If companies operated with perfect governance mechanisms and controls, they would all be ready for the coming sanctions enforcement storm.  However, that is not the corporate reality.  Even after several companies are the subjects of these aggressive enforcement actions, corporate boards, senior risk managers and senior executives will turn to the chief compliance officer and ask — “do we have an effective sanctions compliance program?”  I can see it play out in my head over and over again.

No one in the business world can claim they are surprised.  DOJ has stated its intention repeatedly over the last two years — DOJ’s new focus is not just because of eh Russia sanctions program and the war in Ukraine.  Rather, DOJ’s new focus reflects the clear linkage of corporate criminal conduct and national security threats.  Companies that engage in sanctions violations jeopardize our country’s national security and foreign policy objectives.  The connection is inextricable and DOJ has realized the need to bring the hammer down in this area.

Luckily, companies should know how to build effective sanctions compliance guidance.  There is a lot of guidance available for companies to rely on and building a compliance program to address sanctions is not “rocket science” (although the last time I used that phrase with a prospective client, he responded, “Well Mike, my last position before legal and compliance was as a rocket scientist.”

Start with the Justice Department’s Evaluation of Corporate Compliance Programs (March 2023 edition) and the National Security Division’s Voluntary Disclosure Policy.  Add to the mix the excellent guidance from the Treasury Department ‘s Office of Foreign Asset Control, A Framework for Sanctions Compliance Commitments.  Further, OFAC has a lengthy record of sanctions compliance enforcement settlements that outline a variety of compliance lessons learned and best practices for remediation and overall compliance foundations.

The Basic Five Elements

An effective sanctions compliance program has to address five basic elements: (1) Senior Management commitment; (2) Risk assessment; (3) Internal controls; (4) Monitoring, Testing and Auditing; and (5) Training.

There is nothing surprising in these five elements and they dovetail neatly with DOJ’s more extensive ECCP.  Both provide more than enough for companies to fashion.

From my perspective, here are my top-5 deficiencies that companies need to address:

First, Corporate boards and senior management are often clueless when it comes to understanding sanctions risks and the need for robust ethics and compliance mitigation.  It took a long time for boards and senior executives to understand the need for anti-corruption compliance and we are not very far down the learning curve on sanctions compliance.

Second, companies have failed to unravel and understand the significant third party risk created by distributors who resell products to prohibited customers or end users.  Just like FCPA risks, third party violations are relatively easy for DOJ to establish for sanctions violations since companies rarely undertake measures to track there their products go and who is using them.  Companies are quickly embracing end user certificates and traditional end user certificates and documentation.

Third, companies need to conduct supply chain audits to understand where they are sourcing materials and products. Stakeholders and the European Union are pushing companies to undertake robust supply chain audits to uncover serious risks such as slavery, human trafficking, and sanctions violations.  IN the US, OFAC already has pushed this same requirement for companies but few if any have embraced the need for supply chain audits as a means to mitigate sourcing and sanctions risks.

Fourth, companies need to build a basic set of internal controls to ensure that sanctions issues are identified, escalated and properly resolved.  This is not such a difficult task but companies have failed to implement basic escalation controls to ensure proper review and resolution of red flags.

Fifth and finally, OFAC has stated that companies should conduct training annually for those responsible person.  Unfortunately, few companies have satisfied this requirement.  It is so basic and so obvious but for some reason companies have ignored or forgotten this basic requirement.