
Sanctions: Compliance, evasion and enforcement


As the world’s commercial relationship with Russia and its oligarchs changes dramatically, Bill Mew offers a tech perspective on some of the considerations you need to make to comply with sanctions and looks at the extent to which cryptocurrencies are being used to avoid them.

23rd Mar 2022

Supply chain rigour

In any kind of trade, goods and services move in one direction, funds flow in the opposite direction and data flows both ways. Organisations also need to consider who they are trading with. Legal and ESG considerations have always applied.

Legal sanctions against Russia, Iran and Myanmar have applied for some time now, as have regulations around funding terrorist organisations, but even some of the largest organisations have fallen foul of these. 

Following a disclosure by tech giant Ericsson that it had potentially made payments to terrorist organization ISIS to facilitate the sales of its goods in Iraq, its shares fell dramatically, the company faces large fines (on top of the $1bn fine in 2019 for bribery) and there is a real risk of it becoming ‘uninvestible’.

ESG measures tend to be upstream, ensuring that your suppliers don’t have unsafe working environments with factories at risk of collapse or exploitative work practices such as the use of child or slave labour. 

The current sanctions are far more rigorous than those imposed on Russia in the wake of its 2014 invasion of Crimea. They are also more widespread, focusing on numerous individuals, and are changing all the time, as further organisations and oligarchs are added to the list.

If you had effective measures in place already, then it is a matter of revising and expanding these to ensure that you are not supplying goods or funds to newly sanctioned entities. 

Don’t overlook cyber risk

A further supply chain measure that can be overlooked is cyber risk. Even where organisations audit supply chains from both the ESG and cyber perspective, these are not always integrated or aligned. 

You should be well aware of supply chain risk in cybersecurity as it has been the cause of many of the largest and most high-profile attacks - such as the SolarWinds incident that impacted thousands of organisations, including many US government departments and even the Pentagon (see a recent lecture of mine on cyber supply chain risk).

While existing measures could well be largely upstream (focused on suppliers), they may need to be expanded to include a downstream focus as well (on clients). You will not only need to consider sanctioned entities and individuals (from a legal and ESG perspective) but also need to consider organisations that have taken a public stance against the sanctions as these are likely to be the main targets from a cyber perspective.

On top of this, you also need to consider the resilience and risk mitigation measures across your supply chain. If they have operations in the cloud, then what service-level agreements do they have and what measures do they have for incident response and recovery? You also need to find out which organisations in your supply chain have cyber insurance cover and assess the extent to which these policies either conflict with each other or include common exclusions that would negate cover for all.

Policies often do not cover incidents involving a ‘third party…not unduly restricted or financially limited by any term in any of your contracts’. This is meant to ensure that the insurer is able to pursue any third party involved for unlimited damages. Unfortunately, this excludes almost all service providers or supply chain partners as they themselves tend to specify some kind of limitation to damages in their contracts with you, such as damages being limited to the value of the contract. Unlimited liability is not at all common these days, so you may well find that both your and your suppliers’ cover is void.

Most policies include an exclusion for ‘acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not)’. This is bad enough for everyday attacks that originate from Russia, China, North Korea or Iran, countries that are the sources of the majority of all attacks. Indeed the NotPetya malware that originated from Russia and impacted many businesses in Ukraine as well as the NHS, Merck, Maersk and FedEx was deemed an act of war by many insurers. It took years for Merck to pursue its own insurers through the courts and it has only just succeeded in getting a $1.4bn payout. And while Russia (and China) may deem its operation in Ukraine as a ‘special military operation’ rather than an invasion or war, the rest of the world and all insurers most definitely see it as a war.


Spotting evasion is easy - it’s all in Bitcoin, right?

Many people expected cryptocurrencies to be used to evade sanctions, and while there was an initial burst in rouble/Bitcoin exchange, this was brief and was not significant in volume. It was likely small investors seeking stability as the rouble plunged.

As an authoritarian government, Russia has historically been hostile to cryptocurrencies so there are few accessible off-ramps and on-ramps to crypto in Russia or indeed other frameworks to facilitate Web3 alternatives.

Once funds have been converted to crypto they are relatively illiquid - few places accept payment even in the most common currency, Bitcoin. And cryptoassets are nothing like as private or anonymous as some people assume. All transactions are recorded on the blockchain, making the entire ledger visible to all - both Bitcoin and Ethereum are open blockchains.

Crypto wallets were once a security risk, but at least offered a degree of anonymity. However, as security on such wallets has improved, so have the tactics employed to associate wallets with their owners. Crypto exchanges now have know-your-customer requirements, just as banks do, and a recent executive order from the White House has laid out how cryptocurrencies need to be regulated.

Indeed crypto is actually being used far more heavily by the Ukrainians to raise money for armoured vests, equipment and humanitarian aid.

While homes across the EU and UK are being opened to Ukrainian refugees and massive amounts of humanitarian and military aid are being provided by the West, we also need to be diligent in helping to apply the sanctions, however difficult this can be.

Replies (1)

By Paul Crowley
25th Mar 2022 19:19

I always considered Crypto was for the sole benefit of Money laundering, terrorism and crooked deals.
Now I need to add Sanction busting.
Time the banks started to report all transfers to Crypto platforms.
And of course, no de minimis figure.