Sanctions and AML: how firms can keep up with evolving regimes
The subject of sanctions is high on the news agenda, with the current situation in the Middle East constantly bringing new developments, after the US imposed heavy sanctions against Iran.
Such significant global events mean the topic in general is under the spotlight, and someone who knows the ins and outs of sanctions and how they can affect businesses is Martha Kliss, Head of Global Trade Compliance at UCB, a global organization within the pharmaceutical industry.
Here, Martha, who has a background in compliance and screening, delves into the impact of an ever-changing sanctions landscape, the impact of the Office of Foreign Assets Control (OFAC)‘s 50% rule, and more…
What has the impact of the evolving US sanctions regime been on companies in your sector?
It’s been very challenging. As the recent news shows, regulations can change almost daily, which makes it very challenging for all sectors around the globe. Since the US market and trading in US currency is critical to many multinationals, it is extremely important to follow the evolving regulations to avoid compliance risks.
What we know is that the current administration in the US has issued multiple executive orders changing sanctions and regulations, and therefore affecting ways of working for those companies active in sensitive regions, such as the Middle East and Crimea.
Companies need to take a risk-based approach. This means having role(s) dedicated to monitoring the ever-changing regulations coupled with developing ways of working where changes are implemented in an agile manner to avoid penalties.
If you’re not keeping up with developments then you’re putting yourself and your company in harm’s way. The key is to be vigilant.
Are companies well equipped to deal with frequent changes and amendments to sanctions lists and programmes?
In the pharmaceutical arena, I would say, yes. The compliance landscape has changed dramatically over the last three years and has become more complex to navigate – because of this most companies should have strong screening processes and procedural controls in place.
In our world, we have the same risks across the board when it comes to entities, embargos and end-use/end-user licensable needs, if the company decides to go into markets that require licenses. However, as it relates to licensable ‘commodities’ (i.e. dual-use), traditional pharmaceutical companies could be less burdened by this type of requirement, unless they work with commodities such as modified microorganism or precursor chemicals also used in narcotics that will require BIS licensing.
Other industries, such as computing, aerospace, or those that are differently regulated (i.e. ITAR), would require a lot more effort and resources to remain compliant.
In terms of being able to deal with the changes to sanctions programmes, I see our industry as being divided into three categories. Small companies, usually more focused on scientific development, tend to need a lot of help with compliance, as they often don’t understand this type of risk or potential impact.
Medium-sized organizations tend to have good solutions and see the benefit of having a robust system in place, while your larger multinationals are, by far, the best in class. These multinationals would normally have dedicated teams just for trade compliance and its different areas, such as export control, regional customs, and so on.
In our industry many are in the mid-tier. Companies have small but robust teams looking after compliance but they also rely on external support from consultant partners when it comes to country-specific support and staying up-to-date.
How far down into a company’s ownership should you go in terms of identifying and assessing sanctions exposure and risk?
With the 50% rule in mind, companies should screen every business partner, apart from employees, to avoid violating country-specific privacy laws. Traditional screening platforms do not identify majority ownership as that is not included in the multiple debarred listings, however, it is critical to have a module that would offer this specific discovery and screening across the board, as those entities would not come up through traditional means.
Our recommendation is to team up with a platform, like Dow Jones, that is able to identify and flag those majority owned entities (50% majority owned). Once these result in a positive match, you still need to do a deep dive into the detail to truly understand the risk and verify if the flag is a false positive or a true risk. You need to have procedure control with escalation governance so that transacting with flagged business partners can be stopped at once.
You must also have a good advisory board in place to assess events that merit escalation, that way you will be confident in your plans to mitigate risk.
What are the stumbling blocks?
Those come when systems are not connected. For example, multiple system platforms require the data elements to be entered in their ERP system. If you’re working outside the system then you are most likely not getting the benefit of third party screening, meaning the company then has to do risk-based analysis to determine where those partners that are not touched by their ERP system are.
You need to map your network, identify those that don’t touch it and then find solutions to perform, download and upload them into your ERP system screen engine to eliminate any potential risk and deal with an undesirable and, more likely, prohibited entity. It’s all about having an end-to-end view, applying reasonable care and doing the best you can as part of your due diligence. This way you are able to act quickly and effectively whenever required.
What are your pointers for complying with OFAC’s 50% rule?
The rule highlights entities owned or controlled by listed individuals that have violated the law. These entities are very challenging for the industry, as this often depends on how the entity is structured, “50% or more owned by one or more blocked persons, is itself is considered to be a blocked entity.”
All of this is driven by the US and, to an extent, the EU. If a company has a multinational footprint, with the US or US currency as an essential part of their operations, its people must be vigilant and have systems in place, which include add-ons to your traditional screening systems, to make sure the majority requirement is captured.
Doing this manually these days is not feasible – you need to depend on a good robust engine that will screen for you and understand overall risk, so you don’t lose leverage in the market because of a compliance pitfall. Again, not doing this by failing to have the right solution in place, can have a very negative impact on companies that depend on the US market or transact in US currency.
What is your suggestion for managing the risk posed by having several buyers in a large organization?
You have to do a risk-based analysis to identify who touches the supplier or potentially interacts with them outside of your ERP/e-procurement systems. That way you can gain visibility of transactions that are not captured in your systems.
So, would you say that maverick buying could have particularly dire consequences in the current fluid sanctions environment?
Absolutely. You don’t know who you are buying from. You could have no idea that you are buying products that could be violating regulations and/or are from a prohibited entity because you did not perform the correct due diligence. You really have to know your suppliers, where the product is made and, in some extreme cases, even the nationality of the labour force making the imported commodity could be a compliance issue.
The role of technology in monitoring sanctions lists
Maintaining and monitoring (effective) sanctions lists involves the determination and screening of large, disparate data sets. This includes company ownership percentages, names of listed individuals that extend to aliases and listed locations. Depending on the size of a business’ customer base, checking and keeping up to date with these lists can be a challenge. This is why many are now opting to integrate screening tools and technologies, such as Encompass, into their practices.
This can bring not only significant time and cost savings, but also provide an extra level of security that manually performing the associated tasks would not give.
How Encompass can help
At Encompass, we know that intelligent process automation (IPA) enables firms to get the full picture on the people and entities they are considering entering into a business relationship with, and it can be done in a way that is both efficient and cost effective, particularly important given the evolving stringent regulatory framework we see in relation to sanctions and AML.
An understanding of the corporate structure and those with beneficial ownership and control of an end customer is central to building this picture and understanding what lies behind a company.
Going a step beyond the unwrapping of the corporate structure in question, another key stage in the process is identifying and analyzing sanctions risk, which, thanks to automation technology, can also be done to considerable effect.
According to a client’s risk-based approach, Encompass is able to screen individuals and entities against preferred suppliers of PEP (Politically Exposed Persons) and sanctions data. The level of screening is determined by a client’s internal policy requirements, and our data integrations mean that existing trusted sources can continue to be used.
Our platform integrates critical data sources, including global sanctions lists, and automatically conducts intelligent analytics to deliver easy to understand global corporate linkage and personal share ownership. This is the starting point for a know your customer (KYC) and third-party risk management process, allowing further automation to build on top of the unwrapped foundation.
This technology-led approach gives our customers a clear advantage. Utilizing the best in class technology is the easiest and most convenient way to satisfy regulators, as well as ensuring continued productivity and efficiency.
Learn more about KYC & AML compliance.