Over 400 multinational corporations have pulled out of Russia as a result of its invasion of Ukraine. It’s not only reputational risk at stake, but a complex web of sanctions imposed by the U.S. government as well as a global financial systems blockade that makes operating in Russia difficult, if not impossible — and the list of sanctioned entities and individuals keeps getting longer.
As the economy’s largest companies protect their brands and operations, Main Street may breathe a sigh of relief that, at least this time, being small and local is better than being big and global. That would be a mistake. The risk may be the exception to the rule for many Main Street firms, but experts say small businesses need to take basic steps to investigate their own potential links to sanctioned Russian businesses and individuals, or else face the potential for what should be an avoidable worst-case scenario.
Take cybersecurity training firm INE as an example. It is a mid-sized business that did not expect to run afoul of sanctions, but taking a few basic precautions once the sanctions started hitting led it to uncover potential violations which it might have otherwise missed. And its path to uncovering the issues was somewhat coincidental. One of its founders is married to a former government official and Citigroup compliance executive, and she mentioned that it is hard for companies beyond the Wall Street banks to stay on top of all of the sanctions, and support from the Treasury Department isn’t going to filter down through the economy. This knowledge led INE to run its own client list against the U.S. Treasury sanctions database, and to its surprise, INE was doing business with sanctioned banking entities.
“We found two Russian businesses sanctioned at the highest levels,” said Scott Cederbaum, INE’s chief marketing officer, whose wife is the Citi executive. “We were shocked when we found it,” he said. “It would not have occurred to me we would have ever sold to Russian clients.”
The Treasury’s Office of Foreign Assets Control website was the starting point for the discovery, but the results led to questions the firm couldn’t find sufficient answers for from the government.
INE had to immediately sever ties with the two clients to which it had been providing IT training services.
“From a small business perspective, there is no visibility, no one talking about it. I’ve talked to a lot of people and no one is thinking about it,” Cederbaum said.
While legal firms and Wall Street banks work with their top-tier clients, small businesses are not likely to find as much help even if they have banking relationships. CNBC contacted PNC, JP Morgan, Wells Fargo, Bank of America and Goldman Sachs, all of which declined to comment or did not return calls seeking comment.
Silicon Valley Bank, which INE works with and Cederbaum said has been helpful, said through a spokeswoman that it is advising clients to contact their law firms.
While the risk of a small business having ties to Russian entities on sanctions lists may be low, in a global digital economy where services are offered instantaneously through the internet and technology talent is sources globally, the risk is there.
Instilling fear on Main Street isn’t the goal, and the risk of being in violation of sanctions may be small, but it is a much better posture to investigate than assume the business is safe. “The specter is there,” Cederbaum said. “If you have that risk you should know it. Any small business who has any dealings that might have a Russian tie, at least perform the due diligence,” he said.
Sanctions safety steps for small business
In fact, experts say a little prevention can go a long way in this case. While it is impossible to know how hard a line the U.S. government would take against a small business in violation of sanctions — firm size alone is no excuse for breaking the law — the government may at least be more understanding of violations if the business can prove that it took steps to investigate, that it had protocols in place to search for potential violations, even if it ended up making a mistake. The government does often take into account efforts to comply that are documented, even if those efforts were ultimately lacking.
The first step is to access the sanctions lists that are searchable and downloadable from the Treasury OFAC website and run the database against a client list.
Doreen Edelman,partner and chair of Lowenstein Sandler’s global trade and national security practice, said there is a big gap between start-ups in technology and smaller companies in general when it comes to compliance. Typically, “it’s not on their top 10 list,” Edelman said. “Now, everyone has a problem.”
Potential issues are not only limited to OFAC sanctions, but Commerce Department export controls which ban export or transfer of products to Russian entities on export lists, and which can be interpreted broadly to include researchers or research institutions. And it doesn’t need to be a physical product — putting data on the web or in the cloud could be a violation based on who can access it. “And that’s just general products,” Edelman said.
If items have an export classification number, such as a scientific measurement device, all products need a license in almost every category and Edelman said to expect a presumption of denial from the government. It also includes any Russian foreign nationals working for U.S. firms, for example, at a software or machine development company, a situation in which sharing of any technology with them can be deemed the same as sending it out of the U.S. “A Russian working for you living in the U.S. is an export to Russia,” Edelman said.
On the Treasury OFAC side of sanctions, most small companies will assume they are not sending anything out of the U.S. and therefore it doesn’t apply to them. But businesses need to be screening every single relationship because even companies based in the U.S. could be Russian entities. “You are supposed to be screening absolutely everyone you do business with — suppliers, customers and partners. This is a strict liability and it doesn’t matter if you didn’t know,” Edelman said.
Technology industry risk
Physical product chains may be easier to track, but software companies need to screen to make sure no restricted parties are accessing their website. Russia has hundreds of thousands of technology professionals in Moscow and St. Petersburg, in particular. From graphic design to web development and marketing, Russia is a place where business ties exist at all levels of firm sizes.
“People selling goods and services into Russia are not even thinking about it,” Cederbaum said. “There are tons of companies that might have two or three customers in Russia,” he said.
The largest banks in Russia which are sanctioned have many subsidiaries operating across business types, from web development to cyber products, and as INE found, just having any associated entity as a client is a violation of Treasury Department sections.
“This is uncharted territory in terms of having OFAC sections at a time of digital connections with countries, and the degree of interconnectivity with Russia,” Cederbaum said.
Edelman said in addition to screening client lists against government sanctions databases, putting geolocation blocks on web platforms is a wise move so that restricted parties in certain areas can’t access online services. In the strictest sense of the law, it does not matter if a client is paying or not. “You can’t do ‘business’ with them” isn’t a restriction measured only by payment received for services, she said. Providing access to software on a website is enough.
Financial services and fintech companies, computer services and IT companies, and software development firms, all are involved in outsourcing relationships and Eastern Europe has become a popular place for tech outsourcing and that means there is a greater chance there might be a Russian investor or parent company.
“It won’t be the local flower shop in all likelihood,” said Andrew Sherman, a partner at Seyfarth Shaw who specializes in business law.
And it can extend to a business that may be partially owned by oligarchs or Russian entities operating in other countries that a U.S. firm had no reason to know about previously. The issues for the tech sector run to the highest levels of Silicon Valley, but also the smallest start-ups individually.
“You need to look at distributors, consultants, programmers and engineers overseas,” Edelman said. “We’re seeing with start-up tech companies investors who say, ‘it is a Cayman Islands company, but who owns it?’ If it turns out to be a Russian sovereign wealth fund, you can’t do business with them,” she said. “I think it is surprising everyone, the extent to which either foreign funds with Russian investors in them, investing entities in places like Singapore, or Russian investors directly are in U.S. entities, because you have to pierce the veil a few levels,” she added.
Treasury has made it easier to identify violations
The government has made it easier in recent years to perform due diligence with the companies now able to go on OFAC’s website and run the screening on sanctioned entities — but it can still be cumbersome with additional Treasury, Commerce and Postal Service lists.
There are a few dozen lists in all that involve U.S.-sanctioned entities, and there are also UK and EU lists for businesses that operate in those markets, Edelman said. As an example, software that is commonly used today might have to screen against a total of 60 lists. But the best place to start, she said, is by running a screen of a company’s relationships against the consolidated list OFAC, which also includes Customs and Commerce data.
Taking these steps is critical, experts say, even if a company misses a potential violation. Inadvertent violations do happen, but companies that can show they had a policy in place, and were doing screenings — more than once as sanctions are added — may lead the government to be less punitive if a violation is found. “These sanctions are a reason to start a compliance program,” Edelman said. And for firms that have a compliance policy in place for global trade but have not been actively managing it, “if the last time you screened was three years ago, I’m not sure OFAC will give you much credit,” she said.
Size of business, too, can be a mitigating factor, as is self-disclosure if a firm does find a violation. But ultimately a violation is a violation and it is based on each transaction. “If it is $1 each time, one thousand times, it is a thousand violations,” Edelman said. “I don’t want to scare companies because if they make the disclosure and show they are trying to be complainant and it is their first offense, they can end up without a fine and just a notification letter, but it’s better not to have a problem.”
For any firms doing business abroad, in Europe for example, it is a good idea to do a deep dive of business relationship lists against sanctions lists, Sherman said.
“If you’ve got software under development and you’re shipping monthly and making wire transfers to Eastern bloc countries or one of the former members of the USSR, you might want to at least ask questions,” said Sherman.
For smaller firms, it would be a bitter irony if as a result of the current situation they unintentionally ended up on the wrong side of the U.S. government.
“Many small to medium-sized businesses are too small to have any significant interest or holders in Russia, but they do want to be seen as standing with Ukraine and in particular, for entrepreneurs, it’s a little bit of a David and Goliath story, and they relate to the Davids. It is probably a 1%, a 2% kind of chance, but substantiating your attempt to comply will go along way,” Sherman said. “If you do nothing and do get audited or run into problems, you won’t have a very good case. Make the effort. … It is not like 20 years ago. You can get lots of work done on the internet, just a few Google searches and emails and pack in a compliance file and at least know, if asked, you did take steps to protect.”
Edelman said the process does not need to be costly and simple steps like preparing a sanctions compliance policy document to prove your business is aware of the risk and has taken basic steps is a start.
“Every business in this county has an obligation to try to comply regardless of the likelihood,” Cederbaum said. “It’s worth leaning on the side of caution. … We are the quintessential company that at the end of the day could easily have sleepwalked into sanctions violation. Two clients out of 150,000 individuals and businesses working with us.”