April 24, 2020
By: Natasha Bright, Content Writer, ACSS
In order to gain insight into the real-world experience of those in the industry, the Association of Certified Sanctions Specialists (ACSS) has taken the time to ask sanctions professionals about their day-to-day activities and how they see the future of the sanctions industry unfolding.
For this Member Profile, ACSS had a conversation with Matt Bell, who leads the export controls and sanctions practice for FTI Consulting, and is also one of the newest ACSS Advisory Board members. He started his career with well-known firms like KPMG and EY before moving into multiple legal and compliance leadership roles with major companies facing significant settlements, monitorships, and government directed audits. His experience includes advising companies in diverse industries like energy and telecommunications, helping them navigate complicated export control and sanctions compliance issues.
The Association of Certified Sanctions Specialists recently spoke to Matt about challenges he sees for his clients and his views on the future of sanctions compliance.
ACSS: You have worked with clients in many different sectors. What are some differences between them as it pertains to sanctions compliance?
Matt Bell: I’ve dealt with just about every industry at some level through my consulting background. Sanctions really touch every industry, so there are some things that are common across compliance programs, such as the need to know who they’re doing business with. This includes screening their business partners and their transactions to make sure they’re not dealing with sanctioned countries/parties including terrorists, drug dealers, or other bad guys.
The differences come when you look at whether they are a US-based company or a foreign company. If they’re non-US based, then it depends more on what type of products they’re making or their relationship to the US more broadly. The higher-tech the product, the higher need for potentially controlled US content to make those products. Then they develop a much different sanctions risk profile because they may be attaching US jurisdiction to their business. Whereas, if they make low tech products like textiles, food products or consumer products, it’s much less likely that those are going to involve sufficient controlled US content to subject them to US law from the export controls jurisdiction perspective. Ownership structure, being listed on US stock exchanges, or perhaps the roles of US persons in their business also affect their risk profile.
But I think now you’re seeing a much more aggressive stance from the US government on enforcement related to secondary sanctions, which now exist on North Korea, Iran, Cuba, and Russia. A lot of companies are de-risking and just saying, “Hey, even if we don’t have US stuff in what we make, we probably transact in US dollars. We probably have some US ownership or US connection.” So, they’re just kind of complying with US law out of an abundance of caution.
You saw in the last year a lot of enforcement actions against a lot of different industries that everyone talks about – everything from fake eyelashes to fighter jets. Everyone across these industries is starting to notice and starting to build out a program.
ACSS: What is a common piece of advice you give to clients?
Matt: It’s very important that people look at their business, and think about how it operates and if they have the internal controls to address the risk. And, when I say internal controls, I mean it differently than I think many law firms or lawyers look at it. My time as an in-house counsel and compliance officer, in addition to my consulting background, forced me to learn to build compliance programs that are practical, operationally focused, and easily audited.
A lot of companies write a compliance manual, right? But, it’s a standalone document organized by legal subject matter that’s off on a shelf somewhere that they are expecting everyone in the business to read and figure out. And even if they did read it, they would have no idea as a procurement officer or a sales manager in the company, what are the five or six things they’re supposed to do in regards to sanctions compliance on a daily basis to keep the company safe and keep themselves safe because it’s buried in a 100-page document.
So what I always try to implement is an approach I call a functional compliance program, meaning whatever that overarching document is, whether it’s a policy manual or a high-level procedure, it’s divided by functions in the company, like sales, marketing, procurement, finance, et cetera. If you work in sales, you read the section for sales. It’s like four or five pages, maybe. And, it has bullet points and a lot of white space and checklists. Things that are very user friendly, like here are the five things you need to remember. To the extent possible, embed the key compliance steps or actions into each functional department’s operating procedures or desk instructions – whatever you call them at your company – and then use the overarching compliance document as a way to document the risks and the controls in the business. This also serves as a very handy tool for internal audit and external auditors to test your controls during functional department reviews.
Also, think about how your frontline employees do their job, what they care about, what they’re measured on, what their managers care about, and what their managers’ managers care about. The more you can embed compliance as a part of the fabric of that job itself as opposed to a separate obligation, I think you have much more success at people wanting to do it. Measure compliance tasks as part of their HR performance evaluation because it’s one of the key parts of their job.
ACSS: What is a common challenge that companies encounter in their sanctions compliance programs?
Matt: Trying to understand the reach of US law and whether they’re a US or non-US company. I think sometimes there’s confusion on what all parts of their business that applies to and also who are actually the sanctioned parties from a sanctions perspective. That OFAC 50% rule and the need to aggregate ownership from multiple parties to look at what’s 50% or more is a big challenge for many companies. In the energy sector, now you have a 33% rule for certain Russian parties. All of that is just confusing to clients and really is very challenging for a company to do on their own without essentially paying for a service provider to give them the list and the ownership research, and those are not cheap. There are six-figure subscription fees involved many times.
Of course, the huge companies can pay that, but how do we scale that down to even midsize or small enterprises that may have one or two compliance people on staff for the whole company. And, you’re telling me the only way to get the data they need to really understand ownership is to pay 40 to a hundred thousand a year for a list subscription. That’s an entire headcount, right?
So, I think that the common challenge is how do you get what you need to do sanctions compliance in today’s world. The government has some expectation of you doing this research, but it’s so ever-changing and evolving, and people are trying to evade sanctions with very complex ownership structures. So, either they’re not doing it at all, or they’re wasting a significant amount of their time doing their best without those databases.
They’re trying to do their own Google search and open-source research. You have somebody dedicating all their time to that due diligence as opposed to other compliance obligations of the company. And, the chances of them doing it manually and uncovering this scheme of who’s actually sanctioned and then stopping the transaction is pretty small. When you take this risk-based approach that all the government agencies tell you to do, you can’t just ignore that risk, so you have to do something. But at the same time, what is the real benefit of wasting an entire resource? How much are they actually finding and what are the chances they’re actually going to uncover something that fairly savvy criminals have not already hidden. I think that’s a big common challenge.
ACSS: What do you think the future of sanctions compliance looks like?
Matt: I think the future of compliance more and more looks like technology. With the amount of data that is out there and the expectations of regulators and enforcement agencies – you need a data-driven, technology-driven approach to your sanctions compliance. When you do your due diligence, I think more and more the expectation is it’s not just on your customer, but it’s all the third parties involved in the transaction. It’s the banks involved, it’s the shipping agents, customs brokers involved.
It could be the ultimate end user if you’re getting that information fed back to you through a sell-through report or a warranty request. That’s one that a lot of companies miss. They may sell to a distributor, for example, a product or they sell to who they think is a consolidator and integrator of their products with other things. But then the warranty registration for the end customer comes through, right? The person who now owns your widget in the world, registers the warranty and now you have this visibility into who has your product and are you even screening them or do you understand who ultimately got your product? It’s maybe something you weren’t expecting because it didn’t come through the normal flow of your business.
The other thing I think will affect the future of sanction compliance is that as more products become connected to the internet – to the internet of things – there’s going to be some type of tracking of essentially most products unless it’s just really low tech products. Once you get into industrial and commercial goods and anything that’s very expensive, there’s going to be some mechanism to track where it’s at in the world.
I think you’ll start seeing those types of geo-tracking tags on a lot more items, which then means companies have a lot more visibility somewhere in their company where they’re doing business. If suddenly your widgets become smart widgets because of these tracking tags and they all start showing up and pinging that they’re in Tehran or Pyongyang, are you going to have that data feeding to a compliance function?
Another example is something that telecom companies do. When you turn on a cell phone, it pings a software server to look for the latest update, right? The company knows where your phone is in the world, right? It registers the location.
So, you can imagine a scenario where a bunch of phones come on and register that they’re in a sanctioned country. When that happens, if your compliance function is tied into that system, they can immediately be notified. They can see that the group of phones came from the same lot and were all sold to the same distributor who then sold the phones to a sub-distributor. Because you have this technology connection with compliance, you can figure out how they got to the sanctioned country, then notify the US government from a disclosure perspective and remediate by firing the sub-distributor. I have seen this happen and when done right, that all occurred in less than 72 hours from the moment the phones switched on in a sanctioned country.
Bottom line is that if you have the data somewhere in your company, you better be thinking about how to use it from a compliance perspective because the government looks at the knowledge of the company and its employees very broadly and if you have an issue go undetected by compliance but operations “knew” about it for months or years – that is not a good look in front of the regulators.