The RegTech Pulse
The RegTech Pulse examines the latest industry and technology trends that help organizations fight financial crime and streamline payments, so money and goods can move safely and securely around the world. Industry experts across the world join the conversation to discuss their insights and share best practices. The RegTech Pulse is brought to you by LexisNexis Risk Solutions, which helps power compliant and assured client transactions to build an interconnected and trusted financial ecosystem. risk.lexisnexis.com/regtechpulse
Taking the Pulse of Sanctions: 2024 So Far - Part Two
Welcome back to episode two! Here we discuss recent enforcement actions by OFAC and other major regulators, and what lessons compliance departments can learn from these. We also touch on insights from the recent ACSS Sanctions and Export Controls Conference in Washington D.C., and discuss possible outcomes for the sanctions landscape depending on the outcome of the U.S. election. Once again we are joined by special guests Saskia Rietbroek, Executive Director of the Association of Certified Sanctions Specialists, and Vincent Gaudel, Compliance Expert at LexisNexis Risk Solutions.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this podcast are solely those of the speakers and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Welcome back to the RegTech Pulse podcast, where industry experts are discussing the latest trends in financial crime compliance. I'm your host, Julia Thorne, and this is the second in our two-part series around sanctions. In today's episode, we're going to be discussing some key OFAC enforcements, new enforcement mechanisms, other regulator activities and some of the key takeaways from the recent ACSS annual conference on sanctions and export controls in Washington DC. We're also going to be looking at what compliance professionals can learn from enforcement actions and how they can use these as lessons to improve their compliance responses. Once again, I'm joined by Saskia Rietbroek, Executive Director of the Association of Certified Sanctions Specialists, and Vincent Gaudel, Compliance Expert at LexisNexis Risk Solutions. Welcome back, both of you, thank you.
Vincent Gaudel:Thank you.
Julia Thorn:Okay, so let's jump straight in. Vincent, we recently released an e-book around OFAC enforcement. So if you want to just dive into some of those enforcement actions that we've seen, some of the settlements, a little bit of the focus area and what maybe we can expect to see from OFAC in the future.
Vincent Gaudel:Sure. Thanks, Julia. OFAC enforcement are always applications that are scrutinized by the industry. They are very important and an important factor why OFAC sanctions are really taken seriously, and what we have seen recently in 2023 was really a landmark year for OFAC enforcement, as we have shown in the recent infographic that we published. 2023 set a new yearly record for OFAC enforcement actions, with a combined amount of settlement that exceeded 1.5 billion dollars. So in aggregate, it was a milestone year, but we also saw some landmark actions related to different types of companies.
Vincent Gaudel:We have seen the largest settlement issued against virtual currency firms, close to $1 billion for the OFAC share of these. It was a combined penalty across several US regulatory agencies, but for the sanctions-related breaches and for OFAC's share of this action, it was already close to $1 billion. And we also see an interesting new record being broken last year, and that was the fine issued against a corporate, not a financial institution, not a virtual currency firm, but really a corporate, which receives an enforcement of 508 million US dollars. So the message is really clear when you look at the types of companies that have been fined by OFAC recently is that there is no sector that is immune from the risk of receiving an enforcement action by OFAC. We have seen various types of sectors receiving enforcement, so it's really a matter for all entities and all sectors to closely consider.
Julia Thorn:And Saskia. Maybe when we talk, we've talked about these enforcement actions. What are some of the lessons that can be learned, I guess, in terms of where people, where organizations, corporates, financial institutions have gone wrong, so where OFAC has come down on them. What are some of the lessons that can be learned from those settlements?
Saskia Rietbroek:Yeah, let's talk through a couple of cases that I think have some interesting lessons for other companies in the field. There was one case last year of an Eastern European bank that got a settlement of 3.4 million dollars from OFAC. They had a client in the maritime shipping industry and then that client owned three so-called special purpose vehicles that each had a bank account on their e-banking platform and they were conducting these clients were conducting transactions from a location in Crimea. OFAC considers that you should be monitoring for IP addresses that are in sanctioned jurisdictions and this bank. They processed several payments for these customers in Crimea in US dollar payments and OFAC considers that it has jurisdiction. The US considers they do have jurisdictions as soon as you start using the US dollar payment. So they imposed this, yeah, settled this case with this bank for a pretty hefty amount of more than $3 million. So I think the lesson here is that you should be integrating IP data into your sanction screening process.
Saskia Rietbroek:Another case that I would like to mention is a case involving a US bank and this US bank. They settled with OFAC for $7 million and one of the subsidiaries of this bank, which was actually not a bank, it was a technology company. They did business with companies that were owned by Sberbank and VTB Bank. Those are Russian banks that are covered by the sectoral sanctions, and the sectoral sanctions also are covered by the 50% rule. So that means that subsidiaries of banks that are sanctioned under the sectoral restrictions are also you cannot do business with them either. And this technology company accepted payments, they issued invoices, so they weren't dealing in like the typical debt, right, securities, but they just issued invoices to these subsidiaries of these sanctioned banks for a communications network that they sold to them. And when an invoice is more than 90 days, if you give your client more than 90 days to pay it, it becomes like issuing a debt. So it is, yeah, quite technical and you wouldn't expect sanctions to go that far. But in this case, yeah, that got them into trouble and it was a hefty penalty there.
Saskia Rietbroek:And then one more case, going back to Vincent's point, that is not just financial institutions that can feel the wrath of OFAC. Very recently, only a couple of weeks ago, in October of 2024, a Vietnamese alcohol company had to pay an $860,000 penalty because of apparent violations of the North Korea program, and in this case, they were selling alcohol to North Korean companies, not directly, again, they were using a US dollar payment. They had no presence whatsoever in the United States, but they were using the US dollar in their payments that they accepted from these North Korean companies, and they weren't direct payments, right, you would think. Well, everybody knows that North Korea is sanctioned. These payments were made by Turkish companies, Hong Kong companies, on behalf of these North Korean entities. So again, you're supposed to be doing your due diligence on companies that may have some sort of link to these North Korean entities that are, of course, sanctioned.
Vincent Gaudel:To continue on some of the points that Saskia was making on the need to take into account IP addresses, I think it's a really important area that has been flagged in several, I think close to a dozen, OFAC enforcement in the last three to four years. Like really to leverage any data point that you hold that could be indicative of a location, leverage that into your sanctions compliance control. So what we have seen the most often referred to are IP addresses, but OFAC also noted some email addresses that are the indication of comprehensively sanctioned country, website addresses, etc. What we see in the enforcement action is a clear focus from OFAC to enforce the comprehensively sanctioned programs. There are a handful of countries or territories that are subject to comprehensive sanctions. There is a clear focus on enforcing violations against those programs.
Vincent Gaudel:And a quick note as well, we continue to see some enforcement action that highlights pretty significant breaches that are related to inadequate screening controls. We continue to see companies that don't have the right tools to do name matching, that implement excessively strict screening tools and that are not able to raise hits on partial correspondence that close correspondences. The tools implemented need an exact match to raise a hit, and OFAC has made it clear that this is not acceptable and we also continue to see several situations where the companies don't leverage all information they have about their third parties for their scanning controls. They miss some hits because they don't leverage all information they have. So it's really important to take a close look at the type of information that you have and that could make sense for screening purposes.
Julia Thorn:So we've talked about location. We've talked about sort of the ongoing monitoring piece. Are there any other areas in particular which regulators are focusing on? We've heard a little bit around export controls and trade compliance. We've talked about, um, I know we've heard the term around, um, micro embargoes and addresses. Would you be able to expand a little bit on that, Saskia?
Saskia Rietbroek:Yeah, no, absolutely so. One of the things that is new here as well is that they're not just names on the different lists, but right now BIS, which is sort of the sister agency right of OFAC it's part of Department of Commerce they have started to list companies' addresses on their list. So you shouldn't just be monitoring for names, but also addresses is something that can be on the list.
Julia Thorn:And we focus very much on OFAC and, Vincent, maybe I can bring this back to you. Beyond OFAC, obviously, they have the big global reach and they're always the ones that we tend to focus on first. What are some of the activities that we're seeing from other regulators, or are there other regulators that are taking that extraterritorial approach like OFAC has taken in the past?
Vincent Gaudel:Yeah, indeed. So exactly how Saskia was mentioning about the BIS being the sister company of OFAC, I think it's interesting to see the expanding reach of export control measures and trade sanctions all of those regulations that are enforced by the BIS. Interestingly, until now the BIS has only issued enforcement action against exporters or corporates. We have never seen a financial institution receiving an enforcement action from the BIS, but this might actually change because we have seen the BIS recently issuing what could be understood as a warning to the financial sector by clarifying all the expectations on financial institutions to comply with the Export Administration Regulations, the EAR. So it should be expected that more enforcement will come from the BIS and potentially enforcement action against financial institutions.
Vincent Gaudel:But outside of the US, we also see other jurisdictions scaling up their sanctions enforcement mechanisms, the prime example for that being the UK. I think it was earlier this month, in October 2024, they established the Office for Trade Sanctions Implementation, the OTSI, which complements the OFSI for the financial sanctions implementation. It had been announced a while back, but now the OTSI is established and that's another indication that more enforcement capacity is granted in the UK and we should expect more enforcement actions to come from the UK bodies as well, and lastly, on the European side of things, we have seen groundbreaking regulatory changes, but more on the AML side of things, with the AML package coming into life in the summer, and among this AML package we now have an EU-wide AML supervisor, the
Vincent Gaudel:AMLA, which will be operating from Frankfurt, and there are possibilities for AMLA to have some enforcement responsibilities in some areas, because now we have in European regulations we have seen some requirements related to sanctions being merged into the AML text. There is now a clear requirement on AML-obliged entities to set up policies, procedures and controls in relation to sanctions. So there is a possibility that as part of the supervisory function the AMLA could enforce against entities that did not implement the right set of policies and controls.
Saskia Rietbroek:And if I can add a little bit about the extraterritoriality. You know, traditionally it was mainly the US right that always had the extraterritorial reach with their sanctions. I think there's been an interesting development as well in Europe in that respect. Traditionally the EU sanctions don't, and still don't, apply to foreign persons that are operating outside the EU, but since this summer EU operators or businesses are obliged legally to give their best efforts to ensure that their foreign subsidiaries outside the EU act in a manner that is aligned with the goals of the European sanctions. So there's been a lot of talk about that, how that will be enforced, etc. But I think it is a major shift in the reach of European sanctions outside Europe.
Julia Thorn:So not necessarily getting any easier for companies in the coming years. Saskia, maybe just a couple of final points from you. I know that you came back, last week I think, from the ACSS Sanctions and Export Controls Conference in Washington DC. I wondered if you wanted to share some of the insights that you had, some of the highlights from that conference, with listeners.
Saskia Rietbroek:Yeah, no, absolutely. The ACSS conference in Washington DC was last week, on October 23 and 24. And it was a very good discussion, very high-level discussion, because we had several regulators as speakers there, high-level officials from different agencies, including BIS, OFAC, Department of State, and I think one of the takeaways from the conference was that BIS is broadening the circle.
Saskia Rietbroek:Like Vincent mentioned, they've been focused a lot in all their enforcement actions so far on the industry, the global exporters, the exporters, but right now, with the recent guidance that came out from BIS to financial institutions on best practices for compliance with the EAR, it looks like they're bringing in the financial sector on topics related to export controls to the EAR. This recent guidance really puts things on paper. It brought a lot of clarity for the financial institutions, but they're still scratching their heads right how to comply with this. And I mean, if you want to, if someone in compliance in a bank, you typically didn't deal with the export controls, but there's now this message saying that financial institutions should be doing more to detect controlled goods, to detect evasion related to controlled goods. So this broadening of the circle means that sanctions compliance officers can no longer say well, you know export and controls is more of my client's problem. It is a problem that the bank itself needs to worry about.
Julia Thorn:Thanks, Saskia. Vincent, I wondered if we could maybe close with you, and I know that I haven't prepared you for this, but is there any kind of closing thought that you wanted to share, based on the data that we've seen from OFAC in 2023, some of the regulations that we've seen in 2024 and the sanctions activity that we've seen so far, any kind of advice, I guess, for compliance professionals based on what we've been seeing, how they can maybe prepare for the future?
Vincent Gaudel:I guess the takeaway is that you should really pay close attention to the adequacy and effectiveness of your compliance programs. Actually, OFAC is consistently referencing a document that they issued back in 2019, which is called the Framework for Compliance Commitments, and that document should really be taken as the blueprint at a high level for what a compliance program should look like. There are five key components to this framework. The first one is the management commitment, the tone from the top. There must be a clear commitment by the senior management on sanctions compliance. The second one, and I think something that we must emphasize, especially considering the complexity of sanctions and the dynamic nature of sanctions, is the risk assessment. It's really important to have a comprehensive and up-to-date risk assessment to really map out your exposure to potential sanctions risk. That risk assessment is also critical to really inform the design of your program.
Vincent Gaudel:And that's the next key component in OFAC's framework, the internal controls. With that risk assessment, you need to be able to design the right set of controls and those controls need to be checked. That's the fourth pillar, right, the testing and auditing of internal controls to make sure they are adequate and effectively working. And, last but not least, again it's back on the kind of the human components to compliance. It's about training. You need to deliver staff training throughout the organization to clearly have the expectation, the good practices, and for everyone in the organization to have that culture of compliance and understand the stakes of sanctions regulations and the stakes of not complying. Potentially, as we have seen, it can be a steep price to pay.
Julia Thorn:All right and, saskia, I know that you don't. None of us has a crystal ball. When this episode is releasing, it will be basically on or around quite a major event happening the US election. I wondered if you wanted to give any kind of speculation as to how different results of that election may impact sanctions policy going into 2025.
Saskia Rietbroek:Yeah, it's always hard to predict, right, and this is something that we talked about at the ACSS conference last week as well. You know what will happen after the election. What can we expect, and these were just some comments that I heard. In terms of working with allies, right, working with the European Union, the UK, the G7. Harris will probably continue, will pursue a continued plurilateral approach. You know, on sanctions and export controls, Trump will probably be like will be fine to do it, so that in terms of working with allies and in terms of tariffs there was also some discussion they will probably stay under both but grow under Trump.
Saskia Rietbroek:Then, with respect to export controls, there was a discussion on key technologies. You know the key technologies continue to be ratcheted up. You know the controls surrounding that, but under Trump it will probably be more on key economic actors through the entity list. Then, in terms of human rights sanctions, we talked about that at the conference and it will probably what people expect that there will be more of a focus under Harris on those types of sanctions compared to Trump. And semiconductors both want to make more in the US, both want to focus the production in the US of those semiconductors, so that will not make a difference, whoever wins. So those are some of the things that were discussed on the post-election aftermath for people in our sanctions and export controls community.
Julia Thorn:We'll wait and see. Thanks, Saskia. That brings us to the end of this episode, the two-part series on sanctions. Vincent, Saskia, thank you so much for joining and sharing your insights here.
Saskia Rietbroek:Thank you very much for having me in this podcast and looking forward to seeing you all in real life again soon.
Vincent Gaudel:Thank you very much and thanks for listening and goodbye everyone.
Julia Thorn:This was the RegTech Pulse podcast brought to you by LexisNexis Risk Solutions. Thank you so much for tuning into this two-part series on sanctions. If you missed the first one, go back and take a listen. If you'd like to access any of the materials referenced in these podcasts the Sanctions Pulse e-book and the OFAC Enforcements ebook we will be posting links in the show notes. We hope you enjoyed this insightful discussion and we hope that you join us again soon on the RegTech Pulse.