Sanctions screening your third-parties

International sanctions affect companies in any industry, and – as recent enforcement action has shown – companies of varying sizes. As such, sanctions are one of the most important risk factors to consider in any compliance programme.

No one wants to be found to have business ties to a sanctioned entity given the potential for significant financial penalties and reputational damage.

As a result, sanctions screening has for a long time been the bedrock of any compliance programme that has to consider large numbers of third parties.

How does sanctions screening fit into a risk-based approach

We work with many types and sizes of companies with varying global footprints. One question that comes up time and again is whether an organisation needs to check all the third parties it is working with (or planning to work with) against sanctions lists or whether the application of sanctions screening could, or should, be determined based on risk.

Many of our clients choose to run simple sanctions screening against all their third parties as a bare minimum. It is simply not worth running the risk of going into any relationship blind and accidentally breaching sanctions.

And with about a hundred anti-terrorism or other economic sanctions lists around the world with varying degrees of significance and application it is an impossible task to check them without the help of a specialised screening solution.

The dangers of hidden links

Another challenge to be aware of with sanctions is indirect or hidden sanctions risk. The US, EU and UK dictate that companies which are 50% or more owned by one or more sanctioned entity or person are considered sanctioned themselves but they do not provide separate comprehensive lists of these entities, leaving the onus on you to find out.

Third parties can also have surprising connections that pose a sanctions risk. An entity registered in the UAE can still have links to sanctioned entities in Iran, for example.

In 2018 US-based electronic manufacturer Epsilon Electronics Inc agreed to pay $1.5m to settle an OFAC (Office of Foreign Assets Control) enquiry into business transactions made with a Dubai-based distributor that then sold the goods in Iran. While OFAC’s investigation could not find direct proof of Epsilon’s products being shipped to and distributed in Iran it found enough indication on the Dubai distributor’s website of links to Iran and goods being distributed there via an affiliate, to show intent to redistribute to Iran.

As a result, not having sufficient information on affiliations or a good understanding of a third-party’s footprint and operations could expose you to inadvertent sanctions breaches.

This kind of indirect link would not be captured through sanctions screening alone, so for your higher risk third-party relationships more enhanced due diligence is needed.

Sanctions lists are constantly changing

Sanctions lists are not static. People and companies can be added or removed from them at any time. Without continuous monitoring of those lists, one of your third parties or their affiliates could be added to a list, putting you in immediate danger of sanctions breaches, even if you checked them before signing your contract.

If you have a large third-party population, it is simply not feasible to check the lists regularly and cross-reference against your third parties, nor is it time- or cost effective to rescreen all your third parties as frequently as needed.

Depending on the profile of jurisdictions and sectors you operate in, and the kinds of third parties you need to engage, you may find you get a higher or lower amount of potential hits when you conduct screening.

For some of our clients, this is a straightforward task they can comfortably manage in house, for others this task is simply not manageable with a small and overstretched compliance team with limited foreign-language capabilities.

Sanctions screening is the bare minimum check for third parties, though any compliance programme will benefit from a risk-based approach, whether this is running screening with different configurations for different risk levels or knowing when to escalate to a deeper level of due diligence.

However, you choose to run your screening programme, make sure you think about how you will manage the challenges of hidden risk through sanctioned affiliates; stay up-to-date with any changes to sanctions designations; and conduct false positive and negative reviews to make sure you are focused on what is relevant.

Emily Morgan is client services director at Control Risks