On 30 March 2022, K2 Integrity hosted its latest webinar on evolving sanctions against Russia, during which K2 Integrity sanctions and policy experts Chip Poncy, Olivia Allison, and Gerald Werner discussed the impact the sanctions are having on global supply chains. This article summarizes the key points and analysis from the event. If you would like to watch a recording of the webinar, please click here.
Between export bans and the numerous entities and individuals now restricted from transacting in the global economy, organizations worldwide must evaluate the legal, reputational, and cybersecurity impacts on their supply chain. How can companies navigate the current landscape and mitigate their supply chain and cyber risks?
Sanctions against Russia continue to evolve rapidly, as governments across the globe coordinate to impose a wide range of Russia-related sanctions measures, including asset freezes, financial or economic prohibitions, trade requirements, and export controls. Beyond growing regulatory prohibitions regarding Russia, companies are self-sanctioning and voluntarily withdrawing operations or investments from Russia.
These multilateral efforts include the European Commission's "Freeze and Seize Taskforce," announced on 17 March, which formalizes what for two decades has been a shared responsibility between the European Commission and the European Union (EU) member states. This task force will work alongside the multilateral Russian Elites, Proxies, and Oligarchs (REPO) task force and a range of domestic initiatives, such as the U.S. Department of Justice's newly launched Task Force KleptoCapture and the UK's new Kleptocracy Cell.
Authorities across a range of jurisdictions have also implemented blocking sanctions against leadership and oligarchs in Russia. Over the course of one week, Canada announced sanctions against 160 Russian lawmakers, the United States against 300 Russian lawmakers, and Australia against a number of Russian propagandists and Belarusian President Lukashenko and his family. In addition, Switzerland-despite not imposing sanctions against Russia following the 2014 invasion of Crimea-opted to adopt EU sanctions on Russia, effectively mirroring the EU sanctions campaign as it evolves.
We continue to see companies withdraw from Russia, resulting in frequent announcements about operations and customer supply chains being rerouted or suspended.
Supply Chain Analysis and Due Diligence
Companies should think about their primary or level one suppliers and consider what their supply chain risk management system actually examines. Considerations include:
- Does the organization have a global policy that is evenly implemented, especially if there are operations around the world, where company branches are feeding into the company's global database?
- What is the organization's direct exposure to the sanctions, and what's been designated where?
- To what degree does the organization have adequate due diligence to understand who is behind the businesses in the supply chain? A lot of businesses that are controlled by sanctioned individuals, particularly oligarchs from Russia or elsewhere, may be set up in a way that obfuscates their ownership.
It is important for organizations to spend time considering the wider economic impact of the sanctions that have been imposed. An organization may have, for example, level-one suppliers that are facing a crunch from other customers self-sanctioning or de-risking out of that market. Does the Russian supplier have the financial reserves to withstand the repercussions of current events? When considering logistics, particularly for organizations that rely on supplies of goods, it is worth the effort to understand the logistical routes the goods travel. Are there items certain countries have banned that will affect the company's supply chain logistics?
Public opinion is influencing self-sanctioning much more so now than during Russia's 2014 annexation of Crimea, resulting in unprecedented scrutiny. Companies are pulling out of Russia due to public opinion and activist campaigns against companies trading with Russia. As a result, many companies are making different supply chain decisions than they may have normally.
Since the pandemic-and more so with the implementations of the current sanctions-it has become more apparent that organizations need to re-examine their supply chains to ensure they are diversified and agile, taking into consideration both onshoring or nearshoring to reduce potential risk to the business. This can be difficult as this results in adding multiples of every supplier into the screening process.
Another thing organizations should determine is the degree to which subsequent supply chain levels (i.e., levels two and three) are exposed to Russia. Does the organization have visibility over its subcontractors, and do its contracts give the right to know? How and where is that information being tracked?
Other considerations include the organization's exposure on raw materials. Oil, gas, metals, and IT have been covered extensively in the press. For example, in the computing supply chain, neon gas and palladium are important for components, and while impacts there are not yet hitting the market, they are expected in the coming months. More generally, organizations should prepare for additional shocks to commodities markets as the full effects of sanctions take hold and authorities consider imposing additional Russia-related restrictions.
Evaluating and Updating Transaction Monitoring Procedures and Controls
Transaction monitoring, which is traditionally associated with anti-money laundering (AML) programs for financial institutions, has become critical to sanctions compliance. This has become apparent at least since the 2014 Russia campaign in Crimea. Sectoral sanctions expanded thinking about sanctions beyond list screening and asset freezing. Identification of sectoral sanctions risk introduced the "if this, then that" type of decision-making for sanctions compliance, which required the integration of financial crimes risk management and broader risk management for financial institutions in order to identify and interdict prohibited activity.
Institutions subject to AML program requirements are expected to conduct ongoing monitoring, including risk-based transaction analysis, in order to identify and report suspicious activity and maintain up-to-date customer information as part of ongoing customer due diligence (CDD); these are now an expected part of CDD programs under domestic regulations as well as global AML standards. That sort of transaction monitoring involves looking for behavioral changes in certain customer types-or even in individual customers in specific instances-to assess whether the risk profile is in fact changing.
Behavioral change transaction monitoring is critical in the Russian sanctions campaign because of the way that Russian businesses and oligarchs may take advantage of complex business structures to avoid detection at onboarding. Given the transparency challenges associated with what we know about Russian sanctions evasion-including the use of anonymous legal entities, shell companies without clear beneficial ownership, and elongated payment chains utilizing multiple intermediaries-it can be difficult to understand who truly has an interest in a financial relationship or transaction. Often a change in behavior will trigger the need to take a closer look at a customer.
Another type of transaction monitoring focuses on looking for particular typologies. The 7 March FinCEN advisory contains the most recent summary of those red flags and specific typologies associated with types of countries, institutions, or transactions that may have more of a risk of exposure to Russia sanctions. Both types of transaction monitoring, whether for behavioral change or for specific Russian typologies, will be useful in detecting the presence of sanctioned Russian actors, as well as prohibited activities in the current sanctions environment.
Global disruptions present challenges to financial institutions that have tailored their transaction monitoring systems and rules to look for unexpected or unusual activity. With Russia's economy so heavily integrated into the European economies, customers are changing their supply chain or patterns of activity in order to adjust to a new normal. Complicating this further are disruptions caused by legitimate interests in Russia seeking safe haven.
Ultimately, financial institutions whose customers have this sort of exposure are going to need to consider and anticipate the need for more due diligence assistance and work through the noise to figure out what needs to be blocked, prohibited, rejected, or reported as well as what falls outside changing risk tolerance. Tightening rules in ways that can reduce that noise is going to be important for both budgetary and diligence purposes.
Supply Chain Cybersecurity Concerns
Everything about this threat environment has cyber lurking in the background, and understanding the motivation of the attacker is key.
The threat landscape:
- Script kiddies: Fame motivated
- Organized crime: Profit motivated
- Hacktivists: Issue motivated; goal is to expose or inflict public harm
- Nation state: Traditional espionage, now moved to cyber domain; disinformation campaigns; destructive attacks
- Insider threats: Industrial espionage
In the past, this threat landscape model has worked very well, with companies identifying their greatest threat and tailoring their defense strategies accordingly. What we have seen recently, however, is that these categories are merging. For example, organized crime and hacktivists are teaming up, funded by a nation state, making it difficult to formulate an effective defense.
While we have not seen significant cyber attacks from Russia related to the current situation, we have seen an uptick in disinformation campaigns. Over two days in early March, there were thousands of pro-Russian tweets sent to various social media, primarily targeting Africa and Asia. It is safe to expect a cyber attack will happen as Russia becomes more isolated and unpredictable.
Our recent policy alert discussing the cybersecurity landscape and how organizations can strengthen their defenses in light of increasing risks can be found here.
What should organizations look for in outside partners to assess suppliers and improve transaction monitoring?
This is an issue that K2 Integrity has considered from the merger of K2 Intelligence and the Financial Integrity Network. In the global mission to combat illicit finance and financing risk, how do we best posture our assets collectively as a global entity dedicated to that mission? There has to be an integration of proven corporate due diligence; supply chain investigative reports; and analysis in key industries, interdependencies, and geographies. Organizations that bring that sort of resource experience expertise to the table-and tie that together with knowledge of financial institutions that are monitoring transactions within a singular vendor-have a huge advantage. From a relationship level, you want to work with someone that has an opinion on what's happening and is able to have a conversation with the C-suite in order to really drive the changes that you want to make. If you're trying to transform your risk-benefit system internally, then you need someone who's going to be on your side and able to have an opinion and argue for that opinion, not just on technical matters but also in terms of the bigger picture.
How should organizations make use of insurance to protect their operations from cyber and supply chain risks?
Contracting and clauses are really important to understanding what responsibilities you and your partners have with respect to evolving events like the current sanctions crisis. Insurers are getting more critical with regards to cyber insurance, and the signing process is lengthier.
Key Takeaways to Protect Your Organization
Supply chain analysis and due diligence:
- Consider whether your global supplier database is comprehensive. What screening and monitoring are you doing? You should consider screening both for ethical issues as well as financial standing. Consider automated suppliers where you have not already done this. Also consider whether data on regional suppliers is effectively gathered at HQ/screening level.
- Assess your contracts with suppliers' supply chain to ensure visibility of their levels two, three, and beyond. What duties do your suppliers have to disclose their subcontractors? Are they adhering to those disclosures? What records do you keep and where, and how can that be integrated into your screening process?
- Understand your raw materials and any business continuity issues you may have. Key sectors include oil and gas, minerals and mining, and agriculture. Also consider IT and other support service teams you may have.
- Assess what past sanctions evasion patterns you have seen and be diligent in identifying emerging patterns.
Evaluating and updating transaction monitoring procedures and controls:
- Transaction monitoring is critical for sanctions compliance and risk management, as a complement to traditional sanctions screening (e.g., see red flags in the 7 March FinCEN Alert).
- Supply chain disruptions and customer/asset flight from Russia will complicate both forms of transaction monitoring (typology and customer-profile-driven approaches).
- The effectiveness of transaction monitoring controls will ultimately depend on effective CDD and risk assessment processes, at the front end and in dispositioning transaction monitoring alerts.
- The importance of an integrated financial crime risk management approach is key to the effective implementation of sanctions against Russia.
Supply chain cybersecurity concerns:
- There have not yet been any meaningful cyber attacks from Russia. Instead, Russia has been focusing disinformation campaigns on Asia and Africa with the theme "Russia is an innocent victim."
- The biggest concern is retaliation from Russia using ransomware, distributed denial-of-service, or Wiper attacks.
- Review your organization's cybersecurity defenses-know its blind spots. Good controls in the following four areas will prevent 99% of all attacks:
- Phishing: User education, filtering, testing
- Passwords: multifactor authentication, biometrics, testing
- Patching: Focus on most recent vulnerabilities, include mobile devices
- Privileged credentials: Diversify, limit access
- Review your supply chain risk management program with cybersecurity in mind.
As the Russia-Ukraine crisis evolves, K2 Integrity is focused on providing clients with up-to-date information in the form of daily sanctions news alerts, weekly summaries of key sanctions developments, policy alerts, additional webinars, and other means, including through our website and our DOLFIN platform.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.