In the Blink of an Eye: Why Mid-Size and Small Companies Need Robust Sanctions Compliance


Post By: Susan Frank Divers, Director of Thought Leadership & Strategy, LRN Corporation

In 2019, e.l.f. Beauty, a small California company with just over 300 employees, paid $1 million to settle an enforcement action by the Office of Foreign Assets Control of the U.S. Treasury. E.l.f. imported 156 shipments of false eyelash kits from Chinese suppliers that sourced some of their materials from North Korea. The company self-reported the sanctions violations after an internal audit and reportedly paid a lesser fine as a result.

Today, staying straight with U.S., European and other sanctions requirements is even more difficult. With the war in Ukraine raging and the number of sanctions on Russian businesses, individuals and companies that work with them escalating, small to mid-sized companies need to enhance their ethics and compliance efforts to avoid fines.

Last week, the United States imposed new sanctions on Chinese and Emirati companies, as well as a network of Iranian companies, further adding to the scope and reach of existing sanctions.

What Are Sanctions? Is the U.S. the Only Country that Imposes Them?

Countries such as the U.S. and multilateral organizations such as the United Nations, European Union and World Bank impose restrictions against a country, group or individuals. These restrictions can include travel bans, asset freezes, arms embargoes, and trade prohibitions for a variety of reasons including political, military, and social issues such as trafficking, terrorism, drug trade or violations of rules and laws.

The U.S. alone has more than two dozen sets of sanctions regimes targeted at Iran, Russia, North Korea, Venezuela, Syria and other countries and groups such as Hezbollah. Other countries also impose sanctions, such as the U.K., Canada, Australia, Japan and others. The purpose of sanctions is to try to alter the behavior of states, groups and individuals (for example, Russian oligarchs that support Putin) that violate international norms of behavior.

Export controls, such as restrictions on the export of goods or technologies by any means, including virtual, can also apply in addition to sanctions. Anything military, whether it’s technology, equipment or even know-how, usually requires a license from the U.S. government prior to export. Other technology and equipment may be restricted under the Department of Commerce export laws as well as sanctions. For example, U.S. computers and software, such as Microsoft 365, cannot be sold in Syria and other sanctioned countries.

Do Sanctions Apply to All Companies Regardless of Size?

Yes, all U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent residents, regardless of where they are located, all persons and entities within the United States, and all U.S.-incorporated entities and their foreign branches.

For example, CNBC reported last March that cybersecurity training firm INE, a mid-sized business, did not expect that sanctions would affect it. But, based on an informal conversation, INE ran its client list against the U.S. Treasury sanctions database, and was shocked to learn it was doing business with sanctioned Russian banking entities. INE immediately severed ties with two clients to which it had been providing IT training services.

So, Just Avoid Russian, Syrian and Other Companies and We’ll Be Okay?

No. Large companies and banks in Russia which are sanctioned can have subsidiaries or joint ventures in areas such as web development, cyber or supply chain. It may not be immediately apparent that they are within current sanctions. Cayman Islands companies are notorious for being fronts for Russian investment. It can be difficult to peel back layers of ownership to determine the real owners.

Hiring software developers in Eastern Europe can also raise risks if some turn out to be Russian nationals. As INE found, having any associated entity as a customer is a violation of Treasury Department sanctions. The e.l.f. Beauty example illustrates how having sanctioned entities in your supply chain also violates the law.

How Can Small and Mid-Size Companies Protect Themselves and Comply?

Size is no excuse for non-compliance, so small and midsize companies need to ensure they have a reasonable and effective compliance system that guards against key risks, such as sanctions and trade control violations.

The U.S. Treasury Department and other sanctioning entities maintain updated lists on their websites. Sanctions lists are searchable and various vendors offer screening services with consolidated lists including U.S., multilateral and other countries’ sanctions requirements. Start screening your existing customers, suppliers and contractors.

To ensure compliance and get credit for your effort in the event of a violation, at a minimum, take these additional steps:

  • Identify key risks and make sure they are reviewed and updated regularly.
  • Set up ethics and compliance procedures to mitigate the risks.
  • Make sure you have clear policies that tell everyone what they need to do in simple terms to stay on the right side of the law.
  • Train your employees regularly on these requirements; many requirements are counter-intuitive and complicated.
  • Audit compliance with the requirements to make sure they are being followed.

As the eyelash and cyber examples show, any company can inadvertently violate the sanctions laws, particularly when e-commerce moves at the speed of a click. Sanctions laws and regulations are strict liability; it doesn’t matter if you didn’t know. Make sure your company is protected.