INSIGHT: Developing a sanctions compliance programme

IT IS an offence to contravene Australian sanctions laws. The maximum penalty for breaches of Australian sanctions by corporations is a fine the greater of 10,000 penalty units (AUD 3.30 million as of 1 July 2024 ) or three times the value of the transaction. 

For corporations this is a strict liability offence, but as prevention can be difficult, the legislation provides that it is a defence if it can prove it took such precautions and undertook such due diligence to avoid contravention as would be expected of companies in that position. This evidence could include details of the sanctions policy and methodology used in risk assessments and screening as well as any software used, plus details of staff training provided and available sanctions expertise.  

Step 1: Assess the organisation's current risks and compliance

The systems and controls in the corporation's sanctions program should be commensurate with its assessed sanctions risk. This assessment should consider matters such as:

• Customers, supply chain, sub-contractors and agents.  

• The services it offers. 

• The geographic locations of the organisation and services, as well as its customers, supply chain, and agents. 

• The risk from a trusted insider breaching the requirements. 

Such reviews should be regularly undertaken and used to develop and/or update compliance policies, procedures, internal controls, and training in order to mitigate any risks.   

Organisations should review too the extent of their insurance coverage, especially directors’ and officers’ insurance, because of the substantial costs of investigating or defending allegations of sanctions breaches. Note however that the conviction of an offence may negate claims for such coverage and legal advice should be sought.  

Step 2: Documented Compliance Programme with company wide application

The Policy should include active support and oversight by senior management and use suitably qualified and experienced personnel,  although those persons may also have other roles. Whistleblower policies should be in place so that staff reporting possible violations can do so without fear of reprisal. 

The compliance program and its application should be regularly reviewed and updated where material changes occur.  External audits may be appropriate to ensure that the system is working as intended. 

Step 3: Are contractual obligations required? 

• Consider incorporating sanctions obligations in contracts so that the customer agrees they have undertaken due diligence in sanctions obligations and that end users and/or goods are not sanctioned goods.  

• Consider the inclusion of a force majeure clause to encompass the effects of sanctions. Force majeure is a clause that is included in contracts to remove liability for unforeseeable and unavoidable catastrophes that prevent parties from fulfilling obligations. Some clauses limit force majeure to an Act of God (such as floods, earthquakes, hurricanes.) but exclude matters such as acts of war or terrorism, labour disputes, or interruption or failure of electricity or communications systems, so it is important such clauses are drafted noting that complying with a sanctions law is not a breach;  

• Ensure contracts contain a contractual right to disclose information, including confidential information, to government if required in sanctions matters. 

• Consider jurisdiction – some EU countries have no claims provisions that prevent claims arising from other parties’ attempts to comply with sanctions laws.   

Step 4: Screening and transaction monitoring for sanctions risk

Service professionals such as customs brokers, freight forwarders, airlines and shipping companies should undertake due diligence on proposed freight movements, the routing, and the parties. As requirements change, the due diligence needs to be ongoing. Consider: 

• Subscribing to DFAT’s Consolidated List, remembering that this List only covers travel bans and asset freezes. Also consider the sanctions put in place by foreign jurisdictions such as USA, UK, and European Union should there also be involvement in those regions (e.g., a director of US nationality); 

• Screen new clients that are newly established companies in areas subject or adjacent to sanctioned countries.  

• If in doubt, obtain an indicative assessment via PAX, the DFAT sanctions portal.  

If breaches do occur, additional procedures / training is undertaken and documented to prevent a recurrence.   

Step 5: Alert generation, review and documented action.  

Any alerts identified should be documented and the policy provide methods to review, record and  escalate for further review if required, noting especially that sanctions screening can provide  false positives requiring review.  

Step 6: Regular and documented staff training in compliance.   

If there are circumstances in which there is a high possibility of a sanctions breach occurring  that  activity should immediately be ceased or the engagement declined.