EU Sanctions Helpdesk

Six tips for creating your organisation’s own Sanctions Compliance Programme

Country
  • European Union
Publication type
  • Article
Thematic area
  • Sanctions compliance & due diligence

Introduction

At the EU Sanctions Helpdesk, our mission is to support EU SMEs with sanctions compliance, which includes one-to-one support with your due diligence tasks. However, it is possible to put procedures into place in your business that can deal with many compliance due diligence tasks internally. Doing so will allow you to understand and handle sanctions with confidence. 

A sanctions compliance programme is an internal programme to help you ensure that you comply with legal obligations arising from international sanctions (also known as restrictive measures). European Union law does not define what a sanctions compliance programme should consist of, but that does not mean your business does not need one – all EU operators are required to comply with EU laws, and that includes EU sanctions. A sanctions compliance programme can help ensure that you do comply. 

There is no one-size-fits-all sanctions compliance programme. Each of the more than 30 million active businesses in the EU will have its own potential exposure to sanctions risk. A sanctions compliance programme will depend on the size, structure and scope of a business’s activities, as well as the nature of the goods and services it supplies. 

Whatever the size or scope of your business, your sanctions compliance programme should be risk-based: it should reflect the unique risks your business is exposed to and take steps commensurate with those risks to mitigate them effectively. 

With that in mind, these six tips give you information on how you can set up your own compliance assessment programme and manage your business’s risk exposure. 

1. Conduct a risk assessment 

The first step in ensuring your organisation’s compliance with sanctions is to identify which sanctions-related risks it is potentially exposed to. These risks may arise from:

  • Your customers, including any agents or brokers;
  • Your supply chain;
  • The industry in which you operate or which you support;
  • Geographic considerations, such as the locations of your business, your agents, your customers or your suppliers. 

You can find out more about the nature of these risks in Sanctions due diligence: Where to begin or Red flags: Mastering the indicators of sanctions risk.

You should also be aware that you may be exposed to third-country sanctions due to the location of your activities, the geographic origin of any materials incorporated into your product, or the nationality of your staff. 

Once you have identified what types of risks you are exposed to, you should consider how they affect your operations. For example, you could rate each identified risk according to:

  • Impact – what would the cost be to you if this risk occurred? There may be business losses, reputational impact or even legal consequences.
  • Likelihood – how likely is it that this risk would occur? Is it just a theoretical risk, or has this risk occurred elsewhere in your business or the wider industry? 

These ratings will help you prioritise the order in which these risks should be addressed, starting with the highest-likelihood and most impactful risks first:

[Figure: a simple grid plotting “Impact” against “Likelihood”, each rated Low or High]

When you have identified the nature and scale of the risks you are exposed to, you can consider how this affects your risk appetite. Can you take sufficient steps to reduce your level of sanctions risk enough so that you are confident that your business is – and will remain – in compliance with sanctions laws? 

Your risk assessment should include any internal controls you can use to mitigate your sanctions risk to this acceptable level. These controls will form the foundation of your sanctions compliance programme. 

When you have completed your risk assessment, you should create an action plan setting out what needs to be done, by when, and finally set a date to refresh your risk assessment.

2. Demonstrate management commitment 

For all businesses, management sets the tone of the entire operation. The “tone from the top” is just as important in an SME as it is in a large corporation.

Communicating to everyone in your business that you take sanctions compliance seriously is an important first step in setting the tone. 

Of course, statements of support should also be matched with actions. You should, for example: 

  • Allocate responsibilities for sanctions compliance tasks to effective individuals, making it clear who has oversight of company-wide compliance.
  • Delegate sufficient authority to those individuals and ensure they have easy access to top management in the event of a problem.
  • Ensure sufficient resources are made available to implement the sanctions compliance programme, giving it the best chance of success. High expectations can only be delivered with sufficient resources.

3. Train and raise awareness 

Your sanctions compliance programme and risk appetite should be documented in policies and procedures. This clearly sets out both your approach to sanctions compliance and how it will be achieved practically. These policies and procedures should be available to all staff. 

All relevant staff should be trained to spot and manage the sanctions risks in their area of business. This training may be completed in-house, or with the help of external bodies such as trade organisations or consultants.

Sanctions risks change and busy people can forget what they have learned, so this training should be refreshed regularly. How regularly will depend upon the risks you identified during your risk assessment. Many organisations refresh training annually for those employed in high-risk roles.

Finally, all staff should feel able to raise concerns internally about sanctions risks or non-compliance in the organisation. It is better that your staff tell you of their concerns before something goes wrong. Providing confidential, reliable channels of communication to management is an effective way of achieving this – for instance through an anonymous ‘whistle-blowing’ arrangement.

4. Undertake counterparty and transaction due diligence 

When it comes to implementing your sanctions policies in day-to-day business, you will need to undertake effective due diligence. Sanctions due diligence is the process of identifying, preventing, and managing potential sanctions risks in your business. Your policies and procedures should set out what this means for the different activities in your business. The due diligence activities you undertake should be designed to address the potential sanctions risks you identified in your risk assessment.

Depending on the findings of your risk assessment, you may need to undertake due diligence on: 

  • Business counterparties, such as suppliers, customers, agents, distributors and representatives
  • Logistics providers
  • The goods or services themselves
  • Employees 

You can find out more about due diligence in Sanctions due diligence: Where to begin.

5. Internal reviews and audits 

Internal reviews and audits ensure that an organisation’s implementation of its sanctions compliance programme effectively addresses potential sanctions risk. They assess how faithfully the programme is implemented and identify areas of non-compliance.

Where non-compliance is found, prompt, effective action can be taken to minimise the adverse consequences – for example, by fixing the internal process problem before it causes a breach of the sanctions law. Any events of non-compliance should be analysed, and the results factored into the risk assessment. 

How these reviews and audits are carried out will differ depending on the size of the business and its sanctions risk. For a larger SME or for a business exposed to significant risk, internal reviews can be carried out regularly by an oversight team specialising in legal or sanctions risk. Audits would generally be carried out less frequently by an independent function that provides independent assurance to management.

A smaller organisation may need to allocate responsibility to existing personnel to review whether the sanctions compliance programme is effective, as it may not be realistic to have a dedicated function for this. In all cases, those performing testing and audits can be internally resourced or supported by suitably qualified external practitioners. 

6. Record-keeping 

Record-keeping is a vital part of your sanctions compliance programme. Not every decision in your organisation needs to be recorded, but decisions about high-risk activity should be. If challenged, you may need to demonstrate – not just explain – why you considered a certain transaction to be lawful when your risk assessment identified it as high-risk activity. Keeping records not only helps to demonstrate that you undertook reasonable due diligence, but also helps you to apply your policy consistently across all transactions.

Remember, if you know or suspect that a proposed transaction or other activity would be a breach of EU restrictive measures, you must not continue or participate. The same is true if you know that a proposed transaction or other activity is likely to result in circumvention.

Author

The EU Sanctions Helpdesk Team