Sanctions: What has it got to do with CFOs?

In 2023, the US enforcement and regulatory body that deals with sanctions regimes, Office of Foreign Assets Control (OFAC) issued 17 public fines amounting to over $1.5bn, while the UK’s OFSI tends to issue only a few public ones a year, and many more privately.

However, the cost of sanctions breaches extends well beyond the exorbitant fines. When you consider the legal fees, the external support that may be required to understand the issues, the work required to remediate them, and then actually audit the outcomes – there’s a significant price tag associated. And those are just the costs you can find on a balance sheet.

Sanctions, and other compliance shortcomings also carry with them a hefty reputational bill. Depending on severity, a tainted brand can mean the difference between keeping your existing book of business and a regulatory ban on new business, as we have seen with numerous banks over the years.

So, does it pay for CFOs to save money on controls?

Sanctions, unlike anti-money laundering rules, apply to everyone within a given jurisdiction, regardless of whether you are a regulated institution. And failure to comply with sanctions laws in most countries is considered a serious criminal offense. To add additional complexity, sanctions laws of multiple jurisdictions may apply to a business and its employees if they do business across borders.

There are no “comply or explain” rules in the sanctions regime like there are in the UK principles based financial services regulation. When you miss something, it is binary – it is a criminal offense. Skirting the initial costs of getting these kinds of controls in place, is not a popular choice.

Why does it matter to a CFO?

Most firms these days have experts who cover compliance. The CFO is a key oversight role, extending beyond just finance, and encompassing overall governance and controls within a firm. It is also a function that crucially funds the whole business and therefore has direct impact on how sanctions controls are affected by budgets. This is a very direct line of responsibility.

Why are sanctions an issue?

Sanctions used to be simpler. It was mostly about making sure you weren’t doing business with certain people or countries on a list. For those who invested in good, industry standard tools, you could feel pretty safe that the tools would detect almost every permutation of sanctioned names of individuals, countries and other geographical names.

However, with the early invasions into Ukraine back in 2014, sanctions became a lot more complex. It was no longer good enough to match account and transaction names to sanctioned lists. Now we have to slice and dice various options of financial instruments, their length, types of products and much more. For all of those who thought automation was all they needed, they found over time that the complexity and comprehensive nature of contemporary sanctions inherently made the work very manual again – and that means cost.

A prime example: “The amount of hydrazine that can be exported for each individual launch or satellite shall not exceed a total quantity of 800 kg. The amount of any export of monomethyl hydrazine shall be calculated in accordance with the launch or launches or the satellites for which it is made”. This is an actual set of requirements that institutions need to account for when it comes to understanding who their customers are dealing with. It will be a while before AI can accurately supplement or replace humans.

Other challenges are found in the obligation not to do business with associates and subsidiaries of sanctioned individuals and entities. It can be challenging to find suppliers who can provideup-to-date lists of related subsidiaries and associates of the sanctioned names.

And picking up the phone to the government’s sanctions office to ask for advice is – a wish for good luck. By their own admission in public fora, a typical response timeline can be up to 6-9 weeks. There goes any chance of maintaining a healthy level of customer service for your clients.

Other complications include exclusion of names that are similar to those found on sanctions lists, which are not sanctioned, but will create endless false positive alerts. These names and contextual information get placed on the, so called, white lists. An entire cottage industry was built around maintaining whitelists, greylists (of those names that your company has identified as undesirable but are not public), official lists and purchased lists, their audit, maintenance, timeliness, reliability, testing, optimization for reduction of false positives. The work required to keep lists current is astounding.

As a CFO, why should any of this rise to the level of attention when it can be sorted by experts within the organisation? Well, bluntly stated, it is still law with strict liability (strict liability applies to offenses for which the prosecution is not required to prove ‘mens rea’ for one or more elements of the offense. What the defendant knew, believed, or intended is unlikely to be relevant).

As such, it pays to be prepared on what your professional and personal obligations are and challenge the experts within the organization to ensure compliance for the organisation.

Any investigations and ultimately fines, are unnecessary costs that can quickly end up being more expensive than compliance, no matter how tricky it may be to implement the required control framework. As the adage goes, “Those who do not learn from history are doomed to repeat it”.

Comments are closed.