Sanctions Compliance: A Unique Approach for Conglomerates
The U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) January 2022 settlement agreement with Sojitz (Hong Kong) Limited for alleged violations of the Iranian Transactions and Sanctions Regulations (“ITSR”), 31 C.F.R. Part 560, is an important reminder of how conglomerates—which are typically multinational—can run afoul of U.S. economic sanctions. The global reach of U.S. sanctions programs administered by OFAC is a difficult legal regime to avoid for a conglomerate with cross-jurisdictional and -industrial business operations, regardless of where the parent holding company and subsidiaries are located. Approximately one-third of all OFAC civil enforcement actions since 2019 have involved multinational conglomerates of some kind. With the rapid rise of an arguably “comprehensive” U.S. sanctions program targeting Russia since its invasion of Ukraine in February 2022, and Russia’s significant role in international commerce—such enforcement actions are only likely to increase.
In this post I aim to provide helpful guidelines for parent holding companies to reference when establishing, enhancing, and/or administering their own sanctions compliance program (“SCP”). However, it is first important to illustrate how far reaching the U.S. sanctions regime can be, warranting the parent company to take the lead in compliance in order to protect not only itself from liability but the entire conglomerate.
The Global Reach of U.S. Sanctions Programs
Sojitz Corporation’s—a soga shosha (i.e. a distinct Japanese conglomerate variety)—Chinese subsidiary Sojitz (Hong Kong) was alleged to have violated the ITSR when it purchased Iranian-origin petroleum-based products from a Thai supplier but paid for them in U.S. dollars from its Hong Kong bank to the supplier’s bank in Thailand. In doing so, Sojitz (Hong Kong) caused several downstream intermediary U.S. financial institutions that processed these payments to engage in and facilitate transactions they would have been prohibited from performing themselves under the ITSR.
Other than the indirect use of the U.S. financial system for these transactions by Sojitz (Hong Kong), there was no other U.S.-nexus to its Iran-related transactions, resulting in a $5,228,298 settlement with OFAC. Application of this “causation” principle under the International Emergency Economic Powers Act (“IEEPA”)—the statutory basis for most U.S. sanctions programs—is the primary extraterritorial kicker for U.S. sanctions, which prohibit foreign-based entities engaging in conduct that causes any U.S. party to transact with a sanctioned target (e.g. directly or indirectly involving the U.S. financial system in the transaction).
The OFAC enforcement matter involving Sojitz (Hong Kong) illustrates how attenuated the agency’s jurisdiction is outside of the United States to trigger U.S. sanctions risks and the need for a tailored SCP. Unlike their subsidiaries, parent companies typically don’t have their own operations other than holding and maintaining ownership and control interests. However, certain U.S. sanctions programs can hold a parent company directly liable for their subsidiary’s prohibited conduct (e.g. OFAC’s Iran and Cuba sanctions programs), and even where the subsidiary alone is at fault, it is still financially and/or reputationally connected to the parent. Therefore, parent companies will typically find themselves ultimately responsible for managing the conglomerates overall sanctions risk profile—as the subsidiaries’ risks are shared by the parent—and need to create their own unique mitigating controls that are unlike those of their operational subsidiaries.
Sanctions Compliance Guidelines for Parent Companies
Managing compliance with these far-reaching U.S. sanctions laws is no easy task for the parent company. It requires a top-down approach in tailoring and administering a SCP commensurate with a complex risk profile for the conglomerate as a whole, which must be distilled from numerous subsidiaries’ distinct sanctions risk profiles—each assessed on their respective customer-base, products, services, geographic locations, and other operational idiosyncrasies.
A prudent first step is for the parent company’s board and senior leadership to commit to and support such compliance efforts, especially the provision of adequate resources since parent companies may have minimal personnel and little to no compliance officials of their own. In allocating adequate resources to a parent company’s SCP, it is necessary to retain personnel with necessary technical knowledge and expertise with respect to OFAC’s sanctions programs. Their first course of action will be for the parent company to conduct its own risk assessment, and then tailor relevant compliance controls.
Whereas subsidiaries’ respective controls are tailored to risks premised on their operations, a parent holding company will need to formulate a minimum standard for controls it expects all its subsidiaries to maintain. Such standards should include, but are not limited to:
- Prohibitions and/or restrictions on any dealings with defined countries/regions and categories of persons, including persons identified on OFAC’s sanctions lists, unless approved through established stop, hold, and review procedures of the parent company and/or the subsidiary’s compliance function.
- Use of restricted party screening tools with specified minimum calibration requirements.
- End-user validation procedures, such as use of end-user declaration forms or IP address identification capabilities (where applicable) to prevent diversion of goods or services to prohibited end-users, end-uses, or destinations.
- Use of sanctions compliance clauses in contracts and agreements.
- Recordkeeping procedures in line with OFAC-related requirements.
- Minimum training expectations (i.e. at least annually or more, all new hires, accountability measures, content, etc.).
- Sanctions compliance testing and audits protocols.
- Compliance issue reporting procedures and relevant contact details of the parent company, while detailing potential repercussions for non-compliance.
A parent company’s SCP should also enable and encourage subsidiaries to exceed such minimum standards. In addition, it should contemplate unique issues that may arise for certain subsidiaries based on their respective operations, including conflict of laws mechanisms for example where a subsidiary may be subject it to anti-sanctions laws for example. Note that where a parent company has operations of its own (e.g. selling goods and services), it will need its own separate SCP that has controls to address the relevant risks, but that is also compliant with the overarching SCP drafted for the conglomerate as a whole.
Once the parent’s SCP has been implemented, it must continuously monitor all subsidiaries for compliance and issues through an independent and objective testing/audit function. OFAC has underscored the importance of this function in enforcement actions involving subsidiaries whose rogue employees circumvented SCP’s that were otherwise considered reasonable, including the Sojitz (Hong Kong) enforcement action. Meanwhile, the parent must ensure that its compliance function and SCP remain up to date on OFAC’s rapidly evolving sanctions regime. The SCP will need to be capable of adjusting quickly to an evolving risk profile stemming from OFAC’s regulatory updates, subsidiaries’ operational changes, and all mergers and acquisitions activities.
The author of this blog post is Kian Meshkat, an attorney specializing in U.S. economic sanctions and export controls matters. If you have any questions please contact him at 202-440-2591 or meshkat@falawpc.com.
The information provided in this post does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available are for general informational purposes only. Information on this post may not constitute the most up-to-date legal or other information. Links to other third-party websites are only for the convenience of the reader, user or browser; the the author does not recommend or endorse the contents of the third-party sites.