Euro SIFMANet Barna Report

During the design of the sanctions packages imposed on Russia following its full-scale invasion of Ukraine in February 2022, the initial focus was on throwing the net as wide as possible. The aim was to impose restrictive measures on a broad range of financial and trade activities. However, following the early flurry of activity, attention has now shifted towards ensuring effective implementation and enforcement.

Over nearly two years, the RUSI-led European Sanctions and Illicit Finance Monitoring and Analysis Network (SIFMANet) has highlighted the main structural challenges faced by EU member state national authorities, and businesses with sanctions responsibilities. It has also identified that all stakeholders – whether private sector actors seeking to improve their implementation or governments monitoring for circumvention and evasion – need better data. This would allow sanctions to be more effectively implemented, and circumvention and evasion more effectively tackled.

To gain insights on this issue, the Centre for Financial Crime and Security Studies (CFCS) at RUSI hosted a roundtable discussion in Barcelona in November 2023, with the support of Dow Jones Risk & Compliance. The event gathered sanctions experts from the public and private sectors across different European jurisdictions to explore, under the Chatham House rule, the role of data in strengthening the implementation and enforcement of sanctions. This engagement was part of SIFMANet’s activities supported by the National Endowment for Democracy, and along with a video filmed on the day, this report presents the main findings from the discussion.

The Need for Data to Support Sanctions Implementation

Sanctions used to be an isolated task within the compliance departments of financial institutions, whose primary responsibility consisted of screening sanctions lists to check for individual and entity name matches with their client base and transaction activity.

At the workshop, private sector representatives noted that this modus operandi started to change following the introduction in 2014 of sanctions against Russia, in response to the Kremlin’s annexation of Crimea and invasion of eastern Ukraine. This programme introduced sector-specific sanctions, which for the first time required financial institutions – and others from the private sector such as oil services companies – to have a deeper understanding of their clients and, critically, their activities.

This task demanded increased resources from these elements of the private sector, as well as their clients, to obtain and process data that was far more complex than merely checking for sanctions-list name matches. Fast forward to February 2022 and the sanctions that followed Russia’s full-scale invasion dramatically increased this burden and introduced complex sanctions compliance to a large number of economic operators that had never been exposed in this way before.

As a result, businesses place significant demands on national competent authorities to assist with identifying where they require licences to continue their operations, but also information regarding possible entities engaged in sanctioned activities, something that is not yet widely available from the typical vendors of sanctions screening services.

Participants from both governments and the private sector clearly articulated in the workshop that if sanctions are to be implemented effectively by the private sector, placed on the frontline by their governments, then a significant improvement in data is required. There was also strong agreement that banks should not be left to carry this burden on their own. Governments must clearly make those businesses engaging in trade exposed to sanctions aware of their responsibilities and must either have proper internal sanctions-monitoring controls or access to third-party tools that can provide them with the necessary compliance capacity.

Given the purpose of the workshop was to focus specifically on data, the next section addresses specific tactical data that the private sector could leverage to improve its sanctions compliance, and how governments can use data to facilitate better private sector implementation.

What Data is Helpful for Implementing Sanctions?

The use of data for improved sanctions effectiveness falls into two parts: data used to support implementation by EU member states’ banks and businesses; and data (mainly related to trade) used to identify sanctions circumvention.

Improved Implementation

For banks and businesses operating in the EU, data plays two roles: first, it facilitates better identification of sanctioned individuals and their assets; and second, it clarifies where clients might be involved in restricted sectors or activities.

Beneficial Ownership Registries

Beneficial ownership registries are useful sources of data on companies and their ownership structure and related natural persons involved in them. However, both public and private sector participants noted that registers, if accessible, often do not hold the same type of information in each country, they do not always hold reliable and updated information, and they are at times only accessible in certain languages. In addition, some jurisdictions have business registries that require subscriptions and have limited financial intelligence on, for example, companies’ financial statements.

Participants defined public access to beneficial ownership registers as a crucial element for sanctions implementation and they regarded the ruling from the November 2022 European Court of Justice as a new and troubling challenge. A representative from the Spanish Treasury explained that one of the goals of the Spanish Presidency of the Council of the EU is to harmonise information across EU registries.

Client Documentation

Given the lack of publicly available and machine-readable data, trying to map client activities involving Russia’s neighbouring countries and trading partners demands that the private sector devote substantial amounts of manual labour to check information submitted by clients on their transactions. Businesses hold the deepest knowledge of the sector in which they operate and of their own activities. So, the data they provide is essential. However, representatives from financial institutions noted that it is increasingly difficult to rely on information submitted by clients given that, as elaborated below, it may be subject to a lack of knowledge on the part of their clients or to obfuscation tactics used by those seeking to evade sanctions.

Businesses are not only trading in goods subject to sanctions, but also technical services, and many do not know the extent of their sanctions obligations. An example shared by a participant described that providing crew members for a vessel carrying Russian oil could fall under EU prohibitions, but many businesses do not know this, and rely on financial institutions to inform them that such activity is prohibited.

Furthermore, participants noted that they are increasingly holding conversations with clients regarding suspicions of document forgery. Financial institutions explained that the supporting information provided to justify the submitted documentation is often useful to confirm or reject their suspicions. But again, this work creates a significant extra burden on the financial institutions’ sanctions compliance community.

To effectively manage their monitoring burden, many financial institutions are thus following a risk-based approach. If a financial institution sees a client trading with a third country with which it has maintained trade relations in the past, then it can lower manual effort. On the contrary, if the business relationship was recently established or has now shifted to include controlled goods, the financial institution will increase the manual work required to check the transactions.

While financial institutions monitor clients across all sectors, key corporates may serve as the most useful and expert sources of data. These include shipping companies, logistics firms and airlines. These businesses hold the raw data required to check goods that banks do not have access to, such as the bill of lading, the itinerary of vessels or identity location spoofing. The top companies in these sectors are screening these elements, but with a lower level of scrutiny than banks would like them to for sanctions-compliance purposes.

In sum, better data is required if the private sector is to be fully empowered to play its role on the frontline of sanctions implementation. As the complexity of sanctions has grown, the provision of and access to data has lagged. New tools need to be developed by those companies with expertise in providing data services; and governments need to provide access to additional sources of data that can enhance the effectiveness of the private sector.

Identifying Circumvention

As well as facilitating improved implementation, data – particularly trade data – can be used by governments to identify changes in trade flows that may be indicative of emerging sanctions circumvention routes used by Russia to procure the key goods it requires for its military.

Trade Data

Public and private sector representatives acknowledged their initial positive assessment of the reported declines in their jurisdictions’ direct trade with Russia. This assessment changed once they identified the increasing exports – including of controlled and banned goods – to third countries regarded as high-risk for circumvention. This indicated that their trade with Russia continued, albeit indirectly. To properly observe and understand the specific transactions and flows, and the extent to which they represent sanctions circumvention, authorities and the private sector point to various data points to strengthen their sanctions compliance mechanisms.

Participants noted the difficulty of proving that goods exported from a specific jurisdiction to a third country are then re-exported to Russia through generic import/export trade data. Sources such as UN COMTRADE – described as not particularly user-friendly – or national customs data can serve as a good guide to identify suspicious trade flows, but do not provide sufficiently deep insights. A participant provided a visual example in which a member state exported apples to a third country, and the third country exported apples to Russia. The flow of apples can be identified in the member state’s national customs data but unless the items are specifically identified, it is hard to prove that it is the self- same apples that enter Russia. Participants added that the customs data from Russia and certain third countries may be a useful starting point but cannot be trusted and often entail language translation complications.

To compensate for this lack of clarity, tools such as Import/Export Genius provide transaction-level tracking data, identify where a product was produced, and to where it was shipped. Authorities and financial institutions can use this data to then query companies involved on whether sanctions are being breached. A key piece of information employed in trade is Harmonised System (HS) codes. These describe the nature of a product.

HS codes differ across jurisdictions, as countries incorporate additional digits to the six-digit HS codes for further classification. For example, in the EU they are known as TARIC codes and in the US they are HTS codes. This creates divergences among HS codes, which authorities and businesses must understand. HS codes are particularly useful to screen for dual-use goods. However, participants highlighted that not all dual-use goods have HS codes. This a critical challenge as the technical descriptions of HS codes in regulations often create confusion, which increases cost of compliance for businesses that must manually check them.

Furthermore, authorities and financial institutions have detected that some businesses will alter the HS codes of goods to pass them off as products not subject to prohibitions. This is related to the document forgery issue that is increasingly spotted by financial institutions in the information provided by clients. Participants explained that when a bank is financing trade through letters of credit, they will have more information on the operation than if the trade is conducted via “open account” through which their access to data is limited to just seeing the financial transaction. This makes it harder to spot irregularities. As one participant noted, “the task now consists of screening against information that is not there”.

The collection of trade data is essential for the private sector to effectively implement sanctions and detect circumvention. However, trade data also plays a key role in the diplomatic efforts of authorities. The EU both requests trade data from third countries and also asks them to validate its own perspective on the third country’s trading activity, to assess their involvement in circumvention. Suspicious trade flows and confirmed circumvention activities identified through the aforementioned analysis of trade data by EU operators can be leveraged by authorities from sanctions-imposing countries to deter third countries from facilitating circumvention through their jurisdictions.

Other Data

Throughout the roundtable, participants also pointed to other data sources that would be useful for authorities and businesses to exploit and process to enhance their investigations and compliance systems.

For example, for individual financial transactions, Business Identifier Codes (BIC) are well-known sources of data used for addressing SWIFT messages, routing business transactions and identifying business parties, but the screening of less common items can also provide valuable information. One such example is screening IP addresses that may help identify businesses operating in high-risk jurisdictions. IP addresses can be disguised through VPNs, but their usage can be detected and as a result trigger a red flag to demand enhanced due diligence. As private sector participants noted, screening IP addresses is an increasingly common practice by larger financial institutions and e-commerce firms to block transactions from sanctioned jurisdictions and/or flag transactions for further scrutiny. They noted that national competent authorities could enhance the effectiveness of private sector sanctions implementation by providing this information in sanctions designations as and when available.

The need to leverage such additional data points to support sanctions implementation highlights the added complexity of the post-2022 regimes. Using these data sources to triangulate and identify evasion activity demands a considerable degree of manual work to check the entities involved and their activities. Yet, despite the resources required, going beyond basic due diligence and conducting open-source intelligence (OSINT) analysis must now be a critical component of sanctions implementation.

With regards to maritime transport, the Automatic Identification System (AIS) required by the International Maritime Organisation (IMO)to locate vessels was also noted by both public and private sector participants as providing valuable data. Even though the AIS can be turned off, this should trigger a red flag in due diligence systems. AIS will also indicate changes in the draft of the vessel, which might reveal that transhipments took place due to a change in the vessel’s cargo. This can be complemented with the use of satellite imagery. Similarly, IMO identification numbers of designated vessels are key pieces of data that institutions should have at their disposal to monitor their activity such as reflagging or change of ownership.

Private sector actors, particularly financial institutions that can afford to make such investments, are increasingly developing OSINT capabilities as they can provide invaluable data on clients, their partners and their activities. The information can be openly shared with authorities and other private institutions.

Persisting Challenges

While available circumvention routes are increasingly limited, participants noted that supply chains are getting more layered with complex multi-jurisdiction corporate structures and operators increasingly struggling to control what is happening along a particular route. The manual work required to effectively obtain and screen the necessary data is a cumbersome burden for the private sector and the task of identifying companies owned or controlled by sanctioned individuals in the supply chain is challenging. Ownership data is relatively straightforward when it is publicly available – which, as indicated above, is not always the case – but determining “control” is a more difficult task, given that the necessary information might not be public and the concept of “control” can be judgemental.

In certain areas, participants explained that they face the challenge of combining contradictory datasets. For instance, when monitoring to confirm that a transaction was done below the oil price cap, both authorities and businesses must check data from shipping companies and customs pricing data, which do not always match. This intense screening is conducted for each individual transaction but if the goal is to disrupt the trade of oil or battlefield items before it happens, operators would need to develop foresight by identifying patterns and incorporate these mapping activities into their compliance procedures to anticipate potential evasion transaction.

A further complication to these mapping efforts and the blocking of suspicious transactions is the decoupled nature of payment flows from their related trade flows. While payments are flowing between two jurisdictions, goods may be produced and transported from factories in third countries. For example, a Swedish entity can have a Dutch bank account, receive the payment from a shell company in Turkey, and ship controlled goods from Malaysia via a third country to Russia. Financial institutions emphasised that it is very challenging to block such transactions as they are often unaware of the trade flow connected with the payment, a trade flow involving countries outside the Western sanctions regime and thus not subject to local control. Furthermore, even if (in this case) the Turkish shell company is identified as facilitating sanctioned trade, a new shell company can easily be established in its place elsewhere with no transaction history.

One possible way of addressing this challenge, raised by finance experts at the roundtable, is to identify pinch points in the payment flows, for example by making more use of SWIFT messaging data by mandating greater use of currently discretionary fields, to help illuminate payments related to circumvention.

The increasing burden placed on the private sector led participants to express their concern over the lack of clarity regarding the extent of their compliance obligations to confirm there is no risk of sanctions violation or circumvention. They have significantly increased their sanctions-dedicated resources and tools but at some point they have to make a judgement as to how far their due diligence obligations extend. Participants explained that investigations had traditionally been limited to checking two levels of ownership, but recent investigations have gone down many more levels of ownership to identify the real individual controlling an entity. Private sector representatives added that this may clash with the expectations of regulators, which will also differ across the jurisdictions they operate in. Even minute differences will be immense for internationally operating institutions.

A clear message from participants was that many businesses lack experience regarding the availability and use of the data sources discussed at the workshop. This often means they resort to third-party data providers and vendors. These services ease the burden on businesses, but authorities have raised concerns of an over-reliance on these services without understanding how the tools they provide work. Participating authorities explained that their inspections showed that many businesses do not properly detect the right matches after inputting the data provided into their systems, and some screening systems struggle with fuzzy searches with multiple options per identifier. These fuzzy searches are themselves the outcome of vast discrepancies across sanctions lists, further complicating compliance tasks.

Furthermore, the heavy burden imposed on the private sector is met with a lack of incentives to actually comply with sanctions obligations. First, participants noted that HS codes are used for tax purposes, so businesses are not always interested in reporting them accurately. Furthermore, for intentional circumvention schemes, public and private sector representatives agreed that the consequences of breaching sanctions at the moment are not enough to deter violations, both in terms of low financial penalties but also low chances of detection.

This is partly related to the insufficient level of information exchanged within the EU, a major impediment to sanctions investigations and enforcement. Currently, many investigations are crippled when a national competent authority requests information from a member state where sanctions violations are not yet criminalised. A participant suggested that to improve the sharing of data and avoid duplication, the EU needs a sanctions-related institution such as OLAF, which is currently the only agency that coordinates member states regarding imports and exports. Regional initiatives for enhanced information-sharing within the EU are happening in areas such as the Baltic states, but this should be happening across the EU.

Recommendations

As one workshop participant noted, a key feature of the current sanctions regimes against Russia is that policymakers are expecting sanctions to achieve far more today than has been expected of sanctions regimes in the past, and governments’ messaging often seems to expect companies to screen transactions against non-existing data.

A core pillar of the effectiveness of the current sanctions implementation and enforcement landscape is the availability, accessibility and quality of data. During the workshop, participants proposed a series of valuable sources of data for authorities and businesses to strengthen their investigations and compliance mechanisms. However, these data sources pose a series of challenges in themselves, which the EU must take measures to mitigate in order to improve the sanctions efforts across the public and private sectors. The importance of this is clear. Data can not only support better implementation of sanctions by EU member states and their financial institutions and businesses, it can also provide a strong basis from which to engage in dialogue with third countries that are vulnerable to – or indeed are already facilitating – sanctions circumvention.

With a focus on how governments can support the private sector in achieving their goals, some specific recommendations emerged from the workshop.

1. Clarity of obligations. Supervisors need to clarify what is required of the private sector. Too often requirements and expectations are ambiguous and lack specificity. Although ambiguity may be a means by which governments can ensure businesses do not merely restrict their compliance obligations to the bare minimum, the uncertainty faced in the private sector on whether they have done enough for a single transaction leads to inefficient responses, the investment of extensive (potentially unnecessary) resources and manual work, and economic costs.

2. Enhanced awareness in the private sector. Businesses must expand their understanding of the steps needed to conduct sanctions due diligence on clients, their trade partners, controlled products and sectoral risks. Governments must support this education process by providing briefings and access to new data sources that can facilitate sanctions implementation. As one participant noted, screening for “persons connected with Russia” is just not possible – or desirable; and placing the burden of policing businesses entirely on the banking sector is not efficient. Key industry sectors such as shipping and logistics must be made to feel equally responsible and empowered.

3. Harmonisation and consistency are key. Small inconsistencies in sanctions interpretations by authorities can have a significant impact on the private sector. For example, within the EU, the understanding of ownership and control differs across member states and, in consequence, guidance for businesses operating in several jurisdictions varies. Likewise, the quality and nature of information found in national beneficial ownership registers varies, is often not updated, is in different languages, and is not publicly available. Among the sanctions coalition, key identifiers such as HS codes also differ and alignment in this regard would facilitate the tasks of both authorities and the private sector. More broadly, the quality of trade data is lacking and should likewise be presented in a harmonised manner as much as possible.

4. Optimising use of trade data. First, trade data from EU member states can be trusted and should be the foundation of trade-related sanctions implementation. EU member state capacity in this field varies – development of an EU member state sanctions trade data expert working group could enhance the use of this data to identify EU-based weaknesses. Second, trade data should continue to be used to engage with third countries to ensure common understanding of the key items that are subject to restriction.

5. Improve EU-wide trade data sharing. The EU should create an EU sanctions-related information-sharing mechanism similar to OLAF to ensure consistent interpretation of sanctions (particularly related to trade).

6. Consolidation must continue. The consolidation of regulations is essential for businesses with insufficient experience to navigate complex EU legislation. Furthermore, a consolidated – and more closely aligned – list of sanctioned individuals and entities from the international sanctions coalition would facilitate the task of businesses that aim to be compliant across all regimes.

7. Make greater use of SWIFT data. Tackling circumvention trade flows would benefit from identifying pinch points in the flow of payments, for example by making more use of SWIFT messaging data by mandating greater use of currently discretionary fields, to help illuminate payments related to circumvention.

8. Technological advancements. The current level of manual work required to fulfil sanctions compliance obligations is an unsustainable burden on the private sector. Greater attention should be placed on developing tools that will facilitate the effective compliance of businesses. For example, a participant noted Singapore’s introduction of blockchain to track payments and trade.

In sum, data – in all its forms – is emerging as a key tool in enhancing the effectiveness of sanctions implementation against Russia. Yet, the provision and availability of data by governments to the private sector has lagged the growth in complexity of sanctions. Accessible data has the potential to enhance the ability of financial institutions and businesses across the EU to be fully empowered to correctly identify entities, industry sectors, activities and specific goods that should be blocked. It can further assist with the identification of circumvention activity and underpin diplomatic engagement with third countries. The challenge ahead is to enhance the quality and accessibility of these data sources to ensure the impact needed to further restrict the funding and resourcing of the Russian military.

Tom Keatinge is the founding Director of the Centre for Financial Crime and Security Studies (CFCS) at RUSI, where his research focuses on matters at the intersection of finance and security. He is also currently a specialist adviser on illicit finance to the UK Parliament’s Foreign Affairs Committee ongoing enquiry.

Gonzalo Saiz is a Research Analyst at the Centre for Financial Crime & Security Studies at RUSI, focusing on sanctions and counter threat finance. He is part of Project CRAAFT (Collaboration, Research and Analysis Against Financing of Terrorism) and Euro SIFMANet (European Sanctions and Illicit Finance Monitoring and Analysis Network).