSI_enforcement_guidance.pdf. [Accessed: August 14, 2022]
  30. 30. David Jackman The Compliance Revolution. How Compliance Needs to Change to Survive. Singapore: Wiley; 2015
  31. 31. JMLSG Guidance. Available from: https://www.jmlsg.org.uk/guidance/current-guidance/. [Accessed: August 14, 2022]
  32. 32. Mitchell RD, Mortlock D, Osborn-King S. Building an effective US-UK sanctions compliance programme: What are the key components? In the Journal of Financial Compliance. 2019;3(2):171-180
  33. 33. FCA Handbook. Available from: https://www.handbook.fca.org.uk/handbook/FCTR/8/?view=chapter. [Accessed: August 14, 2022]
  34. 34. Reporting Sanctions Evasions. Available from: https://www.fca.org.uk/firms/financial-crime/reporting-sanctions-evasions. [Accessed: August 14, 2022]
  35. 35. Financial Regulation Authorities on Sanctions and the Cryptoasset Sector. Available from: https://www.bankofengland.co.uk/news/2022/march/joint-statement-from-uk-financial-regulation-authorities-on-sanctions-and-the-cryptoasset-sector. [Accessed: August 14, 2022]
  36. 36. Compliance code of Practice 2010. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/341998/10-668-codepractice-compliance.pdf. [Accessed: August 14, 2022]
  37. 37. Update of the EU Best Practices for the Effective Implementation of Restrictive Measures (doc.8666/1/08 Rev 1). Available from: https://data.consilium.europa.eu/doc/document/ST-8666-2008-REV-1/en/pdf. [Accessed: August 14, 2022]
  38. 38. ECJ № C-402/05 P и C-415/05 P Yassin Abdullah Kadi and Al Barakaat International Foundation v. Council and Commission
  39. 39. Glandin S. Evropeyskoe pravo ogranichitel'nykh mer posle pervykh rossiyskikh del v Sude Evropeyskogo Soyuza [The European law of restrictive measures after first Russian cases before the European Court of Justice]. Mezhdunarodnoe Pravosudie. 2017;2:80-93 (In Russian)
  40. 40. Guidelines on Implementation and Evaluation of Restrictive Measures (Sanctions) in the Framework of the EU Common Foreign and Security Policy (doc.5664/18). Available from: https://data.consilium.europa.eu/doc/document/ST-5664-2018-INIT/en/pdf. [Accessed: August 14, 2022]
  41. 41. Annex to Commission Recommendation (EU) 2019/1318 of 30 July 2019 on internal compliance programmes for dual-use trade controls under Council Regulation (EC) No 428/2009 - EU Guidance on Internal Compliance Programme (Icp) for Dual-Use Trade Controls. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019H1318&rid=8. [Accessed: August 14, 2022]
  42. 42. BAFA Information Leaflet about Internal Compliance Programmes (ICP) – Company-internal export control systems. Available from: https://www.bafa.de/SharedDocs/Downloads/DE/Aussenwirtschaft/afk_merkblatt_icp_en.html. [Accessed: August 14, 2022]
  43. 43. The European Code of Export Compliance (EU-CEC) 2018. Available from: https://www.exportcompliance.eu/docs/eu_cec.pdf. [Accessed: August 14, 2022]
  44. 44. Website of the EU sanction Whistleblower Tool is. Available from: https://eusanctions.integrityline.com/frontpage [Accessed: August 14, 2022]
  45. 45. Das Lieferkettensorgfaltspflichtengesetz (LkSG). 2021. Available from: https://www.gesetze-im-internet.de/lksg/ [Accessed: August 14, 2022]
  46. 46. Conditions for the implementation of depositary activities by the Non-Banking Credit Institution Joint-Stock Company National Settlement Depository, approved by the Supervisory Board of NCO JSC NSD. 2021 Available from: https://www.nsd.ru/upload/docs/disclosure/usl_cd_2021_v3.pdf. [Accessed: August 14, 2022]
  47. 47. The Russian Constitutional Court Decision on Kuznetsov 2021. Available from: http://doc.ksrf.ru/decision/KSRFDecision545537.pdf. [Accessed: August 14, 2022]
  48. 48. Russian Constitution Court Decision from 13 February 2018 № 8-P
  49. 49. Strydom H. South Africa’s position and practice regarding unilateral and extraterritorial coercive sanctions. In: Beaucillon C, editor. Research Handbook on Unilateral and Extraterritorial Sanctions. London: Edward Elgar Publisher; 2021. pp. 37-55
  50. 50. Council Regulation (EC) No 2271/96 of 22 November 1996 protecting Against the Effects of the Extra-Territorial Application of Legislation Adopted by a Third Country, and Actions based Thereon or Resulting Therefrom. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31996R2271. [Accessed: August 14, 2022]

Written By

Denis Primakov

Submitted: 07 July 2022 Reviewed: 17 August 2022 Published: 10 October 2022