by Brent Carlson and Michael Huneke
“Slow is Smooth, Smooth is Fast.” U.S. Navy SEALs and Aikido martial arts masters have valued this mantra as a reminder that deliberate, thoughtful action is—unexpectedly—the quickest way to accomplish your objectives in the face of chaotic circumstances.
Next in our “fresh look” series on economic sanctions and export controls compliance—and the convergence of both with anti-corruption compliance following the declaration by the DOJ that sanctions are the “new FCPA”—we apply this principle to responding to allegations of sanctions or export controls evasion.
Compliance professionals dealing with an allegation of sanctions or export controls evasion are facing chaotic, dynamic, and multidimensional circumstances. Today’s sanctions evaders include highly sophisticated actors who know the weaknesses of traditional, KYC-based screening tools. In parallel, sanctions regimes are expanding and U.S. authorities are increasing their expectations for companies, which they consider to be on the front lines not just of economic competition but warfare, while also devoting increasing resources to sanctions and export controls prosecutions as a national security priority. A third front exists in the form of new, significant incentives for whistleblowers to report suspected evasion to U.S. regulators.
In these circumstances, we offer some practical guidance for applying a “slow is smooth, smooth is fast” approach to planning and executing internal investigations, thereby reducing the risk of investigative or analytical missteps that could cause severe consequences later.
Slow is Smooth: Planning for Investigations
Investigations are stressful events. The key is not to give in to the pressure to speed up, but to slow down. Breathe. Be the calm in the middle of the storm. Slowing down (and remembering to breathe, literally and figuratively) allows one to keep overall objectives in focus while being more mindful of the critical details. This makes investigations more efficient, effective, and economical.
The Goldilocks Factor: Use Work Plans to Calibrate between Doing Too Much or Too Little
Haphazard investigations that jump from doing too much to doing too little are prone to inefficiencies and are difficult to defend under external scrutiny. Keep in mind the dangers of this “Goldilocks” Factor in taking the time to align on agreed objectives and tailor your work to meet them. Investigations will often take unexpected turns; and there will always in hindsight be some areas where more could have been done and others, less. Work plans accordingly should evolve. But defaulting to “boiling the ocean” approaches prove too much (and are not regulators’ expectation) and thereby waste finite resources, unreasonably delay resolution, and risk obscuring key root causes. Similarly, rushing investigations and limiting review to data that is easily available proves too little and risks missing information that, while requiring a bit more effort to obtain, might be the most critical.
Map Your Data Before You Need to Scramble for It
The slow-is-smooth approach to data mapping is to do so in advance before you are in a crisis. Determine now how relatively higher-risk subsidiaries generate, receive, and maintain sales order and shipment documentation. What nonfinancial data (e.g., emails and other forms of correspondence) is generated? What financial data? Is relevant information collected by departments other than sales or logistics (e.g., tax or finance)? Where are the underlying sales orders? Scrambling to map these data sets in the context of an investigation will both feel rushed and responses from colleagues might be overly cautious or even delayed when they know an investigation is underway. It is a good idea to refresh the data map as part of regular risk assessments. That way the map will be ready before you need it.
Companies could also consider a mock “tabletop” training exercise to practice locating information relevant to an allegation of evasion. Such exercises are opportunities for training and communication on the new emphasis by U.S. authorities on sanctions and export controls compliance.
Look at Geographic Maps; Appreciate Time and Cost Pressures
Regulators look at maps, so should you. Some risks do not jump off the page but are unavoidable with even a casual reference to a map. Your transport and logistics providers are businesses; assume that they face intense competitive and end-customer pressures to always take the shortest, cheapest option. This is particularly so for distributors or resellers from whom you require advance payment.
Smooth is Fast: Executing Investigations in a Deliberate, Efficient Manner
Stress-Test the Reliability of Data Inputs
When executing an investigation, take a critical look at the reliability of the inputs. Both internal and external records can be falsified. All fraud starts with pressure, so look at the dynamics and individuals involved in the creation and handling of documents. Taking a “smooth is fast” approach puts you in the best position to notice anomalies and discrepancies that can be identified and pulled out through thoughtful analysis.
End-user information is a weak link in sanctions and export controls compliance. Obtaining end-use and end-user certifications is a fundamental aspect of sanctions and export controls compliance; so too, however, are actually reading and critically assessing the information you are provided. Even where a purported end-user is not sanctioned and passes traditional KYC checks, stress-test the information you receive in at least two important aspects:
- End-User Identity: Is the purported end-user in fact an end-user? Freight forwarders are not end-customers; it is insufficient to screen only them.[1] Recent enforcement activity highlights the risk of not stress-testing whether the purported end-user is actually the end-user.[2]
- End-User Capability: Is the end-user capable of using the product received? For example, is a general trading company in a free zone going to buy heavy equipment for its own use? Or are they just going to trade the heavy equipment to an actual end-user?[3]
Request and Review Export and Shipping Documentation
Export and shipping documents are essential to any sanctions or export controls evasion investigation. Such documents may contain evidence of evasion on their face; at the least, they provide a contemporaneous record of product movement against which to test other information. Do not forget to evaluate whether the shipping documentation shows signs of manipulation or fabrication.
Also look at the Harmonized System (“HS”) codes used for the product shipped. The U.S. government has publicly identified high-priority HS codes that should receive more attention and recently issued related guidance on September 28, 2023.[4] Sophisticated actors seeking to evade sanctions or export controls are equally aware of these “trigger” HS codes. Expect that evasion efforts will attempt to trick employees, or conspire with them, to avoid these HS codes appearing on documentation.
Understand Incoterms—and their Limitations
There is no International Commercial Terms or “Incoterms” defense to sanctions or export control evasion. The deliberate use of Incoterms to facilitate evasion would also expose the seller and its employees to potential criminal liability.
Evaluate also whether prior practices changed. Have the Incoterms recently changed, such that your company no longer receives shipping information? As we mentioned previously,[5] how, when, and why shipping or customer information has changed are important to identifying and analyzing evasion risks.
Understand Buyer Incentives
It is perfectly legitimate to offer customers or distributors the opportunity to purchase on credit, to award them additional product free of charge, or to offer to split certain costs with them. But if you are investigating alleged evasion, be mindful that such incentives can be abused to obscure improper activity.
Scope Investigations to Find—and Enable You to Remediate—Root Causes
Identifying its root causes and remedying them are expected by U.S. authorities to be elements of any company’s compliance program and evidence that an internal investigations process is “working” in practice. Keeping this in mind from planning, during execution, and through close-out is important to reduce the risk of having to double-back or fill a gap at the end.
Application to Whistleblower Allegations
In adopting a “slow is smooth, smooth is fast” approach to internal investigations of potential evasion, prepare for increasing numbers of whistleblower reports.
The U.S. Securities & Exchange Commission (“SEC”) already has a well-known whistleblower program; although reports alleging economic sanctions and export controls violations appear to have been historically rare, the SEC has in the past considered that the falsification of company records and the failure to prevent evasion to violate the accounting provisions applicable to certain issuers of securities (U.S. and foreign).[6] With sanctions and export controls being a top national security priority, expect the potential rewards for whistleblowers to dramatically increase—and the SEC will consider fines in related enforcement actions by other departments in calculating whistleblower awards.
Additionally, recent U.S. legislation expanded an existing FinCEN Bank Secrecy Act whistleblower program to include violations of U.S. economic sanctions.[7] Although FinCEN has not yet published the program’s implementing regulations, media coverage and FinCEN’s public statements suggest that it has already received reports of economic sanctions violations[8] and, as of October 3, 2023, FinCEN has already made referrals to the DOJ and OFAC.[9] The SEC and FinCEN programs can award whistleblowers between 10 and 30 percent of fines collected, providing a substantial financial incentive for employees or counterparties—or competitors—to come forward.
Conclusion
The current sanctions and export controls enforcement environment is undergoing radical changes caused by geopolitical factors over which internal compliance professionals have no control. These changes increase the potential consequences for missteps in the scoping or execution of internal investigations in response to allegations of evasion. Such risks and consequences will only multiply if dealt with in a reactive or ad hoc manner; instead, they call for a “slow is smooth, smooth is fast” mindset that will ensure time is taken to deliberate and document subjective decision-making and that investigations will be sufficiently scoped to identify root causes while achieving their objectives more quickly than through rushed decision-making. Companies can get ahead of the curve now by taking a “slow is smooth” approach to investigative processes and planning, so that in responding to actual allegations of evasion they are prepared to execute a “smooth is fast” approach.
Footnotes
[1] See, e.g., FinCEN & BIS, FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Increased Vigilance for Potential Russian and Belarusian Export Control Evasion Attempts (June 28, 2022) (evasion red flags include “Transactions involving freight-forwarding firms that are also listed as the product’s final end customer, especially items going to traditional Russian transshipment hubs.”) (footnotes omitted), available at https://www.fincen.gov/sites/default/files/2022-06/FinCEN%20and%20Bis%20Joint%20Alert%20FINAL.pdf.
[2] See, e.g., 3M’s recent $9.6 million settlement with OFAC, where among other things “The Trade Compliance employee . . . mistook the German intermediary to be the end user . . . and did not perform due diligence on the Iranian entity.” available at https://ofac.treasury.gov/media/932166/download?inline.
[3] See, e.g., U.S. Attorney’s Office for the Northern District of Georgia, Virginia man convicted of exporting heavy equipment to Iran in violation of U.S. sanctions laws (Sept. 14, 2023), available at https://www.justice.gov/usao-ndga/pr/virginia-man-convicted-exporting-heavy-equipment-iran-violation-us-sanctions-laws.
[4] See, e.g., BIS, Bureau of Industry & Security Issues Best Practice Guidance to Help Prevent High-Priority Items from being Diverted to Russia (Sept. 28, 2023), https://www.bis.doc.gov/index.php/documents/about-bis/newsroom/press-releases/3342-2023-09-25-bis-press-release-customer-certification-v3-se/file.
[5] Brent Carlson & Michael Huneke, Know Your Customer, but also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA” (Sept. 28, 2023), https://wp.nyu.edu/compliance_enforcement/2023/09/28/know-your-customer-but-also-yourself-a-fresh-look-at-sanctions-export-controls-risk-assessments-in-the-era-of-the-new-fcpa/.
[6] In the Matter of Quad/Graphics, Inc. (Exchange Act Release No. 87128, Sept. 26, 2019).
[7] The Anti-Money Laundering Whistleblower Improvement Act (part of the Consolidated Appropriations Act (2023), Pub. L. 117-328.
[8] Fred Williams, FinCEN Fast Tracks Whistleblower Rule, moneylaundering.com (July 13, 2023); Fred Williams, Dozens of Whistleblowers Have Contacted FinCEN Since December: Sources, moneylaundering.com (Jan. 17, 2023).
[9] FinCEN, Prepared Remarks of FinCEN Director Andrea Gacki During ACAMS: The Assembly (delivered virtually) (Oct. 3, 2023), available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-andrea-gacki-during-acams-assembly-delivered.
Brent Carlson is a Director at the Berkeley Research Group, LLC. Michael Huneke is a partner in the Anti-Corruption & Internal Investigations and Sanctions, Export Controls, and Anti-Money Laundering practice groups at Hughes Hubbard & Reed LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).