The risk of violating Russia sanctions is greater than many companies realize because of the way bad actors work through third parties and in third countries to mask who their ultimate beneficiary is, compliance specialists say.
Just as some companies are trying to blend Russian oil with oil from other countries to evade sanctions by the United States and other western governments because of the war in Ukraine, many companies are working through fronts in Turkey and elsewhere to get microchips and other goods into Russia, putting American companies at risk of having to pay penalties for even inadvertent violations.
“Sanctions liability in the U.S. is a strict liability, without knowledge,” said Tom Firestone of Stroock & Stroock & Lavan in a Lextegrity webcast. “So, if you’re dealing with an SDN [specially designated national] you can be held legally liable for that regardless of your intent.”
Broadly targeted sectors
The Russia sanctions are especially challenging because, unlike in the past, the penalties apply to all types of companies and not just to banks and other financial institutions, which have tended to be the focus of sanctions.
“Any company that has some nexus to Russia or countries neighboring Russia, or countries friendly to Russia such as Turkey or UAE, have risk exposure,” said Mihnea Rotariu, risk and compliance analytics director at Lextegrity.
U.S. Department of Justice Deputy Attorney General Lisa Monaco earlier this month called Russia sanctions the new Federal Corrupt Practices Act (FCPA), meaning it’s the agency’s biggest focus in terms of rooting out the kind of illegal practices that ensnare U.S. companies because of their foreign partners’ business practices.
“Sanctions don’t mean anything if people can easily evade them, so you have to stop the evasion, and that’s a key part of foreign policy right now,” Firestone said.
The compliance specialists say they’re getting requests from companies new to this kind of scrutiny because they haven’t had to have systems effective at spotting this level of evasiveness before.
“Russian businesses are relocating to third countries so they don’t appear to be sanctioned Russian businesses,” Firestone said. “They’re hiding behind front people in third countries.”
“Let’s say a Turkish company has an agreement with a German company and the Turkish company has a separate agreement with a Russian company,” said Rotariu. “So, after they buy their products from Germany, they sell them through countries like Kazakhstan or Azerbaijan, to Russia, so unknowingly your product might be transferred to Russia.”
From a risk management standpoint, general counsel should have an assessment conducted by an outside party. Not only can the independent specialist match the systems to the company’s risk profile, but it can give the company arm’s-length protection if its goods inadvertently get into the hands of a Russian company.
“If you’re before OFAC [Office of Foreign Assets Control] or DOJ, and they ask, ‘Why didn’t you rake this due diligence to the 12th level? You stopped at the 8th level,’ you’ve got to have an answer for that,” said Firestone. “The answer should be, ‘We did a risk assessment, which identified these areas of risk, and from that recommendation we did this level of due diligence.’ That’s a much better answer than, ‘We didn’t think we needed to go that far.’”
The risk assessment can also help keep your compliance systems updated so they catch the latest practices by bad actors.
“If you’re capturing risks from five years ago but not the risks today — the intermediate in the UAE, the mixing of Russian oil with Lithuanian oil — your compliance is not an effective or robust program,” Firestone said.
Once the risk assessment is completed, you want to develop a system that helps you do due diligence on your foreign business partners, with the goal of uncovering any company or individual behind the companies.
“The fact that [bad actors] have done a good job of masking their participation in transactions doesn’t necessarily protect you,” said Firestone. “In fact, it makes it all the more important you get underneath the structure to figure out who you’re dealing with.”
Even with business partners that appear to have nothing to do with Russia, it’s crucial to know who is behind them.
“If the board wants to know, with a transaction that has nothing to do with Russia, who the business partners are and whether they have a connection to Russia, that’s exactly the right question to be asking,” Firestone said. “Because the transaction may ostensibly have nothing to do with Russia but it may in fact have a lot to do with Russia. You want to make sure you’re not being dragged unwittingly into some sanctions evasion scheme.”
The system should also track transactions to identify red flags.
“If for the last five years a certain distributor in Turkey has been buying $1 million worth of product a year, but suddenly after the war started, you see that distributor buying $10 million, that’s a transaction you want to understand,” said Rotariu. “If you’ve onboarded a vendor that you’re expecting to do $250,000 a year in transactions, but when you’re looking on a monitoring site you’re seeing huge volumes of transactions going through that third party, maybe that should prompt compliance to update their due diligence and do a more detailed due diligence, reach out to a third party and ask for additional due diligence, because it wasn’t the risk model you were expecting.”
The systems a multinational needs to stay on top of these compliance risks aren't cheap, typically in the millions of dollars, but the penalties and reputational damage for getting ensnared by an evasion scheme is higher.
“Look at settlements and fines OFAC and DOJ have come out with and say, ‘Look at Company XYZ; do we want to end up like them because we didn’t have a compliance program?’” Firestone said. “You can’t show a profit from it. Obviously, it’s preventative.”