Following the unprecedented levels of sanctions activity in response to Russia’s invasion of Ukraine, which has resulted in companies dealing with the most significant and complex sanctions regimes across multiple jurisdictions, authorities in the US, UK and EU are now turning their attention to enforcement of those sanctions.
Sanctions authorities have indicated that they are bolstering their enforcement teams to handle the expected increase in sanctions-related investigations, and we are seeing an increase in requests for information from authorities across multiple jurisdictions to support on-going investigations.
In light of this, companies need to ensure not only that they have robust sanctions compliance programmes in place (as this may be a mitigating factor when faced with an investigation), but also the ability to identify any potential breaches and respond swiftly when detected. In this regard, authorities will expect companies to keep their risk assessments up to date, taking into account lessons learned from the Russia sanctions, and to enhance any existing processes in relation to the investigation of suspected sanctions breaches.
We have summarised below some of the key points to consider at the outset when responding to a potential sanctions breach, and the steps companies should be taking.
1. Identify the potential breach and stop the activity that caused the breach:
Review and identify the activity which triggered the potential breach. For example, was it dealing with a restricted party or country, or was the type of transaction or product restricted?
Having identified the potential breach, ensure that controls are put in place to stop the activity that caused the breach and to prevent further steps being taken (e.g. to prevent shipments of goods or on-going payments being made to a sanctioned individual or entity).
2. Conduct a preliminary review of the scope of the potential breach and consider the specific sanctions breaches:
Having identified the activity that triggered the potential breach, you then need to consider its scope. The outcome of this analysis will dictate any reporting obligations and to assess next steps with authorities.
Work out which sanctions regimes apply (considering, for example, the location of the company, where the breach occurred, and any jurisdictions to which goods were sent), and the laws or regulations that were in force at the time of the breach. External lawyers should be engaged at an early stage to ensure that all considerations are appropriately factored in and privilege maintained over communications to the extent possible.
You should also be considering whether the potential breach was a breach of the relevant laws or regulations, the policies of the company, and / or any contractual obligations – and then what that might mean for the company going forward.
3. Conduct an internal investigation
Having reached a preliminary review on the potential breach and its scope, consider whether you need to conduct an internal investigation.
Companies need to have in place a step-by-step plan to ensure that the investigation is properly structured, protected by privilege, that an audit trail is preserved, and the investigation is conducted to a standard defensible in front of authorities given the risk of potential external investigations. External counsel should continue to be involved in this process: this is particularly important when dealing with cross-border matters to ensure appropriate advice is given on differences in applicable laws and regulations.
Key steps may include:
- putting in place a Terms of Reference to define the client group and scope of the investigation, and to seek to preserve privilege and put in place communications protocols to protect confidentiality;
- identifying who the relevant custodians might be – and ensuring that their data is put on legal hold where possible and document preservation notices are issued;
- collecting any potentially relevant emails, instant messages or mobile data forensically (to ensure that the process is defensible to authorities);
- taking appropriate data privacy advice, particularly when dealing with cross-border matters; and
- reviewing and analysing the data and conducting interviews.
Throughout the process, all decisions should be documented, and the audit trail preserved.
4. Consider the consequences of the breach and reporting obligations
In parallel with conducting any investigation, you will need to form a view on the potential consequences arising from the breach and any obligations the company may be under as a result. Depending on the circumstances, you may be able to form a view relatively early in the investigation, whilst in others it will be more complex.
Key considerations may include:
- Are you under an obligation to report to sanctions authorities?A violation of reporting obligations could amount to an offence, so it is essential to be aware of the applicability and scope of any reporting obligations.
- Do you need to report to other regulators / authorities? Consider whether you are under an obligation to report to other regulators or authorities: for example, do you need to file any Suspicious Activity Reports to the NCA, or report to the FCA?
- Should you make a voluntary disclosure? Even where there is no obligation to report, the company may still benefit from a voluntary disclosure given that this may lead to discount on a penalty, or additional ‘cooperation’ credit with the authority in question should the matter reach the enforcement stage.
- Do any other third parties need to be notified? Make notifications to other parties if necessary. There may be disclosure obligations to board members or other stakeholders, including contractual requirements.
Be aware that sanctions regulators and authorities are likely to share information with each other. This is seen increasingly with enforcement authorities across jurisdictions. It is important to view potential breaches holistically, and approach authorities consistently.
A breach of sanctions can have significant legal, financial and reputational consequences for companies. Whilst an effective sanctions compliance programme is extremely important, companies need to ensure that they are prepared to take the appropriate steps at an early stage when faced with a potential breach. The initial response will set the tone for the future engagement with the authorities and could be significant later down the line when responding to information requests or negotiating enforcement outcomes.
For a more detailed practical guide to investigating potential sanctions breaches, our global team covering US, UK and EU sanctions have recorded a webinar for clients to access on demand. Please contact us for further information.