
The Tri-Seal Compliance Note from the US Departments of Treasury, Commerce and Justice, “Obligations of foreign-based persons to comply with U.S. sanctions and export control laws”, is part of the US’s approach to improving “sanctions maintenance” towards Russia sanctions and sets the groundwork for further enforcement against non-US companies. While this is a notice to companies globally, it particularly singles out Nordic and allied country-headquartered companies as examples of recent fines for non-compliance with US sanctions.
This is not a coincidence: the re-focused US approach to enforce and target European actors is part of a desire to overcome the fragmented political and enforcement architecture that permits so much sanctions evasion to occur from Europe. This note covers the enforcement side of US sanctions, but there is also the very real risk of being directly designated under US sanctions. This risk is not theoretical: the targeting of Finland-based HD Parts OY and Estonia-based Gold Solution OU in the sanctions package marking the two-year anniversary of Russia’s invasion of Ukraine was a deliberate and purposeful action to target actors operating outside of the norms that have been established by the G7+ sanctions coalition.
So how should a Nordic company read this note to avoid getting in the crosshairs of the US? The best place to start is the concluding points of the guidance, so let’s take them point-by-point:
- “Employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program.”
- Meaning: Implement a comprehensive program that is more than just a series of independent actions. Aim for a holistic approach that satisfies the rules today and the changes that will come tomorrow.
- “Establish strong internal controls and procedures to govern payments and the movement of goods involving affiliates, subsidiaries, agents, or other counterparties. Such controls can help detect linkages to sanctioned persons or jurisdictions that may otherwise be obscured by complex payment and invoicing arrangements.”
- Meaning: Screening official lists isn’t sufficient. It is essential to write down clear policies and procedures that cover all aspects of your business and to implement systems capable of identifying sanctions risks, whether they are obvious or hidden. It is necessary to use data sources and lists that go beyond ownership and control to highlight relationships and nodes of commonality with sanctioned activity among everyone your company interacts with.
- “Ensure that know-your-customer information (such as passports, phone numbers, nationalities, countries of residence, incorporation, and operations, and addresses) and geolocation data are appropriately integrated into compliance screening protocols and information is updated on an ongoing basis based on its overall risk assessment and specific customer risk rating.”
- Meaning: Don’t limit KYC procedures to onboarding or reviews every 5 years. KYC is a continuous process of learning about your customer by constantly updating and reassessing the details of your customer and their activities. All information should be used to regularly refresh risk assessments. Knowing your customers also means knowing where they are accessing your services from, by having location controls such as IP filtering and geolocation blocking.
- “Ensure that subsidiaries and affiliates are trained on U.S. sanctions and export controls requirements, can effectively identify red flags, and are empowered to escalate and report prohibited conduct to management.”
- Meaning: Make sure that your entire business group follows the same policy, procedures, and rules and is as knowledgeable as the head office on how to handle sanctions risk. Everyone in an organization needs to follow the “see something, say something” principle to effectively prevent sanctions risk from entering the organization. If those risks do enter, employees must know how to escalate the issue, knowing that doing so is the right thing for their job security.
- “Take immediate and effective action when compliance issues are identified, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.”
- Meaning: Take clear and prompt action to resolve mistakes, rather than just stating that matters were “human error” and moving on. Human error is often an indicator of an underlying system failure. The best system prevents human error from ever being a compliance issue by having risk decisions and control actions embedded into the functioning of the system.
- “Identify and implement measures to mitigate sanctions and export control risks prior to merging with or acquiring other enterprises, especially where a company is expanding rapidly and/or disparate information technology systems and databases are being integrated across multiple entities.”
- Meaning: In mergers and acquisitions, focus needs to be placed on sanctions and export control risk exposures as a first order of due diligence before a deal is finalized. Those risks cannot be left as an issue to be addressed after the deal has cleared.
- “Parties who believe that they may have violated sanctions or export control laws should voluntarily self-disclose the conduct to the relevant agency.”
- Meaning: Any time there is a risk that your company has committed a sanctions violation that likely involves a US person or US-origin goods, you should always be looking to make a full and complete disclosure of the facts of the matter. A good voluntary self-disclosure will also provide the full details of how your company has addressed the root cause of the issue and ensured that it cannot happen again.
Adhering to these points is not easy; it is a matter of experience and an appropriate approach. You don’t know how to comply just from reading the law or regulation. This article is a good start, but good compliance requires specialized expertise to implement an entire program that is appropriate to the company and business. This is where Sanctions Advisory and our colleagues in The Sanctions Consortium focus our efforts and have the expertise to deliver.
Contact us at international@sanctionsadvisory.dk or in Denmark danmark@sanctionsadvisory.dk and Norway norge@sanctionsadvisory.no if you need help managing your sanctions risk.

