It seems intuitive that extra care in screening for restricted parties should be given to transactions that involve the most sensitive items, such as defense articles subject to the ITAR or those military items that comprise the 600 series on the Commerce Control List.
But the bigger risk may lie with organizations that export a wider variety of items subject to the EAR—particularly those classified as EAR99 and other ECCNs that typically may be exported or reexported NLR.
That’s because just about everything subject to the ITAR requires a license application. The same is often true for 600 series items. But the EAR allows so many goods to be exported NLR that this status is often misunderstood to mean export controls don’t apply. That’s never the case, and if you’re not doing a thorough job of restricted party screening, it’s easy to miss instances when the specifics of a seemingly innocuous transaction trigger a license requirement.
Further, the U.S. government’s use of sanctions has evolved. At one time, the various restricted party lists comprised largely imprisoned smugglers, terrorist organizations and a few hostile government entities. Now, these lists have become a go-to tool for implementing U.S. foreign policy. As a result, they’ve grown to include many legitimate and established businesses. And given the fluidity of global politics, new names are routinely being added to restricted party lists for any number of reasons.
So here are some considerations and best practices for restricted party screening.
Whom to screen
When screening for restricted parties, include all known parties to the transaction, including:
- Customers;
- Sales reps;
- Resellers, distributors and any other channel partners;
- Service providers and intermediaries, such as banks and freight forwarders (whether your own or those specified by the customer).
Also screen parties to other aspects of your business—especially those with whom you share data (which is also subject to export controls) or conduct financial transactions.
Some companies will screen vendors, employees and contractors against these lists before hiring or as part of the onboarding process. It’s a good idea that can save trouble and embarrassment later on, and it makes sense to do it at the same time other pre-employment screenings are being conducted.
And for companies that do sensitive work or deal with sensitive customers, it’s also prudent to screen visitors.
Screen beyond the name
Some of the restricted party lists provide addresses or other information. It’s not always meaningful or accurate, but when the information is available, use it. It can uncover situations such as someone using a DBA that’s not on any list but which shares the address of a denied or restricted party.
You can also screen by geo-location, IP address or email domain, which can be especially helpful for businesses that take orders online. If you have an order that comes in for shipment to Toronto, but the IP address is from a computer in Cuba, that’s information you would want to know before fulfilling the purchase. While IP and email addresses are easy to mask, there have been instances in which the U.S. Treasury Office of Foreign Assets Control (OFAC), which maintains the government’s most radioactive list of denied parties, has suggested that failure to do this extra level of screening could be deemed negligent.
What’s important is that you act upon the information available to you, even if there are limitations to its accuracy.
Screen in any relevant jurisdictions
The U.S. government maintains several lists, each with its own purpose [see related post: Understanding the Various Restricted Party Lists]. These include:
- Entity List (EAR)
- Denied Persons List (EAR)
- Unverified List (EAR)
- Military End-User List (EAR)
- Debarred Parties List (ITAR)
- Specially Designated Nationals and Blocked Persons List (SDN list of the Office of Foreign Assets Control)
- Consolidated Screening List (aggregated from lists above by the International Trade Administration)
In addition to these, if your own organization has foreign subsidiaries or affiliates that may be involved in a transaction, you should look at any appropriate lists in the countries where these are located.
Finally, screen restricted party lists in the country of the end-user for the items you’re exporting. Doing business with the wrong parties in other countries is one way your own company can end up on some other nation’s denied party list.
Screen beyond public lists
Government agencies can’t keep up with all the relevant information you may need for effective screening. For example, OFAC’s “50 Percent Rule” extends sanctions against an individual to include any companies in which that person owns a 50 percent-or-greater interest. Consider a Russian oligarch who owns a range of businesses: the individual will show up on OFAC’s SDN list, but the ever-changing company names may not.
Further, in some countries, governments may not publish their lists of restricted parties, instead making them available to a small number of third-party vendors or to certain vetted exporters.
There are private-sector businesses that gather and sort this kind of data. Major players include companies like Dow Jones, Thomson Reuters, Kharon and Sayari. The category is sprawling and not clearly defined, but their own descriptions typically include terms like:
- Commercial risk intelligence
- Sanctions compliance
- Denied party screening or restricted party screening
If you’re dealing in sensitive materials, or doing business in places with lots of sanctioned entities, such as Russia and China, these services may provide a welcome additional layer of scrutiny.
Screen early
The best practice is to screen when you first begin to interact with new parties that might develop into business. Some companies have a policy to screen before a name can be entered into the CRM system or sales database.
If you put out an RFQ, screen as responses come in—not after the list has been winnowed to one or two finalists.
And if you don’t already screen visitors but are considering adding that layer of security, the screening should occur when an appointment is made—not when they show up at the front desk. It doesn’t take long to learn that lesson the hard way.
Screen and then screen again
The various restricted party lists change frequently. Companies get sold. People change jobs. So it’s possible that a person or entity that previously passed a screening would get flagged today.
There are two general approaches to rescreening.
Transactional: An entity gets screened each time you do a transaction with them. This is where most companies begin in their export compliance journey.
Partner-based: An entity gets screened before being entered into a company database, and any time a change is made in that entity’s file. Then, whenever there is a change in the relevant restricted party lists, the entire database gets screened against those changes. This increases the number of individual files that get screened, but it reduces the overall frequency of screening processes. This tends to be the model companies move to as their compliance programs mature.
Automate the screening process
Manually checking the Consolidated Screening List will work for small businesses that only export occasionally. But as a routine practice, it’s an invitation for error—the most common being, “We’ve screened that name a hundred times and it’s never been flagged, so we don’t bother with it anymore.”
There are lots of enterprise-level software tools to automate the screening process, using fuzzy logic or AI to compensate for misspellings, foreign language translations and other traps.
These systems need ongoing care and attention. If your system never seems to get any matches, it could be a result of low screening volume, or it could mean that it’s not sensitive enough. On the other hand, if you’re overwhelmed with false positives, it’s not doing its job.
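The partner-based rescreening and fuzzy matching described above can be sketched as follows. This is an added example, not code from ECTI or any screening product; the suffix list, the 0.85 threshold, the use of Python's difflib as a stand-in for a commercial matching engine, and all party names are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Legal-form suffixes ignored during comparison (assumed list; extend as needed).
SUFFIXES = {"ltd", "llc", "inc", "co", "corp", "gmbh", "limited", "company"}

def normalize(name):
    """Lowercase, drop punctuation and legal suffixes, sort tokens so word order is ignored."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in SUFFIXES))

def similarity(a, b):
    """Similarity in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(party, entries, threshold):
    """Return (entry, score) pairs at or above the threshold, best match first."""
    scored = [(e, round(similarity(party, e), 2)) for e in entries]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

def rescreen_on_list_change(partners, old_list, new_list, threshold=0.85):
    """Partner-based rescreening: check every stored partner, but only against
    entries added since the previous list version."""
    added = sorted(set(new_list) - set(old_list))
    flagged = {}
    for partner in partners:
        matches = screen(partner, added, threshold)
        if matches:
            flagged[partner] = matches  # soft match: route to a human reviewer
    return flagged

# Constructed sample data (not taken from any real list).
PARTNERS = ["Northwind Trading Co.", "Acme Precision Tools LLC", "Orion Marine Supply"]
OLD_LIST = ["Example Blocked Holdings Ltd"]
NEW_LIST = OLD_LIST + ["ACME Precison Tools", "Zenith Shipping GmbH"]

if __name__ == "__main__":
    for partner, matches in rescreen_on_list_change(PARTNERS, OLD_LIST, NEW_LIST).items():
        print(partner, "->", matches)
```

Raising the threshold to 0.99 makes the misspelled entry slip through, which is the "not sensitive enough" failure described above. Names in non-Latin scripts would need transliteration before this normalization step.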
Develop a process for managing soft matches
If you’ve built responsible screening practices, some of the returns will be ambiguous. An effective compliance program needs to include a clear chain of command: Who is authorized to review soft matches, and what is the process to be followed in deciding?
Maintain good records
As with every aspect of an export compliance program, the most important risk-management feature is that if something does happen, you can demonstrate that you weren’t negligent, and that you faithfully followed a well-designed screening process.
Do better than the minimum
As a final best practice, think beyond the strict regulatory prohibition against export transactions involving restricted parties. For example, in addition to its SDN list, OFAC maintains another roster, called the Non-SDN Chinese Military-Industrial Complex Companies List (NS-CMIC List). There may be no rule against doing business with some of the entities on this list. But it may invite unwanted scrutiny and reputational harm.
Scott Gearity is President of ECTI, Inc.