U.S. Sanctions: How Businesses Can Minimize Risks and Build Effective Compliance Programs

An interview with a U.S. sanctions attorney on who is required to comply with U.S. sanctions, what secondary sanctions are, and how companies can minimize exposure when conducting cross-border transactions.

U.S. economic sanctions remain one of the most pressing issues for investors and entrepreneurs engaged in international business. To discuss the topic, we sat down with U.S. sanctions attorney Alex Fesenko, principal of Fesenko, P.C. Law Offices, a U.S. boutique firm focused on U.S. sanctions.

Who Is Required to Comply with U.S. Sanctions

Alex, thank you for joining us. Anyone involved in cross-border investment eventually runs into sanctions questions. Perhaps the most fundamental one is: how do you avoid sanctions exposure when your business extends beyond a single country’s borders?

Alex Fesenko. Thank you for having me. I should clarify upfront that I practice exclusively in U.S. sanctions law, so everything I say will be framed through that lens. Unfortunately, there is no short answer to your question. U.S. sanctions have a long history and apply to many countries, as well as to specific individuals and entities.

Let’s start with who must comply. U.S. sanctions law covers the following categories:

1.  U.S. citizens;

2.  U.S. permanent residents (green card holders);

3.  Any person, regardless of nationality, physically present in the United States;

4.  Entities organized under U.S. law or the law of any U.S. jurisdiction, including their foreign branches;

5.  Entities owned or controlled by U.S. persons or entities;

6.  Any person or entity conducting transactions through the U.S. financial system or in U.S. dollars.

Beyond that, all other foreign (non-U.S.) persons and entities are expected to comply with U.S. sanctions if they want to avoid exposure to secondary sanctions.

Speaking of which, what exactly are secondary sanctions?

Alex Fesenko. Secondary sanctions are a mechanism for pressuring foreign companies and individuals who are not technically required to comply with U.S. sanctions, but who risk being sanctioned themselves if they do business with parties already on the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List), or otherwise subject to U.S. sanctions restrictions. The essential message from the United States is: it doesn’t matter whether you’re a U.S. company or not, if you work with sanctioned parties, we will cut off your access to the dollar system and to the U.S. market. That is precisely why banks and businesses around the world, from Dubai to Shanghai, generally decline to deal with sanctioned parties, even when their own domestic laws don’t require them to.

So effectively, U.S. sanctions apply to almost everyone?

Alex Fesenko. At a minimum, they apply to everyone who wants to operate in the U.S. market or transact in U.S. dollars. So, the question of how to stay clear of sanctions is relevant to a very broad audience.

From a practical standpoint, the most important principle is straightforward: do not have any business relationships with sanctioned parties. OFAC can impose substantial civil penalties for dealing with such parties. Beyond individual designations, there are countries and territories subject to comprehensive U.S. sanctions: Iran, North Korea, Cuba, and the Crimea, Luhansk, and Donetsk regions, among others. Conducting any business with persons located in those territories is prohibited, with limited exceptions for certain humanitarian activities.

And then there is Russia. While there are no comprehensive U.S. sanctions against Russia as a whole, Russia leads the world in the sheer number of active U.S. sanctions programs. There is an extensive and constantly expanding list of goods, technologies, and services prohibited for export from the U.S. to Russia. On the services side, it is prohibited, for example, to provide accounting, trust, corporate, or management consulting services to any person or entity located in Russia. In the technology space, IT consulting and IT design services, IT support, enterprise software cloud services, and custom software development are all prohibited. When in doubt about whether sanctions apply to a given transaction, the best first step is to check OFAC’s website. If the answer is still unclear, consulting a sanctions attorney is the right call.

Common Compliance Mistakes

In your experience, what are the most common mistakes businesses make when building sanctions compliance programs? Is it willful disregard, underestimating risk, checkbox compliance, the absence of internal procedures, or something else? And how deep does counterparty due diligence need to go in cross-border transactions: is a sanctions list screening sufficient, or do you need to analyze ownership structures, ultimate beneficial owners, and indirect connections to sanctioned persons or jurisdictions?

Alex Fesenko. There are several recurring patterns.

First, checkbox compliance. Many companies subscribe to a screening service and consider that sufficient. The checks are run as a formality, without any real analysis of the transaction structure, the beneficial owners, or the underlying economic purpose.

Second, underestimating secondary risk exposure. Surprisingly, there are still clients who believe that because their company is not American, U.S. sanctions law simply doesn’t apply to them. That is a dangerous misconception. Dollar-denominated payments, the use of U.S. technology, the involvement of U.S. persons, or simply touching the U.S. financial system - any of these can create a sufficient jurisdictional nexus for U.S. sanctions to apply.

Third, the absence of clear internal compliance procedures. Even where senior management understands the risks, companies often lack a formal written sanctions policy, escalation procedures for flagged transactions, designated compliance personnel, and employee training.

Fourth, ignoring the 50 percent rule. Under OFAC’s 50 percent rule, if one or more SDN-listed persons directly or indirectly own 50 percent or more of an entity, that entity is itself treated as blocked, even if its name does not appear on the SDN List. Companies routinely check whether a counterparty’s name appears on the list without ever examining who owns it.

Willful noncompliance does occur, but the more common problem is a systemic underestimation of risk coupled with the mistaken belief that sanctions are a banking problem, not an operational one.

As for the scope of due diligence, a simple sanctions list check is never sufficient. A reasonable minimum compliance standard should include screening against relevant sanctions lists (OFAC, EU, UK, and others depending on the geographic scope), ownership structure analysis, identification of ultimate beneficial owners (UBOs), application of the 50 percent rule, assessment of indirect connections to sanctioned persons, and evaluation of jurisdictional risk factors: country of incorporation, place of actual operations, supply chain routing, and correspondent banks.

The depth of due diligence should be risk proportionate. A straightforward transaction with a publicly traded European company warrants one level of scrutiny. A supply transaction into a higher-risk jurisdiction involving a multi-layered ownership structure warrants something considerably more rigorous. In high-risk cases, you need to look beyond the legal structure: at funding sources, logistics arrangements, business reputation, and prior sanctions history.

Can company executives be held personally liable for violations of U.S. sanctions law? In what circumstances does exposure extend beyond corporate fines to civil or even criminal liability for directors, beneficial owners, or senior management?

Alex Fesenko. Violations of U.S. sanctions can result in asset blocking, significant civil penalties, and, in cases involving willful conduct or gross negligence, criminal prosecution.

Personal liability for executives can arise where management knew about the sanctions risk and consciously approved the transaction, participated in a scheme to circumvent sanctions, directed the concealment of information, or failed to take reasonable steps when obvious red flags were present.

In the most severe cases, the consequences include multi-million-dollar penalties and criminal prosecution resulting in actual imprisonment. In practice, the harshest outcomes tend to arise where there is proven intentional circumvention of sanctions through complex intermediary chains and shell structures.

If a company is just entering the international market, where should it start from a sanctions compliance standpoint? What baseline procedures and internal policies do you consider the minimum necessary to reduce risk from day one of international operations?

Alex Fesenko. When entering international markets, a company needs to establish the basic architecture of a sanctions compliance program from the outset. The minimum required framework includes a written sanctions policy approved by senior management, a designated compliance officer, a risk-based counterparty due diligence process, an escalation and decision-making procedure for flagged transactions, training for key personnel in sales, finance, and logistics, and documentation of compliance decisions.

The critical point is that sanctions compliance is not a document. It is a process. It has to be embedded in day-to-day operations. Companies that build the system proactively tend to reduce both regulatory and reputational risk significantly.

Obtaining an OFAC License

Suppose a company failed to conduct thorough due diligence and entered into a business relationship that may attract OFAC’s attention. How does OFAC typically respond in such situations?

Alex Fesenko. It depends on whether a violation actually occurred, how serious it was, and what information OFAC has. If OFAC has received preliminary information or developed suspicions, you may receive an OFAC subpoena requesting answers to specific questions and the production of additional information. Do not underestimate the importance of that document or the need to respond accurately and on time. OFAC uses the information gathered through that process to decide what it will do next. Ignoring the subpoena, evading the questions, or providing false information can result in substantial penalties or even designation on the SDN List.

Since we’re on the subject of the SDN List, on what basis does OFAC designate parties, and how difficult is it to get removed?

Alex Fesenko. OFAC has very broad authority under presidential executive orders. It is not required to notify anyone in advance of a designation, nor to disclose the specific criteria used to make one. Designation is an administrative action; no court is involved. That is precisely what makes challenging a designation in court so difficult.

Once a designation has occurred, the most effective path to removal is through the administrative process, specifically, by filing a petition for reconsideration with OFAC. It is a complex undertaking, and working with an attorney is strongly advisable.

SDN designation sounds like an extreme scenario. What about more common, day-to-day situations where a company needs to proceed with a transaction but is uncertain whether it might implicate sanctions?

Alex Fesenko. The first step is to determine whether the proposed action would actually violate U.S. sanctions. As I mentioned, you can try to work that out using OFAC’s website or consult a sanctions attorney. If the answer is yes, if the transaction would violate sanctions, then you need a license from OFAC. The license application can be filed either independently or through counsel, depending on how well you understand the sanctions framework and how comfortable you are working in English. If the transaction value is significant, engaging a specialist is almost always worth it to avoid costly misunderstandings.

How long does it take to obtain an OFAC license?

Alex Fesenko. As a rule, OFAC issues a decision on a license application within roughly a year.

Why does it take that long, and is there any way to expedite it?

Alex Fesenko. OFAC is dealing with an enormous volume of applications. Some applicants receive a decision faster, others wait longer. Unfortunately, there is generally no mechanism for expediting a license, except in exceptional circumstances, usually involving humanitarian considerations. An example would be a refugee family left without resources after their assets were blocked because the bank holding them was sanctioned.

What options are available if OFAC is taking an unreasonably long time to decide, or has denied a license application or a petition for removal from the SDN List?

Alex Fesenko. If OFAC is dragging its feet, the best course of action is to establish direct communication with the agency and find out why there is a delay. Sometimes OFAC needs additional materials or information; providing those proactively can help move things forward.

If OFAC issues a denial, it is possible to refile if important points were missed in the original application or if there are new facts, arguments, or changed circumstances that could support a favorable decision. In any case, the preferred approach is to resolve matters with OFAC through dialogue. Litigation against OFAC is the last resort, something to consider only when all other avenues have been exhausted.