An effective compliance program is critical to mitigating the risk that a sanctions violation will occur. In the US, OFAC encourages a risk-based approach to sanctions compliance. In the UK, the FCA expects regulated entities to tailor their systems and controls to mitigate the risk of financial sanctions violations. In France, companies are encouraged to follow US and UK best practices. In Italy, international standards also apply. Moreover, the Bank of Italy requires financial institutions and operators subject to AML obligations to apply risk-based policies in order to define the degree and extent of client verification (“know your customer” checks) and to implement appropriate procedures and policies. The Bank of Italy expressly requires that client verification include checking whether the client appears on any of the lists of designated entities and persons adopted by the EU/UN.
As to the export of dual-use items, Commission Recommendation (EU) 2019/1318 provides non-binding guidance to help exporters identify, manage and mitigate risks associated with dual-use trade controls. The relevant principles can also be used as a reference for the implementation of an appropriate sanctions policy.
There is no one-size-fits-all approach. However, an effective sanctions compliance program will typically include the following:
- a top-down approach;
- up-to-date policies and procedures (including disclosure requirements);
- clear communication of policies and procedures;
- periodic training tailored to the risk profile of the company and the level of involvement of particular types of staff (and third-party agents);
- risk-based sanctions screening process;
- dynamic sanctions screening that is aligned to third-party due diligence procedures;
- regular reviews, as daily updates to the US, EU and UK sanctions lists necessitate them;
- non-US companies should screen for SDNs even without a US nexus to the transaction to avoid secondary sanctions, unknown US nexus, and reputational risks;
- processes in place for considering to whom payments are made and whether these funds come from a legitimate source;
- systems and controls in place that are tailored towards minimizing the risk of a sanctions violation;
- a system for reporting potential violations, conducting appropriate internal investigations, and imposing remedial measures;
- regular audits and reviews of sanctions screening policies, procedures, and training; and
- independent audits and testing.