Shaistah Akhtar
Litigation Partner and Head of Sanctions, Mishcon de Reya
Hello and welcome to the latest in the Mishcon Flash Webinar series. We are looking at nightmare scenarios and today we’re going to be talking about sanctions, which is a hot topic. I’m Shaistah Akhtar, I’m a Litigation Partner here at Mishcon and also head up the Sanctions Group. I’m joined today by a couple of experts in this area, Luke Firmin, who is a Director of Financial Crime at the consultancy firm, Mazars, who we do quite a bit of work with, and Richard Stopford, Managing Associate in the Litigation and Sanctions team. Before we get started and as people are joining, just a couple of housekeeping points. First of all, if there are any technical issues then do put a note in the Chat Box and hopefully someone will fix things. If you have any questions and if time allows, we will look at questions at the end but in the meantime, if you can put those in the Q&A box, we’ll do our best to, to deal with questions at the end but if not, the session is being recorded, you will get a link circulated at the end with our contact details and we’d be very happy to pick up questions individually after this session. So, launching into the scenario for today and just to set the scene, you, as the client, a business person or corporate entity discover one morning that a major supplier, business partner, customer or even bank that you deal with, is all of a sudden on the UK Sanctions List. Now, this is something that you don’t get any prior warning about, it’s literally published, the list is updated almost on a daily basis and you, you, it’s published on the Government’s website. So, what, what do you do in that kind of situation and just handing over to Richard first, what are the kind of steps that anyone should do, should do in the, in the first instance when you, when you realise this, this, this development?
Richard Stopford
Managing Associate, Mishcon de Reya
Thanks, Shaistah and thank you everyone for joining. So, in that nightmare scenario, I think first thing that the business really needs to be focussing on is to hold the risk. I’d be instructing my operations team to work out what the touch points are with that designated person, with the business partner, to work out whether not there are going to be any payments placed in the near future, whether or not they are involved in any joint projects, whether or not they’re providing any goods or services. If for example that payments are due to be made to the business partner in the next 14 days or the next month or so, then instruct the payments team to cease making any payments to them pending legal advice. I think the second important stage in that initial response is try to martial the information that’s available because the legal team is going to need that to compile and produce its legal advice. So the legal team will need to know the identity of the business partner, its corporate structure, its ultimate beneficial ownership, it will need to understand the contractual relationship that it has with your organisation and the nature of any goods or services that are provided. And once all that information has been, has been brought together, it should be handed over to the legal team who can that start to produce their analysis and advise the business on how it should manage its sanctions risk. So, Shaistah, back to you in terms of what the legal issues are in terms of what the legal team will be considering at that point.
Shaistah Akhtar
Litigation Partner and Head of Sanctions, Mishcon de Reya
So it’s worthwhile just considering a basic question of what does a designation mean? So if somebody’s put on the Sanctions List, what, what does it mean to be a designated person? And we’re dealing with quite a narrow scenario today because it’s a, it’s a huge topic and we will not have time to cover every type of, type of sanctions in this session but when, when a person is designated, it essentially means an asset freeze so you can’t deal with that person in a number of respects, that means you are prohibited from dealing with any funds or economic resources that are owned, held or controlled by that designated person. You can’t make funds or economic resources available, directly or indirectly to that person or to anyone for the benefit of that person, so very broad restriction and there is, we’ll come on to discuss what that actually means but essentially, in practical terms, it means you can’t pay or receive payments or deal with the assets of that person or provide any economic benefit so that could be use of property, loan facilities, release of obligations, so very broadly designed restriction and it’s also worth mentioning that trying to get around these restrictions in what is termed circumvention, is an offence in itself, so you try and restructure and funnel payments through a different route, that, that, to, to deliberately to avoid what is prohibited, that is, is an offence in itself, so it’s important to be, to mind, to be mindful of, of those restrictions. Worth also mentioning a couple of other points. One, that there, there are often exemptions or licencing arrangements that can be, that can be, can be made and it’s worth considering those that if you fall into any of those categories. Again, there’s a lot of detail around those and applying to the Office of Financial Sanctions Implementation obviously that manages that process is beyond the scope of this, this Flash session but worth just flagging. And also worth considering Nexus with other jurisdictions so we often get approached by clients asking us what the UK position is but they, it is also important to consider whether you have any kind of dealing with the US, it may even be just a transaction denominated in US dollars which gives you a touch point with US correspondent banks with, with the, any EU member state whether any business or any members of the Board or any individuals or nationals of these other jurisdictions or other jurisdictions round the world that have unilateral sanctions, regimes, Australia, Japan, Canada being some examples. So these are all points to consider but going back to the question of designation, a common question we’re asked is how do you identify if someone is a designated person or associated or owned or controlled by a designated person? That’s a very tricky question which involves some you know practical investigation so, Luke, do you want to tell us a bit about how you, how you address those issues.
Luke Firmin
Director of Financial Crime, Mazars
Yes, certainly. And I mean I think it’s important first to just give an overview of what we mean by ownership and control and you know how this ties in to the importance of your sanctions due diligence and what you need to do. You know, we’ve already alluded to the fact, you know we’ve mentioned beneficial owners, you know the key principle is that, you know, as a firm you need to look beyond just your named customers and consider who potentially benefits from those transactions and assets. I mean, I’m not going to go into too much detail now but I think you know the key principle around ownership and control is that by virtue of being owned or controlled by a designated person, other entities themselves can be considered designated so even if they’re not named on a sanctions list, because they’re owned by sanctioned individuals, it you know it falls within the same restrictions. So ownership is kind of one component and you know that can be established if a designated person holds and it can be directly or indirectly more than 50% of shares or voting rights in an entity and the concept of control, which is set out in EU guidance and that’s all about you know if we take the example of a bank account, who ultimately controls those funds, you know there may be other people in the background who are benefiting from them, so you know it could include criteria such as having the right, again directly or indirectly, to appoint or remove board members, it can include having a majority of rights in an entity and you know there’s, there’s other various, complex methods, you know using a agents and offshore companies where essentially, you know people will deliberately set out to mask the fact that they’re pulling the strings and benefitting so, it, you know, it’s incredibly complex area which kind of brings us onto the kind of steps that you need to take to, to unravel the ownership structures and you know understand these two separate but related principles of ownership and control. You know, there’s, I’ll kind of try and break down to three areas when you consider you know how you, how you need to kind of understand your customers, you’ve got the actual information about the customers and third parties, you know the ownership and control of entities, you’ve then got the information relating to your customer’s activities and that may change over time, you know we see it in AML, we see it in sanctions, customer signs up, you know, these are services, before you know it they’re actually moving in to kind of sanctions activity so, that’s really important and you know, in the instance of a breach, you know you’re not just relying on historic information, you need to see what’s happening now and then the final point, again, you know started to relate to it there is the, the jurisdiction and geographical reach, you know if your customers and the kind of parties they deal with, because of the complexity of sanctions and restrictions on exports, this is a really key component because you know your customer might essentially be shipping goods or facilitating through, through the financing, shipping of goods into one country that are ultimately ending up in a, in a sanctioned country. So, you know, just thinking about steps to take, you know and the information that you need, you know it’s really important that you obviously first consider the information you have at the moment. In the instance of a breach, you really need to then start to look at you know, what information is out there, there’s open source intelligence, you’ve got things that you know you should really be putting into place at the time but you know supply chain, mapping, you know actually interacting with the customer but you know the use of corporate intelligence providers is often something that needs to be done in the instance of a breach because you know instances where it’s better to have some kind of you know human source intelligence to obtain information that might otherwise be masked. You know, one other thing related to this that often gets asked, if you go to any kind of sanctions events is, when is enough, enough? And I think just a key point on this is that, you know, obviously you are never going to explicitly state what is considered to be enough, you know that in terms of the steps taken to identify potential breaches, one thing they do confirm is that when they decide whether to impose a penalty, they’ll look at the preventative steps taken, you know whether the firm knew there was a breach and the efforts they took to prevent the breach and it’s all got to be risk based and proportionate.
Shaistah, I think it would be important to just kind of think about you know once the legal team have formed the view that a business can’t deal with this, you know customer or business partner, what contractual or legal issues come into play?
Shaistah Akhtar
Litigation Partner and Head of Sanctions, Mishcon de Reya
Yeah, so, the, the, the contractual position is it’s important to know that people often look at what the termination provisions are, how they can extricate themselves from a situation like this. It’s important to know at the outset that that’s not going to help you in, in any kind of criminal scenario so where, where you have inadvertently or, or however ended up in a position where you are in violation of sanctions that that is a quite separate issue to the contractual position which is more about how you can manage your commercial rights and obligations. So, most clients that we, we, who we advise will, will in most cases have contracts which are silent on sanctions, they won’t specifically mention sanctions as a termination event so you see contracts, purchase orders, loan facilities, where there are general termination provisions, force majeure, illegality perhaps and you’re then relying on implying a term or, or, or relying on arguments that the contract’s been frustrated so that performance would be illegal and, and so that, there is a body of case law around this, there was a case where judgement was handed down just yesterday with Mr Justice Foxton and it’s a complex, fact dependent question but the short point is, the Courts are, put a high bar on termination in this kind of scenario and what we’re talking about here are pre-existing obligations so, this is different to whether you can continue to make payments and continue to perform a contract, this is where you’ve got pre-existing obligations and payments that are already due or, or, or, you know a, a, a scenario where there, there is, there is a situation which is not directly affected by the sanctions but sanctions have been triggered and, and, and designation has been made which then casts doubt on the situation. So, generally speaking, the Courts will be looking for a legal work around so, could you apply for a licence? And, or, or, or some kind of practical commercial solution like payment in another currency, which is, is, is a legal solution rather than circumvention. So, these, these are the kind of considerations in, in that kind of situation but it is important and we are advising clients on this all the time where, where you’re dealing in a, with high risk jurisdictions or, or sectors to, to provide for a sanction specific termination clause in your agreements to make the position clearer. So, we, we’ve been talking about what happens when things go wrong and how, how to, to deal with that kind of situation but it’s also important to consider how you can manage your risk and avoid these consequences arising in the first place. Richard, do you want to talk about some of the more preventative areas that, that we, we, we advise clients on.
Richard Stopford
Managing Associate, Mishcon de Reya
Sure. I think, I think the most important thing here is that the risks are properly understood by the senior management within the business and that they really buy into a risk mitigation plan and the strategy. I mean from our perspective I think we’d be looking to produce a suite of documents to help a business organise and manage its sanctions risk that are really embedded within the fabric and operating model of the business. What we don’t want is documents produced that then get to sit on a shelf and that don’t get used by anybody going forwards. I think the first thing we’d be looking to do is a brief note of advice for with delivery to the senior management to set out the risks that are in play with that particular business’s operating model. We’d be looking to set out the current position in the UK, EU, US perspectives so they can understand the issues that are in play. We’d then be looking to sort of codify the position that the business is going to adopt in some form of policy or high level principles document. And the point of that is that there is, it ensures buy in from all stakeholders within senior management and it sets out the, the direction of travel for that business, especially when there might be for example different, different risk appetites, so it’s useful to bring everyone together in a, in a single form of policy strategic documents on that front. We’d then be looking to move from a policy document to a much more business focussed employee handbook which sets out how the business is actually going to behave in any given scenario going forwards, where the red flags and what it, what checks it is going to run in any given scenario so that that is understood in the business but then the important thing at the end of that process is to really try to embed those changes within the business and that can be in the form of a top down communication from the senior management team, it can also be in the form of training delivered to the people on the ground who are implementing these changes so they are really understood and then going forward, it’s important to make sure that there is a responsible owner within the business who is in charge of updating the sanctions guidance, updating the risks because the sanctions landscape is constantly evolving and, and so it’s important for them to stay up with the risks on that front. Luke, that’s sort of from on the legal, on the legal side but are, is there anything which can be done on the tech side that can help businesses manage their sanctions risk?
Luke Firmin
Director of Financial Crime, Mazars
Yeah, I mean it’s, it’s a very important point, I mean there’s firstly, I mean there’s no requirement for firms to have an automated screening tool but I think given vast amounts of data, the rapidly evolving sanctions regime you know, back when the Russian war started, you know there were new parties being added every day so, it, it’s difficult to imagine a scenario where a firm doesn’t have a solution in place because you’ve got to respond swiftly, get to the risk as soon as possible so, you know I think one of the key things to remember is the purpose of the solution is you know it has to enable any firm to check the customer and third party data against live sanctions watch lists you know as soon as possible in an efficient way because the last thing you want to do is to drown your compliance staff in, in junk, you know you need to get to those high risk issues and identify breaches as soon as possible. And I think another important thing just to mention is, it’s not just about identifying actual sanctions breaches, it’s also about flagging risks because as I said before, you know, customers may be moving into different you know jurisdictions and areas you’re not aware of and sanction screening tools need to be able to pick these kind of thing, things up. You know, the, the thing that sometimes goes wrong is there’s so many tools out there it can be confusing and I think any firm when thinking about the tool they use, it’s got to be fit for purpose, it has to be specific to your risks and it has to be configured correctly. It, it’s probably worth, you know, I’d love to talk about this for an hour but I’ll, I’ll touch upon some kind of key considerations and this often relates to things you find when there’s, you know, huge fines and, and why things sometimes get missed. I think data quality is a huge thing, you know garbaging garbage out, if you got duplicates, if you’ve got junky data, your tool isn’t going to be able to work optimally and you’re potentially going to miss things. One of the most important concepts is the balance between effectiveness and efficiency, so effectiveness being does the tool actually pick up sanctioned individuals, entities? But the other thing is efficiency, like how does it get there? As I said before, does it drown your team? If you’ve got a hundred people, you know, churning through alerts, you’ve got to make sure the tools configure correctly and I think that’s where you know there are specialist firms out there that can help configure it and benchmark it but that’s a really important point and I think just as a final one, it’s that, I mean I know this isn’t an actual word but explainability of the tool, it’s something the regulator is picking up on, you know, with the advances in how these tools work, they shouldn’t just be seen as a black box. You need to be able to explain to your staff, to your board, to the regulators, how you’ve gone from the sanctions risk that you’ve identified through to the configuration of that tool and that is often the missing step, so that methodology, that clear articulation of how you have set the parameters of your tool to pick things up is really important and it’s something that will be considered when it comes to you know potential penalties for breaches. As a kind of related point, I just wanted to just also mention you know if you think about the purpose of the tools and you know we’ve got this instance, the scenario here, let’s say you find out about a breach because something’s popped out from your tool and you identify the breach, it’s really important that as a firm you’ve got a response plan in place and you know, at a high level there, some of the key things that you have to make sure you’ve got in advance is knowing you know how, who is responsible for that disclosure to the regulator? Who is accountable, you know who has ownership for the steps when you have to investigate why it happened? That root cause analysis, things like you know obviously now showing that they want to name and shame firms so, you know have you got a stance, have you got a mechanism in place where the firm can actually you know respond to, to key stakeholders and, and, and another concept and thing that is often missed is the, the need to properly document and record what you’re doing because as I said, someone could be added to a list on one day, if it’s not clear when you took an actual step then you could find yourself having actually fallen foul of, of the kind of sanctions requirement. So, you know I’d love to talk about this all day but I think, one thing I think that’s really useful to know and it’s probably something for you, Richard, is you know what are the risks of getting this wrong and the related penalties?
Richard Stopford
Managing Associate, Mishcon de Reya
Thanks, Luke. I’ll try to deal with this relatively quickly but I think you know it’s important to get this right just given the risks of getting it wrong, there’s no bare minimus threshold on a transaction and the penalties can include seven years in prison or a fine and it’s also to consider the thresholds in liability, I mean on the criminal side the, possibly the prosecutors will have to show that there is, you had knowledge or reasonable cause to suspect that you were committing sanction steps. So on the civil side for a fine, for a civil monetary penalty, there is no such knowledge requirement, it’s a strict liability offence. A person’s intent or knowledge surrounding a breach is immaterial to whether, to the question of whether or not OFSI has the power to impose a fine so it’s incredibly important to get that, to get it right and businesses should be extremely cautious when dealing with high risk jurisdictions and as you alluded to, Luke, OFSI now has the power to name and shame individuals where it believes on the balance of probabilities only, somebody has committed a sanctions offence and there have been several instances of OFSI now using that power to put people that it thinks are committing offences in the spotlight. So I just think all of that just underscores the need to have proper procedures and policies in place and carry out appropriate KYC and just a final, a final word here, all the noise coming out of the enforcement bodies at the moment is how they are looking for the next big case to prosecute, they are incredibly nervous about sanctions non-compliers, about sanctions circumvention and we are watching this space with baited breath for the big important case that we’ll, we think will inevitably be coming. I’m conscious that we’re, we’re coming to time so Shaistah, I’ll hand back to you for any concluding remarks.
Shaistah Akhtar
Litigation Partner and Head of Sanctions, Mishcon de Reya
Okay, thank you for that. So just to round up, I’m, before we hopefully have time for a couple of questions. I want to just summarise a few takeaways, so three points in this necessarily brief overview of this particular scenario. First thing to draw out of all of this is that you, and it’s a tri point that you need to ensure you know who you’re dealing with so, due diligence, screening tools, proper processes, these are all you know essential and having an imperfect system in place is better than having nothing at all because you know, you, you need some kind of defensible, defensible infrastructure that you can then point to if you are on the wrong end of an investigation and this particularly, particularly the case with regulated firms who, who have their own obligations and, and systems and controls requirements so, that’s the first thing. The second thing is to ensure that you carry out a proper risk assessment of your business and people tend to look at the obvious jurisdictions like Russia, Iran, Libya and others but if you’re based in the UK, you do business in the UK, there are around 30 jurisdictions that are affected by sanctions rules so, and there are also less obvious jurisdictions, the offshore, offshore bases, the you know now UAE, Cyprus, jurisdictions that are used as the layers of ownership and control which, which also need to be looked at carefully and, and some kind of audit trail of the decisions you take as part of that risk assessment which again will come in useful if you, if you are caught up in any kind of sanctions potential violation. And finally, the point that I, I’ll go back to about your contractual arrangements to make sure that they are sanctions proof as it were. Again, they’ve, it will not help with any criminal liability but in the commercial context of looking at your rights and obligations it is important to make sure that you have specific provision where, where a sanctions trigger is, is evoked and that you have appropriate warranties and indemnities which can also help you as part of your due diligence process. So, that was everything we were going to say in, in the time allowed. I’m just looking at the questions and I think we have time for a couple. There is, so I think there’s, it’s quite a, quite a common question, how far are companies expected to look down their supply chain? I think Luke if you, if you could perhaps respond to that. And the second, second question about informing a regulator of suspected or actual sanctions breach or, or you know if a payment has already been made, I think we can amalgamate that. Perhaps I can take the second first and bring Richard in on that and then perhaps Luke you can have a think about the first question.
In terms of a regular, I mean the term regulator is used for OFSI which is the, the, the enforcement authority for sanctions, it’s a, it’s, it’s part of the UK Government’s Treasury Department and that, you know if you’re, that is as distinct from regulated, as in a regulated firm where, where you know you’ve got the Financial Conduct Authority, so if there is a sanctions breach, if you find that you’ve been making payments where you shouldn’t have been making payments or you’re dealing with someone who turns out to be a friend of Putin or some kind of violation that that, that that needs to be addressed, there, there, you, you do, the advice we give is to, to self-report that to OFSI because that will help you mitigate any consequences of that offence, if an offence has been committed. So, that, the, the use of the term regulator for OFSI is an all-encompassing one. In terms of making a report to the FCA, that is obviously applies to regulated firms who are, who are supervised by the FCA but there is also an obligation on professionals to, professional firms and certain, certain sectors to make a report where there has been a suspected breach of sanctions so, Richard, do you want to just briefly cover that off just for an awareness point.
Richard Stopford
Managing Associate, Mishcon de Reya
It’s just, it’s just that very point, it’s, if you, if a professional lawyer or accountant becomes aware that perhaps one of its clients has committed a sanctions breach then the professional does itself have an obligation to report that activity to OFSI so it’s just keeping that in mind as a professional when go around your business if one of your clients has committed breach or you suspect there have been breaches before that.
Shaistah Akhtar
Litigation Partner and Head of Sanctions, Mishcon de Reya
Thanks for that, Richard. Luke, do you want to just briefly deal with the how far down the supply chain do you need to go question.
Luke Firmin
Director of Financial Crime, Mazars
Yeah, thanks for the extremely difficult question mark. It, it’s, it’s a brilliant question and it’s, you know I went to, I went to an event last month and there was a, there was this exact question asked of OFSI and so I’m going to use this as my defence for giving an answer that’s not as specific as you’d like and the answer is there is no right answer, you know, knowing your customer, knowing your customer’s customer, there is no right answer, it comes down to the facts and the circumstances, I mean, you can look at some of the, some of the fines where you know alarm bells have been ringed on relating to supply chain issues and you realise they’re not actually that far down the chain, okay, so you know there’s obviously an expectation that you will look you know a couple of levels down but I think as soon as you, you know, experience a customer that has a very, very kind of high risk kind of business activity, it then turns the dial up in terms of the expectation and you know it’s not the same as AML where it’s all about you know kind of being risk based because of the nature of sanctions compliance but it is still about proportionality so I think you know you need to demonstrate that you’ve taken the right steps and you’ve got comfortable, you’re never going to be able to go all the way down, you know there is a limit to what you can do so I think you know you have to come back to the point of you know what do we think OFSI would expect and it’s, they would expect you to have the right measures in place in the first place to look through the supply chains but yeah, it’s not, it’s a very difficult you know it’s a very difficult topic and it’s something that I know all organisations deal with. I love, I would love obviously to give some more specific guidance around that.
Shaistah Akhtar
Litigation Partner and Head of Sanctions, Mishcon de Reya
Great, thank you for that, Luke. Very well, very well summarised, complex, complex answer to a complex question. Thank you very much to everyone, we’re out of time. As I said at the beginning, we, this session has been recorded and it will be circulated, a link will be circulated to everyone who accepted the invitation so if anyone missed any part of it or wants to, to go back over things then feel free to do that. We’ll also be sending you a link to our contact details so that you can reach out to any one of the panellists individually if you would like to raise any specific questions or you’d like to arrange a short call, very happy to do that, but just remains for me to thank Luke and Richard and to everyone who dialled in, so thank you very much.