As sanctions increase at an unprecedented rate, so grows the list of risky entities that organizations should avoid doing business with. What's changed in recent years, which organizations should stay alert, and how should those organizations approach compliance? We discuss it all with Josh Shrager, Senior Vice President at Kharon, a leading data and analytics company focused on financial crimes compliance and risk management.
As sanctions increase at an unprecedented rate, so grows the list of risky entities that organizations should avoid doing business with. What's changed in recent years, which organizations should stay alert, and how should those organizations approach compliance? We discuss it all with Josh Shrager, Senior Vice President at Kharon, a leading data and analytics company focused on financial crimes compliance and risk management.
Saxon Prater (SP):
In February of 2022, the Russian invasion of Ukraine spurred a surge of economic sanctions, greatly expanding the list of risky entities that organizations should avoid doing business with.
Laura Sewell (LS)
But any compliance expert could tell you that sanctions have grown more and more complex for decades as the US uses them more and more to combat objectionable foreign actions.
SP
This trend, compounded with a global economy, means a wide variety of industries are at risk for noncompliance.
LS
To dig into today's sanctions and how organizations can mitigate risk, we're talking to Josh Shrager, Senior Vice President at Kharon, an analytics software company with expertise in sanctions screening.
Josh Shrager (JS)
That's at the forefront of what I think becomes important for someone to effectively manage a sanctions program. Right? Starting to think about the data that they can get in that that is verifiable, that is updated and fundamentally can inform their personnel to make faster and better decisions.
SP
I'm Saxon Prater.
LS
I'm Laura Sewell. Welcome to Fintech Focus from CSI.
SP
Josh, welcome to Fintech Focus. It's great to have you.
JS
It is excellent to be here. Thanks so much for having me join.
SP
Well, okay, so let's set up a little context upfront to make sure we're all on the same page. This first question should be pretty straightforward. Could you remind us of what sanctions are in general and why they're important to financial institutions and other organizations?
JS
Of course, look, the beauty is nothing is straightforward. But let's try to give a straightforward answer as best as I can. So, sanctions, of course, are a tool of national power. We could also say international power if you want to think about UN sanctions and essentially at their core.
Sanctions are when the US government blacklists or targets or tries to impact another party. So, that may be an individual. That may be a company or an entity. That may be a whole organization if we think about ISIS or Al Qaeda. That may be a whole nation if we think about North Korea or subsets of sanctions targeting Russia.
At the end of the day, if we're thinking about the US government (though other governments, of course, employ economic sanctions), the US government would use sanctions as a way of trying to get another country or another actor to change their behavior or ultimately to try to impede that country or actor or organization from carrying out a certain type of behavior.
Now, what's always interesting, of course, is while sanctions policy is set by a government or if we want to talk about the UN, an international entity, ultimately the front line of sanctions, of sanctions implementation is not the government itself, but rather is the private sector.
It's financial institutions; it's corporations, it's compliance officers who day-in, day-out are looking at transactions, looking at who's signing up for an account, looking at who's wiring money from one institution to the next. Doing the dirty work, if you will - the real, real challenging work of understanding who is trying to avoid those sanctions and stopping transactions accordingly.
LS
Josh, if you had to guess… generally speaking, every organization is responsible for making sure they're in compliance. What percentage is aware that they have to watch out for sanctions?
JS
So, banks and financial institutions…they know, right? Obviously, there are regulated entities, regulated portions of our economy that understand fully what they need to do from a compliance vantage point, that’s sanctions and anti-money laundering or beyond. Where the answer maybe becomes more interesting is starting to think about corporations. Large corporations - do they have huge compliance programs, understand that they have to comply with sanctions, have sanctions screening programs? Absolutely. Of course. They all do.
How many companies in the world are these large Fortune 100 and 500, 1000 or beyond companies versus small companies that have several employees that import goods from one part of the world but have a small operation to do so? And do those companies fully understand the onus that's on them to also be compliant with sanctions? And I think the answer to that, of course, is a lot less so. A lot fewer of those companies are going to fully understand what their role and requirements are to think about sanctions, vis a vis others.
And I don't think the intent should ever be to scare everyone in the world into thinking that they need to have a sanctions officer at their two-person company. That's not necessarily it. But obviously, being aware of the fundamentals of sanctions and what OFAC screening is.
We've seen OFAC over the past couple of years and beyond impose fines or kind of call out with enforcement actions, companies that have hundreds of employees, maybe don't have an active sanctions program, and somehow, it's come to light that there has been, perhaps not purposely, but there's been a sanctions violation.
So certainly, I think awareness is the fundamental part for all those corporations, everyone out there to be considering.
LS
That's why we're here today, right?
JS
That's right.
LS
So how do sanctions and watchlist screening fit into an organization's overall compliance efforts?
JS
I think they're hand in hand. If we look back a decade and look at AML programs and sanctions programs, often they were separated from one another. And I think the trend that I've seen in the past - we can call it a decade plus or minus some years - there is certainly a confluence between what a traditional AML program would look like and what a sanctions program would look like. More and more, you're seeing communication, shared resources and certainly coordination between them.
In a way, sanctions used to be easier. Sanctions, traditionally, we would think about in a list-based sort of manner. Post-September 11th, we saw hundreds and hundreds of individuals of Al Qaeda and Al Qaeda front companies added to the US sanctions list, sanctioned under Executive Order 13224 that targeted Al Qaeda and the Taliban.
And if one of those entities/one of those people appeared on the list, a bank or a corporation would say, “I cannot do business with that person.” And we've seen even in early October, and we see it almost every week that OFAC and other jurisdictions around the world are adding entities and individuals to their sanctions list.
So, I’m not saying that the list is going away. That being said, there are certainly a lot more complications than there used to be. One, there is the existence of sectoral sanctions. So those are sanctions like we’ve seen in the Russia context post 2014 after Russia had annexed Crimea. We saw that the United States imposed sanctions on whole sectors of the Russian economy. And obviously, there's a lot to talk about with Russian sanctions.
But sectoral sanctions, it's not going to be a list of entities. It's going to say that "hey, anyone in the US cannot deal with these certain industries in Russia." And people in the US, businesses, banks, and others have to understand that they're transacting with someone in Russia, that they are indeed not in that industry. And we also see that kind of in the North Korean context. And that's UN sanctions and US sanctions. Just looking at a list won't help with that.
The other bit is maybe even more complicated than that. It can be, but we'll try to unpack it really quickly. And that is the so-called 50% rule. And that's something that exists in the United States and exists in the European Union. In the US, this comes out of the US Treasury Department, out of OFAC, and it states that any entity that is 50% or more owned by a sanctioned actor is considered sanctioned by law, even if that entity does not appear in a list.
So, let me give an example. Let's say there's a company that owns 52% of another subsidiary. The first company, Company A, is sanctioned and appears on an OFAC list. But their subsidiary, which is 52% owned by them, does not appear in the sanctions list. The regulations read that everyone needs to be aware. Everyone, as in compliance programs, need to be aware and need to surface information to know that who they're transacting with is majority owned by a sanctioned entity and thereby is treated sanctioned by law.
So, it's a long-winded answer. I know. It's a specialty of mine. You can ask my wife about that. All this is to say that we are at the stage in modern sanctions programs where we need to look beyond just who appears on the list or does not appear on the list.
LS
So, I want to ask you, with this OFAC 50% rule, how does that show up? How do organizations flag those?
JS
It's a great question. Elbow grease is probably a large part of that. A bit tongue in cheek, but that is honestly part of the answer. So, look, at the end of the day, folks need to do enhanced due diligence on who they are transacting with or their client. Obviously, all modern sanctions programs and all modern compliance programs, rather, are based fundamentally on the risk-based approach.
Regulators realize that institutions do not have unlimited resources to dedicate towards complying with sanctions. So certainly, not every client is treated the same. That being said, the onus is moving more and more towards compliance programs that they are expected to know beyond just their customer.
So, instead of just saying, "so-and-so does not appear on a sanctions list, that means they're good," if there are some other flags about that person, if they come from a jurisdiction of concern or in an industry of concern or there are other red flags, the expectations now are that compliance program will not just dismiss them as not being on a list, but they will dig more. So, you'll do that through research.
It's also where data companies come in. That's what we do at Kharon. We certainly look at the networks and understand the expanse of ownership and connections between sanctioned and non-sanctioned entities and try to surface that information.
LS
Okay. Gotcha. So pretty complicated.
JS
It's complicated for me, too. Don't get me wrong.
LS
You're listening to Fintech Focus. We're talking with Josh Shrager from Kharon about today's sanctions and modernizing your sanctions screening program.
SP
You kind of alluded to this, how sanctions have changed over the past decade or so. You mentioned Al Qaeda and various other entities. Can you speak a little bit about how they have changed even in the past year or so?
JS
Yeah, I mean 2022 alone. Let's go back to the beginning of this year. It has been a roller coaster in many ways as life goes, but especially for sanctions. So, look, of course, the war in Ukraine has been transformative. And we know it's been transformative geopolitically and economically and all of that. But on the sanctions front, a word that I find myself using again and again as I think about the US and the multilateral sanctions that have targeted Russia is “unprecedented.”
So, the scope, speed, depth, breadth, the continuation of the sanctions that are targeting Russia are unlike anything I think anyone has seen. And certainly, I think a big part of that we can look at the US in an isolated sense, and I would stand by that statement entirely. But even beyond that, thinking about the multilateral approach.
So, certainly, in the past year, we see sanctions targeting Russia but also beyond Russia. Certainly, you see that coordinated actions between different governments throughout the world. So, we see the same day that the US announces sanctions on specific individuals or entities that maybe the European Union and the Canadians have done the same. Or we've seen legal actions, law enforcement actions in one country to coincide with sanctions actions in another country. So certainly, I think kind of the rise of multilateralism is something that I would make a strong note of.
Probably, I can talk for 15 minutes about what we've seen in the past year. But the one other one that I will call out as a recent trend or kind of recent evolution certainly is how we're seeing not just traditional sanctions authorities being used.
So, in the US, I think of sanctions authorities as mostly being held by the US Treasury Department. It all comes out of the executive branch. Ultimately, it's a presidential decision to decide to impose sanctions on a person to enter your country. It could also come out of Congress, but we'll save that for another discussion.
But beyond that… traditional sanctions authorities are at the Treasury or State Department. Certainly, we're seeing import and export controls also rising in coordination with sanctions. So, we see the US, the US Commerce Department, the bureau, the BIS, which is a component of the Commerce Department, are also using their authorities to target what sorts of goods are being exported, and if we want to think about Russia, trying to prohibit that.
So, maybe they're not conventional sanctions. But they're being used as another tool of national power in coordination with sanctions and with the expectation that financial institutions and corporations are aware of these authorities and how they may impact their work. So, in the summer, there was a joint alert by FinCEN, a component of the US Treasury Department and BIS, a component of the US Commerce Department that I just spoke about.
And in this joint alert, the crux of it was the alert cautioned financial institutions and banks, traditional financial institutions, to be aware of export restrictions and how that may impact maybe not the bank itself but their clients and basically putting banks on alert that they need to now be aware of and thinking about this. So, this is a really interesting trend over the past year and probably a couple of years; we can see, even going back to the previous administration, how these authorities are being exercised and leveraged maybe more than ever before.
And my strong expectations are that this is the beginning. We'll continue to see more and more of that as the US government and other governments see that as an effective way to try to combat illicit actors or countries that they may be trying to target.
LS
That's great information, Josh. So, like you said, this is unprecedented. And as you also said, it's just going to keep growing, evolving and becoming more complex. So, you can't rely on systems or programs that are even three years old. So, what does a modern, effective sanctions program look like for today's institutions and organizations?
JS
That's the question. The bottom line to your point exactly, is it's changing. It's changing every day. And look, at times, I think people can get overwhelmed by how much things are changing and what they need to be doing. The good answer that hopefully brings a degree of comfort to folks who are thinking about what their own institutions or what their own corporation can be doing is that there's a lot of technology that is there to help.
So, what's important? One, for me, it all starts with data. We hear that a lot nowadays. One of the big buzzwords is "big data" and people who are using big data and bringing in all sorts of data. And big data is important, and that's great to think about.
But fundamentally, for me, a modern compliance program needs to be thinking about smarter data. You don't want a compliance analyst to be drowning in a billion data points. And then, the analyst has to think about verifying the authenticity of a data point or understanding how 500 data points fit together. So that gets the smarter data and gets to connected data.
Really at the heart of it - at the heart of any sanctions action is a network. It's a network of individuals and entities and vessels and buildings and addresses that somehow all fit together. It's not unique to sanctions, but certainly, looking at it in the sanctions context, I think that that's at the forefront of what I think becomes important for someone to effectively manage a sanctions program - starting to think about the data that they can get in, that is verifiable, that is updated and fundamentally can inform their personnel to make faster and better decisions.
Regulators are always going to be out there wanting banks and wanting corporations to do more, and they should be doing that. That's their job. I think the good news is a modern compliance program that has smart, well-connected, well-thought-out data, using that with a screening tool that flags false positives, that is comprehensive and will employ when needed another buzzword - AI, (It can be over-talked about, but there's also a lot to be said for how can the machine help a smart human being?).
I think at the end of the day, we want to help our smart, compliant professionals with this data and with the technology that empowers them to make smarter, better decisions.
LS
So, the old working smarter, not harder, that we all try to achieve.
JS
Working smarter, not harder. And sometimes I feel like I need to practice what I preach…But we'll save that for a conversation with my therapist. (Laughs) No, I'm just kidding!
It really is how do we do more? How do we make more impact? And it's exciting. It's really challenging, of course, but it's exciting.
I talk to compliance officers and banks, corporations and governments throughout the world every day and hear about how people are tackling these situations. And I'm a data guy, right? I work at a data company. I live and breathe it. And I look at how our data empowers folks to make better decisions and how individuals are thinking about smarter data and working smarter, not harder.
SP
This is Fintech Focus. We're discussing today's sanctions risks and how to maintain compliance with Josh Shrager from Kharon.
So, we talked about Russia a little bit, but are there other specific sanction groups that financial institutions should look out for?
JS
Yes. Russia, Russia, Russia has obviously been the theme of the year for everyone around the world. Right?
That being said, if we look at in the past month alone, and what we see out of OFAC, we see sanctioned actors, numerous Iran sanctions, sanctions targeting networks in Iran and their front companies that operate in the Middle East and South Asia and other places.
We've seen a continued focus on Myanmar and new actions that came out in early October from the US Treasury Department targeting Myanmar. We don't think much about Bosnia and Herzegovina anymore, but we've seen recent actions targeting them. So, while Russia is front and center in the world of sanctions and maybe a lot of the world right now, that's not the only game in town.
The other area that I would call out and it's shocking that we made it this far in a conversation without saying crypto. And we can have a whole other session talking about crypto and talking about sanctions and the crypto space and illicit finance. And we'll save that for now. But what I will mention, of course, is that we're seeing more and more sanctions actions that are targeting illicit actors' crypto wallets. So, we'll see Hamas; we'll see another sanctioned actor, and the Treasury explicitly targeted their wallets, Bitcoin wallets or otherwise.
And then we also saw recently, in the past couple of months, the targeting by the US Treasury Department of something called Tornado Cash, which is a virtual currency mixer. Again, we can not get into all the nuts and bolts of what a mixer is and what that targeting has meant.
But certainly, as we all think about the intersection of crypto and the legitimate economy, we're also seeing sanctions actions that explicitly focus on crypto services like Tornado Cash, or more traditional sanctions that may be going after actors, but also including listing out their Bitcoin or other crypto wallets. That's something that certainly increased, and I would say it's something for us to all keep an eye on.
LS
Yeah, I would think it's a whole other ballgame with crypto.
So, we talked a little bit earlier about smaller organizations maybe getting a little overwhelmed with compliance and ways that education is important for all. But what is at stake for institutions and organizations that aren't keeping an eye on this vast sanctions landscape?
JS
Yeah, I mean, I don't wear the government hat anymore, but I did for a number of years in my career. I still think it's fair to say that the government wants to have willing partners in banks and corporations throughout the country and beyond. I think that's the desire, right? It's not to have to be adversarial.
That being said, at the end of the day, the government has enforcement tools at their disposal that they will use. And there's a couple of buckets that we look at with sanctions compliance or, I would say, with sanctions violations.
There are those in the world or those in the United States (none of our listeners, I have no doubt about that), but who know they're violating sanctions and just do it anyways. There's everybody else whose intent is to follow the law. They want to do what's right.
That being said, they missed something. They don't have a comprehensive enough program. They have the most comprehensive program in the world, but nobody's perfect. Certainly, that exists and while the government doesn't expect that anyone is perfect. They are still willing (and do it all the time), to use their enforcement mechanisms to show people that they're serious.
So, you see enforcement announcements that come out of OFAC or from other regulators with sanctions violations, and they'll talk about monetary fines, or they will say that someone's self-disclosed. And that is certainly a huge factor and what happens with an enforcement action. At the end of the day, we're not here to scare anyone. But the reality is the government takes this seriously.
And I think what the government wants, of course, is for those throughout various industries and sizes of companies to be aware of these sanctions and to know, at the end of the day, the law and sanctions laws, they do not differentiate between the largest bank in the world and the smallest company in the country.
And what we see is that regulators and law enforcement officials certainly are willing to (and have) used their authorities to target those who have had sanctions violations. And I think that's the wake-up call for all of us to be at least educated and aware of what each of our obligations are.
LS
Yeah. And you mentioned penalties. They're getting into the millions of dollars for some organizations. And I look over them every once in a while. And a penalty can be the kiss of death for some smaller companies or organizations. So, it's very, very serious.
JS
Yeah. Look, it's serious and that's it. I mean, we see fines that are tens, hundreds of thousands of dollars. Small, millions of dollars. Hundreds and hundreds and hundreds of millions of dollars. I routinely see fines that are hundreds of thousands of dollars or $1,000,000.
And if you're asking a huge bank, relatively speaking, it's not a lot. If you're asking me or if you're asking my small company that has X millions of dollars of revenue a year, it is a lot. And so much of the fundamental way that the government may treat an enforcement case is by looking at the compliance program or sanctions compliance program that a company has in place.
So, if a company, let's say it's a small, smallish company, and they say, “look, we're smallish, we don't have a huge compliance program, but we're aware that we import or export goods or work with international clients. We're aware that we need to have a sanctions compliance program. We do. Here's their manual; our legal officer's in charge of it because we don't have a dedicated compliance team. But yes, we have a program. We do consult the OFAC list. We do some screening for the 50% rule.”
That would be a mitigating factor or certainly a contributing factor to what sort of penalty ultimately the government would levy against an organization.
SP
Josh, thanks for all of this. I feel like I got a quick geopolitical download, and I certainly have more research to do about Bosnia and Herzegovina and Myanmar and various other things that you mentioned.
But in closing, is there anything else that you would like to say to financial institutions? Anything else that they should know?
JS
I think at the end of the day, this isn't going away. If you look year on year, going back to September 11th, we see that sanctions are increasingly a tool in the government's toolbox that they're using more and more. And that's not going to change anytime soon. It's something that we all need to be mindful of.
We all need to be considerate and educated on where these sanctions programs are going, what that means, and what sort of onus that puts on an individual company. And let's continue to pay attention and inform ourselves. There's a community of folks in the compliance world that are working on these issues day in and day out. Let's see how it all unfolds.
LS
Great. Josh, thank you so much for being on Fintech Focus today and providing some education and awareness to our listeners. We could continue talking about this for hours. It's one of my favorite topics. You've provided a lot of great information for us to all ponder, so thank you for being on.
JS
Thanks, Laura. Thanks, Saxon. Let's do it again.
LS
Sounds good. Thank you.
SP
That should do it for this episode of Fintech Focus. Thanks again to Josh Shrager for joining us and giving us a bit more insight into the sanctioned world. And thanks to all of you for listening.
LS
You can find previous episodes of this show and learn more about what we do by visiting csiweb.com. You can also subscribe to Fintech Focus wherever you get your podcasts. We'll be back soon, but until then, say hi to CSI on Twitter @csisolutions or on our Facebook page, Facebook.com/csisolutions. We'll see you next time.
Note: The above transcript has been lightly edited for clarity.