Intuitively, for transactions involving the most sensitive items, such as defense articles governed by the International Traffic in Arms Regulations or military items in the 600 series of the Commerce Control List, particular care should be taken in vetting restricted parties.
But the greater risk may lie with organizations that export a wider variety of items subject to the EAR – especially those classified as EAR99 and other ECCNs, which can often be exported or re-exported NLR.
This is because nearly all items subject to the ITAR require a license. This is generally true for 600-series items as well. But the EAR allows so many items to be exported NLR that this status is often misinterpreted as meaning that export controls do not apply. This is not the case, and if you don’t do a thorough restricted party screening, it’s easy to miss situations where seemingly innocuous transaction details trigger a license requirement.
In addition, the U.S. government’s use of sanctions has also changed. The various restricted party lists once primarily included imprisoned smugglers, terrorist organizations, and some hostile government entities. Now, these lists have become an essential tool for implementing U.S. foreign policy. As a result, the lists have expanded to include many legitimate and established businesses. Given the fluidity of global politics, new names are frequently added to restricted party lists for a variety of reasons.
Here are some considerations and best practices for restricted party screening.
Screening subjects
When screening for restricted parties, include all known parties to the transaction, including:
- Customers
- Sales representatives
- Dealers, distributors and any other channel partners
- Service providers and intermediaries such as banks and freight forwarders (whether your own or appointed by your client)
Also screen parties involved in other aspects of your business – especially those with whom you share data (also subject to export controls) or conduct financial transactions.
Some companies screen vendors, employees, and contractors against these lists during the pre-hiring or onboarding process. This is a good idea to avoid headaches and embarrassment later, and it makes sense to do it at the same time as your other pre-hire screenings.
It’s also wise for companies that do sensitive work or deal with sensitive clients to screen visitors.
Screen Beyond Name
Some restricted party lists provide addresses or other information. This information is not always meaningful or accurate, but when it is available, use it. It can uncover situations such as someone using a DBA that is not on any list but shares the address of a denied or restricted party.
You can also screen by geographic location, IP address, or email domain, which is particularly useful for businesses that accept orders online. If an order is shipping to Toronto, but the IP address is from a computer in Cuba, you need to know that information before completing the purchase. While IP and email addresses are easy to mask, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), which maintains the government’s most radioactive denied party lists, has said that failing to do this additional screening could be considered negligence.
What’s important is that you act on the information you have, even if its accuracy is limited.
Screening in any relevant jurisdiction
The U.S. government maintains several lists, each with its own purpose (see related article: Understanding the Various Restricted Party Lists). These lists include:
- Entity List (EAR)
- Denied Persons List (EAR)
- Unverified Entry List (EAR)
- Military End-User List (EAR)
- Prohibited Parties List (ITAR)
- Specially Designated Nationals and Blocked Persons List (OFAC’s SDN List)
- Comprehensive Screening List (Compiled by the International Trade Administration based on the above lists)
In addition to this, if your own organization has foreign subsidiaries or affiliates that may be involved in the transaction, you should review any appropriate lists of the countries in which those subsidiaries or affiliates are located.
Finally, screen for restricted party lists in the country where the end-user of the item you are exporting is located. Doing business with the wrong parties in other countries is one way your own company can end up on denied party lists in other countries.
Screen beyond the public lists
Government agencies cannot keep up with all the relevant information needed to screen effectively. For example, OFAC’s “50% rule” extends sanctions against an individual to any company in which the individual owns 50% or more. Consider a Russian oligarch who owns a string of businesses: the individual will appear on OFAC’s SDN list, but the changing names of those companies may not.
Additionally, in some countries, the government may not publish a list of restricted parties, but instead provide it to a limited number of third-party suppliers or certain vetted exporters.
There are a number of private companies that collect and collate this data. Major players include companies such as Dow Jones, Thomson Reuters, Kharon, and Sayari. The category is large and poorly defined, but their own descriptions often include the following terms:
- Business Risk Intelligence
- Complying with sanctions
- Denied Party Screening or Restricted Party Screening
If you handle sensitive material or do business in places like Russia and China, which have many sanctioned entities, these services may provide additional scrutiny.
Screening as early as possible
It is best practice to screen new customers at their first interaction as a potential business contact. Some companies have a policy of screening customers before their names are entered into a CRM system or sales database.
If you send out an RFQ, screen the responses as they come in — not after the list has been whittled down to one or two finalists.
If you don’t already screen your visitors but are considering adding this layer of security, screening should occur at the time of the appointment, not when they show up at the front desk. You’ll learn this lesson quickly, the hard way.
Screen, then screen again
The various restricted party lists change frequently. Companies are sold. People change jobs. As a result, a person or entity that previously passed muster may be flagged today.
There are usually two approaches to rescreening.
Transactional: Every time you transact with an entity, it is screened. Most companies begin their export compliance journey here.
Partner-based: Entities are screened before they enter the company database and every time an entity’s files change. Then, every time the relevant restricted party list changes, the entire database is screened based on those changes. This increases the number of individual files that need to be screened but reduces the overall frequency of the screening process. This is often the model that companies move to as compliance programs mature.
Automated screening process
Manually checking comprehensive screening lists can be useful for small businesses that occasionally export. But as a regular practice, it’s prone to errors — the most common being, “We’ve screened this name a hundred times and it’s never been flagged, so we’re not going to bother with it anymore.”
There are a number of enterprise-level software tools that can automate the screening process, using fuzzy logic or artificial intelligence to compensate for spelling errors, foreign language translations, and other pitfalls.
These systems require constant maintenance and attention. If your system never seems to get any matches, this could be due to low screening volume, or it could mean it’s not sensitive enough. On the other hand, if you’re being inundated with false positives, it’s not doing its job.
Develop a process for managing soft matches
If you have established responsible screening practices, some of the results will be unclear. An effective compliance program needs to include a clear chain of command: Who has the authority to review a soft match, and what process should be followed when making a decision?
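The sensitivity trade-off and soft-match handling described in the two sections above, and the shared-address check from "Screen Beyond Name", as an added example that is not part of the original article or of any screening product. It uses Python's difflib as a stand-in for commercial fuzzy logic; the list entries are constructed, and the `hard` and `soft` thresholds are hypothetical values a program would tune for itself.

```python
import re
from difflib import SequenceMatcher

# Constructed sample entries, not real designations.
RESTRICTED = [
    {"name": "Example Trading Company Ltd", "address": "12 Harbor Road, Springfield"},
    {"name": "Ivan Petrovich Sample", "address": ""},
]
# Legal-form words that should not affect a name comparison.
SUFFIXES = {"ltd", "llc", "inc", "co", "company", "corp", "gmbh", "limited"}


def normalize(text):
    """Lowercase, drop punctuation and legal-form suffixes, collapse spaces."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def score(a, b):
    """Similarity of two names after normalization, from 0.0 to 1.0."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name, address="", hard=0.92, soft=0.75):
    """Return (disposition, matched_entry_name, score).

    hard/soft are assumed thresholds: at or above `hard` the transaction is
    stopped; between `soft` and `hard` it goes to a human reviewer.
    """
    best = max(RESTRICTED, key=lambda e: score(name, e["name"]))
    s = score(name, best["name"])
    if s >= hard:
        return ("hit", best["name"], round(s, 3))
    # An unlisted name (for example a DBA) sharing a listed party's address
    # is routed to review even though the name itself scored low.
    for e in RESTRICTED:
        if address and e["address"] and normalize(address) == normalize(e["address"]):
            return ("soft_match", e["name"], round(score(name, e["name"]), 3))
    if s >= soft:
        return ("soft_match", best["name"], round(s, 3))
    return ("clear", None, round(s, 3))


if __name__ == "__main__":
    print(screen("EXAMPLE TRADING CO., LTD."))            # hit
    print(screen("Exampel Tradng Company"))               # soft match on spelling
    print(screen("Harbor Logistics", "12 Harbor Road Springfield"))
    print(screen("Exampel Tradng Company", hard=0.99, soft=0.95))  # too strict
```

The last call shows the "never gets any matches" failure mode: with thresholds set too high, the misspelled name comes back clear.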
Keep good records
As with every aspect of an export compliance program, the most important risk management function is that if something does happen, you can prove that you were not negligent and that you faithfully followed a carefully designed screening process.
Doing better than the minimum
A final best practice is to think beyond strict regulatory prohibitions and consider export transactions involving restricted parties. For example, in addition to the SDN list, OFAC maintains another list called the Non-SDN Chinese Military-Industrial Complex Company List (NS-CMIC List). There may not be a prohibition on doing business with certain entities on that list. But this could invite unnecessary scrutiny and reputational damage.
Do you have questions about best practices for restricted party screening? Visit www.learnexportcompliance.com to learn about our company, our faculty, our staff, and our highly regarded Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminars, live seminars and live webinars in the U.S., Europe, and elsewhere, and to browse our catalog of more than 80 on-demand webinars, visit our ECTI Academy. You can also call the Export Compliance Training Institute (540-433-3977) for more information. Scott Gearity is President of ECTI, Inc.