Practical issues and steps you should take
Global sanctions are increasing year on year, reflecting a backdrop of increased global conflict. With the World Trade Organisation estimating that 12% of global trade is now affected by sanctions[1], increased cooperation between sanctions and financial crime regulators is likely to result in a proportionate increase in enforcement activity. As such, companies and organisations will be best placed to defend any future regulatory action or class action exposure by reviewing and uplifting their policies, processes and procedures for identifying and addressing sanctions risk now.
We outline the key aspects of the Australian Sanctions Regime, the practical issues that corporations may encounter when implementing and managing their sanctions compliance frameworks, as well as some recent case studies to illustrate how the regime can apply.
What is it?
The Australian Sanctions Regime, like all sanctions regimes, seeks to address situations of international concern by imposing measures including:
- restrictions on trade in goods and services;
- restrictions on engaging in commercial activities;
- targeted financial sanctions on designated persons and entities; and/or
- travel bans on certain persons.
What is the legal basis of these restrictions?
Australia implements United Nations Security Council (UNSC) sanctions regimes as a member of the UN, primarily under the Charter of the United Nations Act 1945 and its regulations, and the Australian autonomous sanctions regime, primarily under the Autonomous Sanctions Act 2011 and Autonomous Sanctions Regulations 2011.
Australia currently imposes 24 separate sanctions regimes.
In addition to these state-based sanctions regimes, the Australian Government introduced major changes to Australia's sanctions framework at the end of 2021 by allowing for the imposition of thematic sanctions against individuals and associated entities for conduct involving serious human rights violations, serious corruption and malicious cyber activity, wherever such persons may be located in the world.
Who must comply?
You are required to comply with the Australian Sanctions Regime if you are:
- a legal person conducting activities in Australia; or
- an Australian citizen or Australian registered body corporate.
Limited exceptions may apply if a permit covering the relevant activity is obtained from the Minister for Foreign Affairs. As set out in our 2023 Year in Review article, the Australian Sanctions Office has granted four general permits to date (each with two-year validity periods). These are permits authorising:
- the provision of financial assistance and financial services relating to Russian oil, together with the transport by ship of Russian oil and refined petroleum products, provided that these products are purchased at or below a price cap;
- payment of taxes required by Russian laws;
- payments to the Russian IP agency for the purpose of obtaining, renewing or maintaining intellectual property rights under Russian law or the Eurasian Patent Convention; and
- dealings with controlled assets for the purpose of obtaining and providing legal advice and representation.
What are the consequences of failure to comply?
The consequences of failure to comply with the Australian Sanctions Regime are serious.
- For individuals, each breach is punishable by imprisonment for up to 10 years and a fine of up to three times the value of the transaction or 2,500 penalty units (at the date of this article $782,500) (whichever is greater).
- For bodies corporate, each breach is punishable by a fine of up to three times the value of the transaction or 10,000 penalty units (at the date of this article $3.13 million) (whichever is greater).
For bodies corporate, these are strict liability offences, which means engaging in conduct that contravenes a sanction will be a breach even if there is no intention to contravene the sanction.
Are any defences available?
A defence is available for bodies corporate that can prove they took reasonable precautions and exercised due diligence to avoid contravening the relevant law (see further 'Raising a robust defence').
The Australian Sanctions Office (ASO), within the Department of Foreign Affairs and Trade, is Australia's primary sanctions regulator. The role of the ASO includes:
- providing guidance to regulated entities;
- processing applications for sanctions permits;
- promoting compliance with the law;
- monitoring compliance in partnership with other government agencies; and
- supporting corrective and enforcement action by law enforcement agencies.
The ASO undertakes its responsibilities in coordination with other Commonwealth agencies, including the Australian Federal Police, Australian Border Force, and the Australian Transaction Reports and Analysis Centre (AUSTRAC). AUSTRAC has recently established:
- a dedicated intelligence team to monitor and triage financial reporting about Russian sanctions;
- an operational response to the Israel/Gaza conflict which includes monitoring for sanctions evasion typologies.
While there have been a handful of publicly disclosed prosecutions of individuals for sanctions offences, there has not yet been any publicly disclosed prosecution of a corporation for a sanctions offence.
In addition to potential criminal prosecutions for sanctions breaches, companies may also be exposed to potential enforcement action by ASIC for breaches of directors' and officers' duties in circumstances of serious sanctions non-compliance and AUSTRAC for violations of Australia's anti-money laundering and counter-terrorism financing laws.
There are a number of practical issues that corporations may encounter when implementing and managing their sanctions compliance framework.
Navigating a complex regime
The application of the Australian Sanctions Regime can be complex, and sanctions risk is becoming ever more material for organisations.
In seeking to ensure compliance, a corporation should establish a sanctions compliance program that accommodates the complexities and nuances of the regime. This program should be documented and communicated to all relevant personnel.
Key aspects of an entity's sanctions compliance program include:
- Risk assessments – before establishing a sanctions compliance program, a corporation should identify and assess its sanctions risk. The systems and controls in the corporation's sanctions program should be commensurate to its assessed sanctions risk;
- Screening and transaction monitoring – a corporation should screen customers, transactions and third party service providers for sanctions risk;
- Alert generation, review and action – a corporation should ensure that alerts raised through its screening and monitoring processes are reviewed by trained personnel and are appropriately investigated and addressed;
- Training and awareness – a corporation should ensure all persons involved in managing sanctions risk receive appropriate and up-to-date training with respect to the risks faced by the company and the systems and controls in place to address those risks;
- Audit and assurance – a corporation's sanctions compliance program, and the systems and controls in the program, should be subject to periodic reviews (as well as further reviews in the event of a material change). The program should also provide for independent audits; and
- Governance – a corporation's sanctions compliance program should have clearly defined roles and responsibilities to ensure the systems and controls in the program are implemented and monitored appropriately. The program should provide for an accountable person at management level who is responsible for overall compliance with sanctions laws. This person should report directly to senior management or the board.
How we can help: we can advise you on and assist with designing and implementing a robust sanctions compliance framework that is tailored to you and the risks you face. This can include advising on the application of the sanctions laws, conducting risk assessments, preparing a sanctions compliance program, conducting training and providing 'on-tap' external legal advice on complex issues.
Responding to incidents
It is important for companies to promptly and thoroughly address issues relating to sanctions compliance as and when they arise. How a company responds to a potential sanctions contravention can significantly impact its legal and reputational standing and stakeholder relationships. Companies that carefully and proactively investigate and address potential issues often emerge stronger, while companies that choose to ignore or minimise issues, or respond reactively, risk creating additional legal exposures (for the company itself and its directors and officers), damaging their standing with regulators and weakening their stakeholder relationships.
How we can help: we have experience assisting clients with all aspects of an investigation in response to a potential incident, engaging with regulators and providing advice on compliance measures to address the incident and prevent further incidents occurring in the future.
Raising a robust defence
It is an offence to contravene the sanctions law. For bodies corporate, this is a strict liability offence, meaning proof of fault is not required to establish the offence. It can be difficult to prevent all possible sanctions breaches, especially for larger entities. For this reason, the law provides that a body corporate will not commit an offence if it can prove it took reasonable precautions and exercised due diligence to avoid contravening the sanctions law. This is an absolute defence that is intended to 'promote a culture of corporate compliance.'[2]
The defence applies an objective test. To rely on this defence, a body corporate must establish that the reasonable precautions it took and the due diligence it exercised are what would be expected of a body corporate in the same position. This is a matter of fact. Sanctions policies and procedures, risk assessments, screening and due diligence software, sanctions compliance training and sanctions expertise (both in-house and external) are all essential to raising a robust defence. These tools must be designed so that they are fit for purpose. They should also be monitored, reviewed and updated regularly.
How we can help: we can advise you on and assist with designing and implementing a robust sanctions compliance framework. Should an incident occur, we can assist you with a response, including by helping you to conduct an investigation of the issues and advising you on legal risks and compliance measures. See above for further detail.
Extra-territorial application of sanctions regimes
A corporation should assess its sanctions risk before engaging in any activities and reassess its sanctions risk on a regular basis. When assessing sanctions risk, a corporation should consider whether its activities are caught under the sanctions laws in other jurisdictions. Some of these laws have wide extra-territorial application. This is most notable in the US, where sanctions laws are given broad extra-territorial effect and are actively enforced by US regulators. US sanctions laws apply to:
- US persons, which includes US citizens and permanent residents (wherever located), other persons located in the US, US entities and non-US entities that are owned or controlled by US persons;
- US products, software and technology; and
- persons that cause or are involved in activity within the US (eg making a US-dollar transaction through the US financial system).
Australian corporations need to be alive to the potential impacts of sanctions laws with extra-territorial application and take steps to ensure compliance with these laws. These measures may include, for example, implementing systems and controls to ensure the entity does not provide a product or service to a US person.
How we can help: we can assist you with mapping which sanctions regimes may apply, putting in place appropriate risk assessment and monitoring processes to ensure compliance and advising on the application of multi-jurisdictional sanctions laws through our integrated alliance with Linklaters.
In brief: In October 2022, OFAC announced that virtual currency exchange Bittrex, Inc (Bittrex) agreed to pay over US$53.56 million to resolve liability in relation to alleged violations of multiple sanctions programs and anti-money laundering and suspicious activity report reporting requirements.
OFAC alleged that Bittrex failed to prevent persons located in sanctioned jurisdictions from using its platform to engage in virtual currency-related transactions. Specifically:
- based on IP address information and physical address information collected about each customer at onboarding, Bittrex had reason to know these users were located in jurisdictions subject to sanctions. However, at the time of the transactions, Bittrex was not screening this customer information for terms associated with sanctioned jurisdictions.
- Bittrex did not maintain an effective anti-money-laundering program from February 2014 through December 2018. At times, as few as two employees were responsible for reviewing over 20,000 daily transactions for suspicious activity.
However, OFAC took the view that the following mitigating factors significantly reduced the penalty payable:
- Bittrex was a small, new company at the time of most of the alleged violations;
- Bittrex substantially cooperated with OFAC's investigation; and
- Bittrex took remedial measures quickly in response to the alleged violations.
- New companies and those involved in emerging technologies should embed sanctions compliance into their business functions from the outset.
- Companies should ensure their sanctions compliance service providers are providing services commensurate with their sanctions compliance risk.
- When providing services globally, screening for location information is an important control, especially when location information is available through IP addresses or information provided by customers.
In brief: In March 2023, Wells Fargo Bank (Wells Fargo) agreed to pay US$30 million to resolve liability in relation to 124 alleged violations of the Iranian, Sudanese and Syrian sanctions programs.
OFAC alleged that:
- from 2008 to 2015, Wells Fargo and its predecessor, Wachovia Bank, provided a foreign bank located in Europe with software that the European bank then used to process trade finance transactions with US-sanctioned jurisdictions and persons.
- Wells Fargo did not identify or stop the European bank’s use of the software platform for prohibited trade-finance transactions involving sanctioned jurisdictions and persons for seven years despite potential concerns raised internally within Wells Fargo on multiple occasions.
However, OFAC took the view that the applicable penalty should be reduced as the majority of the violations related to agriculture, medicine and telecommunications spending which may have been eligible for a general or specific licence – limiting the sanctions harm caused by the conduct.
- There should be oversight across all business units within an organisation. This includes lines of business that may be small relative to the larger organisation or that involve products or services falling outside the larger organisation’s core business.
- Companies should promptly investigate and address sanctions compliance risks when raised internally.
- Companies should undertake comprehensive due diligence regarding potential sanctions risk when undertaking a merger or acquisition, pursuing new business opportunities or preserving business relationships without proper oversight.
Binance Holdings Limited
In brief: In November 2023, cryptocurrency exchange Binance Holdings Limited (Binance) agreed to pay US$4 billion to the DOJ (including approximately $970 million to OFAC) in relation to contraventions of sanctions and anti-money laundering laws.
OFAC alleged that Binance prioritised profits over compliance and knowingly allowed US customers to trade with users in sanctioned jurisdictions. Specifically:
- between August 2017 and October 2022, Binance knew it had users from sanctioned jurisdictions which would be matched by its algorithm with US users in breach of sanctions laws;
- senior management was aware that Binance’s trade matching algorithm would cause US users to transact with users in sanctioned jurisdictions and, despite attempts from the Chief Compliance Officer to convince the Binance CEO to adopt mitigants to avoid sanctions violations, did not implement controls to prevent these sanctions breaches from occurring;
- as a result of its failure to implement controls, Binance processed over 1.6 million individual virtual currency transactions — totalling approximately US$706 million — in violation of Iranian, Syrian, North Korean, Cuban and Ukrainian and Russian Sanctions.
- Compliance controls should be incorporated into a company’s platforms and systems. Companies will be responsible for the technologies they use, including where use of an algorithm or other 'autonomous' system contributes to a sanctions violation.
- Commitment to sanctions compliance must come from the top and should begin from a company's first day of operations. Effective compliance requires adequate resourcing as well as compliance functions receiving the backing and authority necessary to perform their role.
In brief: In February 2020, the UK's Office of Financial Sanctions Implementation (OFSI) imposed penalties totalling £20.47 million on Standard Chartered Bank (SCB) for breaches of European Union (EU) sanctions on Russian banks and other entities in relation to actions that undermined or threatened the territorial integrity and independence of Ukraine.
The relevant EU sanctions prohibit any person within the EU from making loans or providing credit to sanctioned entities where those loans or credit have a maturity of over 30 days.
Between 2015 and 2018, SCB made 102 loans totalling £97.4 million to Denizbank A.Ş. At the time, Denizbank was almost wholly owned by Russia's Sberbank and was a sanctioned entity.
While some of the loans were subject to an exemption under the sanctions regime (for financing the import or export of non-prohibited goods between the EU and a third party), and OFSI acknowledged that SCB had taken steps to ensure its dealings with Denizbank were compliant with the EU sanctions, those compliance measures were not appropriately implemented and enabled loans to be made which violated EU regulations.
SCB was penalised for 21 loans made to Denizbank. OFSI applied a 30% discount to the penalty because SCB self-reported the breaches and conducted an internal investigation into the misconduct. SCB's penalty was further reduced on a ministerial review of quantum.
In introducing compliance measures, companies must ensure those measures function effectively in practice. This is equally important where the measures are implemented for the purposes of meeting an exemption under a sanctions regime.
In considering penalties, regulators and government authorities generally look favourably on companies' good faith attempts to comply with sanctions regimes and, in cases of suspected misconduct, attempts to investigate and rectify wrongdoing.
Australian enforcement action
In brief: Following a 2006 Royal Commission to investigate Australian companies' involvement in violations of the UN's sanctions regime on Iraq, ASIC commenced civil penalty proceedings against six former officers of the Australian Wheat Board (AWB) (later known as AWB Limited). One of those directors was found by the Supreme Court of Victoria to have breached his director's duties by failing to make enquiries and prevent wrongdoing by AWB, even though he did not participate in or have any direct knowledge of the misconduct. The conduct occurred before the current Australian sanctions regime was in place.
- In 2006, the Australian Government established a Royal Commission (known as the 'Cole Inquiry') in response to the findings of a 2005 report from the UN that AWB had breached UN sanctions on Iraq by facilitating violations by Iraq of the 'Oil for Food Program', the scheme established by the UN in 1995 which permitted Iraq to sell its oil in the global market but prevented Iraq from using the proceeds of those sales to build its military capability.
- The UN's inquiry found that, in breach of UN sanctions, AWB had funnelled payments to Iraq via a third party company in Jordan and had supplied foreign currency to Iraq.
- The Cole Inquiry substantiated the findings of the UN report and recommended that a number of AWB officers be investigated for potential crimes under state and federal criminal legislation and for civil breaches of the Corporations Act 2001.
- Ultimately, criminal prosecutions were not pursued but ASIC commenced civil penalty proceedings against six former officers. In October 2016, two such proceedings were heard at trial.
ASIC's civil penalty proceedings
- ASIC alleged that Mr Trevor Flugge, former Chairman of AWB, and Mr Peter Geary, former director of AWB, breached their directors' duties under sections 180 (a director must act with care and diligence) and 181 (a director must act in good faith and for a proper purpose) of the Corporations Act by failing to inquire into and stop AWB's misconduct.
- In the case against Mr Flugge, the court found that Mr Flugge had breached s180 of the Corporations Act because, while he did not know that certain of the payments were contrary to UN sanctions (and indeed was under the impression that certain of them were approved by the UN), he was on notice that the UN had made enquiries in relation to the payments from 2000. Accordingly, on receipt of such notice, the court found Mr Flugge had a duty to make reasonable enquiries into whether the payments were irregular, and those enquiries would have revealed the improper conduct. Mr Flugge received a $50,000 fine.
- In the case against Mr Geary, the court found that ASIC had not sufficiently proven that Mr Geary knew, or should have known, that the impugned payments were irregular or were not approved by the UN. ASIC appealed the court's decision with respect to Mr Geary in 2018 but was unsuccessful.
A reminder that directors and officers may be found personally liable for sanctions contraventions of their companies, and will not be able to plead ignorance when, by reason of their position, they were duty-bound to make enquiries and the enquiries would have disclosed the wrongdoing.
[1] https://www.wto.org/english/res_e/booksp_e/wtr23_e/wtr23_e.pdf, page 50 (Figure C.3).
[2] Clause 16, Explanatory Memorandum, Autonomous Sanctions Bill 2010 (Cth).