Sanctions risk management
Sanctions are a fact of life for Swiss companies and must be considered, regardless of their size
Sanctions are non-punitive but restrictive measures aimed at curbing malign behaviour internationally. Sanctions may target states, entities, organisations or individuals. In broad terms, they address nationals of the issuing state, and business done within the state’s territory and jurisdiction. The UN, the EU, and individual nation-states such as the US or Switzerland publish their own sanctions regulations and targeted lists of individuals.
In simple terms, sanctions fall into one of three broad categories, namely financial, trade and services sanctions:
- Financial sanctions are restrictive measures imposed on designated persons with the effect that the funds or other assets of these designated persons must be frozen. Further, making available, directly or indirectly, any other funds or economic resources to these designated persons is also prohibited.
- Trade sanctions are measures restricting commerce with a specified country, e.g. the exchange of specific goods (typically military and/or certain dual-use goods or goods for internal repression).
- Services sanctions encompass other restrictive measures imposed on specific persons/sectors that are often related to specific transactions including the prohibition of rendering certain financial services.
Complexity of sanctions
The complexity of sanctions regimes is ever increasing, enforcement actions are intensifying and the jurisdictional reach of policy behemoths is expanding; hence compliance costs are increasing exponentially.
All companies irrespective of the sector of activity must take sanctions regimes seriously: multinational banks and SMEs alike may infringe sanctions regimes as a result of their business activities.
Each company has a specific risk-DNA that is derived from its:
- jurisdictional exposure;
- product range; and
- business partner/supplier/client network, among others.
Simply applying sanctions screening is not a panacea, and getting screening right is a delicate calibration exercise that requires expert advice. Screening is critical, but it is only a small part of an overall internal compliance programme (ICP). Recommendations as to what an ICP should contain abound, but what follows is the way to do it in practice.
Sanctions compliance framework
Is your sanctions compliance framework currently addressing the needs and risks of your business?
Sanctions risk can be addressed in a number of ways: you can take preventative actions, invest in detecting existing risks, or simply respond when sanctions risks materialise. Ideally, one would apply a mix of the three elements: prevent, detect, and respond as appropriate to your business's risk appetite.
- Do you have system-related controls and sanction compliance reviews in place?
- How do you manage impact in case of detected shortcomings?
- Do you have guidelines for conducting internal investigations?
- How do you ensure that your sanctions compliance framework is agile and adapted to changing business circumstances/legal regimes?
- Conduct investigations related to sanctions, including exposure assessments, root-cause analysis and remediation of impacted relationships and processes.
- Support with handling breaches (including communication with relevant regulators and authorities).
- Perform sanctions compliance reviews (audits) and manage the impact and consequences in case of shortcomings.
- Review whistleblowing and escalation protocols.
- Do you have a clear allocation of responsibilities/segregation of duties and tasks?
- Are your reporting lines clear and transparent?
- Do you dispense training and organize awareness sessions?
- How do you guarantee access to the relevant resources (laws/tools)?
- Do your staff benefit from trade compliance-related working instructions and guidelines?
- Design/develop/implement sanctions compliance frameworks including providing IT implementation support.
- Development of audit plans/country risk ratings.
- Assess existing sanctions compliance frameworks and related technologies, perform risk assessments and maturity testing, identify gaps that pose risks and propose solutions to optimize and mitigate.
- Define target operating models, related procedures and controls to ensure an effective sanctions screening.
- Perform functional testing of sanctions related controls.
- Provide training and awareness sessions to key stakeholders (e-learning).
- Define sanctions compliance working instructions, guidelines and workflows/approvals processes.
- Do you have manual/automated/retroactive controls in place? Are they operating effectively?
Do the following concepts resonate with you, and how many of them are applied in practice in your company?
- 4-eye principle
- Signature regulation
- 2-level approval process to release BP
- Documentation and check-lists
- BPDD and SPL screening (export blocks)
- License management
- BP master data reviewer
- End-use/r controls
- Design and implement data management frameworks.
- Implementation of advanced analytics to automate alert handling (i.e. risk based classification, auto-disposition, auto-closure).
- Enhance historical matching systems by applying artificial intelligence technology.
- Review relevant manual, automated and retroactive controls to ensure these are operating effectively.
In addition, our Deloitte Managed Services team provides a sophisticated tool which helps organisations minimise their risk exposure to sanction violations, political corruption, money laundering and other forms of (financial) crime. It provides high-precision name matching and rapid pinpointing of individuals and entities listed on one of the various pre-configured sanctions and watchlists of your choice (including state-owned entities). The tool is able to identify and evaluate ownership and control structures. The Deloitte Utility contains our Deloitte default configuration, which is able to process the most common sanction & PEP lists but can be adapted to your needs. The integration allows seamless use of aliases, auto-generates search terms to increase the quality of the results and identifies related individuals and entities. It is used whenever structured screening is required (e.g. identifying potential risks in a client network), and lists of your choice and client-specific configurations can be integrated.