This is part 2 of a five-part series with Tom Fox and the FCPA Compliance Report on navigating an increasingly complex sanctions landscape. The series will consider the current sanctions landscape, discuss how to build a sanctions compliance program, walk listeners through what happens when a sanctions breach or potential breach is discovered, consider new sanctions exposure, and conclude with a look in that veiled land of the future by considering issues on the horizon.
Who in an organization is responsible for a sanctions compliance program? There is no one-size-fits-all solution. It first depends on the size of the organization. Typically, a sanctions compliance program is within the purview of the Financial Crimes Compliance (FCC) team, which may sometimes be known as the financial security compliance team within a larger compliance department.
Another approach is to have a dedicated sanctions team within the FCC unit. However, in other instances it may be that sanctions compliance is split between other FCC teams, such as anti-money laundering (AML) and anti-bribery and corruption (ABC), or a similar approach. These teams work closely with the “Know Your Customer” (KYC) teams since the underlying customer information is such a critical component of ensuring sanctions compliance. In that structure, the FCC team will report ultimately to the Chief Compliance Officer (CCO).
At the end of the day, every person in the organization is responsible for being aware of and owning their own activity or job function’s sanctions risk. Mitigating this risk cannot solely rest on the shoulders of the compliance department or team.
Whatever structure might work best for a given entity, emphasis must be put on operationalizing a sanctions compliance program at the front-line of defense– the goal being to internalize the importance and the need for sanctions compliance from the bottom up. Sanctions risk can be managed in the same way financial institutions manage credit risk: down to the individual employee. The reason for this is that regulators are increasingly focused on moving the risk management process to the front lines of an organization, with multiple lines of back up.
The importance of sanctions compliance starts by communicating to the first line of defense, but must flow throughout the entire organization: from the CEO to the senior business leaders, and all the way down to employees dealing with the customer base. These are not compliance issues to be handled exclusively by the compliance function, but the compliance department must be empowered to enforce the sanctions compliance program throughout the organization.
While tone from senior management is important, targeted training also bears substantial weight. Fundamental awareness training should be baseline for every employee. Targeted training should be tailored to the exposure and risk level of given activities or job functions, and employees who are exposed to more risk should get more comprehensive, nuanced, and detailed training.
In the current environment, there is increasing pressure for cost-cutting in the compliance function. Organizations should resist the urge to cut costs, even as COVID-19 makes this pressure more acute. Regulators are anticipating that entities will remain vigilant during times of uncertainty. The idea of cutting corners now in an attempt to reduce costs could result in added costs, including fines and penalties, down the road.
To listen to the next podcast in the series, please click here.