For the past three years, there has been an escalation of sanctions imposed on Russia and Belarus. Multilateral sanctions have been introduced by the European Union, UK, US, and other G7 countries.
As well as putting individuals on sanctions lists, there have been concerted efforts to think laterally and include other strategies such as sanctioning vessels or aircraft in addition to entities. This comes with an ongoing focus from authorities on addressing sanctions evasion and issuing enforcement actions for non-compliance.
Financial sanctions have been an ongoing and clear focus since 2022, but the approach has since broadened. Now, for example, there are more export controls, including the issuance of the “Common High Priority List” (CHPL) by G7 countries. A list of this magnitude and specificity has not been released before. It comprises a list of different goods separated into tiers and assigned HS codes. Certain countries, including the US, want to restrict particular items/technology/software from being exported to Russia and Belarus because they could be used to support or further the war.
In June 2022, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) and the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a joint alert urging “increased vigilance for potential Russian and Belarusian export control evasion attempts”, since then financial institutions have been strengthening sanctions compliance frameworks and controls. Businesses are required to ensure they consider risks associated with the CHPL and goods Russia/Belarus may be seeking to procure via non-sanctioning countries. Organizations are expected to undertake due diligence to ensure the end destination of their products is not Russia/Belarus. The extended focus on export control and trade compliance, however, is not limited to the US, but extends to the EU, UK, and other G7 countries.
The challenge with the CHPL is that the operational processes of financial services organizations, such as banks, have not been designed with due diligence on “goods” in mind; they have screened customers and transactions, not necessarily products, which is something businesses outside the financial services sector are more likely to do as part of supplier risk management or supply chain due diligence. This means financial institutions have had to adapt and figure out ways and means to comply with its introduction.
Moody’s data and technology solutions can help financial institutions, as well as businesses outside financial services, conduct their due diligence on a company that produces or deals in goods on the CHPL. For example, understanding relevant risk factors such as ownership and control related to companies who purchase silicon wafers or ball bearings, through the entity verification process. When more is understood about these types of companies, sanctions exposure can be better assessed, and risk-based decisions can be made about lending, funding, or what kind of sanctions clauses to include in vendor/customer/supplier agreements.
There have been multiple strategies implemented by G7 countries and regulatory bodies to tackle different methods of sanctions evasion. The EU’s Article 5r requires all transactions of over €100,000 to a Russian-owned entity from an EU organization to be reported by said organization.
In the UK, the Economic Crime and Corporate Transparency Act of 2024 placed greater requirements on company formation and greater scrutiny on persons of significant control (PSCs) of registered companies, removing layers of obfuscation that may have previously appealed to sanctions entities looking to exploit the previous ease of company formation in the UK.
Additionally, UK Office for Financial Sanctions Implementation (OFSI) issued a Financial Sanctions Threat Assessment that warns of increased Russian sanctions evasion, highlighting inaccurate ownership assessments and use of enablers to front for Russian designated persons. Most featured intermediary countries for evasion include the British Virgin Islands, United Arab Emirates, the Republic of Cyprus, Switzerland, Guernsey, Luxembourg, Austria, and Türkiye.
Many of the tactics employed to evade detection are not necessarily new, however, they may have been leveraged more extensively in recent years. One example is the use of proximate countries in the region for the transport and exportation of goods, such as selling vehicles to a country that neighbors Russia and the vehicles then being moved across the border.
There have also been instances related to the purchase of luxury goods and artworks to launder money in order to evade sanctions, as well as the use of old tankers and ships, which are red flagged and used to evade association with sanctioned entities or to surreptitiously transport Russian oil. As a result, more vessels and aircraft have been added to sanctions lists over the past three years, which organizations can screen for risk exposure.
Transaction and payment methods may also be considered as part of sanctions compliance. It was observed in a FATF report released in spring 2023 that cryptocurrency is increasingly used by bad actors who exploit virtual assets via ransomware or other cybercrimes. Sanctioned entities may leverage virtual asset service providers (VASPs) to retain control over their assets and later convert funds to fiat currency. The UK’s Office of Financial Sanctions Implementation (OFSI) also stated in a report that enablers have almost certainly used alternative payment methods, in particular crypto assets, to breach UK financial sanctions prohibitions on Russia.
In the world of sanctions evasion, criminals make it their business to find loopholes in the law. When organizations are carrying out due diligence, they may ask why it is not possible to find information on certain activities or behaviors they believe to be linked to sanctions evasion. Most frequently, the answer is that the behavior isn’t illegal. This could be a sanctioned individual or entity exploiting a loophole, which creates something of a “sanctions evasion spectrum” - challenging for businesses who are implementing compliance and screening programs.
The sanctions evasion spectrum demonstrates there are varying degrees of deception, knowledge, egregiousness, and legality when it comes to sanctions evasion. It can be used to implement controls that are equivalent to the level of risk an organization faces and help mitigate the risk of a compliance program failure or regulatory fines.
LEVEL 1
Legal exceptions
Refers to a specific situation where sanctions restrictions do not apply.
For example, according to UK regulations, if a sanctioned person owns more than 50% of an entity, that entity is considered sanctioned-by-extension. Hence, if the entity is owned exactly 50% by the sanctioned person, that entity is not sanctioned by extension.
However, one should note that the UK considers an entity controlled by a sanctioned person to be sanctioned-by-extension. Therefore, enhanced due diligence should be conducted when dealing with an edge case such as this.
LEVEL 2
Circumvention
Refers to activities that are legal in appearance but aim at or result in avoiding the application of sanctions, i.e. reducing ownership by a sanctioned person of an organization to 49% to avoid the application of OFAC’s 50% Rule (which provides that a company that is 50% or more owned by a sanctioned entity is also considered sanctioned).
The risk here is that the divestment could have been done in bad faith to evade sanctions while showing a prima facie compliance with sanctions. In this case, the risk level could be higher than the initial assessment.
LEVEL 3
Willful blindness
Refers to the intentional disregard of the facts, which could have led to the discovery of sanctions evasion and one’s role in facilitating it. This may escalate into active collusion if there is actual knowledge, reason to know, and senior management involvement.
LEVEL 4
Undermining
Negates the application of sanctions; or harms the national security or foreign policy objectives related to the sanction imposed.
LEVEL 5
Active collusion
Refers to willful or reckless violation of law, including management involvement and efforts to hide its conduct in order to mislead OFAC or regulators. For example, a fake divestment of assets of a sanctioned entity to a business associate or family member, but where in reality they still have access or control over it.
The European Union Commission has highlighted two key terms for consideration with regards sanctions compliance - “circumvention” and “undermining.”
According to the Commission, the concept of undermining negates the effects of sanctions, as distinct from circumvention, which “corresponds to activities that are legal in appearance but aim at or result in avoiding the application of sanctions.” The Commission provides the following examples of activities that would be considered as undermining EU sanctions:
Creating greater transparency across a counterparty network is important to help avoid non-compliance with any sanction rules. Sanctioned entities frequently try to obscure their ownership and control through family members, close connections, or other legal structures. One such tactic used to evade sanctions is the creation of shell companies, leveraged to obscure ownership information. There is evidence of common risky corporate behaviors identified by Moody’s that can indicate where a shell company may exist that organizations can screen for as part of their sanctions compliance or third-party risk management program.
There have been significant enforcement actions and penalties for sanctions compliance failings in recent years. OFAC civil monetary penalties related to sanctions totaled more than $1.5 billion in 2023.
The subjects of these OFAC fines include US and non-US entities, as well as banks, fintechs, and corporates in various sectors like aviation, media, and insurance. They also include individual people - not just business entities. A review of recent OFAC enforcement actions show that smaller fines issued by OFAC may indicate significant remediation efforts of its sanctions program and screening system, voluntary disclosure, and no prior history of violation; however, the larger fines (running into the hundreds of millions of dollars) can indicate systemic compliance issues and egregious practices within a large, sophisticated company that received the fine.
As a result of the intense focus on sanctions for the past three years, many organizations, especially those outside the banking sector, have done a vast amount of work to understand their risk exposure and comply with the increase in sanctions requirements.
Robust sanctions compliance programs have helped organizations handle the fast-paced implementation of new packages and prepare for new and changing outcomes. These best practices include:
As well as offering robust, up-to-date sanctions data and workflow automation solutions, Moody’s Sanctions360 solution can help organizations highlight the differences in sanctions priorities between regimes – for example differences between the US, EU, and UK rules. This helps organizations manage the nuances of rules around ownership and control for example.
Moody’s also has a solution organizations can use to understand beneficial ownership and control, as well as a Shell Company Indicator. These solutions support businesses in understanding their sanctions risk exposure, so they can make decisions with confidence about who they work with.
Visit Maxsight™ and see how unified risk management can maximize efficiency and insights into your third-party network for better risk-based decision-making or get in touch to book a meeting.
Digital onboarding | Sanctions compliance | Supply chain risk management | Third-party risk management