An interview with Himadri Bora, Chief Strategy Officer, Dun & Bradstreet South Asia Middle East Africa Limited.

1) Something went wrong in the world of cosmetics. Tell us about it.

Himadri: Indeed! Eyelashes, to be specific. In 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement with e.l.f. Cosmetics, Inc., a company based in Oakland, California.

e.l.f. paid fines of almost $1 million for 156 apparent violations of the North Korea Sanctions Regulations. The violations involved importing false eyelash kits from two suppliers in China that contained materials sourced by these suppliers from North Korea. The value of the eyelash kits was $4.4 million.

The e.l.f. case is an example of pass-through sanctions risks becoming real – the risk emanated from a supplier’s supplier!

2) Couldn’t pass-through sanctions risk become an issue with customers as well?

Himadri: Absolutely! In 2018, OFAC issued fines to Epsilon Electronics Inc. of Montebello, California, for violating Iranian sanctions. Epsilon was selling equipment to a company (not based in Iran), but this customer of Epsilon reexported the goods to Iran.

The Epsilon case is an example of pass-through sanctions risks emanating from a customer’s customer.

It is interesting to note that one of the aggravating factors that OFAC mentioned was that Epsilon had no compliance program at the time of the alleged violations. In contrast, one of the mitigating factors was that Epsilon was a small business. Together, the two factors mean that OFAC expects even small companies to have some form of a compliance program.

3) You shared examples of American companies getting fined by OFAC. How are OFAC regulations relevant for the D&B SAME region?

Himadri: OFAC regulations are relevant in at least two ways.

Firstly, American companies with customers or suppliers in the D&B SAME region need to extend due diligence to their customers’ customers and suppliers’ suppliers. American companies need to take reasonable steps to ensure that they are not indirectly facilitating violations of sanctions regimes through their business partners.

Secondly, OFAC regulations apply to all U.S. persons, including “all U.S. incorporated entities and their foreign branches. In the cases of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply.” The U.S. person definition means that American subsidiaries operating in our region must also comply with OFAC regulations.

Taking a step back, the above are relevant for all WWN countries – the same rules apply. Also, the E.U. and U.K. regulations are not very different, which means that the same challenges apply to British and European companies.

4) What role is D&B SAME looking to play in all this?

Himadri: We believe that D&B SAME can play a critical role in helping customers perform third-party due diligence as part of their sanctions compliance programs. The D&B Onboard solution is one such tool that can help our customers.

5) What are the challenges?

Himadri: There are multiple challenges, and the biggest one is the lack of awareness among companies. As of now, many American companies secure representations in their legal contracts with business partners (suppliers and customers) that the business partners are not in violation of OFAC and other regulations. While this is a good measure, companies now need to do much more.

In 2019, OFAC released the “Framework for OFAC Compliance Commitments” in which it strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).” OFAC clarified that sanctions compliance program should “incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.”

We are evaluating how we can play a more significant role in helping companies with their SCPs and providing the D&B Onboard data needed to run these programs. Many companies lack the awareness, senior management attention, know-how, and resources to run effective SCPs.

To create awareness, we have hired a law firm to participate in a series of soon-to-be-launched webinars discussing these risks and what companies could do about them. Along with the webinars, we will also launch social media and email campaigns that break down the issues in bite-sized ways.

We believe that the solutions lie in the efficient use of data, trained human resources, technology adoption (e.g., robotic process automation), artificial intelligence, and robust processes. In this, D&B SAME is exploring a strategy to form alliances to offer a comprehensive screening solution to our customers.

Wish us luck!