12 essential building blocks for a robust sanctions compliance policy

  • Case study

    21 June 2023


What happened?

While trade and financial sanctions have been proliferating for many years, there have been unprecedented changes in the global sanctions landscape since February 2022, when Russia invaded Ukraine. Now, more than ever, New Zealand businesses are eager to identify their sanctions compliance obligations and take steps to minimise their exposure to sanctions-related risks, including by implementing a Sanctions Compliance Policy (SCP). This alert identifies 12 essential building blocks that will assist any organisation to create a robust SCP.

Who needs to read it and why?

Companies operating in the following sectors and jurisdictions are more likely to be exposed to sanctions risks and benefit from adopting a risk-based SCP: 

  • High-risk sectors: Financial institutions; importers, exporters and logistics service providers; defence and aerospace businesses; technology and telecommunications companies; energy and natural resources companies; multinationals; and professional services firms. 
  • High-risk jurisdictions: Belarus, Cuba, Iran, Myanmar, North Korea, Russia, Sudan, Syria, Venezuela and the Ukrainian regions of Crimea, Donetsk, and Luhansk.

Key components of a Sanctions Compliance Policy

When developing an SCP, it is crucial to align with the expectations of your regulators. For New Zealand businesses, this will include the Ministry of Foreign Affairs and Trade (MFAT) and may also include the Police's Financial Intelligence Unit (FIU). [1] For companies operating internationally, there may also be merit in adhering to the expectations of foreign regulators, including the United States’ Office of Foreign Assets Control (OFAC). [2] While specific obligations and expectations may exist for organisations operating in high-risk sectors and jurisdictions, Western sanctions regulators will generally expect the following:


1. Policy statement: An SCP should begin with a clear and concise statement that demonstrates the organisation's commitment to comply with all applicable sanctions laws and regulations. It should emphasise the importance of compliance, convey senior management's support for the policy, and identify internal persons responsible for its implementation.


2. Regulatory framework: An SCP should provide an overview of the sanctions laws and regulations that apply to the organisation and the potential consequences of non-compliance, which can include significant fines, criminal charges, loss of business opportunities, reputational damage, exclusion from the financial system, and restrictions on trade. The applicable sanctions rules and penalties will include those of the jurisdictions where:

  • the organisation is incorporated, operating and transacting; and 

  • the organisation’s shareholders and directors are incorporated, nationals or resident.


3. Risk assessment: An SCP should be underpinned by a comprehensive risk assessment that identifies and evaluates the organisation's exposure to potential sanctions violations. The policy should describe the risk assessment process, including the factors considered, such as the organisation's geographic reach, customer base, products/services offered, and transaction types. The greater the exposure to sanctions risk, the more robust the organisation’s SCP should be.


4. Due diligence procedures: An SCP should define procedures for conducting customer, supplier and other business partner due diligence (DD) and enhanced due diligence (EDD) for higher-risk individuals, entities or transactions. DD should include verifying the identity of individuals, entities and their beneficial owners, and evaluating the reputational and compliance risks those persons present. DD should be conducted before entering into a commercial relationship and on an ongoing basis to ensure that a business partner is not subject to sanctions or involved in any activities that may pose a sanctions risk. EDD is recommended for certain high-risk industries [3] and transaction types [4]. The SCP should specify the documents required to support DD determinations and the process for escalating any concerns or red flags identified during the DD process.


5. Internal controls and screening procedures: An SCP should outline the organisation's internal controls and procedures designed to detect, prevent and mitigate the risk of sanctions violations. At a minimum, this should include screening processes for assessing potential customers, suppliers and other business partners against the relevant government-issued sanctions lists, such as those published by the United Nations (UN), MFAT, OFAC and other regulators. The policy should define: the scope and frequency of screening; the tools or resources used for screening purposes [5]; the actions to be taken in the case of a potential match; and the escalation process for suspicious or blocked transactions.


6. Training and awareness: An SCP should emphasise the importance of ongoing sanctions training and awareness-raising programmes to educate employees about sanctions obligations, their responsibilities, and the potential risks and consequences associated with non-compliance. The policy should also specify the mechanisms for assessing and documenting employee understanding.


7. Recordkeeping: An SCP should detail the organisation's recordkeeping requirements, including its rules for the retention of transactional data, screening results, and compliance documentation. In the absence of sector-specific rules, best practice suggests that DD and EDD records should be kept for a minimum of five years from the date of the last transaction or the end of the business relationship, whichever is later.


8. Response, corrective actions and reporting: An SCP should define the organisation's response plan in the event of a potential sanctions violation. It should also outline procedures for escalating consideration of a potential sanctions violation, conducting an internal investigation, implementing corrective actions, and disclosing a potential violation to the relevant regulatory authorities, as necessary or advantageous. [6]


9. Testing and auditing: An SCP should establish processes for regular internal audits and testing of the organisation's programme. This may involve periodic reviews of internal controls, screening processes, and employee adherence to policies and procedures. The policy should also specify the remedial actions to be taken in response to audit findings.


10. Continuous monitoring and updates: An SCP should stress the need for ongoing monitoring of sanctions laws, regulations, and regulatory guidance, which can be subject to frequent and sudden change. It should establish mechanisms to review and update the policy and associated procedures regularly, ensuring alignment with evolving regulatory expectations. 


11. Third-party relationships: If applicable, an SCP should address the organisation's approach to managing the compliance risks associated with third-party relationships. An organisation may want to seek representations or warranties from third parties that they do not present sanctions risks, and that they will take reasonable steps to ensure their ongoing compliance with sanctions. These undertakings may be linked to contractual provisions that enable the organisation to exit any relationship that presents an unacceptable sanctions risk.


12. Bank relationships: An SCP should align with any sanctions-related undertakings the organisation has made to its banks, financiers, or others. Bank customers should also be familiar with the public aspects of their bank’s SCP and the sanctions-related terms and conditions governing the use of their accounts and facilities. Customers should be mindful that New Zealand’s High Court recently determined that a bank may terminate a relationship with its customer on sanctions-risk management grounds, subject only to the requirements of its terms and conditions. [7]

What next?

If you would like assistance to develop or refine your organisation’s SCP, please do not hesitate to contact one of our experts.

How can we help?

We have extensive experience of advising on sanctions compliance and enforcement-related matters, including sensitive matters relating to Russia, Iran, China, Cuba, Myanmar, North Korea, Syria, and Venezuela.

We routinely assist clients to:

  • develop or refine sanctions compliance programmes;
  • produce obligations registers;
  • conduct compliance assessments;
  • undertake customer and transaction due diligence and screening processes; and
  • structure low-risk transactions.

Members of our team have represented clients in sanctions investigations undertaken by the New Zealand Customs Service, the UN, and the UK and US governments. We have also represented clients in contentious sanctions matters, including Banking Ombudsman Scheme disputes, Human Rights Commission mediations, and litigation. Team members represented the Respondent in Targa Capital Limited v Westpac New Zealand Limited [2023] NZHC 230 and the Defendant in New Zealand Customs Service v Pacific Aerospace Ltd [2018] NZDC 5034.



[1] New Zealand businesses may also want to seek guidance from New Zealand Standard NZS/AS 3806:2006 on Compliance Programmes, which is of general application. It has been recognised by the Australian Competition and Consumer Commission in relation to competition and the Financial Markets Authority at the beginning of the Financial Markets Conduct Act 2013 regime.

[2] OFAC’s A Framework for OFAC Compliance Commitments remains the best starting point for any company looking to establish or refine an SCP.

[3] For example, the Wolfsburg Group’s Guidance on Sanctions Screening provides more comprehensive DD recommendations for financial institutions.

[4] For example, MFAT’s Guidance Note: Due Diligence, Guidance Note: Banking Transactions and other guidance notes for exporters and importers provide recommendations for New Zealand persons contemplating dealings involving Russia.

[5] Screening can be done manually or expedited with the help of automated technology solutions. Our clients recommend Refinitiv World-Check, Dow Jones Risk Center, LexisNexis® Firco Continuity and SymphonyAI NetReveal.

[6] Some sanctions regulators publish guidance on their reporting expectations. For example, MFAT’s Guidance Note: Duty Holder Reporting informs ‘duty holders’ about their reporting obligations under the Russia Sanctions Act 2022 and Russia Sanctions Regulations 2022. Many regulators encourage and confer benefits upon persons who file voluntary disclosures about their potential sanctions breaches. 

[7] MinterEllisonRuddWatts, Banks may terminate services to entities associated with sanctioned individuals, available here