
Sanctions – Getting Compliance Right: Why Boards Should Care


The ongoing Russian invasion of Ukraine has led to an unprecedented international response, including the sanctioning of Russian entities and individuals in a bid to weaken the Putin regime. The speed, scope, and complexity of these sanctions pose a significant challenge to businesses and organisations as they attempt to successfully navigate compliance obligations.

All sectors of the economy, along with civil society and public sector organisations, now face having to comply with these new sanctions. From retail and manufacturing to venture capital and non-profits, companies and organisations need to ensure they have an effective compliance framework in place. Furthermore, due to the interconnected nature of society today, small and locally based businesses and organisations should not feel immune to potential sanctions links – every organisation, regardless of size, must conduct the necessary due diligence to ensure any hidden sanctions connections are uncovered and addressed.


Implementing an Effective Sanctions Governance Framework

Collectively, board members and senior management have responsibility for setting the strategy for sanctions compliance governance, risk management, and systems and controls. It is paramount for boards to keep their finger on the pulse when it comes to overseeing the design and implementation of a sanctions governance framework for their company or organisation. It is critical for boards to fully understand their regulatory responsibilities.

It is important for organisations to demonstrate the right steps and protocols are in place, as regulators are applying deeper levels of scrutiny to controls and procedures due to the current political climate. Having well-formed procedures in place can signal commitment to compliance even if inadvertent violations do occur. A successful compliance framework will incorporate the following:

  • Risk Assessment & Strategy: A business- or organisation-wide risk assessment is the most important first step for your organisation to complete when setting out a sanctions response strategy. It helps the board and senior management understand risks, including specific analysis of jurisdictional risk exposure.
  • Policies & Procedures: It is important to set out clear policies for how to tackle sanctions compliance and related risks. These policies should be supported by procedures outlining how the organisation plans to build these controls into its operating model. Local regulatory requirements, key risk areas, and roles and responsibilities should be considered.
  • Systems & Tools: Policy and procedures are ineffective if organisations do not have the necessary tools to carry out due diligence and controls. Boards should consider what each organisational unit or department needs in terms of tools, which can be a mix of custom-built internal resources as well as external technology platforms that can help with due diligence, monitoring and analysis.
  • Training & Awareness: Not all staff are likely to be fully aware of sanctions requirements or how these relate to their role. Raising awareness is therefore critical, as is training staff so they are aware of compliance obligations, sectoral vulnerabilities, and organisational policies and procedures. Complying with sanctions requires a company-wide response. Training and digital learning programmes may include information on how to implement systems and tools and how to spot signs of sanctions evasion practices.
  • Governance & Management Information: This sets out how you are going to monitor and manage your organisation’s adherence to the set sanctions compliance framework and strategy. This helps boards keep a pulse on how well the organisation is doing at adopting sanctions policies and the effectiveness of sanctions controls.
  • Periodic Assessment: It is important for boards to consistently review and assess their organisations’ ability and effectiveness in detecting sanctions risks and identifying potential violations. Board members can consider having compliance teams provide periodic reporting to the board and publish any relevant findings in annual impact reports. These assessments can be used to update the organisation’s sanctions compliance framework and identify training and awareness gaps.


What Questions Should Be Asked in the Boardroom?

  • Which jurisdictions do you have operations in, including countries in which you do business, the currencies you trade in, and the countries your partners and clients are based in?
  • What policies, processes, and procedures has your organisation implemented to ensure that it is compliant with all sanctions obligations for all jurisdictions in which you operate, including screening requirements?
  • Have these policies, processes, and procedures been stress-tested to ensure they are robust and applied in a timely and efficient manner?
  • What are the operational, legal, regulatory and reputational risks specific to your sector, including geographical and industry vulnerabilities, and what can be done to minimise these risks?
  • What is the appropriate due diligence to conduct on your customers, clients, suppliers, partners, donors, investors, or other stakeholders to ensure that your business is fully compliant with sanctions obligations? You must consider not only your own third parties but their associates and beneficial owners and the extended supply chain.
  • How should you engage with other companies or organisations where potential sanctions links exist?
  • How should you handle companies, organisations, or individuals who have network ties to sanctioned entities and individuals, but are themselves not sanctioned?


Key Considerations for the Board

  • Effective digital due diligence systems and tools – such as Themis Search – are a fundamental part of a compliance framework. Given the publicity of recent sanctions, it is important to broaden screening to known counterparties and associates of sanctioned individuals and entities, as it is likely that sanctioned individuals and entities will be trying to re-route their financial flows through third parties as quickly as possible. It is also important to conduct due diligence on subsidiaries and other corporate structures as these are often used for sanctions avoidance purposes.
  • Boards should maintain awareness of any special licence exemptions issued, as these licences make it legal for specific entities tied to sanctioned individuals to continue doing business. Recent examples include the US Treasury issuing a special licence for entities owned by sanctioned Russian businessman Alisher Usmanov and exempting telecommunications services from ongoing Russian sanctions.
  • To fully get to grips with sanctions, board members should be aware of how they are crafted and understand the rationale that underpins punishment for violations. Penalties take into account the nature of non-compliance, including the consistency, proportionality, and transparency of non-compliance. Also taken into consideration are public interest factors, the harm done to sanctions objectives, and the expected knowledge of sanctions and compliance systems.
  • Sanctions regimes have been expanded in recent years to include sector-based sanctions, which target specific sectors and prohibit specific activities. These sanctions are less clear-cut than traditional sanctions targeting specific individuals and entities by name.
  • If a company deals with transnational or even domestic trade, it is important to consider export controls to ensure it is not in violation of trade restrictions, including, inadvertently, through business with suppliers, customers, or partners.


The Cost of Getting It Wrong

There can be considerable legal, financial and reputational costs of “getting it wrong” when applying compliance obligations to the complex global web of sanctions. Any individual or organisation found to be conducting business, either directly or indirectly, with any sanctioned individual or entity is subject to potential fines, penalties, or even prison sentences.

In the UK for example, breaches of financial sanctions are criminal offences, punishable by up to seven years in prison. Monetary fines in the UK can be up to £1 million or 50% of the breach, whichever is greater. Penalties can be imposed on a legal entity and/or the officers who run the entity, including a director, manager, partner, or other similar officer.

Additionally, the UK’s newly passed Economic Crime (Transparency and Enforcement) Act enables the Office of Financial Sanctions Implementation (OFSI) to impose monetary penalties on a “strict liability” basis. This removes the requirement that OFSI may impose a monetary penalty on a person only if it is satisfied that the person knew or had reasonable cause to suspect that they were in breach of sanctions. The new Act allows OFSI to publicly name companies that have breached sanctions, even if they have not been fined, thus increasing the reputational risks associated with non-compliance.


Serniya Engineering: A Case Study

The US and UK have both sanctioned a Russian sanctions evasion network operating across multiple countries. Moscow-based Serniya Engineering used two UK-based companies – Majory LLP and Photon Pro LLP – as front companies to facilitate the procurement of key equipment for the Russian government. Using Themis Search, a network of individuals with ties to Serniya’s UK front companies can be found, showing how integrated many sanctioned companies are in foreign economies. Boards must consider how to deal with such individuals, who may not themselves be sanctioned but could pose significant financial or reputational risks. Boards must ask themselves if and when conducting business with such individuals is worth it.


[Figure: Network Mapping of Serniya Engineering and its UK Front Companies. Mapping taken from Themis Search.]


Going Forward 

Board members should have a plan in place for how to approach sanctions compliance and how to navigate the risks and questions that will continue to arise as sanctions against the Putin regime evolve further in the coming months. At Themis we believe that an organisation’s best defence against sanctions risks is its people, equipped with the right technological tools. The best sanctions response frameworks rely on a shared understanding of sanctions and financial crime risks and this is best led from the top.

We can help you with your needs via our Themis Search screening platform and investigative tools for CDD, our specialist team of investigators ready to tackle your wide-ranging EDD needs, and our suite of Country Risk Reports and best practice guides, podcasts and briefing notes on this topic and much more. Click here to book a short demo of Themis Search.

About the Author: This blog is written by Eliza Thompson, Financial Crime Researcher with the Themis Insight Team.