It may seem like a Herculean task — but it can be done.  I regularly opine that mitigating sanctions risks for your third-party population is an easier task than doing so for your anti-corruption risks.  One big reason — geography is an important limiter on sanctions risks.  The ability to evade sanctions has to be financially practicable — for example, it makes no sense to divert a large quantity of products from some far off location to Russia or Iran because of the prohibitive expense.  As a result, geographic proximity to high-risk ports (e.g. Dubai proximity to Iran is a classic example), transshipment points and other financially viable locations should be the focus of every sanctions compliance program.

Turning to third-party risk management, let’s put together the essential elements of an effective mitigation program. 

1.  Risk Assessment and Know Your Third-Party Population:  It is critical to identify and collect information on all your third-party intermediaries on the distribution side and all your vendors and suppliers on the supply side. Your “holistic” review of the third-party risks should include specific geographic locations, relevant products and services, potential government connections and owners, and ultimate beneficial owners for intermediaries, suppliers, vendors and yes, even customers.

2. Integrate the 50 Percent Rule: Companies have to incorporate related companies that are owned 50 percent or more by one or more prohibited party (remember two 25 percent owners who are SDNs and total 50 percent or more ownership in the related company transform the related company into a prohibited SDN).

3.  Varying Levels of Due Diligence — One-and-done screening is not an effective due diligence screening strategy.  The level of due diligence has to vary depending on the risk.  Given the nature of the transaction, the parties involved and the history of transactions, if any, due diligence screening is just the first step.  The more information you learn the more likely to uncover a real red flag.  That does not mean that due diligence should be a boil the ocean exercise; rather, it should be a focused and intelligent process keyed to levels of risk.

4.  End User Documentation — Companies have quickly adapted to the new sanctions realities by embracing end user certifications as a critical way in which to mitigate risks.  By requiring third parties to provide and/or secure such certifications, companies are able to mitigate potential diversion risks.  Of course, when a third party refuses to cooperate in securing such end user certificates, such non-cooperation is a screaming red flag.

5. Monitoring and Quick-Time Audits: Effective compliance means keen awareness.  This in turn requires monitoring and quick-time audits through regular sampling procedures.  Third-parties who pose a high risk should be subject to sampling of transactions, documentation and shipping materials.  Regular checks can be incorporated into robust contractual and certification requirements.

6.  Training and More Training:  Third-party training has become fairly standard.  Such training usually involves code of conduct or possibly anti-corruption.  This program needs to include trade compliance — sanctions, dual use, ITAR and other topics as needed.  This is a great way to collect updated certifications after training programs are completed.

7. Red Flag Identification and Sensitivity: Perhaps the most important aspect of managing sanctions compliance risks for third parties is familiarity and experience in identifying red flags for further investigation.  Sanctions evaders are sophisticated and can be very cagey.  Trade compliance staff has to be well-trained and exercise a keen eye on picking up sanctions red flags, following up on issues, and pursuing concerns even when facing resistance from the third-party, the customer or even your internal business constituency.

In March 2023, DOJ, OFAC and BIS issued a Joint Compliance Notice (“JCN-Russia”) addressing compliance with the Russian Sanctions Program.  The JCN-Russia is a terrific document that sets out a long list of red flags that every company should be familiar with and apply each day. 

Companies such as manufacturers, distributors, resellers, and freight forwarders are often in the best position to determine whether a particular dealing, transaction, or activity is consistent with industry norms and practices.  Due Diligence has to vary according to the risk — and the detection of warning signs of potential sanctions or export violations is important.

Common red flags can indicate that a third-party intermediary may be engaged in efforts to evade sanctions or export controls, including the following:

• Use of corporate vehicles (i.e., legal entities, such as shell companies, and legal arrangements) to obscure (i) ownership, (ii) source of funds, or (iii) countries involved, particularly sanctioned jurisdictions;
• A customer’s reluctance to share information about the end use of a product, including reluctance to complete an end-user form;
• Use of shell companies to conduct international wire transfers, often involving financial institutions in jurisdictions distinct from company registration;
• Declining customary installation, training, or maintenance of the purchased item(s);
• IP addresses that do not correspond to a customer’s reported location data;
• Last-minute changes to shipping instructions that appear contrary to customer history or business practices;
• Payment coming from a third-party country or business not listed on the End-User Statement or other applicable end-user form;
• Use of personal email accounts instead of company email addresses;
• Operation of complex and/ or international businesses using residential addresses or addresses common to multiple closely-held corporate entities;
• Changes to standard letters of engagement that obscure the ultimate customer;
• Transactions involving a change in shipments or payments that were previously scheduled for Russia or Belarus;
• Transactions involving entities with little or no web presence; or
• Routing purchases through certain transshipment points commonly used to illegally redirect restricted items to Russia or Belarus. Such locations may include China (including Hong Kong and Macau) and jurisdictions close to Russia, including Armenia, Turkey, and Uzbekistan.