The GIR Insight Sanctions Roundtable

Global Investigations Review hosted a debate in March 2023 to mull over developments in the sanctions arena since the publication of the GIR Guide to Sanctions, in 2022. The discussion covered key aspects of the current landscape in the United States and the United Kingdom, looked at developments in this fast-moving area, and analysed some of the issues for businesses and practitioners arising from the increasingly intricate and creative ways in which sanctions are now being applied.

The discussion was chaired by Barbara Linney of BakerHostetler and Rachel Barnes KC of Three Raymond Buildings. Also taking part were Britt Mosman of Willkie Farr & Gallagher, Richard Weinert of BDO and James Bowen of Linklaters.

The following is an edited transcript.

Part one

Barnes: I wonder if I could pick up on the points that everyone has made on both cooperation and divergence. I want to start by echoing what Richard says about the fact that, way back when, if you complied with the US standards, you were good and didn’t really need to worry about the other jurisdictions so much.

Now, we find the United Kingdom in an unexpected position – particularly with designations under the Ukraine–Russia scheme. There are individuals and entities designated in the United Kingdom – who are not SDNs [specially designated nationals] nor designated in the US – on our broader list, certainly with Russia and Ukraine. That causes real difficulties both for the counterparties and financial institutions who now have to worry not only about the US lists, but also the EU and UK lists. And there isn’t a perfect overlap of jurisdictions at all.

Richard, you touched on the BIS list. I wonder whether you might be able to expand upon that and the idea of this divergence and the difficulties of having to check the different lists, think about export controls, think about sanctions and think about different jurisdictions.

Weinert: What I’m seeing is that it’s prompting a move towards automation and more continuous screening mechanisms. So, companies are trying to make sure that there’s continuous screening throughout the business cycle and a greater effort is being made to identify all parties to a particular transaction on the export compliance side.

So, companies are looking for and trying to understand what their blind spots might be. It might not be a party that the company is actually in a contract with. It might be, for instance, something like a customer-selected freight forwarder or a warehouse provider that the company didn’t necessarily hire. Companies are really trying to get that end-to-end view to make sure they’re understanding all the parties and all the links in the chain.

On the export compliance side, there’s a lot more interest in not just the lists but end users and end destinations. So again, not necessarily someone that the company is doing business with directly, but where the products are ultimately ending up. If items are subject to the EAR [Export Administration Regulations], is your customer reselling them? Are you dealing with a distributor that’s then reselling them? Trying to understand who the end users are and the end destination is another area of emphasis and focus.

For instance, you’re still seeing drones getting into Russia even though the companies that manufacture them have ceased doing business in Russia. That’s because there are third parties and intermediaries involved. So, I think companies are really trying to get their arms around that.

Also, there’s a lot of emphasis on party screening. Item identification and understanding the products you’re selling, and whether they’re subject to the EAR, is also receiving more attention now because I think that helps a company to determine more of a risk-based approach. There’s no one-size-fits-all. So, if you have a really good grasp on what you’re selling, you know who you can sell it to and who you can’t sell it to. You’re seeing more investment in that area as well.

Barnes: Britt, I wonder if you could pick up on this. One thing that interests me is how do you find clients trying to deal with this issue in contractual relationships and getting sight of the people with whom their counterparties are doing business?

Mosman: It’s a very interesting challenge. Let’s start with the list-based sanctions that Richard was discussing and put those into perspective. In the United States, we had more than 1,500 discrete sanctions actions on over 800 targets related to Russia last year. The European Union has sanctioned almost 1,200 individuals and 100 entities in response to Russia’s aggression – a doubling of its entire sanctions portfolio. The United Kingdom has also roughly doubled its portfolio, imposing sanctions on over 1,000 individuals and 100 businesses since the invasion.

These don’t overlap. When it comes to even the simplest list-based screening, companies are having to screen much more broadly. But what is important – aside from the list-based sanctions – is how the Russia sanctions have included some really novel innovations that we’ve never seen before that are pushing the concept of smart sanctions even further. Sanctions used to be a lot simpler. We’ve all been in this space a long time. We can remember when it was just embargoes and blocking; either everything was off limits, essentially, or nothing was.

In the last 10 years, especially after first Russia’s first invasion of Ukraine when sectoral sanctions were invented, we started to see this move towards smart sanctions. We didn’t necessarily have to ban everything. It could be just certain equity restrictions past a certain tenor, or it could be certain services. And this has gone so much further in the last year.

In the United States, there are the four main categories of sanctions:

• the comprehensive investment ban on Russia and the covered regions of Ukraine;
• the blocking sanctions;
• the targeted sectoral sanctions that impose a variety of unique restrictions against specified persons or sectors of the Russian economy; and
• the price gap.

These sanctions innovations mean that companies can’t just ask if this is a blocked region or a blocked person even after they have screened their Russian touch points. That’s just the beginning of answering the question of whether something can go forward. All these novel measures have their own effective dates, wind-down periods, exemptions, definitions and general authorisations. All of that has to be understood before you can analyse a given transaction or activity that falls within the scope of those restrictions.

Simply internalising and operationalising all these complex restrictions is becoming so complicated; that’s partly why some companies have decided to derisk beyond what’s legally required. Or they’ll apply the most restrictive sanctions and export controls measures globally without even bothering to analyse which regime covers which activity.

When you put it into the deal context or the contract context, you have to think about how difficult it can be under the best of circumstances for third parties outside the company to have access to the corporate governance documents of their customers, let alone counterparties or people multiple steps removed on a supply chain.

The idea of being able to ascertain ownership interests or aggregated ownership interests or to determine ownership or control – these are just not easy endeavours.

In a lot of these contracts, the language requires parties often to rep that they are not owned or controlled by a sanctioned person. So, getting to the bottom of this is really important and really challenging. We’re also seeing the continued derisking that I mentioned. Financial institutions, in particular, have been derisking for sanctions reasons for a long time, because they are on the front lines of really enforcing and amplifying sanctions in a lot of ways.

But now it’s not just financial institutions who are doing that. This might be a good point to turn it to James, as I know you mentioned you deal with a lot of financial institutions and have a perspective on screening and all these challenges.

Bowen: The key point I would address is one that you’ve made already. Sanctions now involve a lot more judgement calls being made and more detailed analysis; the process of internalising that for financial institutions or any corporate is more and more challenging. All our clients are accepting that they’re going to have to do it because the rate of external legal spending they’ve had over the last year on sanctions issues is a significant cost for the business.

I completely follow your point around a lot of institutions and corporates just deciding to derisk. Perhaps later on we might talk a little bit about reputational concerns because the decision to derisk for sanctions reasons also ties quite well into the way that an awful lot of our clients are making decisions to step away from certain jurisdictions at the moment – not necessarily because they are completely compelled to, but because shareholders, stakeholders, regulators and the broader public in the jurisdictions in which they operate expect it of them.

For now, I’ll return to the specific screening point.

Besides derisking, I don’t think the mechanism for financial institutions has changed. Again, it is three or four high-profile providers for list-based screening and then there are deep dives by risk consultancies for specific transactions where there will be large payments made. One interesting thing I’ve seen in the market, which I don’t think is exclusively for financial institutions but perhaps is prevalent among them, is that people in compliance departments, heads of sanctions and so on are calling each other up. There’s a reason they are talking to each other about concerns with specific counterparties, particularly within syndicates, for example, and we’re seeing the market as a whole tending to form a view on whether given entities are sanctioned or not – are designated or not. This quite frequently is based on soft comfort from regulators. OFSI or OFAC, or whoever it may be, has handed down a letter, which may relate to a specific transaction, may not be of general application, but people within the market become aware of this and then that is factored into decision-making.

The final point, briefly – and something that financial institutions have had to grapple with from a UK and EU perspective at least – is control because it’s a factual test. As we all know, it’s a very challenging factual test to get to the bottom of in jurisdictions like Iran or Russia, especially since the war in Ukraine, where a whole load of public information has been removed from company websites and so on. There’s a real lack of certainty. Compliance departments and legal departments are having to perform these challenging judgement calls in this atmosphere of very limited and imperfect information. I can completely see the rationale for an awful lot of financial institutions determining to derisk.

Part three

Linney: In the screening context, I certainly agree that legal and the practical challenges are faced by those who are trying to make sense of screening results and whether those results are enough.

Just to provide a little more context, the reason why ownership due diligence is so important is, on the US side, because of what is called OFAC 50% rule. This states that if any entity is owned 50% or more in the aggregate by one or more persons on the SDN [Specially Designated Nationals And Blocked Persons] List, then US persons must treat that entity as blocked just as if it were on the list itself. Other countries – the UK, EU member states and so on – have similar but not identical rules. Some of these rules get more into the question of control, which is certainly a thorny issue. I agree with James on that point!

It really is important to recognise that a screening programme is simply not enough. The question of whether, for example, certifications or representations and warranties in commercial documents are good enough is really a risk-balancing decision that has to be taken by the various parties involved, particularly when you consider that both the US and the UK now have strict liability enforcement in the civil enforcement context.

Turning then to the practical challenges around screening – and particularly from the perspective of in-house legal and compliance teams – it’s important to focus on a number of considerations that those of us in private practice don’t necessarily focus on day to day, but which I’ve certainly seen come to the fore in the form of unintentional violations. If you have a screening tool that is not set to do dynamic or continuous screening, then you run the risk that, at some point after the relationship begins, the party with whom you’re dealing, or some other party to that transaction, becomes listed and there are consequences that you’re unaware of.

Another important factor to consider is whether the screening software is set to catch everything that you need it to catch – and I recognise that that is a real challenge because it’s necessary to strike the right balance between very conservative settings on the one hand and a high volume of false hits on the other. Trying to find a way to set this screening tool so that you’re picking up everything you need to pick up can be very challenging for the in-house compliance teams who are charged with setting up and monitoring screening tools. The other thing that’s critical is to understand the implications of a hit that you get from a screening programme. That’s become more complex, as others have mentioned.

The implications of an SDN hit is one thing and the implications of an Entity List hit is quite different so you have to be aware of what it means when there’s a hit – and that can be challenging in terms of educating the people and the compliance team who are reviewing these hits.

Finally, the application of the 50% rule varies from list to list, because it’s an OFAC rule. It applies to the SDN List but it doesn’t apply, for example, to the BIS Entity List. We need to recognise that although the specific 50% rule that OFAC has promulgated doesn’t speak to control as the rules of agencies in other countries do, OFAC does urge caution with respect to control because that could be indicia of possible attempts to evade the sanctions or the likelihood that the party with whom you’re dealing might be placed on a sanctions list in the future. These things are critical to an understanding of the sanctions hits and the application of these various rules around ownership and control.

The screening and due diligence aspect is critical to compliance. But what happens when mistakes are made? That’s where you start to get into the enforcement realm. Interestingly, many of the agencies, including OFAC, actually name their various divisions ‘compliance’ and ‘enforcement’, so there’s very much a tie between those two things. In the past year, we’ve seen an increased focus on enforcement. Both export controls and sanctions violations can be enforced on a strict liability in the civil context as well as by the criminal justice system.

One of the challenges from an enforcement perspective for non-US parties has been the extraterritorial reach of US export controls and sanctions law. This extraterritorial reach remains something of a mystery. Perhaps most folks have come to appreciate the nuances of extraterritoriality in the context of sanctions, but on the export control front, you have a tremendous amount of confusion over what is – or what isn’t – subject to the EAR. And to make that as complicated as possible. BIS has, in the form of various rules in the EAR, de minimis calculations and a variety of foreign direct product rules that are critical to an understanding of whether you’re handling a product that might be subject to restrictions.

My last observation on enforcement is the formation both of a transatlantic taskforce that was established by the United States and its key allies, as well as the so-called ‘Task Force Klepto Capture’ established within the United States in the past year. That is an inter-agency law enforcement task force and one of its principal missions is to identify and seize assets of sanctioned individuals and companies around the world.

I think this perhaps came as a surprise to many folks in the international business community, but the existing civil and criminal asset forfeiture authorities are being leveraged to secure seizure of assets that are the proceeds of unlawful conduct. It’s not a sanctions rule per se or an export control rule per se, but particularly in the anti-money laundering context, it’s been used quite a bit in the past. I’d be curious to know whether perhaps others are seeing some of these same trends. Britt, shall we start with you?

Mosman: Absolutely. That was really a helpful overview, showing how many things there are to consider and how many areas where enforcement of sanctions and export controls can arise and the interplay. I’ll focus briefly on the sanctions enforcement side. There’s the rhetoric, which has certainly intensified, and the results, which have not yet caught up to the rhetoric.

If we start with the cases themselves, OFAC has continued to dominate the sanctions enforcement landscape. In 2022, they resolved 16 enforcement actions that totalled almost US$43 million, while enforcement in the EU and UK has continued to be very limited – really, just a handful of low-value cases. This level of activity, even on the OFAC side, just didn’t match the rhetoric. In 2022, we heard Deputy Attorney General Lisa Monaco describe the need to enforce sanctions with unprecedented intensity, calling it a sea change and referring to sanctions enforcement as the new FCPA [Foreign Corrupt Practices Act]. Likewise, in the EU, certain member states took steps to pave the way to make sanctions enforcement easier.

One of the notable developments has been Germany enacting new legislation to support an increase in sanctions enforcement, and there have been various other EU-wide efforts to prioritise sanctions enforcement. For example, there was the launch of Operation Oscar to improve financial investigations by EU member states into assets held in violation of EU sanctions on Russia. The European Commission has taken action to improve the current sanctions enforcement patchwork among the various states by pushing for the harmonisation of penalties for sanctions violations in all member states via a directive – it hasn’t occurred yet but there are various calls for those sorts of improvements.

On the UK side, what stood out for me last year is what others have noted – that the UK did implement strict liability for civil violations of sanctions, which just lowers the bar for bringing an enforcement action. We’ve had that in the US for a long time and it’s a very powerful pressure point that OFAC can exert, and I think it makes bringing cases easier. So, on top of all these signals and all these kinds of statements, there are reports that all the jurisdictions we’re talking about have upped the amount of resources that they’re dedicating to sanctions enforcement and are working together at really unprecedented levels.

For example, last autumn, OFAC and OFSI announced their enhanced partnership to reinforce their coordination and their collaboration on both sanctions administration and sanctions enforcement for years to come. From my perspective, this partnership is very real – it’s very much under way. We’ve heard about exchanges of personnel between the two agencies. I was at the OFAC holiday party and was surprised when I saw a bunch of British people from OFSI there. If that’s not enhanced partnership, what is?

But even though the actual sanctions enforcement cases haven’t caught up yet, there’s every reason to believe that they will – that all these investments will start paying off and that we will see a significant uptick in sanctions enforcement across all these jurisdictions in 2023. As with our discussion of screening, it means the US is not going to be the only sheriff in town. And when it comes to sanctions enforcement as well, companies, again – like screening, like compliance – are going to need to think globally.

I’ve worked with various companies that are taking steps now to mitigate their risk, which I generally recommend. This includes all the steps you would expect –updating compliance policies and procedures, conducting training, refreshing risk assessments, enhancing contractual undertakings and, where appropriate, continuing to divest from Russia.

So that’s my quick take on the sanctions enforcement side, but I’m really excited to hear what my co-panellists have been seeing and what’s percolating in their practices.

Weinert: Sticking with the cooperation theme, on the BIS side, we’re seeing more cooperation with other agencies. I know the Department of Commerce and Department of Justice (DOJ) recently announced a strike force partnership for dealing with technology, particularly with national security implications. Their mission is pretty expansive. It’s not only the investigation and prosecution of violations of export laws but things like training and Big Data analytics, so I’m definitely seeing some more coordination across agencies. We also saw that in response to the Russia sanctions, so there are numerous examples of the DOJ, Commerce and FBI working together on seizing property – oligarchs’ jets and things like that.

Cooperation has bipartisan support in the United States, which is something we don’t see too often. It’s something all sides tend to agree on, particularly when it comes to Russia and China and the national security interests. I also think BIS is growing some more teeth. In 2022, they announced some changes to their enforcement and so there’s going to be higher penalties and fines for more egregious violations. But they’re also trying to fast-track more of the technical or the minor things – voluntary self-disclosures –and focus their efforts on the wilful violations, the sanctions evasion activities. When you go through their press releases, that’s the stuff that they’re always keen to talk about. And as we said, the enforcement trend is up year over year – 2021 was a record year for BIS in terms of prosecutions as well as administrative enforcement actions.

On the coordination side, this is the first in response to the Russian invasion. It was the first time there has been such a multilateral effort on the export control side, so it’s really an international coalition that BIS helped to build with the EU, Canada, Australia and other nations when it comes to starving Russia and Belarus of certain military technology.

Of course, I think the elephant in the room is that we’ll continue to see more activity on the China side, entities always being added to the list, and then the rules changing in 2020 on the MEU [military end user] side for China. That’s always going to be a continuing area of focus for BIS.

Bowen: I might just make a couple of points.

It’s probably fair to say that UK enforcement has been significantly more limited than US enforcement for the last year and particularly the lack of OFSI enforcement actions being publicised, relating to Russia. That doesn’t indicate there’s no enforcement action going on, it doesn’t indicate there’s no investigations going on, but it does seem to indicate that we’re a little way behind OFAC and the EU regulators, for example, in Germany. I won’t talk about the collaboration with the US because it’s been mentioned so many times. It’s clearly here to stay and it will likely be a significant source of upskilling for OFSI.

The interesting thing that may come out of it is maybe that we start to see more and more piggyback actions with people facing liability in both the US and the UK and in other jurisdictions.

It’s quite interesting, as Britt identified, that sanctions are being called the new FCPA in the US, because obviously a significant number of FCPA actions recently, or bribery and corruption actions more generally, have involved liability and settlements in the US and in the UK and in other jurisdictions. And if this becomes the norm for sanctions violations, where the regimes have diverged but there are still significant overlaps in them, particularly for high-profile figures or high-profile companies in Russia and Ukraine, that could be quite interesting and maybe the low-hanging fruit for UK and EU enforcement authorities.

Talking about low-hanging fruits, one area where we could begin to see a reasonable number of enforcement actions over the coming years – or the coming year – will be where people have self-reported breaches. With the significant range of new measures that have been put in place, you have the difficulty of complying with them, the difficulty of complying with them in real time and the lack of wind-down periods for many of them. An awful lot of corporations, I imagine, will have committed inadvertent breaches over the last year, and will have determined to report these to the regulators either because they’re obliged to do so or as a conscious decision to self-report. It may well be that we see some enforcement action coming out of that, or at least publications, which certainly OFSI has the power to do, where they choose not to impose any penalty but instead, they say: ‘This named entity [or] this unnamed entity had this sanctions violation occur. Here’s an update to the market so people don’t permit the same thing to happen again.’ So, that could be quite interesting on the enforcement front.

We’ve talked a lot about OFSI, at least from a UK perspective, but in the UK we also have issues around enforcement action or supervisory reaction from other regulators; specifically I’m thinking of the Financial Conduct Authority – the FCA. Sanctions violations and sanctions compliance is an area of supervisory focus for the FCA. They’ve really focused over the last year on testing and strengthening firms’ compliance or firms’ sanctions control measures, sanctions compliance measures, and have focused on potential enforcement action around this. So even if OFSI remains fairly quiet over the coming year, I think particularly regulated institutions will also need to worry about FCA reviews, FCA compliance measures, making sure that they can say to their regulators with a straight face: ‘We have put in place adequate systems and controls to mitigate our sanctions risk.’

And on that front, I’d be really grateful for Rachel’s views slightly more on the OFSI side, but also more generally, around enforcement action and enforcement risk in the UK.

Barnes: I agree in the UK we will see an uptake in enforcement. And following from that, whenever that comes through the pipeline, I think the benefit will be increased transparency for the market. As we see more enforcement actions, we’ll know more about where the enforcement agencies’ priorities lie, where the grey areas are, where the brighter lines are in terms of violations. That can be to the benefit of all of us, because with an increase in the regulations, with the increase particularly on the amount of sanctions, export control regulations and rules, we have a problem knowing what’s permissible and what’s not. So, increased enforcement actions may have an increase in transparency to help us all on that level.

I was going to make five points. Number one, OFSI enforcement. We are definitely behind the US on this. I think we’ve had eight monetary penalties published since 2019, the largest of which was just over 20 million, which dwarfs in comparison to the OFAC actions, but nonetheless, it is a start. I think OFSI has a real capacity issue; it’s addressing that by looking to OFAC to see how a body with a much longer history of enforcement deals with things. There are very few people in OFSI, relative to OFAC, which has multiples of the numbers of civil servants in OFSI. But when we think of OFSI, we also need to think about the NCA [National Crime Agency] because they like to think of themselves as the equivalent of the FBI, but they are the criminal investigators who work with OFSI.

Certainly, there are investigations ongoing and there have been dawn raids.

Barbara mentioned earlier that the allied nations have a taskforce and have agreed to have klepto units, and in the UK, it sits in the NCA. That certainly is active – we have seen one High Court case following a dawn raid, so we know it’s going on. We have also seen the use of civil asset freezing and forfeiture measures related to a sanctions or alleged sanctions violation. Barbara mentioned earlier the use of asset forfeiture freezing mechanisms in respect of sanctions violations. And we see that in the UK with bank account freezing actions being brought under POCA [the Proceeds of Crime Act 2002] in relation to monies which are said to be the proceeds of sanctions violation. We will see more of that, I think.

On the civil side, OFSI is inundated with potential breach reports at the moment, so whilst it may well find there are actions coming out of that, we are going to have a time lag because it just takes the very few people that there are in OFSI an awful long time to go through them all.

This is the same sort of issue that we’ve seen on the money laundering side with the number of SARs [suspicious activity reports] sent in to regulators. The regulators are swamped. Certainly over the last year, lots of people in the market have put in potential breach reports because it’s better to be safe than sorry, in terms of voluntary reporting.

Number two: sanctions violations investigations, the dawn raids, using the established freezing forfeiture measures.

My point three is looking not just at OFSI and the NCA but at the actions against export control violations. These are investigated by HMRC [His Majesty’s Revenue and Customs] and they have two powers. One is that these can result in criminal actions and the other is that HMRC can use civil penalties as well, compound penalties.

Although, again, a relatively limited penalty figure compared with the US, we are seeing the export control order violations resulting in compound penalties for breaches of export controls relating to military goods, dual-use goods, etc. I think we will probably start to see more of that, as well. What is unfortunate from our perspective as practitioners is when HMRC does issue its list of compound penalties, it doesn’t tell you who the entity is. It doesn’t tell you what the goods are. It doesn’t necessarily tell you what the jurisdiction is. It will just say ‘unlicensed exports of dual-use goods’ or ‘unlicensed exports of military goods’ and doesn’t really give you very much information. So, transparency is lacking there, which would help private practitioners and the marketplace.

Number four on my list is the FCA enforcements that James touched on earlier – both in terms of supervisory actions but also there are enforcement actions (relatively few and far between) for breaching the money laundering regulations, that can include compliance failures as regards sanctions, as well as money laundering or counter-terrorist financing, per se. So, there are some actions now; I suspect there will be more in time.

My point five – as Barbara mentioned earlier with the extraterritoriality of US enforcement measures – we’re starting to see extradition requests.

The US is requesting that the UK government extradite people whom it says have been involved in sanctions violations. There are a couple of those in the pipeline – in court. They relate to violations or alleged sanctions violations in regard to designated people. What we’re not seeing is extradition requests for people involved in banks or financial institutions, as opposed to those who are said to be ‘the facilitators’ of sanctions violations by the central Russian oligarchs, etc.

This is a really interesting area that goes back to our question of where the rules are similar and where they diverge because in extradition you need dual criminality – you need the conduct to be an offence in both jurisdictions. I think there will be interesting questions where we see that divergence, where something is an offence or would be an offence under US law – is it under UK law? That will be an interesting point – going back to issues of extraterritoriality, jurisdiction and convergence and difference.

Those are my five points, with a couple of others thrown in for good measure, on the enforcement side.

Part four

And I suppose this leads us into crystal-ball gazing in terms of what the future holds, but also the issues we’ve touched on of reputational harm and where, even if conduct isn’t legally prohibited, whether clients are saying ‘we don’t want to do this business anyway’. There are extra-legal issues, reputational issues that they are concerned about.

So, for my part, I think we’ll see enforcement actions increase. I think we will see people increasingly concerned about that wider reputational harm – we’ve seen it with Russia certainly. James, is that an issue you’ve seen with your financial clients, financial institutions?

Bowen: I’m not sure it’s just financial institutions any more. If you look at the Ukrainian government’s list of companies that haven’t withdrawn from Russia yet, which obviously aren’t sanctioned, but this is a reputational issue for sure. It includes a whole load of sectors – and shareholders are alive to this kind of thing.

I suppose financial institutions are concerned about it, and perhaps US financial institutions particularly because they’ve got experience with OFAC, they’ve got experience with the DOJ and they generally have a very low risk appetite for any kind of sanctions issue.

A lot of sanctions questions are factual questions, so it’s quite hard to get to the zero-risk-at-all point without returning to a point made earlier: ‘We’re just going to withdraw from these jurisdictions entirely. We’re not playing any more. We’re taking the ball and we’re going home.’ We are seeing a reasonable number of institutions doing this.

Tied into the reputational risk issue is another point we’ve made, which is that it’s harder and harder to ensure compliance with the growing range of sanctions. This makes it more likely that you’ll have sanctions violations, potentially enforcement action, potential reporting obligations and you’ll have the reputational harm that may be associated with that.

It may also mean that if it becomes more and more frequent that people have these sorts of technical violations, that there is less moral opprobrium attached to certain functions violations. I’m not certain that is the case or not, but it could be an interesting direction of travel around reputational risk associated with sanctions.

The final point I’d speculate on – although I’d be interested to hear my US colleagues’ view on this – is that it seems likely that sanctions on Russia and Ukraine have been effective enough and have been a palatable enough solution to Western governments, and indeed Western electorates, that they’re going to be the default for future foreign policy challenges. And so even if my hypothetical client is happy to say, ‘We’ll just withdraw from that jurisdiction, the reputational risk is too much, the sanctions risk is too much, the complexity of navigating a way around these enforcement issues is too much’, that isn’t necessarily a complete solution to this sanctions question, because you don’t know which jurisdiction is going to be sanctioned next and how key that jurisdiction is going to be to your business.

But on the crystal-ball gazing front, I very much hand over to my colleagues. Richard might have an interesting view on the future of export controls. I’d be interested to see and to understand where that might go.

Weinert: On the export control side, I think it’s going to continue to be high up there in terms of the toolbox. But on the flip side of that, you also see countries like China investing heavily in technology now to try and avoid US content and US items altogether. So, it’s a kind of arms race in that regard where if that investment is made, there’ll be diminishing returns to some of the export controls.

Going back to the reputational risk, we talked about the complexity of dealing with sanctions from numerous jurisdictions and some companies just saying: ‘OK, we’re just going to derisk and pull out of Russia altogether.’ Russia has an economy roughly equivalent to that of Texas, so it might be easier for companies to do that in Russia, whereas a country like China, that’s going to be a lot more difficult, with all the different industries involved. Russia is primarily oil and gas, whereas China has everything and their economy dwarfs Russia. So, it’s not necessarily an option for companies to be able to pull out of China if there were to be some kind of conflict or if something goes on with Taiwan or something like that. I think companies are looking at that from a reputational perspective and really trying to understand their exposure there.

Mosman: I’m glad that we’re touching on the broader ESG [environmental, social and governance] considerations, because the legal or technical analysis isn’t the end any more. It’s one factor that companies are considering as they decide whether to continue to transact in somewhere like Russia, where there still is a possibility legally to thread the needle and not violate sanctions or export controls.

This is a change. For a long time, there has been an attitude from companies that governments set the boundaries of what dealings can be done, and the private sector’s job is to stay on the right side of the line. This makes sense because the government is the one with the power, the one that, in some ways, is best positioned to make these national security determinations. They’ve been setting these norms for a long time, especially in the United States, but in the last year in particular, companies have been asking: What should we be doing? What do our shareholders expect us to be doing? Who within the company makes these decisions and how do we do so consistently?

These are really interesting discussions. The flip side of it is concerns about doing right by employees in Russia and balancing that with suffering some reputational harm for staying in Russia. But we have an ethical duty to people that we have employed for decades and, at least, exiting this relationship in a way that does right by them.

So, no easy answers. And even when a company does decide to exit the Russian market, leaving Russia is much more challenging than it sounds, given all the local Russian laws that are designed to prevent companies from doing so and to penalise them for doing so.

Looking ahead, the interplay of ESG and legal considerations will continue and the trend of multilateral cooperation will continue. I think, though, that we’ll see more situations going forward where either the UK or the EU restrictions are broader in scope than those imposed by the US, as these regimes continue to strengthen and grow.

Companies will need to continue to exercise additional diligence and caution to ensure that they’re complying with all applicable sanctions and export control jurisdictions. I think the US will continue to deploy export controls – Richard’s comments on this were very helpful. We have seen them used as a means of supporting sanctions programmes and as an independent means of addressing national security concerns. So, the fact that they’ve been successful in impairing Russia’s war effort and the fact that they’ve been relied on to target Chinese ascendancy and critical tech sets a model for the role of export controls in foreign policy. And so that’ll be turned to more often.

A final caution there, though. Remember that companies need to ensure compliance with both sanctions and export controls, especially when entering into transactions in high-risk jurisdictions like Russia and China. They are not a complete overlap.

Barnes: Britt’s comment is really insightful on the ethical issues that companies face when trying to exit a market and also the legal issue they face when having made a decision to exit the market because of sanctions or foreign policy issues, whether or not they actually have to. But they’ve made that decision in a way that ensures both their employees in the country, Russia in particular, are not exposed to retaliatory action. Certainly, in my practice over the past year, I’ve had clients coming and asking me, how do we do this in a legal and the safest way possible? Some of those clients, when they’ve made an announcement that they were leaving Russian market, noted that the police were knocking on the door of their Russian office the next day and they had real concerns about their employees there. That’s a really interesting question that companies are just not used to grappling with but have increasingly had to do and are doing over this past year. How do we ensure we get out in a way that’s ethical and safe, as well as conducting our business in other jurisdictions in a way that is ethical, safe and legal?

Linney: Rachel makes a very good point on concerns about the local law response to withdrawing from a particular jurisdiction because of sanctions issues. We saw some similar concerns on the US side in the context of many of the Venezuelan sanctions that were put in place and so that’s certainly something to be aware of and to weigh into one’s decision-making.

In general, sanctions and export control practitioners have to be able, whether in private practice or consultancies or in-house, to recognise that this is not just a determination that’s being made solely on the basis of whether a particular action is lawful from the point of view of sanctions or export control law, but that there are many other factors, whether it be other areas of law, business, employment, etc., that may be impacted. It really behoves all of us to recognise that, and to help our clients recognise that, and to recognise the context in which they’re having to make some decisions about how their particular entity is going to respond to the issue.

Certainly from an employment law perspective, we’ve seen issues in the US, and in other countries because of the extraterritorial aspect of export control laws, about how to balance employment and civil rights against requirements of off-limits nationalities who are identified in various export control laws.

Picking up on something that Richard said about avoiding companies in countries like China trying to avoid US technology in order to avoid extraterritorial application of US law, that has long been a concern in the defence market.

We didn’t talk much about the other export control rules here in the US that apply to the military and defence market. There’s very much been a ‘let’s have an ITAR-free [International Traffic in Arms Regulations] programme’ attitude in the UK, the EU and so on. And interestingly, DDTC [Directorate of Defence Trade Controls], which is the agency within the State Department that administers those regulations, has recently signalled that it may be considering some relief on the re-export side of that long arm of the ITAR.

So more to come on that. I wouldn’t necessarily predict that will happen this year because these things move notoriously slowly at these agencies, but at least we’ve seen some potential willingness to consider the issue.

What that brings me back to is that these ESG concerns – and I don’t mean to minimise these issues – are just the latest sort of new issue that interacts with the compliance role in managing reputational risk and business risk. We’re reminded that it’s important, as compliance professionals, to view compliance in a broader context and really be prepared to pivot quickly to address concerns as they come up.

We’ve certainly seen some of these concerns; for example, the desire to eliminate forced labour from the supply chain or other ESG concerns spur new legislation and, frequently, the responsibility for complying with that new legislation lands on the desk of someone in the compliance department.

I was speaking the other day with a UK in-house lawyer who told me that she’s now spending about 30% of her time on ESG issues. This is somebody whose focus five years ago was sanctions and anti-corruption, and then over the years added on export control to her portfolio of responsibility. Now we see the focus on ESG. Five years from now, the focus may well shift again. And so, for me, the important thing to recognise is that not only does the export control and sanctions area have numerous nuances – you can take a deep dive into just about any aspect of these issues, as the GIR Guide to Sanctions so aptly illustrates – but I think the conclusion that we have to draw from all this is that given the role of compliance in this broader context, compliance personnel are well advised to have both flexibility and willingness to learn as key characteristics, given that the landscape has changed constantly and will continue to do so.

About the panel