On 7 September 2023, the European Commission (Commission) published a guidance note (the Guidance) for EU businesses on the circumvention of sanctions. The Guidance outlines the essential components for a company’s compliance program to prevent circumvention of the EU sanctions against Russia. These “enhanced due diligence” measures include measures to apply when conducting strategic risk assessments, and best practices when reviewing business partners, transactions and goods. The Guidance also includes a list of circumvention red flags that EU operators should consider when entering into a commercial relationship.1
The European Union has imposed 11 rounds of sanctions against Russia since the start of the conflict in Ukraine in February 2022. These consist of sectoral sanctions under Council (EU) Regulation 833/20142 (Regulation 833) and individual financial sanctions (asset freeze and prohibition to deal with listed individuals or entities) under Council Regulation 269/2014 (Regulation 269).3 The EU has also escalated its sanctions against Belarus4 and imposed targeted restrictive measures against Iran5 because of those countries’ support of Russia’s actions in Ukraine.
Given the scale of the EU sanctions against Russia, the EU has emphasized enforcement and anti-circumvention measures. To this end, the Guidance focuses on the export-related restrictions under Regulation 833. EU businesses are, however, expected to have due diligence measures for all relevant activities that could fall within the scope of EU sanctions.
Key recommendations to EU companies include:
- Identify, assess and understand the possible risks of circumvention that are most relevant for their business activities and operational model.
- After identifying the risk indicators, take corrective action to mitigate these risks and implement enhanced due diligence measures in light of the risk indicators.
- Be particularly attentive to circumvention red flags when entering into a relationship with a new business partner, and conduct enhanced screening of a new business partner if red flags are present.
- Take preventive measures, such as including contractual clauses in business arrangements with third-country operators to prohibit the re-export of sanctioned goods to Russia or Belarus.
- In the case of EU financial institutions that maintain correspondent accounts for non-EU financial institutions, be particularly vigilant with respect to EU sanctions.6
Risk Assessment of Potential Sanctions Circumvention
Risk management and internal controls are core elements of an effective sanctions compliance program. Although there is no uniform risk management framework, the Guidance states that EU operators should conduct strategic risk assessment to mitigate exposure to possible circumvention schemes based on the following core elements:
- Identifying threats and vulnerabilities: Entities should exercise vigilance on the main circumvention techniques, including emerging patterns, relating to the products, transactions and commercial activities that are pertinent to their business. The Guidance provides examples of industries and business activities that should be subject to particular vigilance, including EU manufacturers of semiconductors, goods included on the list of dual-use goods and advanced technology items (so-called high priority battlefield items), and goods that may be often and easily miscategorized under a Harmonized System (HS) code not subject to sanctions.7
- Risk assessment: Entities should perform risk assessments relating to their business sector, products and commercial activities. The assessment may take into consideration risk indicators, typologies and other publicly available information.
- Designing and implementing risk mitigation measures: Entities should design prevention measures based on the identified risks, particularly addressing risks deemed as higher-risk areas in their business, and proactively incorporate mitigation measures in their risk management practices and procedures. Controls should also be implemented to test the effective functioning of those procedures.
- Regular updates: Given the evolving nature of circumvention techniques, entities should regularly map out and update identified threats and vulnerabilities. It requires, among others, staying informed on EU sanctions updates and implementing internal procedures that are responsive to such updates. The Guidance also recommends that senior management be involved and informed regularly by the entity’s compliance officers about identified risks and the response to those risks.
Enhanced Due Diligence
The Commission’s FAQs on Russian sanctions provide that EU entities have to perform appropriate due diligence calibrated according to the specifics of their business and the related risk exposure.8 Consistent with the foregoing approach, the Guidance provides that EU entities should particularly focus on sectors that are deemed to be most critically exposed to circumvention risks. EU entities involved in those sectors should implement enhanced due diligence measures in their compliance programs to mitigate circumvention risks.
The Guidance outlines general good practices when implementing enhanced due diligence:
- Stakeholder level: Identify and verify business partners, including their customers, representatives, beneficial owners and other potential persons of interest. Such measures should be applied to direct stakeholders (e.g., customers, distributors, agents), as well as indirect stakeholders (e.g., end-user(s), intermediaries, banks).
- Transaction level: Verify money flows, route of goods and the involvement of transportation companies. Such review entails, among other things, assessing the business rationale of the transaction, the country of origin/transit/destination of the goods, and the underlying financial scheme relating to the transaction.
- The goods: Confirm whether the relevant goods are subject to EU export or import restrictions, or are included on the EU’s lists of high-priority battle items or economically critical goods. EU entities should also assess if the relevant goods contain components that are more likely to be disassembled and diverted for non-intended purposes. The Guidance emphasizes that EU entities should pay particular attention to exports to countries that do not apply restrictions on exports of sensitive goods to Russia and Belarus (see EU’s notice of 1 April 2022).9
Typologies of Sanctions Circumvention and Best Practices
Diversion to or From Russia or Belarus via Third Countries
The Guidance states that EU companies should have in place adequate due diligence procedures to ensure that their operations involving goods subject to Russian sanctions are not diverted to Russia. As part of best practices, the Guidance recommends that EU companies ensure that they know their business partners and assess whether those partners are reliable.
The Guidance also recommends including contractual clauses prohibiting re-exports or transfers of the relevant goods to Russia or Belarus in dealings with third-country business partners. Such contractual clause may also include a provision that the importer commits not to re-sell the relevant goods to a third-party business partner that itself does not commit to not re-export such good(s) to Russia or Belarus. The Guidance states that it is vital that a sanctions compliance contractual clause be valid and enforceable under the law that applies to the contract. EU companies may also perform ex-post verifications regarding their business partners’ compliance with their commitments.
An EU exporter’s failure to conduct adequate due diligence may be taken into consideration by national competent authorities when assessing a potential violation of EU sanctions, including in cases of re-exportation from a third country.
Special Risks for Financial Institutions
Key components of the EU restrictive measures against Russia include restricting or preventing sanctioned parties from gaining access to the EU financial system (e.g., the EU SWIFT ban, restrictions on deposits, debt/equity restrictions, asset freezes) and restricting financial transactions involving sanctioned activities or goods.
The Guidance warns that transactions involving correspondent accounts carry higher risks of sanctions circumvention. In particular, correspondent accounts that facilitate transactions such as wire transfers, international trade settlements and cross-border payments may raise important sanctions considerations. The risks can vary depending on the foreign respondent’s profile.
EU financial institutions should therefore conduct adequate assessment of risks and appropriate due diligence on risk relating to: (i) the foreign respondent’s business and markets, (ii) the type, purpose and anticipated activity, (iii) the nature and duration of the relationship with the foreign respondent, and (iv) the supervisory regime of the jurisdiction in which the foreign respondent is licensed. Based on this assessment, EU financial institutions should design and implement controls to effectively manage the identified risks.
Circumvention Red Flags
The Guidance provides a non-exhaustive list of indicators (i.e., red flags) that should draw the attention of EU companies when they are entering into a business relationship with a new trading partner. If an EU company identifies any of these indicators, it should perform enhanced due diligence with respect to the counterparty or transaction. These indicators include, among others:
- Indirect transactions involving intermediaries or shell companies that make little or no economic sense.
- New customer/transactions with companies located in countries labeled as so-called “circumvention hubs” and involving so-called high-priority battlefield items.
- Transit through countries labeled as “circumvention hubs.”
- Complex corporate or trust structures.
- A business partner that was recently established or has merged with a sanctioned entity or an entity linked to sanctioned entities or persons.
- Change of ultimate beneficial owner shortly before or after sanctions are imposed.
- Potential control of an entity by a designated person, even if their direct ownership appears to be under the 50% threshold (e.g., member of the Board of Directors, beneficial owner, managing director, other entities or persons in the ownership structure linked with a designated person).
In addition to the red flags in the Guidance, EU companies should also consult the Russian Elites, Proxies, and Oligarch (REPO) Task Force’s March 19, 2023, advisory on Russian sanctions evasion. That advisory includes additional red flags that may be useful.
Recognizing that changing circumstances and the dynamic nature of the EU’s escalating sanctions against Russia may pose compliance challenges, the Commission has issued FAQs and guidelines, or expectations, for EU companies on their sanctions compliance program. Although sanctions enforcement is primarily the responsibility of member states, the Commission has stated that it is committed to assisting member states to ensure consistent implementation of the EU restrictive measures across the EU.
The Guidance is non-binding but the enforcement agencies in the member states likely will consider it when assessing potential violations. For example, law enforcement authorities could use the Guidance to determine whether a particular action by a company meets the standards required in a given situation. If it does not, the authorities could consider it as negligent conduct.
The Guidance provides important information on the Commission’s compliance priorities and emphasizes four core components to a strong compliance program: (1) risk assessment, (2) internal controls, (3) enhanced due diligence, and (4) vigilance. The Guidance also considers that demonstrated compliance commitment of senior management to be a key component to an effective compliance program.
The Guidance shows that the Commission expects that EU companies will maintain an adequately empowered and resourced compliance program.
Although the Guidance is intended for EU companies, non-EU companies that conduct business in the EU are also required to comply with EU sanctions.10 Moreover, under some circumstances, an EU nexus can develop that would subject certain business activity to EU jurisdiction even if it is carried out by non-EU entities.
All EU sanctions programs include an anti-circumvention rule that prohibits participation, knowingly and intentionally, in activities the object or effect of which is to circumvent the relevant sanctions regulation (EU Anti-Circumvention Rule). Under the EU Anti-Circumvention Rule, the key elements are (i) acting with knowledge and (ii) intent to circumvent a prohibition included in the regulations. Failure to maintain an appropriate EU sanctions compliance program may be an important factor that national competent authorities consider when determining whether an entity is in potential breach of the EU Anti-Circumvention Rule, or has otherwise committed a violation of EU sanctions.
1 This client alert is for informational purposes only and does not constitute legal advice. Complex assessments often have to be made as to which sanctions regime applies in any given instance, given the multinational touch points of many entities and individuals. In that regard, given the complex and dynamic nature of these sanctions regimes, there may be developments not captured in this summary. Moreover, while the summary was accurate when written, it may become inaccurate over time given developments. For all of these reasons, you should consult with a qualified attorney before making any judgments relating to sanctions, as there are potentially severe consequences of failing to adhere fully to sanctions restrictions.
2 See Council Regulation (EU) 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s destabilising the situation in Ukraine (as amended), OJ L 229(1).
3 See Council Regulation (EU) 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (as amended), OJ L 078(6).
4 See Council Regulation (EC) 765/2006 of 18 May 2006 concerning restrictive measures in view of the situation in Belarus and the involvement of Belarus in the Russian aggression against Ukraine. The latest round of sanctions imposed on 3 August 2023 included restrictive measures that, among others, expanded the ban on exports to Belarus to a number of highly sensitive goods and technologies which contribute to Belarus’s military and technological enhancement, and imposed an additional export ban on firearms and ammunition, and goods and technology suited for use in aviation and the space industry. Per the EU Commission, these measures sought to align the Belarus sanctions with the Russia sanctions regime.
5 See Council Regulation (EU) 203/1529 of 20 July 2023 concerning restrictive measures in view of Iran’s military support of Russia’s war of aggression against Ukraine. Under Regulation (EU) 269/2014, the EU Commission has also imposed asset freeze measures against individuals involved in the development and delivery of Unmanned Aerial Vehicles to Russia.
6 A correspondent account is an account established by a domestic financial institution to receive deposits from, make payments or handle other financial transactions on behalf of a foreign financial institution.
7 See the EU’s List of Common High Priority Items (Version of September 2023). Additionally, together with international partners including the European Union and Japan, Australia, Canada, New Zealand, the United Kingdom, and the United States (collectively referred to as “the Export Enforcement Five” or “E5”), the U.S. Department of Commerce’s Bureau of Industry and Security issued a notice that included 45 common high-priority items, highlighting for industry that these items pose a heightened risk of being diverted illegally to Russia because of their importance to Russia’s war efforts.
8 See Commission Consolidated FAQs on the implementation of Council Regulation No. 833/2014 and Council Regulation No 269/2014, Circumvention Due Diligence, FAQ #1.
9 See European Commission, Announcements, notice to economic operators, importers and exporters, 1 April 2022
10 EU sanctions apply: (i) within the territory of the EU; (ii) on board any aircraft or vessel under an EU Member State’s jurisdiction; (iii) to EU nationals anywhere in the world; (iv) to legal persons, entities and bodies incorporated or constituted under the law of an EU Member State (including branches of EU entities in third countries); and (v) to any legal person, entity or body in respect of any business done in whole or in part within the Union.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.