FAQ
Compliance
Compliance means ensuring adherence to laws (in one’s own company) through certain measures. In the field of global trade, compliance is primarily associated with the checking of persons and active and potential business partners against international. This includes not only business partners but also employees. An organization must take appropriate measures to ensure that no business relations are entered into with, among others, such persons or organisations that are recognised on sanctions and embargo lists.
If a company does not comply with this obligation, it is a criminal offence (For example in Germany defined in §34 AWG).
In general, every company in every sector is affected to take appropriate measures to adhere to global sanctions and embargos. AEO certified companies, or those seeking certification, must show that the measures taken to avoid any business relations with persons and organisations that appear on sanctions and embargo lists.
What does it mean to take “appropriate measures”? This includes all the precautions you take as a company to avoid continuing or entering business relationships with sanctioned persons, companies, or organisations. Continuous and automated sanctions and embargo checks are essential: you need to make sure that your (currently active or new) business partner has not been sanctioned.
It is not sufficient to check your business partners once. It could be that your business partner has been sanctioned due to a change in the sanctions lists (and these usually take place several times a week). Sanctions list checks are therefore only suitable if you monitor these changes in the future. In addition, the check shall be automated. It is not enough to assign an employee to every day manually compare the business partner and personnel master data with the sanction and embargo lists.
Sanction Lists
The obligation to check sanctions lists poses major challenges for entrepreneurs: Global anti-money-laundering regulations criminalise business contacts with persons and organizations who have links to a criminal organisation or are affected by an embargo measure. Likewise, trading with goods that are included in goods-related sanctions lists must be refrained from. If a company violates this and does not carry out a regular sanction and embargo list check, it can be sanctioned and is liable to prosecution.
In the context of anti-money laundering regulations, companies are prohibited from having business contacts with organisations or persons that are included in a sanctions list. Sanction lists are official lists in which persons, groups, organisations or economic goods are noted from which criminal threats emanate. A distinction is made between:
- Person- and organisation-related sanctions lists
- Goods-related sanctions lists
Goods-related sanctions lists contain goods and products that are affected by special import duties or export restrictions, for example. Export restrictions apply, among other things, to dual-use goods that can be used for both private and military purposes.
If a company violates international anti-terror regulations – e.g., by supplying terrorist organisations or disregarding export restrictions – it risks criminal sanctions. Possible sanctions are fines from €500,000 upwards, imprisonment for up to 15 years,
damage to reputation and subsequent impact on business relationships.
For a penalty, it is sufficient if the company acts negligently. In order to exclude such misconduct from the outset, it is advisable to regularly compare employee and customer data as well as your products or trade goods with the relevant sanctions and embargo lists.
The duty to check sanctions and embargo lists does not lie exclusively with the management of a company but is to be enforced equally by every department. Particularly noteworthy are, for example, the accounting department, the sales department, the customer service department and the human resources department.
For example, the accounting department is required to check whether payments are made to persons or organisations that do not stand up to a sanctions list check. Similarly, Sales must reassure itself for each transaction that there is no match to a sanctions list. The service must check that persons and companies on a sanctions list do not benefit from warranty rights, maintenance claims or similar. The HR department should also regularly subject existing employees and all applicants to a GDPR-compliant employee check.
The duty to check sanctions and embargo lists does not lie exclusively with the management of a company but is to be enforced equally by every department. Particularly noteworthy are, for example, the accounting department, the sales department, the customer service department and the human resources department.
For example, the accounting department is required to check whether payments are made to persons or organisations that do not stand up to a sanctions list check. Similarly, Sales must reassure itself for each transaction that there is no match to a sanctions list. The service must check that persons and companies on a sanctions list do not benefit from warranty rights, maintenance claims or similar. The HR department should also regularly subject existing employees and all applicants to a GDPR-compliant employee check.
Since sanctions lists are updated regularly, it is not sufficient to check the existing data only once. On the contrary, regular checking and ideally monitoring is required.
In principle, the intervals can be freely determined by the company. Since the sanctions lists are often updated at very short notice and irregularly, a complete and, above all, automatic check is recommended (monitoring). This is easier to achieve with the help of digital and automated solutions than with a manual procedure – which would require an immense amount of work and time due to the large number of sanctions lists.
In the context of international anti-money-laundering, all European companies are subject to the EU Anti-Money-Laundering Measures. This regulation stipulates that no business relations may be entered into or maintained with individuals who have attracted attention during an Anti-Money-Laundering or sanctions and embargo check. A business relationship is defined as any economic contact as well as any provision of goods, services or financial resources. This so-called ban on the provision of goods and services is intended to deprive global terrorism, criminal organisations or criminals of any financial basis or economic advantage. Companies are legally obliged to cooperate and must subject their employees, customers and contractual partners to regular controls. This ensures that cooperation with persons deemed to be high-risk neither damages the company’s good reputation nor puts it in trouble under criminal law. Sanctions must also be observed in the context of money laundering prevention. For companies, it is problematic to classify themselves in the legal areas of application of the individual sanctions lists, because there are a wide variety of sanctions lists worldwide, which on the one hand can be obligatory and on the other hand can be ignored.
UN sanctions list
For an adequate check of all business contacts, a routine comparison with the sanctions lists issued by government agencies is necessary. These are official catalogues listing all persons, groups and organisations against whom an economic ban has been imposed. The basis for sanctions lists issued at European and national level is the UN Sanctions List drawn up by the UN Security Council. All UN member states are obliged to avoid the listed persons for reasons of international law. At the EU level, there are also European sanctions lists. Entries from the UN sanctions list are included in these. In addition, some states keep their own registers based on international sanctions lists. For example, there are comprehensive sanctions lists of the UK, the USA, Japan and Switzerland. In order to plan and design the regular sanctions list review, the first step is to find out which sanctions lists are relevant to whom.
European sanctions lists
If a company has its registered office and focus of activity within the EU, at least the sanctions lists issued by the EU and the respective national competent body must be checked. At the EU level, a distinction is made between the sanctions lists relating to persons and those relating to countries. For example, the “Consolidated list of persons, groups and entities subject to EU financial sanctions” (also known as the CFSP list) contains the names of all persons, companies and organisations threatened with sanctions by the EU – regardless of their nationality.
UK sanctions lists
The “Consolidated list of Financial Sanctions Targets in the UK” serves as the UK’s central sanctions list and contains financial sanctions imposed by the EU on individuals, companies and organisations as well as national supplements. From the UK perspective, it is therefore more comprehensive than the “Consolidated list of persons, groups and entities subject to EU financial sanctions” and must be checked by companies or branches and locations based in the UK.
US sanctions lists
In principle, the examination of US sanctions lists can be considered if a specific line of business affects the EAR (“Export Administration Regulations”). These form the basis of US export control law. US sanctions lists under the EAR apply worldwide to all products and technologies of US origin – even if the product contains only a single component made in the USA (“integrated abroad into foreign-made products”) or was developed solely with the help of US technologies (“foreign-made direct products”) – that are traded internationally. Thus, even European companies that have no economic connection to the USA, but only deal with European or other non-US companies, are affected by the US sanctions lists. An initial overview of the subjects of the EAR is provided by its official table of contents. Put simply, a company falls within the scope of the US sanctions lists if it trades in goods or services that are of US origin – regardless of where in the world the company is based or where its customers are located.
However, the US sanctions lists are negligible if a company does business exclusively with US companies, as in this case US products may not leave the US goods cycle.
Other sanctions lists
In addition to the sanctions lists of the EU, the UK and the USA, embargoes of Switzerland and Japan could also be relevant. It depends on whether the respective areas of interest apply to a company.
If a company maintains business relations with Switzerland or is subject to Swiss law due to its registered office, Switzerland’s “Consolidated List” should be examined. This contains sanctions imposed by the Organisation for Security and Cooperation in Europe as well as important trading partners of Switzerland. In contrast, the Japanese “End User List” is published by the Japanese Ministry of Economy, Trade and Industry (METI) and lists companies and organisations that are suspected of developing weapons of mass destruction or missiles.
If the business partner data has been subjected to a sanctions list check and a match is found, the company must take immediate action. The further course of action is largely determined by the sanctions list checked and the jurisdiction in which a company is located.
If the sanctions list check does not produce any matching results, there is nothing further for management to do. If there is a positive result and a business partner or employee does not pass the sanctions list check, further steps must be taken.
First, the hit must be thoroughly clarified, because: Identical names do not automatically mean that the person on the sanctions list and the business contact in question are the same. Date of birth, place of birth or the organisation’s registered office, for example, provide clarification. This data can usually be found in the detailed entries of the sanctions lists.
If the company does not make any progress in clarifying the matter or if the suspicion is confirmed, the competent authority must be involved. The competent authority is, for example:
Financial Service Centre of the Deutsche Bundesbank
Federal Office of Economics and Export Control (BAFA)
The authority carries out further comparisons and then informs the company of the result. If it confirms the suspicion, current monetary payments must be frozen immediately, and the initiation or establishment of business relations must be terminated immediately.
EU sanctions lists (“Consolidated list of persons, groups and entities subject to EU financial sanctions”):
If business partner data matches entries on this list, the business relationship should not be continued. The prohibition on providing information applies.
United Kingdom (“Consolidated list of Financial Sanctions Targets in the UK”):
No economic goods or funds may be made available in the case of hits on this list. If the entry is a national addition to the “Consolidated list of persons, groups and entities subject to EU financial sanctions”, it is also advisable to notify the British Treasury.
US sanctions lists:
If the sanctions list check yields hit on US sanctions lists, this does not automatically mean a ban on the business relationship – in contrast to European sanctions lists. Rather, in some cases only an authorisation is required, which must be applied for with the US authorities.
“Consolidated List” (Switzerland):
Here, too, no goods or funds may be provided in the event of hits. In the case of national additions to the “Consolidated list of persons, groups and entities subject to EU financial sanctions”, contact should also be sought with the Swiss State Secretariat for Economic Affairs.
“End User List” (Japan):
In the case of matching results on the METI lists, shipments to the listed companies must be approved by the Japanese Ministry of Economy, Trade, and Industry.
If companies underestimate the importance of a regular and thorough sanctions list check and do not check business contacts against it, they are acting with gross negligence. Criminal sanctions, reputational damage and economic losses can be the result.
So that you neither fear sanctions nor must invest a considerable amount of time and effort in the sanctions list check, it is worthwhile to resort to a simple and automated solution.
PEP
If a company works together with so-called “politically exposed persons” (PEP), an increased risk of activities relevant under criminal law such as money laundering, corruption or tax evasion is assumed. For this reason, such business contacts (customers, suppliers, employees, etc.) shall be treated with increased caution and care. In order to find out whether current or future business partners are politically exposed persons, they must be subjected to regular PEP checks. It is important to note here that the sanctions list check and the PEP check are initially completely independent of each other. In principle, every company is obliged to conduct the sanctions list check, whereas the PEP check does not have to be conducted by every company. You will find out below whether you must carry out the PEP check. The PEP check is particularly complicated by the number of politically exposed persons and especially by the fact that there is no governmental or higher-level body (e.g., EU or UN) that issues official PEP lists. Worldwide, there are only very few providers who (can) identify PEP and their relatives. The PEP lists to which you have access via Trustnet.Trade include more than 1,150,000 names of PEPs or their relatives, which you can match fully automatically with your databases via us.
- Heads of state and government,
- Ministers,
- Members of parliament,
- leading personnel of supreme courts and state authorities,
- Ambassadors,
- Heads of state-owned enterprises.
Since politically exposed persons hold influential and powerful offices, they are assumed to be particularly susceptible to property offences. Thus, the past provides numerous examples of politicians who have exploited their position for personal interests, accepted bribes, influenced the awarding of contracts and laundered illegally acquired funds.
If it is subsequently discovered that a company has business relations with a PEP that has come to light under criminal law, it will be included in the investigation by the prosecution authorities. This can result not only in serious reputational damage, but also in criminal sanctions (fines, etc.). Therefore, a company that does not subject its business partners to regular or only rudimentary PEP audits runs a high economic risk.
According to the German Anti-Money-Laundering-Act (GwG), the PEP check is one of the internal due diligence obligations of companies that must be implemented. Basically, according to §10.3, §11.1, 2 of the German GwG, the check must be carried out before the business relationship is fully established if it must be assumed based on facts that assets related to the business relationship relate to criminal financing or money laundering. As a rule, this applies more to larger and well-connected companies than to small businesses and shops.
If there is a duty to identify politically exposed persons, a mere questioning of the contracting parties is usually sufficient. However, if the precise activities of a company suggest that regular contact with PEP could occur, it is advisable to carry out regular and comprehensive checks with government databases due to the increased risk. These are both national and international sanctions list as well as blacklists and watchlists. These so-called PEP lists list all persons who meet the characteristics of a politically exposed person.
If there is a positive match, one speaks of an increased risk of money laundering on the part of the business partner. This must be reported to a law enforcement agency and the Federal Criminal Police Office after closer examination. Failure to comply with this obligation is a violation of the Administrative Offences Act (German Ordnungswidrigkeitsgesetz – OwiG) – in which case fines of up to €100,000.
Positive indications of the existence of a PEP by no means mean that business contacts must be broken off – a mere risk does not yet mean that criminal offences have been committed by the politically exposed person or will be committed in the near future. In any case, however, the company must establish an efficient risk management and fulfil the “increased due diligence obligations” listed in § 6.2 of the German Anti-Money- Laundering-Act (GwG). These include, among others:
- regular personal meetings with the politically exposed person
- detailed examination of their (business) environment
- close examination of all transactions
The business partner identified as a politically exposed person has a statutory duty to cooperate. This means that he must provide comprehensive information upon request – for example, about the origin of the funds he channelled into the business relationship. If the duty to cooperate is not fulfilled, the continuation of the business relationship should be put to the test and, if necessary, terminated – the risk is too high that illegal activities are to be concealed by withholding information. In this case, a suspicious activity report in the sense of §11 German GwG should also be made to the competent law enforcement agency.
If a company underestimates the importance of subjecting its business contacts to regular PEP checks, it is acting with gross negligence and runs the risk of being subjected to criminal sanctions when conducting business with members of the PEP risk group – whether consciously or unconsciously. The fact that the comparison of individual names with the constantly updated sanctions lists and PEP lists takes a lot of time, means a lot of work and requires a legally sound interpretation of the results should not be a deterrent. However, in order to save time and personnel resources, Trustnet.Trade can help you. With the help of the online-based solution, all business contacts are regularly checked for classification as PEP. This way, you no longer run the risk of overlooking entries or missing updates to PEP lists – you always stay up to date. Your PEP check workload is significantly minimised, and you only need to act if there have been hits and Trustnet.Trade has notified you. If the PEP check does not deliver any results, you can fully concentrate on your main business.
Screening of Employees and Freelancers
As part of the fight against money laundering and to prevent the financing of criminal activities, every company in the EU is obliged to regularly check its employee data against the sanctions lists of the European Union. Sanctions lists record individuals who have links to a criminal organisation or are affected by any sanction and embargo measure.
To exclude business relationships with persons on the sanctions lists, companies should conduct regular sanctions list screening of their employees. Because: As soon as a monthly salary payment is made to an individual listed, or for example a company car is provided, there is a violation of the EU directives. Even if the company did not know about the listing, it must expect heavy fines and other penalties if it maintains an employer-employee relationship. In addition, violations can cause lasting damage to the company’s reputation and a subsequent loss of turnover.
With a regular comparison of employee data, companies receive timely knowledge of violations of the EU directives and can circumvent violations of the prohibition of provision.
A sanctions list check must be carried out both for existing employees and for
- Applicants
- Interns
- Freelancers
- Temporary Employees
Regular sanctions list screenings must be carried out due to the European Directives.
Companies can decide for themselves whether to tie the data comparison to a specific point in time – e.g. a new hire – or to carry it out at regular intervals. However, as the lists are updated regularly (several times a week), an automatic check is recommended, as otherwise current sanctions are not considered and thus violations are to be feared.
If the sanctions list check reveals that one of the employees is on a sanctions list, companies should not act hastily, but should conduct a thorough clarification. For example, identical names do not automatically mean that the same person is meant. Date of birth or place of birth can then provide clarification.
If no clarification is possible or if the suspicion is confirmed, companies must inform the competent authority – e.g. the Financial Service Centre of the Deutsche Bundesbank or the Federal Office of Economics and Export Control (BAFA). The BAFA carries out further comparisons and then informs the company of the result.
If there is no doubt that the employee is on a sanctions list, various legal consequences are conceivable:
- Freezing of monetary payments
- Termination of cooperation with the employee
The privacy of the individual is an asset in the European legal system. In the case of sanctions list checks, however, there is a clear legal basis in the form of EU directives. This is binding in every EU member state but does not give companies general authority to use employee data. Since many EU sanctions lists contain at most
- First and last names,
- details of titles (e.g. Dr. or Prof.),
- date of birth,
- place of birth and
- nationality
no further personal data are to be included in the sanctions list screening. For example, the residential address would not be found in some sanctions lists (eg. EU Regulation 753/2011) and inclusion would therefore be inadmissible under data protection law. Screenings of employee data shall take place exclusively based on the first and last name. Further personal data is not included in the check and is also not stored, so that there are no data protection concerns. However, if matching search results are returned, the company will receive all information recorded on the sanctions lists, i.e. also addresses, if available.
If a German company carries out additional comparisons with US lists, however, they need the consent of the employees concerned, because: American laws do not apply in Germany and thus do not provide a sufficient legal basis for interfering with personal rights.
If a company underestimates the importance of regular sanctions list screening and excludes its employees, it is acting grossly negligent and risks criminal sanctions.
Since a regular comparison of employee data with the constantly updated sanctions lists takes a lot of time and means additional work and administrative effort, a simple and automated solution is needed.