If you serve in a managerial or advisory role with a company that has foreign operations, suppliers or customers, several familiar phrases have probably caught your attention more often lately. Do “change to the entity list” and “new sanctions announced” sound familiar?
Global policies and norms around the exchange of goods, services and ideas are in flux. Various countries, multinational organizations and multilateral treaties with their own best interests in mind are all attempting to regulate trade between foreign nationals and across international boundaries. This has created an increasingly complex patchwork of disparate and sometimes conflicting rules.
The volume of changes and shifts in enforcement and interpretation of existing laws makes it tricky to navigate the regulatory environment. Accordingly, the risk of companies and their affiliates running afoul of regulators has risen significantly. Even the most seasoned and mindful officers with the best intentions can wind up scratching their heads over how to proceed.
There is light at the end of the tunnel. Those companies that are aware of certain interrelated elements of the regulatory environment and design and implement a robust compliance plan around it can improve their odds of success.
WHO MAKES THE RULES?
There is no shortage of regulators today. In the United States, two active and well-known agencies are the Bureau of Industry and Security, which handles export controls, and the Office of Foreign Assets Control, which focuses on sanctions. The UN Security Council also plays a major role in the sanctions regime by maintaining more than a dozen active programs.
Several separate international treaties apply as well. One is the Wassenaar Arrangement, which limits the transfer of products and technology with dual-use and military applications.
Then there are individual countries and trade blocs. They have their own policies, or are actively developing them, and their rules can sometimes conflict. To complicate matters, some countries maintain extraterritorial laws that apply to companies that trade entirely outside of their own domestic borders. The United States is a prime example. Recent enforcement actions have shown that any firm whose commercial activities utilize U.S. content, have a U.S. nexus (e.g., transactions denominated in U.S. dollars) or involve U.S. sanctioned entities (directly or indirectly) can find themselves in the crosshairs of U.S. regulators.
WHO NEEDS TO PAY ATTENTION?
If you are a manufacturer selling to a distributor but do not have transparency into the distributor’s end customers, watch out. You might be at risk of indirectly violating export controls or sanctions laws. If you are a mining company using vehicles with autonomous navigation capabilities at your foreign mines, be careful. You might be exporting export-controlled technology and expertise. If you are a tech company considering hiring a foreign national to improve your semiconductor chip design, proceed with caution. You are likely getting ready to make a “deemed” export or re-export by training the employee.
Simply put, there are myriad circumstances in which a business can unexpectedly find itself in violation.
Suppose that corporate headquarters has authority to approve management decisions by foreign subsidiaries. If the activity occurs between one of its foreign entities with another in a foreign jurisdiction, headquarters can still be held accountable for facilitating sanctioned transactions. Elsewhere, managers who are steeped in similar rules that apply across the jurisdictions of their supply chains can stumble if they do not know the detailed licensing and reporting requirements in each. Hong Kong, for instance, requires both export and import licenses for controlled items.
In general, export controls tend to focus on key industries and technologies. That might first bring to mind aerospace, defense, technology and telecommunications, but the life sciences, automotive, energy and mining industries are also in scope. In this realm, rules generally apply to both final producers and upstream parts suppliers and sometimes extend downward to impose restrictions on end users.
Sanctions, on the other hand, tend to be broader and therefore can impact many more companies. Some sanctions regimes focus on a specific type of transaction with a certain individual or entity. Others can be more comprehensive and restrict nearly all commerce with an entire country.
WHY DO SOME COMPANIES FALL SHORT?
One of the most common mistakes companies make is failing to understand or be aware of the export controls and sanctions relevant to their business activity. Compounding this issue is the fact that regulations can change at almost any time. China, for example, released its draft Export Control Law in 2017 to unify and broaden the scope of existing export control policies. The law is still technically under review, but its announcement alone has shifted the regulatory environment in China.
The breadth and fluidity of the regulatory environment points up the idea that companies with strong compliance programs can still run into trouble when they do not modify their programs as “de jure” or “de facto” requirements change. Or, they can go awry if they fail to implement their own stated policies. Examples can range from high-level issues related to a company’s culture or incentive structure all the way down to the mundane, such as forgetting to update sanctions lists used in pretransaction checks.
Regardless of the reason, penalties for noncompliance are often steep and can extend beyond one-off fines. Nonmonetary fines, such as restrictions on certain business activity, can potentially be worse, depending on their scope and duration. In certain cases, U.S. authorities have taken the drastic step of naming the violator itself to a U.S. sanctions list. That prevents other companies from engaging in commercial or financial activities — even those unrelated to the initial offense — with the violating company.
For publicly traded companies a robust compliance program is increasingly expected by ESG-minded investors. In all companies, officers and directors can face potential personal liability for egregious violations.
HOW TO DESIGN A ROBUST COMPLIANCE PROGRAM
The good news is, the cards are not stacked completely against companies and staff when it comes to export controls and sanctions compliance. Several prominent regulators have published guidelines that, by and large, agree on three key themes of a robust program:
1. Tone at the top: Management communicates the need for effective compliance and empowers compliance staff within the organization.
2. Message in the middle: Often the middle ranks are more critical than the top. This is where compliance is designed, managed and measured and flows through compensation and incentive structures.
3. Practical for the people: Compliance requirements must respond to and integrate with the daily flow of business, especially in high-risk areas; a free-standing compliance process rarely succeeds, whereas a well-designed program takes into account the daily work of frontline employees and embeds the key steps required to mitigate risk.
These high-level principles are a starting point; the right program design will vary for each company. Effective programs draw upon a deep understanding of the relevant regulations — both their intent and the common pitfalls — and blend that understanding with an in-depth view of a company’s operations to focus resources where they matter most.
The process often begins with a top-down risk assessment that identifies and tracks hot spots across the organization. Examples include controlled products in the supply chain, opaque counterparties and sensitive jurisdictions. Once a plan is designed and implemented, it is important to identify and mitigate vulnerabilities through stress testing and external audits on an ongoing basis.
It’s also critical to have a plan for dealing with potential missteps. How easy and culturally safe is it for employees to raise concerns? Is there a clear point of contact for both insiders and external parties? What internal investigation process will the company follow if it receives such a concern?
Fortunately, most regulators have a clear message when it comes to mistakes: They recognize they will happen even in the best programs. But they expect companies to exercise a certain standard of care and to be honest and transparent if mistakes do occur.
GOOD COMPLIANCE IS GOOD BUSINESS
Beyond regulatory threats, there is a strong business case for creating a robust export controls and sanctions compliance program.
More and more, companies are scrutinizing the counterparties in their supply chains to assess their reliability. Those that are deemed to have a lax compliance program are likely to be replaced by the other counterparties to avoid introducing unnecessary risks into their own businesses (e.g., procurement disruptions). This is particularly relevant for technology and telecommunications parties because of increased regulatory uncertainty in the sector and the designations of key suppliers or key customers to the entity list.
Implementing an effective compliance program also presents powerful opportunities to improve the business. At a fundamental level, executing the design process requires mapping the flow of products and ideas through the entire organization while assessing risk in touchpoints with various employees and counterparties.
This improved transparency in the supply chain can often identify opportunities to introduce new efficiencies such as optimized tariff planning, software automation opportunities and Lean and Six Sigma principles. The process also helps identify critical human and intellectual capital in the business, which can translate into better security and utilization of these assets.
For all of these reasons, in addition to avoiding costly penalties, companies that tackle the export controls and sanctions compliance challenge head on will find themselves racing toward a competitive advantage.
Compliments of FTI Consulting, a Member of the EACCNY