How do international sanctions work?

A guide to understanding and using sanctions lists

Sanctions are a diplomatic tool used to promote international peace and security and to combat violations of international law and terrorism. They do this by applying economic pressure on a country or regime by restricting dealings with the regime, as well as certain individuals and entities. The goal of using sanctions is to pressure a regime to change its behaviour regarding certain political, military, or social issues. 

Sanctions are legal limitations put in place by individual countries like the United Kingdom or the United States, or by international institutions, such as the United Nations (UN) and the European Union (EU). They may include various forms of trade barriers, from tariffs and restrictions on financial transactions to broad embargoes. 

Do you need a sanctions tool?

You don’t always need a sanctions tool, but you do still need to comply with sanctions. All businesses must comply with sanctions laws. This means no company or individual can do business with a sanctioned person or company. They can’t take payments from them, they can’t sell them anything, and they can’t offer assistance which could enable the entity to evade sanctions. Breaching sanctions rules is a criminal offence. 

Some businesses will use an automated sanctions tool which collates and updates data from all the main sanctions list. While this can be a good solution, it is not always cost-effective for smaller companies or those who only need to make occasional checks.

You can do a sanctions assessment yourself. This means checking the customer’s details against various sanctions lists in order to be sure there is no match and they aren’t on any sanctions lists.

What are sanctions lists?

Sanctions lists are databases of information published by a national government or international organisation, which designate certain individuals or entities as being subject to sanction. These lists might include information such as date of birth, names or aliases, or last known locations, along with reasoning as to why the individual or entity is on the sanctions list. The quality of data on these lists can vary widely, however. It can also take a long time to update or change sanctions lists.

It might be surprising to know that actually, most countries in the world do not have their own sanctions lists. Only 22% of countries actually publish their own, independent sanctions lists. The vast majority rely on other lists like those published by the EU and the UN.

That’s why it’s vital to always refer back to these main lists from the EU and UN, as well as lists published by the US and UK, when making an assessment as to whether or not someone is on a sanctions list. Not every country will publish their own list. 

A person trying to evade sanctions might explain they are not on their country’s sanctions list. But that could be because their country does not have a sanctions list. 

The US sanctions list

US OFAC SDN sanctions list is the most important in the global sanctions landscape due to the importance of the US financial system. The list also has high-quality information and is easy to access, with multiple fields which create a comprehensive picture of the target. 

OFAC also provides a built-in search tool to help navigate the more than 10,000 entries on the sanctions lists. 

The EU sanctions list

The European Union maintains a consolidated list of “persons, groups, and entities” who are subject to EU sanctions. All 27 EU member states must decide upon and implement EU sanctions, meaning the sanctions apply to all member states. Some EU countries will only follow the EU list, meaning there is no additional national list to consider. 

Other sanctions lists to consider

When building a comprehensive sanctions compliance programme, it is important to consider your risk exposure. For international companies with clients potentially anywhere in the world, the potential for risk exposure can come from anywhere.

The most comprehensive approach for international companies will require the widest consideration of sanctions lists. If your business only checks customers against the EU list for instance but the client is from outside of the EU or is actively trying to evade sanctions, a sanctions breach could still happen given that all 27 EU member states must approve new sanctions.

The more sanctions lists which are consulted, the better. The French sanctions list: the Tresor Registre Des Gels is a useful list to incorporate into sanctions assessments. The French list also includes detailed explanations regarding why a subject is listed for each entry, which allows users to fully comprehend the reasoning behind each entry. 

The Holy See (Vatican City) also maintains its own sanctions list. Although the Holy See is not a member of the EU, or even the UN as a matter of fact, the country’s sanction list is a frequently updated and valuable tool for ensuring comprehensive sanctions compliance. 

It’s not only the UN and EU that levy sanctions. Other international organisations such as the African Union and Arab League occasionally issue their own sanctions. Saudi Arabia, Qatar and South Africa also issue their own sanctions lists.

Building a sanctions compliance programme

Sanctions compliance is something every business should consider. However, maintaining compliance does not necessarily have to be complicated or expensive. Undertaking a check of a customer who could be a risk, either because they’re unknown or from a high-risk jurisdiction, helps to ensure compliance with sanctions rules. 

Remember to always maintain a written record when undertaking a sanctions check. Record who was checked, how, when, and against how many sanctions lists. Showing a ‘paper trail’ of sanctions checking may be required as a defence if you are targeted by those trying to evade sanctions. 

Next steps for business on sanctions compliance

  • Ensure there is an updated sanctions policy, alongside a sanctions risk assessment
  • Put staff through sanctions training so they understand sanctions risks, who is at risk, and how to make a check
  • Put in place an onboarding system such as Omnitrack or make sure your own client onboarding system has the functionality to ensure sanctions checks have been done.
  • Communicate to staff who the responsible individual for sanctions compliance is
How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.