Handling the risks of a newly aggressive sanctions regime

The international banking community watches with great anticipation as US regulators continue to flex their muscles in Europe. Following a guilty plea to criminal charges for breaking sanctions against Sudan, Iran and Cuba, BNP Paribas has been fined $9 billion and suspended for a year from performing certain dollar clearing transactions through its New York branch. The size of fine and restricted access are unprecedented, and it appears to have whetted US regulators' appetites: they are currently taking enforcement action against Commerzbank and Deutsche Bank and no fewer than five other banks are under investigation.

All of this activity sends a clear message to non-US banks: do not contravene US sanctions legislation. In this climate of expanding extraterritoriality of US sanctions, banks are battling to understand how precisely they fall under US jurisdiction and what compliance measures need to be introduced to avoid crossing US regulators, not to mention their local regulators.

US sanctions legislation has a very long arm. Non-US banks have been (and will most likely continue to be) unwittingly caught by US sanctions legislation simply as a consequence of processing dollar transactions through correspondent bank accounts in the US. This is problematic because the US sanction regime is harsher in many respects than that of the European Union. For example, it has a much longer list of prohibited activities in relation to Iran, with the regime being very complicated to follow given the myriad statutes and executive orders and differing levels of applicability. The US imposes sanctions against countries which the EU doesn't, for example Cuba. Furthermore, the designated persons list for the Russian regime differs substantially from the EU's list.

Non-US banks are taking the view that it is in their interests to comply with the US regime, rather than argue against the jurisdiction on a case-by-case basis. In recent years, 10 major non-US banks have faced US regulator fines ranging from $3 million to $700 million relating to Iran, but none of those institutions has successfully challenged the extraterritorial application of the US sanctions regime. There are two main reasons for this decision to accept the regulatory punishment. First, banks fear the severe penalties that can result from breaches (penalties can be up to twice the value of the losses attributable to the misconduct), and prefer to avail themselves of the possible 50% reduction to fines afforded to co-operative banks. Second, compliance with the US regime is a condition of retaining access to the US banking system, which is crucial for the operation of any international bank.

Non-US banks are faced with a very tough task when implementing systems and controls to comply with the range of sanctions legislation applicable to them: two regimes, US and the EU, each with its own lists of designated persons, asset freezes, and trade embargoes in multiple jurisdictions. Whether a particular transaction being processed by the bank is in breach of any sort of sanctions legislation is not always an easy question to answer, which is why banks are looking to bolster their sanctions systems and controls. Regulators do not always provide detailed guidance, but will look to see whether a reasonable compliance programme has been put in place. A reasonable programme should have a robust process by which the bank knows its customer's business in detail.

Banks should take a risk-based approach to compliance. For example, the compliance programme should flag high-risk jurisdictions and industries. Then, banks should meet with customers who operate in high-risk jurisdictions/industries and review and understand their business models. If the bank clears dollar payments through the US, it must inform customers that they must comply with the US regime in addition to the European regime. A customer conducting business with no nexus to the US may well have not considered this.

Each transaction must be screened using sophisticated software to avoid dealings with designated persons and entities "owned" and "controlled" by them. Software used must be able to pick up "fuzzy" matches and to study corporate structures – ownership and control are defined widely under EU law. Most institutions have such software, but there is no substitute for ingrained knowledge of sanction regimes and keeping up with its fast-paced evolution.

Knowledge of sanctions, high-risk jurisdictions and industries is vital. Those who learn to safely operate within the constraints imposed by sanctions legislation will be the ones who will be able to benefit from continued business in sanctioned states, which often offer lucrative markets. Those who cannot put those systems in place must exit from those markets, ultimately missing out on valuable and long-term business opportunities.

Nimisha Agarwal is an associate in the disputes and investigations team at law firm Taylor Wessing