February 29, 2024 - On Friday, February 23, the U.S. announced sanctions and export controls on hundreds of Russian and "enabling" persons and entities to mark the second anniversary of Russia's further invasion of Ukraine and in protest of the murder of anti-corruption activist Aleksei Navalny. The more than 500 new sanctions "target individuals connected to Navalny's imprisonment as well as Russia's financial sector, defense industrial base, procurement networks and sanctions evaders across multiple continents," while new export restrictions target "nearly 100 entities for providing backdoor support for Russia's war machine."1
All U.S. companies engaged in international commerce, directly or indirectly, are expected to maintain effective compliance programs that screen for, and avoid transactions with, targeted persons and entities. Going forward, the newly sanctioned must be added to the rolls of Know-Your-Customer ("KYC") blacklists maintained by companies and their screening vendors.
However, the facilitators and enablers who constructed these evasion networks are undoubtedly already adapting, replacing—aided by Russia's intelligence services—these targeted entities with new waves of strawmen willing to risk future sanctions for financial reward.
The increasing sophistication of our state adversaries and corresponding countermeasures by our government lead to seemingly never-ending cycles of designation and evasion. At the same time, more aggressive criminal enforcement of existing sanctions and export controls is likely. The U.S. Department of Justice ("DOJ"), has criticized traditional screening methods as insufficient and signaled its intent to enforce sanctions and export controls in a manner similar to U.S. Foreign Corrupt Practices Act ("FCPA") enforcement2 —which is driven not only by an "actual knowledge" standard for liability but also "high probability" standard of liability for the actions of intermediaries.
Companies and their compliance teams will be consistently stuck in the middle of a whack-a-mole exercise of increasing complexity. How best can they respond to and manage such challenges?
Considering that sanctions and export controls are tools to further foreign policy objectives, companies can borrow lessons from America's struggle against terrorist networks in Iraq—and indeed other national security challenges—where the root cause of failure was an organizational mindset ill-adapted to the new tactics deployed by a resourceful adversary.
Retired General Stanley McChrystal described the issue as an "attachment to procedure instead of purpose" that valued "efficiency over adaptability." While this approach can be successful within relatively simple systems, the same may prove fatal when the "number of branches on the contingency tree" becomes too great and "[s]omething that was once merely complicated had passed the threshold of complexity."3 In such circumstances, "[f]or crews trained in checklist-based efficiency, minor deviations from the plan led to unnecessary deaths."4
Faced with a rapidly evolving and increasingly complex threat environment in Iraq circa 2006, two strategies proved successful: (1) flattening hierarchies and facilitating cross-functional information-sharing across military branches and government agencies, and (2) identifying facilitators and enablers without whom the terrorist networks' foot soldiers could not effectively coordinate and launch attacks.
General McChrystal's Joint Special Operations Command ("JSOC") pooled data seized on the battlefield with information from tactical interrogations and national intelligence agencies' holdings. Analysts observed terrorists contacting the same bomb-makers, corrupt police, forgers, money launderers, and smugglers. JSOC drew on those links to quickly identify and locate more terrorists and degrade the ability of the next wave of terrorists to carry out deadly attacks.
With this example in mind, what actions can companies take to better manage the ever-increasing complexity of today's evasion networks and leave the whack-a-mole paradigm?
First, companies should improve coordination and sharing among and across teams. Sanctions and export controls teams should be in regular communication about challenges and lessons learned. Anti-corruption teams familiar with the "high probability" standard should be included. Colleagues in tax, finance, procurement, and sales likely also have information important to a holistic, risk-based assessment of evasion risk. Companies should pool information—as JSOC did—and push it down to lower levels to better inform operational decisions.
Second, cross-functional teams should conduct a root-cause analysis whenever customers, resellers, or distributors are designated or listed. Doing so will allow companies to identify the facilitators and enablers that frustrated their prior compliance efforts and prevent exposure to future liability. What intermediaries were involved? Who are the managers and ultimate beneficial owners of such entities—and do they appear in other relationships? Who was the identified end-user, and do they have the industrial and technical background to use the products? Do the addresses provided appear to be legitimate business locations, or in other relationships? Who from sales proposed the relationships? Have those colleagues since proposed new opportunities for similar orders? As the JSOC learned, identifying and locating second-order persons facilitating the underlying actions allows more-effective and higher-impact targeting.
We do not suggest that such cross-functional retrospectives can or should be done for all of a company's counterparties or intermediaries. But when any counterparty or intermediary is designated or listed, such an exercise would be well worth the effort.
Companies undertaking such an exercise can best protect themselves from the next wave of front companies that the facilitators and enablers will deploy. We expect that U.S. regulators will view such efforts as part of effective compliance programs. Companies are—as the DOJ has warned them—on the front lines of this economic war. Taking lessons from successful warfighting strategies are necessary to anticipate and block the next steps of the highly sophisticated, complex evasion networks we face today.
Footnotes
1. The White House, Statement from President Joe Biden Ahead of the Two-Year Anniversary of Russia's Brutal Assault Against Ukraine (Feb. 23, 2024).
2. DOJ, Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Ethics and Compliance Initiative IMPACT Conference (May 3, 2023) ("Where in years past a compliance team might have mitigated national security risks through sanctions-screening software and attention to a few sanctioned countries, today a new level of diligence and attention is required. In this way, to quote Deputy Attorney General Monaco, sanctions truly are the new FCPA.").
3. General Stanley McChrystal (ret.), Team of Teams: New Rules of Engagement for a Complex World, at 107 (2015) (emphasis in original), available on amazon here: https://www.amazon.com/Team-Teams-Rules-Engagement-Complex/dp/1591847486.
4. Id.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
