If you’re like most compliance officers today, you’re hearing the word “sanctions” constantly.

There’s rarely been a period in history with such fast-changing sanctions laws.

And while sanctions violations and risks aren’t new, escalating penalties and new fact patterns emerge all the time.

Take the Toll Holdings settlement announced last Monday.

According to the news release, Toll agreed to pay $6.1 million for 2,958 apparent violations of multiple OFAC sanctions programs, including those relating to North Korea, Iran, and Syria.

Toll is a freight forwarding and logistics provider based in Australia that used banks with a presence in the U.S. financial market and system, which meant that the OFAC rules applied to them concerning those transactions.

The value of the alleged payments totalled approximately $48.4 million, according to OFAC.

What we can Learn

Reading the facts of these settlements is often interesting, but it’s more important to consider what we can learn.

Here are five takeaways from this recent settlement.

Lesson 1: Teach that Changing Words Doesn’t Change Actions

Perhaps the most interesting nugget in this case relates to an email.

After a bank restricted Toll’s U.S. dollar transactions because of a payment to Syria, one of Toll’s employees told their UAE and South Korean affiliates to avoid naming sanctioned jurisdictions on invoices going forward.

It’s amazing how often people think they are cleverer than prosecutors, investigators, and the compliance office. Every day, someone thinks that they can do things like break expensive gifts or hospitality into several receipts just under the recording limit to avoid compliance.

Changing the words or how things are recorded doesn’t change that they happened.

Intent matters.

My colleague Nicole di Schino likes to train people not to try to be tricky. Train people about the spirit of the law and be specific about what they have to do.

Speaking of training…

Lesson 2: You Must have Training

Poorly done training on sanctions is bad, but no training? Way worse!

Toll’s managing director wrote an email saying that “the situation occurred because of a misunderstanding about regulations…”

There is no indication in the statement about the training that may or may not have occurred during the years in which the violations took place. But OFAC noted that as part of the remediation, Toll implemented “a sanctions compliance training program for all relevant employees, training more than 500 employees across five countries.”

Training is critical.

It helps people to know what to do and to be sensitized to when to call compliance.

However, training isn’t enough by itself…

Lesson 3: Implement and Test Controls

According to the Wall Street Journal’s reporting, in February 2017, Toll implemented hard controls, disabling the country and location codes for ports and cities in sanctioned countries. This made it impossible to ship to or from those nations.

The result is stark: of the 2,958 violating payments, only 105 were made after the hard controls were put in place.

Hard controls need to be implemented whenever possible to stop transactions that can be problematic.

Training and hard controls are the 1-2 punch that makes compliance effective.

Lesson 4: Beware Periods of Rapid Expansion

In 2007, Toll began to acquire several small, local, or regional freight forwarding companies. By 2017, Toll had almost 600 invoicing, data, payment, and other system applications spread across its various business units.

The growth was rapid, and with that growth did not come a commensurate increase in compliance staffing, resources, or technology.

Companies must understand the risks they take when they expand rapidly.

Create a pre-and post- M&A policy or procedure and put it in place now. The policy should dictate the risk assessment and due diligence required in the case of an acquisition.

When we at Spark Compliance perform compliance program assessments, pre-and post-M&A due diligence procedures are frequently the lowest scoring area. More attention (and planning) needs to be paid to these risks.

Lesson 5: Remediation is Worth It

OFAC noted that the potential fine was $826 million.

Beefing up the compliance program to reduce a fine by $820 million is a worthwhile thing to do!

OFAC credited Toll’s voluntary disclosure, as well as the measures put in place after the violations were discovered, as reasons for the lower fine.

It will not surprise you to learn that these included:

• A strong compliance training program
• Implementing a risk assessment process with risk mapping
• Audit planning
• Restructuring the compliance program so that the most senior executive is in charge of sanctions compliance
• Risk-based scanning of third-parties and transactions
• Applying their standards and requirements to third parties acting on their behalf

Settlements like the Toll case give us insight into what has gone wrong so we can ensure things go right on our side.

By giving good training, ensuring hard controls are in place, and remediating whenever we discover a live issue, we can protect our company from ending up in the same situation.

*Sources: https://home.treasury.gov/system/files/126/20220425_toll.pdf, https://www.complianceweek.com/regulatory-enforcement/toll-holdings-to-pay-61m-for-widespread-sanctions-violations/31605.article, https://www.wsj.com/articles/logistics-company-toll-reaches-settlement-with-regulator-over-alleged-sanctions-violations-11650917009