Facing the myriad third-party sanctions risks can be daunting. Many global organizations rely on a network of third-party intermediaries that pose a variety of risks. To mitigate those risks, companies have to implement practical steps tailored to the specific risks.
Let’s start with some basic compliance requirements. Initially, as part of the onboarding process and assignment of a sanctions risk category, global organizations have to conduct due diligence to unearth any potential issues. These issues will include: (1) beneficial ownership; (2) presence of existing or former government officials (and closely related family members); (3) prior enforcement or civil litigation matters relevant to the risks presented; (4) existence of a compliance program, including policies and procedures and training; (5) proposed business relationship and course of business; and (6) financial status and health of the third party. As part of the due diligence process, the company has to conduct independent research relating to the third party based on Internet searches and follow-up inquiries using relevant databases and intelligence platforms.
The proposed agreement between the organization and the third party should be clear on the expected course of dealing, including the territory (or territories) in which the third party should operate and expected markets in which the third party will operate. For example, if the proposed agreement includes Iran as a territory in which the third party will operate, that provision would create obvious problems and would have to be removed.
The contract with the third-party should contain relevant compliance representations and certifications that are tailored to the specific risks uncovered during the onboarding process. At a minimum, the contract should include robust certification provisions ensuring that the third-party will: (1) comply with all applicable economic sanctions laws and regulations; (2) submit periodic certifications of compliance as directed by the organization; (3) notify the organization if there is a potential violation; (4) participate in appropriate compliance training or deliver its own compliance training session(s); (5) complete end-user verification documentation when required; and (6) comply with specific testing or auditing requests from the company, including verification of end-use shipment data and documents.
To the extent that specific issues arise during the onboarding process, companies should tailor the contractual provisions to address these representations. For example, if the third-party has a family relationship with a prohibited (or restricted under sectoral sanctions) party, the company should craft a specific provision to address that risk.
While contractual provisions sound good on paper, and even in practice, the existence of contractual representations, by itself, is rarely sufficient to avoid potential liability under sanctions laws and regulations. For example, in the 2019 Apollo Aviation OFAC enforcement action, OFAC settled an enforcement action for $210,600 for violation of the Sudanese Sanctions Program despite the fact that Apollo’s contract leasing a jet engine included a provision prohibiting the lessee from violating sanctions laws and regulations. The lessee subleased the jet engine to a Ukrainian party who violated the Sudan Sanctions Program. OFAC noted that Apollo Aviation took no steps to ensure compliance with the contractual prohibition on dealing with prohibited countries, entities and individuals.
OFAC has consistently taken the position that contractual provisions are one of several required steps that companies should take to ensure compliance with sanctions laws and regulations. To this end, OFAC has cited the importance of periodic certifications of compliance, along with robust monitoring and verification procedures to ensure that third parties adhere to United States sanctions laws.
OFAC’s enforcement actions and compliance guidance underscore the importance of audit, testing and verification procedures as a key tool of any sanctions compliance program. In my view, this should be a high priority for all trade compliance programs. An effective auditing, testing and verification program is essential and has to focus on those high-risk third parties that may transship goods and provide services to prohibited countries, entities and individuals.
In crafting such a program, the first step is to implement appropriate verification procedures and documentation for completion by the third party. Based on this documentation and considering the level of risk, a tier-based testing program should be used to collect and analyze a sample of transaction documentation relating to third-party transactions. In this respect, companies should collect and review invoices/purchase orders, shipping documentation, bills of lading and other appropriate documentation to verify that the end-user/customer was the recipient of the goods. In the case of services (e.g. software), documentation again should be collected and reviewed to verify the ultimate recipient of the specific service (e.g. cloud delivery of software). Depending on the results of the sample transactions, additional sampling may be necessary to ensure overall compliance.
The monitoring program should include appropriate check-ins and informal interviews with company representatives responsible for maintaining the third-party relationship, along with other information collected during the audit, testing and sampling review.