By Szilvia Sandberg, edited by Adrian Sandberg
Note: This article builds on a piece I published on the FCPA Blog approximately four years ago, but has been substantially updated and expanded to reflect recent developments in sanctions and compliance.
Over the past few years, sanctions list screening has become one of the most critical compliance tasks for financial institutions and for many multinational companies. In November 2023, the cryptocurrency exchange Binance pleaded guilty and agreed to pay $4.3 billion in penalties for violating sanctions and anti-money laundering laws. This included a settlement of nearly $1 billion with the Office of Foreign Assets Control (OFAC) in the US for allowing users in sanctioned jurisdictions (Iran, Syria, Crimea) to trade on its platform. In October 2024, TD Bank pleaded guilty to violating the US Bank Secrecy Act (BSA) and to money laundering conspiracy, paying approximately $3.09 billion in penalties. Both pale in comparison to the largest ever fine for sanctions violations in the financial sector: the $8.9 billion that BNP Paribas agreed to pay in 2014 for violating US sanctions against Sudan, Iran and Cuba by clearing billions of dollars through the US financial system.
Sanctions law has also grown in relevance outside the financial sector. The US Department of Justice (DOJ) and OFAC reached parallel resolutions with British American Tobacco in April 2023 over violations of North Korea sanctions. The company agreed to pay $629 million in total, including a $508.6 million settlement with OFAC, the largest North Korea-related penalty OFAC had ever imposed. These examples clearly show the risk a business runs if it enters into a relationship with a sanctioned entity.
So, is one of your business partners really sanctioned? In order to answer that question, we must consider the following aspects.
- Jurisdiction: who has imposed sanctions?
The first aspect is the jurisdiction in which your company is located, together with the jurisdictions that its counterparties, currencies and goods touch.
Within the EU, for example, there are three main sources of sanctions. First, all member states are obliged to implement sanctions imposed by the UN Security Council under Chapter VII of the UN Charter. Second, the EU adopts its own measures by unanimous decision of the Council of the European Union, in line with the objectives of its Common Foreign and Security Policy (CFSP) as set out in Article 21(2) of the Treaty on European Union (TEU). Third, member states can also maintain their own national lists (for example, the Dutch national terrorism list). The EU Sanctions Map gives a clear overview of the EU's current sanctions landscape.
The UK, since the end of the Brexit transition period on 31 December 2020, operates its own autonomous sanctions regime under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), with financial sanctions administered by HM Treasury's Office of Financial Sanctions Implementation (OFSI).
In the US, OFAC administers list-based, country-based, sectoral and secondary sanctions. Primary sanctions bind US persons and any transaction with a US nexus (US dollar clearing, US-origin goods, US persons), while secondary sanctions reach non-US persons even without such a nexus, which gives the US regime its extraterritorial effect.
In some cases, the jurisdictions' sanctions regimes diverge and can even contradict each other. For example, the first Trump administration withdrew in 2018 from the Joint Comprehensive Plan of Action (also known as the Iran Nuclear Deal), previously agreed by the EU and the US, and reimposed sanctions against Iran. This included secondary sanctions, in other words sanctions on non-US persons or entities (third parties) that conduct business with individuals, regimes or countries already subject to primary US sanctions. In response, the EU amended its Blocking Regulation to protect EU businesses from the extraterritorial application of the US sanctions targeting Iran. In December 2021, the Court of Justice of the European Union confirmed in Bank Melli Iran v. Telekom Deutschland GmbH that the Blocking Regulation's prohibition on complying with those US sanctions binds EU companies even when no US authority has ordered them to comply, so an EU company that terminates a contract with a sanctioned counterparty may have to show that the decision was not motivated by the US measures. EU companies are thus caught between two regimes that each demand compliance.
- Sectoral sanctions: what is sanctioned?
When Iraq invaded Kuwait in 1990, the United Nations Security Council (UNSC) imposed a comprehensive financial and trade embargo on the entire country, which stayed in force until 2003. The initial purpose of the sanctions was to force Iraq to withdraw from Kuwait and to pay reparations. UNSC Resolution 661 (1990) prohibited all trade with Iraq and the provision of funds or economic resources to it, except for payments for medical and humanitarian purposes and, in humanitarian circumstances, foodstuffs. It was followed by UNSC Resolution 986 (1995), which allowed the country to sell oil on the world market in exchange for food and medicine under what became known as the Oil-for-Food Programme. The sanctions were widely criticised for causing high rates of malnutrition, shortages of medical supplies and soaring child mortality in the country.
The disastrous humanitarian side effects of the Iraq embargo helped bring about a new concept in foreign policy: sectoral sanctions.
Instead of targeting an entire country or an individual, sectoral sanctions are economic restrictions aimed at specific industries, for example energy, finance or defence. The intention is to weaken strategically important sectors while minimising humanitarian impact, typically by restricting access to financing, technology and trade in those sectors. Well-known examples include the US sanctions targeting Venezuela's oil industry, primarily Petróleos de Venezuela SA (PdVSA), and the EU sanctions on Russian financing, technology and energy projects imposed after the annexation of Crimea in 2014 and the full-scale invasion of Ukraine in 2022.
- 50 per cent, aggregated or not: when is an entity really sanctioned?
To determine whether an entity is sanctioned, you also have to look at its ownership structure. The EU, UK and US sanctions regimes largely follow the same "50 per cent rule", with minor distinctions. Within the EU, sanctioned ownership means more than 50 per cent. Under OFAC rules, sanctioned ownership means 50 per cent or more.
The regimes diverge more, however, on the aggregation principle. Take the following example. Company A is 30 per cent owned by Company B and 30 per cent owned by Company C. Company C is 100 per cent directly owned by Individual A, who is an OFAC SDN and is designated by both the EU and the UK. Company B is 100 per cent directly owned by Individual B, who is an OFAC SDN and is designated by the UK.
The EU and US sanctions regimes take essentially the same approach here. In the US, OFAC's 50 Percent Rule applies to entities owned 50 per cent or more in the aggregate, directly or indirectly, by one or more blocked persons. Company A is therefore blocked: the 30 per cent held through Company B and the 30 per cent held through Company C add up to 60 per cent. The EU follows the same aggregation principle for persons on its own lists. Note, though, that in this example only Individual A is EU-designated, so the EU-sanctioned holding in Company A is just 30 per cent and Company A is not deemed owned under EU law on ownership grounds alone (control would still have to be assessed, as discussed in the next section).
In contrast, OFSI's General Guidance states that an entity is owned by a designated person if that person holds, directly or indirectly, more than 50 per cent of its shares or voting rights. UK sanctions law therefore does not aggregate the holdings of different designated persons unless the shares or rights are subject to a joint arrangement between them or one party controls the rights of another. In the example above, Individual A and Individual B each hold 30 per cent of Company A indirectly, so Company A is not treated as owned under the UK rule, absent such a joint arrangement.
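To make the difference between the three regimes concrete, here is an added example in Python, written for this article and not code from any regulator, law firm or screening vendor, that runs the cap table above through each regime's rule. It models OFAC as "at least 50 per cent, aggregated", the EU as "more than 50 per cent, aggregated" and the UK as "more than 50 per cent, per designated person". The entity names and percentages are those of the example above, and the per-regime designations follow the example's wording (Individual B is not EU-listed). The `Regime` objects, the function names and the simplifications noted in the comments are this example's own assumptions; control below the threshold, which the next section discusses, is deliberately out of scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Regime:
    """How one sanctions regime turns shareholdings into a 'deemed owned' verdict."""
    name: str
    threshold: float   # percentage at which ownership is triggered
    inclusive: bool    # True: ">= threshold" (OFAC); False: "> threshold" (EU, UK)
    aggregate: bool    # True: sum the holdings of all designated owners (OFAC, EU)
                       # False: look at each designated owner on its own (UK)


OFAC = Regime("OFAC", 50.0, inclusive=True, aggregate=True)
EU = Regime("EU", 50.0, inclusive=False, aggregate=True)
UK = Regime("UK", 50.0, inclusive=False, aggregate=False)


def _meets(measure: float, regime: Regime) -> bool:
    return measure >= regime.threshold if regime.inclusive else measure > regime.threshold


def owned_entities(holdings: dict, designated: set, regime: Regime) -> set:
    """Entities deemed owned by designated persons under `regime`.

    holdings:   {entity: [(owner, percent), ...]}  -- a cap table
    designated: names of the persons designated under this regime

    The loop runs to a fixed point: once an entity is deemed owned, its own
    shareholdings count in full at the next level. That is how indirect
    ownership works under OFAC's rule (50% of a 50%-owned entity is blocked,
    not 25%). Simplifications, which are assumptions of this example and not
    regime text: the UK branch does not collapse several rows belonging to the
    same owner and does not model joint arrangements, and control below the
    threshold is not assessed at all.
    """
    owned = set(designated)
    changed = True
    while changed:
        changed = False
        for entity, owners in holdings.items():
            if entity in owned:
                continue
            stakes = [pct for owner, pct in owners if owner in owned]
            measure = sum(stakes) if regime.aggregate else max(stakes, default=0.0)
            if _meets(measure, regime):
                owned.add(entity)
                changed = True
    return owned - set(designated)


# Constructed cap table reproducing the article's example.
HOLDINGS = {
    "Company A": [("Company B", 30.0), ("Company C", 30.0)],
    "Company B": [("Individual B", 100.0)],
    "Company C": [("Individual A", 100.0)],
}
# Who is listed where, as stated in the example: Individual A is an OFAC SDN and
# EU- and UK-designated; Individual B is an OFAC SDN and UK-designated only.
DESIGNATED = {
    "OFAC": {"Individual A", "Individual B"},
    "EU": {"Individual A"},
    "UK": {"Individual A", "Individual B"},
}


def assess(entity: str, holdings=HOLDINGS, designated=DESIGNATED) -> dict:
    """Verdict per regime for one entity, e.g. {'OFAC': True, 'EU': False, 'UK': False}."""
    return {
        regime.name: entity in owned_entities(holdings, designated[regime.name], regime)
        for regime in (OFAC, EU, UK)
    }


if __name__ == "__main__":
    for name in HOLDINGS:
        print(f"{name}: {assess(name)}")
```

For Company A this yields OFAC True, EU False, UK False: the same shares block under OFAC because 30 + 30 = 60 per cent, count as only 30 per cent under EU rules because just one of the two individuals is EU-listed, and are two separate 30 per cent stakes under the UK rule. The fixed-point loop is what makes indirect ownership work: Company B and Company C are deemed owned on the first pass, so their stakes in Company A count in full on the second. The same loop reproduces the OFAC position that an entity 50 per cent owned by an entity which is itself 50 per cent owned by a blocked person is blocked, whereas under the EU and UK "more than 50 per cent" wording a chain of exactly 50 per cent stakes triggers nothing.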
- Ownership or control?
In the case of the most widely used type of EU sanction, the asset freeze, EU sanctions law prohibits making funds or economic resources available to a third party linked to the listed person through ownership or control. If a listed person owns more than 50 per cent of an entity, that entity is presumed to be controlled and its funds are frozen. However, control can also be established below 50 per cent, for example where the listed person influences the entity's management or benefits directly from it. The UK regime applies the same principle: according to OFSI's General Guidance, where a financial sanction includes an asset freeze, it is generally prohibited to deal with frozen funds or economic resources belonging to, owned, held or controlled by a designated person. OFAC's 50 Percent Rule, by contrast, focuses on ownership, not control. An entity that is controlled, but not owned 50 per cent or more, by one or more blocked persons is not automatically blocked under the rule, although OFAC urges caution in dealings with such entities, for instance where the blocked person acts on the entity's behalf.
- Is the screening in line with data protection rules?
Many trade compliance specialists face this challenge every day, since most companies' master data in an ERP system includes natural persons, not only legal entities, among its debtors and creditors. And therein lies the difficulty: when it comes to screening employees, there is a tension between the need to screen and the protection of personal data under current data privacy rules. Under Articles 6 and 9 of the EU's General Data Protection Regulation (GDPR), screening personal data against EU sanctions lists can be based on a legal obligation and is legitimate for reasons of substantial public interest. In the US, by contrast, there is no generally applicable federal privacy law, and hence no federal law clarifying whether screening sensitive employee data against US sanctions lists is legitimate.
In any event, comparing the penalties companies have paid for sanctions violations with those for data privacy breaches leads to the conclusion that a data privacy fine would be far less damaging than a sanctions breach. A clearly documented and proportionate screening policy is essential for minimising both risks.
- What is the best software?
Technical requirements are a further challenge, despite the rapid development of screening software. The software must meet several functional requirements.
The most important question is whether the screening software can be connected to your ERP system, such as SAP, through an interface. With such an interface, a potential "hit" blocks any transaction with the potentially sanctioned entity until the hit is shown to be a false positive and is manually released by a Compliance or Trade Compliance Specialist.
This creates another challenge: the large number of false positive hits generated by the matching algorithm. A common configuration is to flag a hit at around 80 per cent similarity between the names and addresses of entities, with abbreviations taken into account. The matching must also handle characters outside the ISO basic Latin alphabet (diacritics and transliterations) as well as differences in letter case. Even a small configuration error can lead to penalties if the tool fails to identify a listed entity for such a reason: in 2019, Apple settled 47 apparent sanctions violations with OFAC after its screening tool failed to match a listed name because of differences between upper and lower case characters.
Importantly, the software must also allow different screening profiles to be set for each subsidiary, depending on the lists applicable in the country where that entity is located. This is also a commercial question, as the licence fee is often based on the number of screenings per year. With a master data set of hundreds of thousands of debtors and creditors screened weekly, that means millions of screenings annually. It is essential that master data is screened against all applicable sanctions lists, but no more than that. Equally, inactive business partners should be excluded from screening, as they would otherwise drive up fees.
Further important features are manual individual screening and a manual batch upload function. Manual screening is of paramount importance because it enables any employee to check a potential business partner against all applicable sanctions lists before the company enters into a business relationship. This feature must be as user-friendly as possible, as hundreds of employees may use it every week. Manual batch upload is equally essential because certain business entities do not have an ERP system, so automatic blocking through an interface is impossible; potential hits can still be identified by uploading that entity's master data as a batch.
Finally, serviceable software is only a start; it will work only if the screening package covers all the sanctions lists against which a business entity must screen its master data each week. In other words, you have to know which databases the software covers and whether they match your business profile.
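As an added illustration of the matching problem described above (example code written for this article, not Apple's screening tool or any vendor's product), the following Python block normalises names before comparing them and flags potential hits at the 80 per cent similarity threshold mentioned above. The list entries and vendor names are fictitious and constructed for the example; difflib's ratio stands in for whatever fuzzy-matching algorithm a commercial tool uses; the helper names are this example's own.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watch-list entries: fictitious names made up for this example,
# not taken from any real sanctions list.
WATCHLIST = [
    ("L-0001", "EXAMPLE TRADING DOO"),
    ("L-0002", "Müller Handels GmbH"),
    ("L-0003", "Société Générique d'Export"),
]


def normalise(name: str) -> str:
    """Canonical form applied identically to list entries and candidates.

    Steps: decompose accented letters and drop the combining marks (ü -> u,
    é -> e); case-fold (DOO == doo, ß == ss); strip every Unicode punctuation
    character so that "d.o.o." == "doo" and "d'export" == "dexport" (curly
    apostrophes and hyphens are punctuation too); collapse whitespace.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = no_marks.casefold()
    no_punct = "".join(ch for ch in folded if not unicodedata.category(ch).startswith("P"))
    return " ".join(no_punct.split())


def similarity(a: str, b: str) -> float:
    """Similarity of two names after normalisation, 0.0 to 1.0 (difflib ratio)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def exact_match(candidate: str, watchlist=WATCHLIST) -> list:
    """Byte-for-byte comparison: what a tool without normalisation does."""
    return [(list_id, listed) for list_id, listed in watchlist if listed == candidate]


def screen(candidate: str, watchlist=WATCHLIST, threshold: float = 0.80) -> list:
    """Potential hits at or above the similarity threshold, best score first.

    Every entry returned is a *potential* hit: the transaction should stay
    blocked until a compliance specialist confirms it or records it as a
    false positive.
    """
    hits = []
    for list_id, listed in watchlist:
        score = similarity(candidate, listed)
        if score >= threshold:
            hits.append((list_id, listed, round(score, 3)))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


if __name__ == "__main__":
    # Constructed vendor master-data names, as they might sit in an ERP system.
    for vendor in ["Example Trading d.o.o.", "Mueller Handels GmbH",
                   "SOCIETE GENERIQUE D'EXPORT", "Unrelated Bakery Ltd"]:
        print(f"{vendor!r}: exact={exact_match(vendor)} fuzzy={screen(vendor)}")
```

The point of `exact_match()` is to show what a case- and punctuation-sensitive comparison misses: "Example Trading d.o.o." is not byte-for-byte equal to "EXAMPLE TRADING DOO", but both normalise to the same string and score 1.0. "Mueller Handels GmbH" is not identical to the listed "Müller Handels GmbH" even after normalisation (ue versus u), which is where the similarity threshold rather than exact comparison catches it. Normalisation must be applied to both the list side and the master-data side, or the two will drift apart, and a threshold of 0.80 trades a manageable number of false positives for not missing transliterated or mis-punctuated names.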
Conclusion
Ultimately, sanctions list screening is no longer a narrow compliance exercise confined to the banking sector. It has become a core operational and legal risk management function for multinational companies across virtually all industries. As the examples above demonstrate, the consequences of getting it wrong can be enormous: not only in terms of financial penalties, but also reputational damage, business disruption, regulatory scrutiny, and even criminal liability. At the same time, the increasing fragmentation of sanctions regimes, divergent approaches to ownership and control, expanding sectoral measures, and the growing overlap with data protection obligations make sanctions compliance far more complex than simply checking names against a list.
In practice, effective sanctions screening requires a combination of legal expertise, robust governance, high-quality master data, and carefully configured technology. No software solution alone can eliminate risk if the underlying legal analysis, screening parameters, or escalation procedures are inadequate. Companies that treat sanctions screening as a strategic compliance function rather than a purely technical exercise will be better positioned to navigate this increasingly complex landscape. In that sense, sanctions screening truly remains a “needle in a haystack” exercise — but one where failing to find the needle can carry extraordinary consequences.
Image: Pixabay.com