Sanctions: Your Questions Answered

What does it mean to comply with international sanctions on Russia?

Thank you to everyone who came along to our sanctions webinar last week. You can listen again to this webinar here, and share it with anyone in your organisation who may be working on sanctions compliance.

We know sanctions is a complex and confusing issue that many businesses are still grappling with. We will soon be releasing a new course on sanctions called Sanctions: Complying with International Restrictions, as well as a new guide to financial penalties and the strict liability offence within the UK sanctions regime.

To help, we’ve collated and answered the questions we’ve received in about sanction compliance into this blog.

You can also preview our new sanctions compliance training here.

How far do the restrictions go? For example should I refuse to act for a UK resident taxpayer of Russian origin, if he sells real estate in Russia?

This is something many businesses have been grappling with, and there’s not necessarily an easy answer. It probably depends on your firm’s individual risk appetite. Ongoing monitoring is probably going to be the minimum you need to do. What kind of transactions is the client asking you to do? What is their source of funds or source of wealth? Do they have Russian bank accounts, Russian properties? Are they travelling to Russia? 

Theoretically, someone withdrawing money to then go and spend in Russia which could potentially be spent in a sanctioned entity is a risk in itself. You have to look at what the authorities want, which is to offer no safe quarter for oligarchs. You need to ask yourself is your relationship to Russian clients living outside of Russia hindering that policy end? Or more precisely, how are you reconciling those two things?

Can you please clarify how the new civil strict liability offence will be enforced in practice?

Breaching sanctions is now a strict liability offence meaning that regardless of the intent, the OFSI is able to implement a monetary penalty for a sanctions breach. It’s a ‘balance of probabilities’ test, and the OFSI will take into account factors like severity, amount, whether there was wilful intent or not when deciding on a penalty for a breach. But in fact any breach of sanctions could result in a penalty now.

We hear that all dual use goods are restricted by EU/UK even though for civil use – how does that impact goods going from China given both have a large trade relationship?

It doesn’t matter the origin of the goods, so goods coming from China which are on an EU/UK dual use list must still comply with those restrictions, or goods being exported to China which are on the dual use list must follow the rules. Only goods being sent between EU member states (and certain approved states) are exempt from various dual use restrictions. Meaning you could send dual use equipment from France to Spain, but not France to China without following the specific export or import rules.

Why do private suppliers of sanctions screening remain not regulated, because if their services fail (or are sub optimal) it is only the regulated entity (that is using their services) on the hook. Notwithstanding use of services/internal config can be poor.

There’s nothing in the rules or regulations unfortunately about how companies should manage the lists. The lists are published and publicly available and the onus is on the business, regulated or not, to ensure they follow the rules and check the lists. The service providers are essentially offering an easier way to check these lists, but the responsibility still remains on the business to be sure they aren’t dealing with a sanctioned entity and have checked the list.

My company allows for other Ad agencies to display mobile video advertisements through our mobile applications. This agency is not on a sanctions list. Their ads reached users in Crimea, and they paid us on the number of views. In this case, are we considered breaching the US sanction law?

This sounds like a potential issue, yes. Companies like Payoneer have been fined by US authorities for processing payments from Crimea. It depends on if sanctioned entities or individuals are involved in the transaction. If a business relationship is entered into in a region like Crimea it is important to be sure that sanctions are not being breached.

Continued to above question. The users in Crimea just watch the Ads to use the apps only, no payment from Crimea. Is it any issue?

I couldn’t give a legal opinion on this matter, but from a risk perspective I would say this could constitute a risk and it should be carefully assessed. US sanctions compliance is very strict and the US authorities are actively going after companies they consider in breach of sanctions.

As a longstanding corporate governance practitioner who is also registered as a trust and company service provider, I’m very curious whether the government considered the intricate details in making Companies House a regulator instead of a repository. Do you not feel that if insufficient attention to detail is spent in implementation, then any regulatory regime could be half-baked?

That’s a very good question. Clearly this is new territory for Companies House and there will likely be a period of adjustment to their new role. We haven’t heard much about increased resources for Companies House which could also be an issue given that the FATF still considers the UK FIU to be severely understaffed. We will need to see how the regulatory regime works in practice.

What level of sanctions checks do we need to do for other firm’s clients – do we need to check all of their beneficial owners etc or just get solicitors on the other side to confirm they have complied

You need to be sure for yourself that you aren’t dealing with sanctioned entities. For money laundering purposes you can rely on third party due diligence. I am not sure if it is exactly the same process for sanctions due diligence, but if you have the names of the beneficial owners etc then checking them against a list for your own assurance is a good idea.

If a client you represent is in litigation with a company represented by solicitors  and later  goes on the sanctions list. How does this impact my client and any alleged debt owed by them to the now sanctioned party?

Ths could potentially impact any debt owed as the sanctioned entity cannot have economic resources made available to it, and will likely have its assets frozen. In this case you would likely need to apply for a licence from the authorities – OFSI in the UK or OFAC in the US – in order to be paid, or the solicitors on the other side would need to apply for a licence to pay the debt.

What to do if a client appears on the sanctions list?

First you need to understand what kind of match you have. If the name of an individual or entity you are dealing with matches an entry on the sanctions list, this is known as a name match. If there is a name match, but you are satisfied that the individual does not match the description, you do not need to take further action. This happens more often than you think. If that’s the case, record it and write up your reasoning. 

If the individual or entity you are dealing with matches all the information on the sanctions list, this is likely a target match.

If you have a target match, or if you are unsure, it must be reported immediately. You should have a clearly-defined senior management responsibility for sanctions compliance. That function will be required to evaluate the match and determine the next steps. You must stop all work on that client or that transaction. 

The UK recently expanded the scope of ‘brokering services’ what are the practical implications of this for law firms?

A number of sanctions instruments, which are the official name of a sanctions law, include prohibitions on the provision of brokering services. This actually has a broader definition under the UK regime than the EU one. In the EU, brokering services mean the buying or selling of goods, or the negotiation or arrangement of transactions from a third country to a third country. Under the UK definition, brokering services means the facilitation of anything that enables the arrangement to be entered into and the provision of any assistance that in any way promotes or facilitates the arrangement. 

In the UK, this definition would capture indirect financing, or even the provision of related professional advice where it in any way promotes or facilitates the arrangement. The arrangement being the thing under sanction.

There are UK and EU sanctions on brokering services relating to oil and gas projects in Russia, or for use in Russia, alongside prohibitions relating to deepwater, Arctic offshore and shale projects in Russia. 

It is important to remember the purpose of sanctions is to hurt the Russian economy. The Chinese mobile operator Huawei has stopped its roll out of 5G services in Russia. So within a few years there’s going to be a huge gap between Russia and the rest of the world on mobile service, which is the point. So when it comes to dealing with a sanctioned industry, the purpose is to stop progress. 

For the British law firm, are you offering professional advice that in any way promotes or facilitates an agreement, such as technical advice on Arctic drilling, then you might be breaching sanctions regulations. 

Are we obliged to notify the authorities of a target match even if we’ve decided not to do the work?

Yes of course. If you have a target match you can’t do the work anyway so it’s not your decision. Any work done on a target match is breaching sanctions laws. Any target match has to be reported straight away to the MLRO. Solicitors have an obligation to report this to the OFSI, and not reporting a target match is a criminal offence. 

Is it lawful to provide legal opinions to sanctioned entities on the activities they may enter into without breaching sanctions?

I can’t provide a legal opinion so you should speak to the Law Society. It would depend on the actual sanctions regime they entity falls into as well. Some sanctions are only for certain things, like for Iran, sanctions from the EU and UK at least usually focus on oil and dual use goods. 

But if we’re talking about a strict sanctions regime, for example a Russian business that is sanctioned which is a client, you cannot deal with or make funds or economic resources available to them unless there is an exemption in legislation or you have a licence from the OFSI. And you cannot do anything that would circumvent the asset freeze either. So providing advice or an opinion, I would imagine for free since they can’t pay you, might be construed as trying to circumvent the asset freeze. Either way I wouldn’t be doing anything for a sanctioned entity without a licence from the OFSI.

What practical advice would you give to someone in a business relationship with an entity subject to sanctions?

Freeze all their assets and undertake no transactions or assistance unless there is an exemption in the legislation or sanctions regime or you have a licence from the authorities. 

How to effectively deal with Russian entities under current circumstances?

You need to be checking everyone in that chain against sanctions lists. Put them through enhanced due diligence, do source of funds checks, subject them to ongoing monitoring, but also take legal advice that you aren’t breaking the law by engaging with them. As we looked at earlier, the US has been pretty straightforward; they don’t want businesses working with Russia. 

Are you making funds available to a sanctioned person if you contract with an entity that the sanctioned person owns less than 25%?

A beneficial owner is someone who ultimately owns or controls more than 25% of a company’s shares or voting rights, or who otherwise exercises control over the company or its management. In many jurisdictions, anyone fulfilling this level of ownership or control will need to be identified.

So if the entity is neither owned nor controlled by the listed person, then the presumption is that the entity is in principle not affected by the asset freeze or the prohibition to make funds or economic resources available to it. However, it cannot be ruled out that funds or economic resources might be made indirectly available to listed persons via an entity which they neither own nor control. You would need to assess this on a case-by-case basis. Either way you would have had a target match if you identified a sanctioned entity or individual while determining they didn’t own 25%, so at that point you would know from the authorities what the situation is with making funds available to them. 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.