Why mid-size and small companies need robust sanctions compliance

In 2019, e.l.f Beauty, a small, California-based company with just over 300 employees, paid $1 million to settle an enforcement action by the Office of Foreign Assets Control (OFAC) of the US Treasury. E.l.f. imported 156 shipments of false eyelash kits from Chinese suppliers that sourced some of their materials from North Korea. The company self-reported the sanctions violations after an internal audit and reportedly paid a lesser fine as a result. 

Today, staying straight with US, European, and other sanctions requirements is even more difficult. With the war in the Ukraine raging and the number of sanctions on Russian businesses, individuals, and companies that work with them escalating, small to mid-size companies need to enhance their ethics and compliance efforts to avoid fines. Recently, the United States imposed new sanctions on Chinese and Emirate companies, as well as a network of Iranian companies, further adding to the scope and reach of existing sanctions. 

What are sanctions?  Is the US the only country that imposes them? 

Countries such as the US and multilateral organizations such as the United Nations, European Union, and World Bank impose restrictions against a country, group, or individuals. These restrictions can include travel bans, asset freezes, arms embargoes, and trade prohibitions for a variety of reasons including political, military, and social issues such as trafficking, terrorism, drug trade, or violations of rules and laws.

The US alone has more than two dozen sets of sanctions regimes targeted at Iran, Russia, North Korea, Venezuela, Syria, and other countries and groups such as Hezbollah. Other countries also impose sanctions, such as the UK, Canada, Australia, and Japan. The purpose of sanctions is to try to alter the behavior of states, groups, and individuals (for example, Russian oligarchs that support Putin) that violate international norms of behavior.

Export controls, such as restrictions on the export of goods or technologies by any means (including virtual) can also apply in addition to sanctions. Anything military—whether it’s technology, equipment or even know-how—usually requires a prior license from the US government prior to export. Other technology and equipment may be restricted under the Department of Commerce export laws as well as sanctions. For example, US computers and software, such as Microsoft 365, cannot be sold in Syria and other sanctioned countries.

Do US sanctions apply to all companies regardless of size? 

Yes. All US persons must comply with OFAC regulations, including all US citizens and permanent residents, regardless of where they are located, all persons and entities within the United States, and all US incorporated entities and their foreign branches.

For example, CNBC reported last March that cybersecurity training firm INE, a mid-sized company, did not expect that sanctions would affect its business. But, based on an informal conversation, INE ran its client list against the US Treasury sanctions database and was shocked to learn it was doing business with sanctioned Russian banking entities. INE immediately severed ties with two clients to which it had been providing IT training services.

So, just avoid Russian, Syrian and other sanctioned companies and we’ll be okay? 

No. Large companies and banks in Russia that are sanctioned can have subsidiaries or joint ventures in areas such as web development, cyber, or supply chain. It may not be immediately apparent that they are within current sanctions. Cayman Island companies are notorious for being fronts for Russian investment. It can be difficult to peel back layers of ownership to determine the real owners.

Hiring software developers in Eastern Europe can also raise risks if some turn out to be Russian nationals. As INE found, having any associated entity as a customer is a violation of Treasury Department sanctions. The e.l.f. Beauty example illustrates how having sanctioned entities in your supply chain also violates the law.

How can small and mid-size companies ensure they have sanctions compliance? 

Size is no excuse for non-compliance, so small and mid-size companies need to ensure they have a reasonable and effective compliance system that guards against key risks, such as sanctions and trade control violations.

The US Treasury Department and other sanctioning entities maintain updated lists on their websites. Sanctions lists are searchable and various vendors offer screening services with consolidated lists including US, multilateral, and other countries’ sanctions requirement. Start screening your existing customers, suppliers, and contractors.

To ensure compliance—and to get credit for your effort in the event of a violation—take these additional steps, at a minimum:

  • Identify key risks and make sure they are reviewed and updated regularly.
  • Set up an ethics and compliance procedures to mitigate the risks.
  • Make sure you have clear policies that tell everyone what they need to do in simple terms to stay on the right side of the law.
  • Train your employees regularly on these requirements; many requirements are counter-intuitive and complicated.
  • Audit compliance with the requirements to make sure they are being followed.

 The key takeaway 

As the eyelash and cyber examples show, any company can inadvertently violate the sanctions laws, particularly when e-commerce moves at the speed of a click. Sanctions laws and regulations are strict liability; it doesn’t matter if you didn’t know. Make sure your company is protected.

As regulatory guidance evolves, so too do ethics and compliance best practices. You can learn more by exploring our collection of resources for keeping pace with the US Department of Justice. 

The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Readers should consult with their own attorney regarding legal matters.