What Does Every FinTech Founder Need to Know About International Sanctions and What Does It Mean For Technical Implementation?
Today I wanted to give you a quick overview of the concept of international sanctions, how they work and how they may impact a FinTech company, especially from the standpoint of technical implementation and tools.
Warning: this is not compliance training. 😉
There are so many conspiracy theories, wrong interpretations, and misconceptions about sanctions and sanctions scanning. People sometimes get totally overwhelmed and feel like sanctions and embargoes are even more stressful than GDPR or Brexit.
Let’s keep it simple, ok?
So, where do international sanctions come from?
Sanctions can be imposed by individual countries or international organizations and, simply speaking, there are 4 types of sanctions:
- Against a country or territory (e.g. North Korea or Crimea). These sanctions are extremely rare because territorial sanctions usually impact a lot of innocent people who happen to live or be in that place. Territorial sanctions mean that you cannot offer your services on that territory at all. For example, your perfectly valid Visa card may not work in Crimea.
- Against specific individuals, sometimes called “Specially Designated Nationals” or “SDNs.” Usually, those people are criminals, known members of terrorist organizations, and politicians responsible for civil wars, human rights violations, and other international crimes.
- Against members of certain groups or organizations. For example, there are specific sanctions against members of Hamas or the Taliban, regardless of their residence or nationality. There are specific sanctions against members of certain governments or governmental organizations (for example, against certain government officials in Venezuela or members of the Iranian Revolutionary Guards). This category of sanctions does not always specify the names of individuals (because people may join these groups at any time); instead, it states that any member of the group or organization is under sanctions, and therefore you cannot offer your financial services to them.
- Against certain industries or types of commercial activities. For example, you cannot buy Iranian or Venezuelan oil, you cannot buy or sell arms with governments of certain African countries, you cannot export certain products to or from Russia, etc.
Why is this important?
People often say that “Iran is under sanctions” or “Russia is under sanctions” or “Venezuela is under sanctions,” but that is not correct.
From the technical implementation standpoint, it sometimes makes a huge difference: either you block a country and cannot serve anyone there, or you find a way to detect and block a couple of dozen people and can work with everyone else – without breaking any laws.
On the other hand, the consequences of even a single mistake can be huge, especially if those are OFAC (US) sanctions.
“Fun” facts: there are some contradictory and mutually exclusive sets of sanctions, which can make the life of a compliance officer super interesting. The most common examples would be Cuba (the US still has sanctions against most activities in Cuba, but Europe has nothing against Cuba whatsoever) and Russia vs Ukraine (where both countries claim that the other side is an occupier and international criminal).
How do you go about the technical implementation of sanctions compliance to keep it simple and reasonable?
Usually, I recommend implementing the following basic rules (obviously, these are a very general set of guiding principles, just for illustration purposes):
- IP block North Korea and Crimea as a minimum.
- If you have US-based financial partners, they will likely force you to block Cuba, because they would want all their partners to be OFAC-compliant. Even if you are in Europe.
- Don’t support countries where there are lots of problems and little economic opportunity. For example, many of my clients decide not to support countries that are suffering from a long history of civil wars, or with known active terrorist organizations on their territory, simply because it’s hard to know for sure who is who in these countries, and it’s easier not to support these countries than to investigate extensively each application from there and treat it as high risk with enhanced monitoring requirements going forward. So, even though there are no sanctions against certain countries, you may still decide not to support them, purely based on risk/opportunity analysis.
- There are countries with political problems and restrictions around some economic activities there (e.g. various sanctions against certain industries and government officials in Russia) or even with known terrorist groups operating there (e.g. Taliban in Pakistan), but the overall economic opportunity is still interesting for many. In this case, you may decide to invest in good monitoring tools, hire experienced native speakers for investigative work, and this would allow you to support, for example, Russian or Pakistani clients with reasonable safeguards.
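The tiered rules above, as an added Python example that is not part of the original article. Every list, name and function here is constructed for illustration; because Crimea has no country code of its own, the sketch assumes a geo-IP provider that returns ISO 3166-2 region codes (UA-43 and UA-40), and it sends fuzzy name matches to manual review rather than blocking them outright.

```python
from difflib import SequenceMatcher

# All lists below are constructed samples, not real sanctions data.
TERRITORIAL_BLOCK = {"KP"}                    # North Korea: whole country
REGION_BLOCK = {("UA", "43"), ("UA", "40")}   # Crimea and Sevastopol (ISO 3166-2)
PARTNER_BLOCK = {"CU"}                        # enforced only with US-based partners
RISK_DECLINE = {"XX"}                         # placeholder: outside risk appetite
ENHANCED = {"RU", "PK"}                       # supported with enhanced monitoring
DESIGNATED = ["Ivan Example Petrov", "Jose Sample Garcia"]  # fictional names


def normalize(name):
    """Drop punctuation and combining marks, casefold, sort tokens."""
    # Assumes NFD-style input is acceptable: combining marks are not alnum.
    import unicodedata
    decomposed = unicodedata.normalize("NFKD", name)
    kept = "".join(c for c in decomposed if c.isalnum() or c.isspace())
    return " ".join(sorted(kept.casefold().split()))


def name_hit(name, threshold=0.85):
    """Return the closest list entry if similarity >= threshold, else None."""
    cand = normalize(name)
    scored = [(SequenceMatcher(None, cand, normalize(d)).ratio(), d)
              for d in DESIGNATED]
    score, best = max(scored)
    return best if score >= threshold else None


def screen(ip_country, ip_region, residence, name, us_partners=False):
    """Return (decision, reason); territorial rules run before list checks."""
    countries = {ip_country, residence}
    if countries & TERRITORIAL_BLOCK or (ip_country, ip_region) in REGION_BLOCK:
        return "BLOCK", "territorial sanctions"
    if us_partners and countries & PARTNER_BLOCK:
        return "BLOCK", "partner requires OFAC compliance"
    hit = name_hit(name)
    if hit:
        return "REVIEW", f"possible list match: {hit}"
    if countries & RISK_DECLINE:
        return "DECLINE", "outside risk appetite"
    if countries & ENHANCED:
        return "ENHANCED", "onboard with enhanced monitoring"
    return "ALLOW", "no rule triggered"
```

A country-level block on "UA" would turn away every Ukrainian customer, while the region-level check blocks only the sanctioned territory, which is the distinction the article draws between blocking a country and blocking a narrower target.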
Hope it helps!
As seen at HackerNoon.