As a former detective, I like clues. Clues make or break your case. Clues can lead you to an entirely different conclusion than you initially anticipated. Each clue gets you one step closer to the truth — even if it was not the original truth you sought.
In my investigative days, my best tools were interviews in the field and grand jury subpoenas, talking to witnesses, pounding the pavement, and obtaining relevant records. Today, as I try to help customers identify sanctions risk before they become liabilities, my best clues are enforcement actions and the sanction designations from regulators.
The geopolitical events and recent rapidly evolving sanctions climate make the embargoes and sanctions screening we did a few years ago seem like a quaint exercise. We ran the customer database through a screening engine nightly, then we ran the wires and ACH transactions. We crossed our fingers hoping we didn’t get a hit. When the occasional hit did occur, it was usually a false positive.
The digital economy is ushering in tremendous changes. Digital transactions are crossing the globe in near real-time and the pandemic accelerated the adoption of digital channels. The pace and velocity of transactions continues to amplify. This ever-increasing pace, combined with the current geopolitical climate, and regulators’ growing technology awareness contributes to our current sanctions climate of laser-focused and rapidly evolving regulatory expectations.
Your sanctions compliance program should evolve to match your company’s transactional sophistication and digital presence. The days of a few screening checks of your customer database are long gone. Today, the depth and complexity of sanctions and embargoes compliance expected by regulators is at an all-time high.
Embargoes and sanctions expectations are sometimes vague and frustrating. Fortunately, businesses can find a trail of regulatory breadcrumbs to help navigate the rapid pace of recent OFAC actions and global sanctions regulations. Let’s examine how the clues can help solve the case of proactive sanctions compliance.
CLUE #1: Accelerated and Evolving Designation Announcements from Regulators
We have entered an era of heightened geopolitical conflict and the volume of sanctions and embargoes on individuals, accounts, businesses and institutions is exponentially expanding. The war in Ukraine is driving frequent updates to global sanction designations. OFAC actions occur on a nearly daily basis. The running document from OFAC listing sanction updates for 2022 alone is already 572 pages. By comparison, the complete document for all of 2021 was only 247 pages. Only 247 pages. 2021 was busy…2022 will be unprecedented.
CLUE #2: Heightened Focus on Digital Evasion and Digital Threat Vectors
Our next clue starts with the wealth of wisdom available in the recent enforcement actions published by regulators – which clearly broadcast regulators’ concerns with closing the existing loopholes that evaders are stepping through in digital channels.
In the United States, the most relevant OFAC recent actions are published by the U.S. Department of Treasury here, with recent actions including a valuable section called “Compliance Considerations”. This section contains some of the most important clues about current regulatory priorities. Take these clues from recent actions:
EXHIBIT A: Lack of focus on sanctioned locations, especially Crimea, due to failure to monitor IP (Internet Protocol) addresses to identify risk associated with sanctioned locations.
- Cite: https://home.treasury.gov/system/files/126/20210723_payoneer_inc.pdf
- Synopsis: Payments processor transmitted thousands of payments for individuals in sanctioned geographies.
- Translation: If you are looking at IP addresses for fraud or IT security concerns, you need to use that same data to detect and mitigate sanctions risk.
EXHIBIT B: Large, technologically sophisticated businesses should implement and employ compliance tools and programs that are commensurate with the speed, scale and technology savvy of their business operations.
- Cite: https://home.treasury.gov/system/files/126/20200708_amazon.pdf
- Synopsis: Online retailer sold products to sanctioned individuals and customers in sanctioned geographies.
- Translation: If you pride yourself on your global presence and technological innovation, your compliance programs require parity to the technology that makes you profitable. As your sophistication increases, so too must your compliance program. There is a significant, inarguable level of ambiguity in that sliding scale. Just how sophisticated your compliance program must be at a given level of commercial sophistication is not stated. When in doubt, err on the side of compliance.
The types of organizations being held accountable for sanctions violations are also shifting and making sanctions compliance even more complex. Sanctions screening is no longer a requirement solely for highly regulated U.S. financial institutions. Sanctions compliance should be a priority for every business with a digital presence, even if you do not have a regulator annually camping out in your office space.
Need proof? Of the seven enforcement actions occurring thus far in 2022, only one was levied against a financial institution. Enforcement actions in 2022 included a mix of importers and brokers, a travel ecommerce site, a mining company, and a financial analytics firm. A true hodge-podge of commerce, with only one bank in the mix. This does not mean banks are off the hook. It means that a sanctions enforcement can – and in this climate, is highly likely to – come calling, no matter your industry.
CLUE #3: Increasingly Targeted Jurisdictional Sanctions
Western allies are taking a strong stand of solidarity against Russian leaders and oligarchs with controlling interests in Russia and the portions of the Ukraine where it has seized control. However, they wrestle to take a unified position without unintentionally bringing harm to innocent citizens and/or refugees trying to escape these regions. The result has been increasingly targeted jurisdictional sanctions – many of which are hard to manage practically using legacy sanctions controls.
Recent sanctions, some illustrated below, added the Russian-controlled regions of Donetsk and Luhansk to the comprehensive jurisdictional sanctions list, along with Crimea (which was already on the list). The complexity lies in how these regions are defined, often with formal definitions from regulators lagging behind the sanctions – if those definitions are provided at all.
Not only do these red flags underscore the growing regulatory focus on crypto wallets, they also clearly impose some new concepts and expectations, including:
- Leveraging IP geolocation data collected by your app or website as a sanctions control
- Applying heightened vigilance and controls involving transactions originating from the following, which are seen as high-risk for sanctions evasion:
- Comprehensively sanctions jurisdictions
- FATF (Financial Action Task Force)-identified jurisdictions with AML/CFT/CP (Anti-Money Laundering/Combating the Financing of Terrorism/Counter-Proliferation) deficiencies
- IP addresses previously flagged as suspicious
- Crypto exchanges or Money Service Businesses (MSB) located in the high-risk jurisdictions mentioned above
This illustrates that regulators are doubling down on location technology as a sanctions control and highlights a mainstream expectation for detecting sanctions risk in digital channels going forward. The regulators’ point is clear: sanctions controls must reflect the level of digital transformation an organization has achieved. If your website or app is collecting an IP address or geolocation, your organization should also be using it as a sanctions control.
Digital compliance solutions can help position your sanctions program to respond to digital demands and digital sanctions evasion threats. Solutions that can interpret your site and app’s collected IP/geo data, contextualize it to more accurately determine the region the transaction is originating from and leverage it in a sophisticated fashion within a risk-based approach to sanctions are quickly becoming sanctions essentials. Regulators are extremely vested in clamping down on vulnerabilities allowing evaders an opportunity to escape sanctions. Law enforcement is actively following the money and no business wants that trail leading to their doorstep.
Staying proactive about digital sanctions compliance must be an ongoing priority. Evaders’ technological proficiency is increasing. Most sanctions evaders are savvy enough to know to obfuscate and spoof their true location with technology such as VPN, proxy or TOR browser. It is time to implement technologies and/or shared digital identity and location intelligence consortia that can help businesses better assess the risk associated with digital transactions.
The ability of digital identity consortia to detect and unmask this type of evasion is especially interesting. Evaders are very careful to obfuscate their location when in the process of evading – but probably weren’t so careful five minutes prior when they were streaming a video or playing a mobile game on another device from an organization that is also a consortia member. This is where the power of shared intelligence adds advantage by shedding light on their likely true location and helping businesses beat criminals at their own game.
IN SUMMARY: Digital Sanctions Compliance is a Tough Case that Can Be Solved by Paying Close Attention to Clues
This collection of clues and evidence leads to a very difficult conclusion: effective sanctions compliance in today’s digital economy is a tough case to solve. However, you can confidently help keep your organization compliant – even within a rapidly evolving regulatory environment. A proactive sanctions program starts by paying close attention to the bread crumbs regulators leave behind and using your findings as the basis to regularly evaluate and evolve your financial crime compliance program and technology tools.