Practical issues and steps you should take 14 min read
In a tightening global security environment, the Australian government has recently increased its focus on sanctions, including ushering in new Magnitsky-style reforms to Australia's sanctions laws at the end of last year. Given the limited enforcement in this area in Australia to date and the likely varying standards of compliance across industries and sectors, we see this area as ripe for further regulatory scrutiny. As such, companies and organisations will be best placed to defend any future regulatory action or class action exposure by reviewing and uplifting their policies, processes and procedures for identifying and addressing sanctions risk now.
We outline the key aspects of the Australian Sanctions Regime, the practical issues that corporations may encounter when implementing and managing their sanctions compliance frameworks, as well as some recent case studies to illustrate how the regime can apply.
What is it?
The Australian Sanctions Regime, like all sanctions regimes, seeks to address situations of international concern by imposing measures including:
- restrictions on trade in goods and services;
- restrictions on engaging in commercial activities;
- targeted financial sanctions on designated persons and entities; and/or
- travel bans on certain persons.
What is the legal basis of these restrictions?
Australia implements United Nations Security Counsel (UNSC) sanctions regimes as a member of the UN, primarily under the Charter of the United Nations Act 1945, and its regulations and the Australian autonomous sanctions regime, primarily under the Autonomous Sanctions Act 2011 and Autonomous Sanctions Regulations 2011.
Australia currently imposes 21 separate sanctions regimes.
In addition to these state-based sanctions regimes, the Australian government introduced major changes to Australia's sanctions framework at the end of last year by allowing for the imposition of thematic sanctions against individuals and associated entities for conduct involving serious human rights violations, serious corruption and malicious cyber activity, wherever such persons may be located in the world.
Who must comply?
You are required to comply with the Australian Sanctions Regime if you are:
- a legal person conducting activities in Australia; or
- an Australian citizen or Australian registered body corporate.
Limited exceptions may apply if a permit covering the relevant activity is obtained from the Minister for Foreign Affairs. Australia does not otherwise have a general licensing system, such as the system administered in the US by the Office of Foreign Assets Control (OFAC), that allows a class of person to engage in certain types of transactions that would otherwise be prohibited without the need to apply for an individual license or permit.
What are the consequences of failure to comply?
The consequences of failure to comply with the Australian Sanctions Regime are serious.
- For individuals, each breach is punishable by imprisonment for up to 10 years and a fine of up to three times the value of the transaction or $555,000 (whichever is greater).
- For bodies corporate, each breach is punishable by a fine of up to three times the value of the transaction or $2.22 million (whichever is greater).
For bodies corporate, these are strict liability offences, which means engaging in conduct that contravenes a sanction will be a breach even if there is no intention to contravene the sanction.
Are any defences available?
A defence is available for bodies corporate that can prove they took reasonable precautions and exercised due diligence to avoid contravening the relevant law (see further 'Raising a robust defence').
As of 1 January 2020, DFAT established the Australian Sanctions Office (ASO). This was in response to the perception that Australia has a sound legal framework for the administration of sanctions but, until now, lacked a dedicated regulator.
The role of the ASO includes:
- providing guidance to regulated entities;
- processing applications for sanctions permits;
- promoting compliance with the law;
- monitoring compliance in partnership with other government agencies; and
- supporting corrective and enforcement action by law enforcement agencies.
Despite the establishment of ASO, we understand that the Australian Federal Police remains the primary agency for investigating potential sanctions offences, and to date, there has been minimal corporate enforcement of breaches of Australia's sanctions laws. Drawing parallels to other adjacent financial crime areas that have seen active enforcement in the past few years, we expect that sanctions compliance standards and practices will vary greatly across industries and sectors. Thus, we see this as an area that is ripe for further regulatory scrutiny and identification of breaches.
Companies may also be exposed to potential enforcement action by ASIC for breaches of directors' and officers' duties in circumstances of serious sanctions non-compliance and by the Australian Transaction Reports and Analysis Centre (AUSTRAC). In the latter case, a sanctions breach could, in some cases, also amount to a violation of Australia's anti-money laundering and counter-terrorism financing laws. AUSTRAC has published guidance on what it expects from the entities it regulates in dealing with countries, regions and groups that may pose a high risk of money laundering or terrorism financing. There also remains class actions risk for public disclosures concerning sanctions and financial crime compliance, which we have seen result in increased litigation against companies in other financial crime areas.
There are a number of practical issues that corporations may encounter when implementing and managing their sanctions compliance framework.
Navigating a complex regime
The application of the Australian Sanctions Regime can be complex, and with the new Magnitsky-style reforms, sanctions risk is becoming ever more dispersed for organisations. For example, multiple restrictions may apply to an activity and/or person, or restrictions may apply because of ultimate ownership (which may not be readily discernible).
In seeking to ensure compliance, a corporation should establish a sanctions compliance program that accommodates for the complexities and nuances of the regime. This program should be documented and communicated to all relevant personnel.
Key aspects of an entity's sanctions compliance program include:
- Risk assessments - before establishing a sanctions compliance program, a corporation should identify and assess its sanctions risk. The systems and controls in the corporation's sanctions program should be commensurate to its assessed sanctions risk;
- Screening and transaction monitoring - a corporation should screen customers, transactions and third party service providers for sanctions risk;
- Alert generation, review and action - a corporation should ensure that alerts raised through its screening and monitoring processes are reviewed by trained personnel and are appropriately investigated and addressed;
- Training and awareness - a corporation should ensure all persons involved in managing sanctions risk receive appropriate and up-to-date training with respect to the risks faced by the company and the systems and controls in place to address those risks;
- Audit and assurance – a corporation's sanctions compliance program, and the systems and controls in the program, should be subject to periodic reviews (as well as further reviews in the event of a material change). The program should also provide for independent audits; and
- Governance – a corporation's sanctions compliance program should have clearly defined roles and responsibilities to ensure the systems and controls in the program are implemented and monitored appropriately. The program should provide for an accountable person at the management level who is responsible for overall compliance with sanctions laws. This person should have direct report to senior management or the board.
|How we can help: We can advise you on, and assist with, the design and implementation of a robust sanctions compliance framework that is tailored to you and the risks you face. This can include us advising on the application of the sanctions laws, conducting risk assessments, preparing a sanctions compliance program, conducting training and providing 'on-tap' external legal advice on complex issues.|
Responding to incidents
It is important for companies to promptly and thoroughly address issues relating to sanctions compliance as and when they arise. How a company responds to a potential sanctions contravention can significantly impact its legal and reputational standing and stakeholder relationships. Companies that carefully and proactively investigate and address potential issues often emerge stronger, while companies that choose to ignore or minimise issues, or respond reactively, risk creating additional legal exposures (for the company itself and its directors and officers), damaging their standing with regulators and weakening their stakeholder relationships.
|How we can help: We have experience assisting clients with all aspects of an investigation in response to a potential incident, engaging with regulators and providing advice on compliance measures to address the incident and prevent further incidents occurring in the future.|
Raising a robust defence
It is an offence to contravene the sanctions law. For bodies corporate, this is a strict liability offence, meaning proof of fault is not required to establish the offence. It can be difficult to prevent all possible sanctions breaches, especially for larger entities. For this reason, the law provides that a body corporate will not commit an offence if it can prove it took reasonable precautions and exercised due diligence to avoid contravening the sanctions law. This is an absolute defence that is intended to 'promote a culture of corporate compliance.'1
The defence applies an objective test. To rely on this defence, a body corporate must establish that the reasonable precautions it took and the due diligence it exercised are what would be expected of a body corporate in the same position. This is a matter of fact. Sanctions policies and procedures, risk assessments, screening and due diligence software, sanctions compliance training and sanctions expertise (both in-house and external) are all essential to raising a robust defence. These tools must be designed so that they are fit for purpose. They should also be monitored, reviewed and updated regularly.
|How we can help: We can advise you on, and assist with, the design and implementation of a robust sanctions compliance framework. Should an incident occur, we can assist you with a response, including by helping you to conduct an investigation of the issues and advising you on legal risks and compliance measures. See above for further detail.|
Extra-territorial application of sanctions regimes
A corporation should assess its sanctions risk before engaging in any activities and reassess its sanctions risk on a regular basis. When assessing sanctions risk, a corporation should consider whether its activities are caught under the sanctions laws in other jurisdictions. Some of these laws have wide extra-territorial application. This is most notable in the US, where sanctions laws are given broad extra-territorial effect and are actively enforced by US regulators. US sanctions laws apply to:
- US persons, which includes US citizens and permanent residents (wherever located), other persons located in the US, US entities and non-US entities that are owned or controlled by US persons;
- US products, software and technology; and
- persons that cause or are involved in activity within the US (eg making a US-dollar transaction through the US financial system).
Australian corporations need to be alive to the potential impacts of sanctions laws with extra-territorial application and take steps to ensure compliance with these laws. These measures may include, for example, implementing systems and controls to ensure the entity does not provide a product or service to a US person.
|How we can help: We can assist you with mapping which sanctions regimes may apply, putting in place appropriate risk assessment and monitoring processes to ensure compliance and advising on the application of multi-jurisdictional sanctions laws through our integrated alliance with Linklaters.|
Standard Chartered Bank
In brief: In February 2020, the UK's Office of Financial Sanctions Implementation (OFSI) imposed penalties totalling £20.47 million on Standard Chartered Bank (SCB) for breaches of European Union (EU) sanctions on Russian banks and other entities in relation to actions that undermined or threatened the territorial integrity and independence of Ukraine.
- The relevant EU sanctions prohibit any person within the EU from making loans or providing credit to sanctioned entities where those loans or credit have a maturity of over 30 days.
- Between 2015 and 2018, SCB made 102 loans totalling £97.4 million to Denizbank A.Ş. At the time, Denizbank was then almost wholly owned by Russia's Sberbank and was a sanctioned entity.
- While some of the loans were subject to an exemption under the sanctions regime (for financing the import or export of non-prohibited goods between the EU and a third party), and OFSI acknowledged that SCB had taken steps to ensure its dealings with Denizbank were compliant with the EU sanctions, those compliance measures were not appropriately implemented and enabled loans to be made which violated EU regulations.
- SCB was penalised for 21 loans made to Denizbank. OFSI applied a 30% discount to the penalty because SCB self-reported the breaches and conducted an internal investigation into the misconduct. SCB's penalty was further reduced on a ministerial review of quantum.
- In introducing compliance measures, companies must ensure those measures function effectively in practice. This is equally important where the measures are implemented for the purposes of meeting an exemption under a sanctions regime.
- In considering penalties, regulators and government authorities generally look favourably on companies' good faith attempts to comply with sanctions regimes and, in cases of suspected misconduct, attempts to investigate and rectify wrongdoing.
In brief: Following a 2006 Royal Commission to investigate Australian companies' involvement in violations of the UN's sanctions regime on Iraq, ASIC commenced civil penalty proceedings against six former officers of the Australian Wheat Board (AWB) (later known as AWB Limited). One of those directors was found by the Supreme Court of Victoria to have breached his director's duties by failing to make enquiries and prevent wrongdoing by AWB, even though he did not participate in or have any direct knowledge of the misconduct. The conduct occurred before the current Australian sanctions regime was in place.
- In 2006, the Australian Government established a Royal Commission (known as the 'Cole Inquiry') in response to the findings of a 2005 report from the UN that AWB had breached UN sanctions on Iraq by facilitating violations by Iraq of the 'Oil for Food Program' - the scheme established by the UN in 1995 which permitted Iraq to sell its oil in the global market but prevent Iraq from using the proceeds of those sales to build its military capability.
- The UN's inquiry found that, in breach of UN sanctions, AWB had funnelled payments to Iraq via a third party company in Jordan and had supplied foreign currency to Iraq.
- The Cole Inquiry substantiated the findings of the UN report and recommended that a number of AWB officers be investigated for potential crimes under state and federal criminal legislation and for civil breaches of the Corporations Act 2001.
- Ultimately, criminal prosecutions were not pursued but ASIC commenced civil penalty proceedings against six former officers. In October 2016, two such proceedings were heard at trial.
ASIC's civil penalty proceedings
- ASIC alleged that Mr Trevor Flugge, former Chairman of AWB, and Mr Peter Geary, former director of AWB, breached their directors' duties under sections 180 (a director must act with care and diligence) and 181 (a director must act in good faith and for a proper purpose) of the Corporations Act by failing to inquire into and stop AWB's misconduct.
- The case against Mr Flugge - The court found that Mr Flugge had breached s180 of the Corporations Act because, while he did not know that certain of the payments were contrary to UN sanctions (and indeed was under the impression that certain of them were approved by the UN), he was on notice that the UN had made enquiries in relation to the payments from 2000. Accordingly, on receipt of such notice, the court found Mr Flugge had a duty to make reasonable enquiries into whether the payments were irregular, and those enquiries would have revealed the improper conduct. Mr Flugge received a $50,000 fine.
- The case against Mr Geary - The court found that ASIC had not sufficiently proven that Mr Geary knew, or should have known, that the impugned payments were irregular or were not approved by the UN. ASIC appealed the court's decision with respect to Mr Geary in 2018 but was unsuccessful.
- A reminder that directors and officers may be found personally liable for sanctions contraventions of their companies, and will not be able to plead ignorance when, by reason of their position, they were duty-bound to make enquiries and the enquiries would have disclosed the wrongdoing.
Société Générale S.A.
In brief: In November 2018, Société Générale (SocGen) agreed to pay penalties totalling USD$1.34 billion to US authorities to settle its liability for more than 2,500 sanctions-violating transactions involving Cuban, Iranian and Sundanese entities.
- SocGen admitted to having processed billions of dollars of illicit funds to or through the US or US financial institutions that involved sanctioned Cuba, Iranian and Sudanese individuals or entities from at least 2004 through to 2012 in a 'non- transparent manner that omitted, obscured or otherwise failed to include references' to the sanctioned entities in the information that was provided to US financial institutions that were involved in the relevant transactions.
- The settlement was a global settlement between SocGen and a number of US authorities, including OFAC and the US Department of Justice.
- US authorities are willing to enforce US sanctions law against entities incorporated overseas.
- The majority of SocGen's sanctions violations stemmed from the provision of US dollar credit facilities provided to Cuban banks and other entities controlled by Cuba, and to Cuban and foreign corporations for business conducted.
- The settlement amount reflected the US authorities' consideration of both aggravating and mitigating factors:
- Aggravating factors included that multiple bank units and business lines were involved in removing or obscuring references to the sanctioned entities in payment instructions (demonstrating a 'pattern or practice' of the behaviour) and that numerous employees, managers and officers had actual knowledge of the misconduct.
- Mitigating factors included that SocGen cooperated with the authorities' investigations, ceased the misconduct and took a number of remedial steps including establishing better compliance policies and procedures, increasing the number of personnel within the bank's compliance functions and implementing more comprehensive training.
In brief: In September 2018, Epsilon Electronics (Epsilon) agreed to pay the OFAC USD$1.5 million to settle its liability for alleged violations of US economic sanctions on Iran by selling electronics to a third party that distributed those products to Iran.
- In 2014, OFAC issued Epsilon, a Californian car audio and video equipment manufacturer, with a penalty notice which alleged that between 2008 to 2012, Epsilon sold $2,830,000 worth of electronics to Asra International LLC, a company based in Dubai, that Epsilon knew or had reason to know distributed most, if not all, of its products to Iran.
- Epsilon and OFAC agreed the settlement figure after Epsilon unsuccessfully challenged the penalty notice in US courts and the matter was remanded to OFAC for reconsideration.
All businesses must do proper due diligence on the business activities of their distributors, especially where those distributors are based overseas and may not be subject to an equivalent sanctions regime.
Clause 16, Explanatory Memorandum, Autonomous Sanctions Bill 2010 (Cth).