Sanctions and export control issues continue to pose challenges for companies. Political developments such as the U.S. elections, Brexit, conflicts in Belarus or trade tensions demonstrate the need to keep internal compliance programs under review. Key developments in the last year include the following:
In 2020, the EU has adopted new sanctions regimes. Such regimes cover sanctions against Nicaragua, Belarus and Turkey, as well as sanctions to counter cyber-attacks. Although these regimes introduce mainly asset-freezing measures against certain parties, they have extended the spectrum of controls and reiterated the need to observe additional compliance areas. The EU is also working towards introducing a new global human rights regime similar to the Magnitsky Act in the U.S., targeting perpetrators of serious human rights violations.
Further, the EU is currently completing the process for updating the Dual-Use Regulation. The EU institutions concluded negotiations for the compromise text of the new Dual-Use Regulation on 10 November 2020, which must now be approved into law by the European Parliament and the Council of the EU. If adopted in its current form, it will impose additional obligations on EU exporters of dual-use goods and technology. The agreed updates include new catch-all controls on non-listed cyber-surveillance items that can be used for violating human rights, increased due diligence obligations on exporters seeking global export authorizations, new General Export Authorization ("GEA") for intra-company technology transfers and encryption, as well as increased transparency rules. These changes are expected to increase compliance risks in this sector.
While sanctions against Iran were partially lifted by the EU in January 2016, thus creating new opportunities for companies, the Trump Administration has caused uncertainty by withdrawing from the Joint Comprehensive Plan of Action ("JCPOA") in May 2018 and reinstating sanctions against Iran, including recently the designation of the Bank of Iran as a Specially Designated Person ("SDN"). The EU's response was to boost its Blocking Regulation by including certain U.S. sanctions on Iran in its scope, thus prohibiting EU companies from complying with such U.S. sanctions and requiring an authorization from the European Commission for doing so. However, the Blocking Regulation and reinstated U.S. sanctions on Iran often pose conflicting obligations on EU companies and consequently entail increased compliance risks. U.S. President Elect, Joe Biden, has demonstrated the willingness to negotiate the U.S.' return to the JCPOA, provided that Iran adheres to strict compliance. It remains to be seen whether the situation in Iran will change, but the country Iran remains of politically high profile.
The United Kingdom ("UK") left the EU on 31 January 2020 and a transitional period will apply until 31 December 2020. Both the EU and the UK have adopted contingency measures to address regulations in the areas of sanctions and export controls. In particular, the UK has adopted domestic legislation to implement its own sanctions regimes and to carry over all EU sanctions regimes in a no-deal Brexit scenario, i.e. if the EU and the UK cannot agree on a comprehensive Free Trade Agreement following the transition period. In this context, the UK has already adopted its first independent sanctions regime, the Global Human Rights Sanctions Regulations 2020, targeting persons and entities involved in human rights violations in recent years. At the same time, while the overall framework for export controls will not change, there will be new licensing requirements for trading dual-use items between the EU and the UK. The UK has published a new Open General Licence (OGEL) for exports to the EU, while the EU has added the UK in the list of countries subject to GEA EU001.
2020 also saw the tightening of U.S. controls on Chinese companies and Chinese-made technology in an effort to counter unfair trading practices and boost the U.S. economy. Moreover, sanctions relating to North Korea, Syria, Russia, Ukraine and Crimea, to name only a few, continue to directly impact companies' business behavior. As the EU and the U.S. play the most important role when it comes to shaping new sanctions policies, this area continues to affect many businesses worldwide.
The broad scope of many sanctions regimes and the deep impact on business relations with customers in targeted countries makes compliance with all applicable laws a permanent challenge for businesses engaging in international trade and investment. Infringements may result in heavy fines, reputational damage or even criminal prosecution. As a result, investigations of infringements – whether those occurred willfully or negligently – are a crucial instrument to protect the integrity of a company and to ensure that it keeps control of the situation. On the positive side, national authorities in EU Member States are alive to the challenges faced in this area by companies. The possibility for voluntary disclosure covering certain infringements and the publication of detailed guidelines on designing internal compliance policies specific to trade compliance are useful contributions in an ongoing dialogue between companies and authorities.
Typically, internal investigations of a potential export control or sanctions infringement are triggered by one of the following situations:
- Internal suspicions of export control infringements. Very often, companies themselves realize that they have erred in applying export control provisions, e.g. by relying on an incorrect general licence or by not consulting the latest list of designated entities or individuals. Sometimes an initial high-level audit produces evidence that employees have engaged in restricted trade with sanctioned countries. Another example may be the incorrect "deduction" of shipped items from the total number of products for which an export licence has been obtained, which might result in goods being shipped without authorization, despite such authorization being required under EU rules. This is a particularly difficult issue to track and may be easily caused by human mistake (e.g. due to inadequate training) or by the lack of software tools that facilitate tracking exported goods (e.g. appropriate IT systems).
In such cases, an internal investigation is required to fully assess the gravity of the infringement, potential liability of the company and the steps required to remedy the concerns, e.g. a voluntary disclosure of the infringement to the authorities or training of the persons in charge of exports. Voluntary disclosures to avoid fines are encouraged in many jurisdictions. However, due to the different scope among EU Member States of the breadth of voluntary disclosure provisions, companies should seek legal advice before proactively making use of this procedure. This is because they may find themselves in a risky situation, including a criminal investigation, if the conduct is not covered by the scope of the applicable voluntary disclosure scheme, or if such a scheme is not provided for under applicable national legislation.
- Official investigations by authorities. Internal investigations may also be triggered by an external review such as an audit of the company's books without any concrete suspicion of export control issues. In such a case, a company should mirror the authority's "fishing expedition" to ensure that it has clean records. Where an authority is already investigating an alleged breach of export control or sanctions laws, the company concerned may want to investigate whether any further infringements have occurred and require immediate action.
- M&A and financing. Finally, investigations of potential past export control and sanctions issues and more generally of the compliance system in this field may be caused by M&A or financing projects. In the course of preparing documents for a due diligence or for corporate finance projects (issuing bonds, entering into new credit facility agreements etc.), third parties may request a statement on potential legal areas of concern and a risk assessment. In this case, companies need to investigate their compliance internally with the export control and sanctions rules applicable to them.
While an investigation in the area of export control and sanctions has many parallels with investigations in other legal areas, some specifics need to be considered.
First, the applicable legal regime and the competent authorities need to be identified. It follows from the nature of trade activities that a number of jurisdictions may need to be considered in determining which law applies to a specific transaction. Some jurisdictions such as the U.S. have a far-reaching extra-territorial scope. In particular, with regard to investigations in defence sector companies, U.S. International Traffic in Arms Regulations ("ITAR") controls the movement of controlled data between the EU and the U.S. This means that investigations should be structured to ensure that potentially ITAR-sensitive material is reviewed in an ITAR-compliant manner. This may limit the ability of non-U.S. citizens to be involved in the review of such data. In an internal investigation, the steering team needs to ensure that such data is identified and kept separate from other information to be reviewed. Appropriate documentation is required to demonstrate compliance with these export control rules. Another example are U.S. secondary sanctions, which extend controls to non-U.S. companies in non-U.S. transactions that the U.S. deems as presenting risks under certain sanctions regimes. U.S. secondary sanctions increase compliance risks for EU companies and require particular vigilance in export transactions, including appropriate due diligence prior to approving "sensitive" transactions. Further, EU or Member States' law may even prohibit complying with certain sanctions other states impose through anti-boycott laws, such as the Blocking Regulation.
In the EU, export control and sanctions provisions are generally set at the EU level while the enforcement falls into the competence of Member States' authorities. Very often companies need to deal with parallel investigations by several authorities, whether that is authorities in different EU Member States, or even multiple authorities within the same Member State. It is worth noting that in the U.S., a reporting obligation for boycott requests exists regardless of whether the company complied with the request. Again, this may impact the way an investigation is structured between the EU and U.S. For instance, EU subsidiaries receiving a boycott request should make their U.S. parent entity aware of it, so that the U.S. corporation can comply with potential reporting obligations.
Second, scoping an investigation correctly facilitates a thorough review of all aspects that might be relevant both for the company and for the competent national authorities. For the former, an investigation allows identification of the deficiencies in its systems and procedures, and for the latter, it helps to have a complete overview of the remedial measures that the company concerned has taken to remedy the situation and their adequacy. Identifying the root causes of a problem might not be easy, in particular in companies with presences in several countries and complex internal structures. In cases like these, there might be elements in transactions that would not necessarily strike an auditor but which might play a big part in creating a compliance issue. Such elements are, for example, U.S.-nexus such as transactions denominated in U.S. dollars that immediately trigger U.S. sanctions rules. Another example is technology transfer, which might be a particularly sensitive issue from an export control perspective. Therefore, initiating an investigation with a broader scope than would usually be expected might prove useful in dealing with the situation in a holistic manner.
A further issue of particular importance for scoping an investigation is that sanctions rules, by their nature, can rapidly change due to political developments as demonstrated by the situation in Iran. This makes it difficult for companies to keep their compliance system up to date. For instance, from time to time entities or individuals will be added to or removed from the asset freezing and blocking of economic resources lists. In other areas, rapidly introduced sanctions sometimes make provision for the "grandfathering" of existing contracts otherwise covered under the new regime. These grandfathering provisions can differ between EU and U.S. sanctions regimes, between contracts entered into in a variety of different time frames, and sometimes only apply on a temporary basis, in effect stipulating a grace period for winding up existing contracts. Following the relaxation of EU sanctions on Iran in 2016 and the re-instatement of U.S. sanctions on Iran in 2018, the scope for disparities between the two regimes in this area has increased. This also appears to have an impact on financing by EU banks, which often request further information in relation to certain actions of EU clients if they consider that the transaction may lead to exposure under U.S. law. This raises significant difficulties for European companies doing business in Iran. In practice, before starting an investigation, a legal assessment by a sanctions law expert should be sought in order to identify the factual scope of the investigation. This aims at ensuring that the investigation uncovers all relevant material, including both incriminating and exculpatory material.
Third, investigations of export control infringements are particularly complex. Unlike in other investigations, emails often do not contain all the relevant facts required for a risk assessment. Even interviews with the key employees involved, e.g. the export control officer, do not ensure that all facts can be sufficiently established. In companies with complex internal structure and business organisation, identifying the person(s) in charge of exports might prove to be a complicated exercise, given that often different employees in different positions across the supply chain are involved in dealing with exports. Many infringements therefore require a broad scope of interviews with the company's personnel involved in all stages of the export process across the supply chain, from taking and recording an order to the finance department.
Moreover, an in-depth review of the company's electronic accounts is useful in identifying the number of shipments involved, the items shipped and the consignees of the goods. So-called structured data that needs to be reviewed resides in an electronic repository. For instance, this may originate in SAP systems tracking all orders and shipments a company handles in its day-to-day business operations. In order to understand and investigate such data files, it is important to obtain the database schema, which helps to determine the relationships between tables within the database. Accordingly, a thorough legal investigation goes hand-in-hand with the involvement of forensic experts experienced in the e-discovery of structured data.
This is also true for exports of technology items, or exports which take the form of technical assistance. In particular the use of cloud servers can easily expand the impact of export control and sanctions laws to business conduct even within the same group of companies. For instance, sending via email, travelling abroad with a business laptop containing or uploading to a cloud server technical drawings or CAD files of technology that may both be used for civil and military applications ("dual-use technology") can trigger export control questions and may require prior authorization. This may be the case even where the technology never leaves the business, but physically or virtually crosses a border. For those investigating potential technology transfer infringements, compliance with export control provisions is likewise important, e.g. when sending emails with attachments from Europe to the U.S. in the course of an internal review.
The complexity of export control law and the difficulties in reviewing the vast amount of data is also a challenge for the authorities. Many national export control authorities or customs authorities therefore appreciate the cooperation of companies which investigate potential infringements internally and present the results of their review to officials. Depending on the concrete infringements, companies may qualify for a voluntary disclosure programme that in some jurisdictions provides companies with full immunity from fines. But even if full immunity is not available, disclosing information voluntarily is often considered as a mitigating factor in determining a fine, and may even lead to a termination of administrative procedures without a conviction. In this process, it is crucial that national authorities see that the company concerned has taken measures to rectify the situation and correct the root cause of the problem. Steps such as conducting training of its personnel at all stages of the supply chain or introducing appropriate software tools, such as Enterprise Resource Planning (ERP) systems, to help track correctly exports are vital in actively showing that a company takes compliance seriously and invests resources in remediation.
Increased regulator attention in the area of trade compliance is necessarily leading to the maturing of internal compliance policies, often with guidance provided by different authorities on key aspects to consider. These policies should cover the full range of possible export control or sanctions issues, taking into account a company's individual risk profile in this area. For example, as well as covering supply chain issues, a trade compliance policy may also lay down rules on taking business laptops abroad where there is a risk of inadvertently exporting controlled technology stored on the computer. A robust internal compliance policy assists investigations in three main ways. First, such a policy should prevent or at least pick up possible infringements. Second, it provides a structure for investigation of any infringement that does occur: identifying gaps in hierarchy or supply chains which may be susceptible to such infringements, as well as helping to track information flow within a supply process. Finally, these two reasons also mean that such a policy provides reassurance to authorities that a company not only takes this subject seriously but has the means to implement any lessons learned in the case of a genuinely mistaken infringement. This may act as a mitigating factor in determining a fine.
Export control and sanctions problems generally gain high management attention. This is not only due to the risk of fines and reputational damage. Under certain legal systems in the EU, it is mandatory for companies exporting goods to have a board member take legal responsibility for export control compliance. Governmental procedures are often directed against this board member. Accordingly, investigations of export control infringements require professional handling including experience both of substantive export control laws and of the procedural aspects of handling an investigation in order to fulfil management expectations.
The above considerations have been identified by the EU as being important for designing an effective Internal Compliance Programmes ("ICP"). In August 2019, the European Commission published guidance on ICPs in the area of export controls, taking into account both international standards from other export control regimes, as well as best practices by national authorities. The guidance identifies seven core elements that an ICP should contain: (i) top-level management commitment to compliance; (ii) organizational structure, responsibilities and resources; (iii) training and awareness-raising; (iv) transaction screening processes; (v) performance reviews, audits, reporting and corrective actions; (vi) record keeping and documentation; and (vii) physical and information security. Although these elements are not an exhaustive list and ICPs should be tailored to the company concerned and its business activities, the guidance provides useful insight into the competent authorities' priorities when reviewing a specific transaction or investigating a company.
In times of dynamic international relations, export control and sanctions law gains importance as a political instrument. Infringements carry a high risk of fines, criminal prosecution and reputational damage for companies, members of their management, as well as their personnel. Internal investigations in this area require specialised expertise regarding the substantive legal assessment, the procedural management of the investigation, the forensic review of electronic data and the internal procedures followed at all stages of the supply chain until the export is completed.
|Dr. Falk Schöning
Hogan Lovells Brussels
T +32 2 505 0911
|Falk Schöning can assist you regarding all questions and problems of EU and German antitrust law, foreign investment control law and export control law. He advises in particular on international cases which require coordination between different legal systems or representation vis-à-vis several regulators. Falk is frequently called on by companies which need advice on EU or German export control law, in particular regarding procedures with the German authorities. He knows the typical pitfalls of trade and sanctions cases and regularly cooperates with European and German regulators BAFA, Bundesbank, the Federal Ministry of Economics and the customs authorities. As part of Hogan Lovells' wider European trade compliance team Falk frequently structures compliance programmes according to BAFA's guidance on Internal Compliance Programmes.
Hogan Lovells Brussels
T +32 2 505 0942
|Eleni Theodoropoulou focuses her practice on EU and international trade and investment law. She advises on EU sanctions and export controls, EU customs matters, as well as international trade and investment law and policy in the context of free trade agreements. She has participated in several export control investigations and internal audits, and has extensive experience in advising clients on how to best build their trade compliance structure. Eleni also advises on issues related to Foreign Direct Investment screening in the EU.
Prior to joining Hogan Lovells, Eleni gained experience at the European Commission's Directorate-General for Trade (Investment Unit), the International Centre for Trade and Sustainable Development in Geneva, the Permanent Representation of Greece to the Council of Europe in Strasbourg, and in private practice in Athens.