Sanctions risks for corporates: the high price of non-compliance

In recent years, more and more penalties have been issued to corporate organizations for non-compliance with sanctions regulations. In 2023 alone, the Office of Foreign Assets Control (OFAC) issued a total of more than EUR 1.38 billion in penalties[1]. These penalties serve as a stark reminder that corporate organizations need to ensure adherence to sanctions regulations.

The increase in penalties, both in quantity and amount, reflects a broader trend of intensified global efforts to combat illicit activities as well as a further enhancement of regulatory restrictions related to Russia. To illustrate, this blog highlights three examples of sanctions violations, namely violations that ensued from (1) exporting software, (2) not screening IP addresses, and (3) acquiring an organization.

Exporting software

In 2023, a software company was fined approximately EUR 2,700,000 for violating sanctions programs, as its services and software were exported to Specially Designated Nationals (hereinafter: ‘SDNs’). SDNs are natural persons and entities that are subject to sanctions imposed by the U.S. government. This software company supported the sale of software through third-party resellers to SDNs, including major Russian enterprises. After the purchase, these enterprises could download, install, and activate the software on their devices. Moreover, they received available updates and software renewals. As a result, the software company in question was facilitating the operations of SDNs, including enterprises that generated revenues for the Russian state. To mitigate the risk of sanctions in the future, the software company enhanced its sanctions compliance program, implemented an end-to-end screening system and made sure to have sufficient insight into the end users of its products.

(Not) screening IP and email addresses

The second example of a sanctions violation that we would like to highlight in this blog is a failure to screen IP addresses. An organization that provides payment reward cards was fined approximately EUR 200,000. The violation occurred when the organization redeemed cards for users with IP addresses and email addresses that were associated with sanctioned countries, such as Syria and Iran. Comprehensive sanctions apply to these countries, meaning that imports, exports and financial transactions are restricted. The organization failed to adequately monitor the IP addresses and email addresses of the users who redeemed these cards. To mitigate the risk of sanctions in the future, the organization implemented IP and email address screening in its transaction blocking procedures and instituted independent testing by a third party at regular intervals.

Acquiring an organization

When organizations expand through acquisitions, they may face significant risks if they fail to update and enforce adequate sanctions controls. For example, a logistics company was fined EUR 5,700,000 for making payments through the U.S. financial system in relation to shipments to, from, and through sanctioned countries. The company did have a sanctions policy in place. However, as this organization started to acquire a number of other logistics companies, the existing sanctions policy and the related controls did not keep up with the pace and complexity of the growing operations of the organization. As a result, the company failed to implement adequate procedures or controls to prevent trade and transactions involving entities in sanctioned jurisdictions. This example serves as a reminder that only having a sanctions policy in place is insufficient; it is important to periodically monitor and review the implementation as well. 

How KPMG can support you

Compliance with sanctions is crucial for organizations across all sectors. The severity of the penalties that regulatory authorities impose highlights the need for strong, risk-based sanctions compliance controls, such as screening. KPMG Forensic supports clients to (pro)actively design, implement and monitor sanctions measures. Our team combines technical expertise and experience with corporations and compliance. KPMG has designed a global methodology that is used within the field of sanctions model validations in accordance with the legal requirements, the legal expectations of regulators and our experience within the sector. We can support corporates with our knowledge and expertise in regulatory compliance and risk management and help in navigating the evolving landscape of sanctions regulations.

If you have any further questions or if you are interested in more information, feel free to reach out to Renske van Hooff (Partner at KPMG Forensic Technology, VanHooff.Renske@kpmg.nl) or Monica van Santbrink (Manager at KPMG Forensic Technology, VanSantbrink.Monica@kpmg.nl).
