06/04/2023 Alexander

The importance of sanctions risk management

Pawel Kuskowski invited Jonathan Benton and Lee Byrne, top financial crime professionals in the UK to talk about why sanctions risk management should be treated with the same importance as money laundering.

What are sanctions?

When asked about the changes and impact of sanctions, Jonathan shares that over time, sanctions have turned from a soft political tool into one able to freeze hard cash. As a result, multi billion dollar companies could suddenly see half their portfolio frozen overnight.

Lee adds that a lot of sanctions activity was historically related to state economics. From the Greeks in 300 BC blockading a port to the British having their tea blockaded around America, we have come to a point now where it’s been disseminated into actual individuals who are suggested as being supportive of the state. This brings a level of complexity to financial services and the crypto space because what happens in the traditional sector will now be translated to the crypto space.

Lee explains that criminal sanctions evaders, not just Venezuela or Iran but also North Korea, are taking proceeds from cyber crimes in the form of crypto. Therefore, sanctions risk management is currently just as, if not more important, as money laundering. Unfortunately, most of the narratives still focus on money laundering even when there is a more immediate risk of enforcement action through sanctions. This is because sanctions are a form of foreign policy and if they are not followed, it is effectively treason.

The difference between sanctions and Anti-Money Laundering

When Pawel asks if proper Know-Your-Client (KYC) is needed for sanctions risk management, Lee replies by saying that while the underlying foundation is to know your clients, the main difference between the two is the risk assessment.

Injunctions are held at the wallet level. Jonathan mentions that one thing we can now do which wasn’t the case previously is serve orders of unknown persons in unknown locations based on their wallet ID. One can trace the elicit money back to the wallet ID if the ID is held by one of the big exchanges.

Jonathan also explains that if exchanges are told they have elicit money but still allow for its movement, they could be liable under tort. Answering Pawel’s earlier question regarding KYC, he says that KYC was the starting point when exchanges started their operations. The challenge is that now the Office of Foreign Assets Control (OFAC) will go after a particular somebody in the crypto space. He references that Tornado Cash is now sanctioned under OFAC.

Lee explains that there are also degrees of noncompliance such as:

  1. Absolute ignorance;
  2. Unknowingly used (but there were systems and controls in place);
  3. Wilful blindness;
  4. Collusive conduct.

The reality is that there is no concept of risk-based approach in sanctions.

Watch the whole discussion:

Consequences from sanctions

To clarify why companies face such high levels of consequences, Jonathan explains the two types of offences in law:

  1. One where you have to have the mental stimulation or the mental mind and then you commit the act with that state of mind;
  2. Strict liability, where you act and you become liable straightaway.

Strict liability is basically asking yourself, “how much trouble I am in” and not “if I am in trouble”. Companies cannot use excuses like, “my staff was off sick”. However, in their defence, companies could mention that they have done the following to mitigate the level of enforcement action taken against them.

  1. Risk assessment;
  2. Training;
  3. Everything reasonable.

According to Lee, strict liability is basically saying that you’re guilty but the question is, do you get a slap in the wrist or do you hit the headlines and get all your finances taken off? Jonathan labels this as a mitigation exercise where if companies have done something, they at least have a plea bargain.

Lee clarifies that companies should acknowledge they have a responsibility and they must carry out a risk assessment for their policies and procedures in order to identify if they are exposed to risks and then take steps to mitigate those risks.

Who is liable for a sanctions breach?

In the UK, if you are a UK national or a UK business, you are subject to sanctions limitations. The “reasonably aware” test will apply to financial services firms as opposed to members of the general public. However, you do not have to use financial or obliged entities to move value around the world. The ease of using crypto exchange organisations has now made the crypto space a haven for criminals. This is precisely why sanctions risk management has become very important.