International Tech Sanctions: A Summary for Startup Founders
Founder & CEO at Competitive Compliance, Co-host of Hole in the Whole, FinTech Compliance & Regulations Expert
In this article I'll give you a quick overview of the concept of international sanctions, how they work and how it may impact a FinTech company, especially from the standpoint of technical implementation and tools.
There are so many conspiracy theories, wrong interpretations, and misconceptions about sanctions and sanctions scanning. People sometimes get totally overwhelmed and feel like sanctions and embargoes are even more stressful than GDPR or Brexit.
So, where do international sanctions come from?
Sanctions can be imposed by individual countries or international organizations and, simply speaking, there are 4 types of sanctions:
- Against a country or territory (e.g. North Korea or Crimea). These sanctions are extremely rare because territorial sanctions usually impact a lot of innocent people who happen to live or be in that place. Territorial sanctions mean that you cannot offer your services on that territory at all. For example, your perfectly valid Visa card may not work in Crimea.
- Against specific individuals, sometimes called "Specially Designated Nationals" or "SDNs." Usually, those people are criminals, known members of terrorist organizations and politicians responsible for civil wars, human rights violations, and other international crimes.
- Against members of certain groups or organizations. For example, there are specific sanctions against members of Hamas or the Taliban, regardless of their residence or nationality. There are specific sanctions against members of certain governments or governmental organizations (for example, against certain government officials in Venezuela or members of the Iranian Revolutionary Guards). This category of sanctions does not always specify the names of individuals (because people may join these groups at any time), but rather they say that any member of this group or organization is under sanctions, and therefore you cannot offer your financial services to them.
- Against certain industries or types of commercial activities. For example, you cannot buy Iranian or Venezuelan oil, you cannot buy or sell arms with governments of certain African countries, you cannot export certain products to or from Russia, etc.
Why is this important?
People often say “Iran is under sanctions” or “Russia is under sanctions” or “Venezuela is under sanctions” and it’s not correct.
From the technical implementation standpoint, it sometimes makes a huge difference: either you block an entire country and cannot serve anyone there, or you find a way to detect and block a couple of dozens of people and can work with everyone else without breaking any laws.
On the other hand – the consequences of even a single mistake can be huge, especially if those are OFAC (US) sanctions.
"Fun" facts: there are some contradictory and mutually exclusive sets of sanctions, which can make the life of a compliance officer super interesting. The most common examples would be Cuba (the US still has sanctions against most activities in Cuba, but Europe has nothing against Cuba whatsoever) and Russia vs Ukraine (where both countries claim that the other side is an occupant and international criminal).
How do you go about the technical implementation of sanctions compliance to keep it simple and reasonable?
Usually, I recommend to implement the following basic rules (obviously those are a very general set of guiding principles, just for an illustration purpose):
- IP block North Korea and Crimea as a minimum.
- If you have US-based financial partners, they will likely force you to block Cuba, because they would want all their partners to be OFAC-compliant. Even if you are in Europe.
- Don’t support countries where there are lots of problems and little economic opportunity. For example, many of my clients decide not to support countries that are suffering from a long history of civil wars, or with known active terrorist organizations on their territory, simply because it’s hard to know for sure who is who in these countries, and it’s easier not to support these countries than to investigate extensively each application from there and treat it as high risk with enhanced monitoring requirements going forward. So, even though there are no sanctions against certain countries, you may still decide not to support them, purely based on risk/opportunity analysis.
- There are countries with political problems and restrictions around some economic activities there (e.g. various sanctions against certain industries and government officials in Russia) or even with known terrorist groups operating there (e.g. Taliban in Pakistan), but the overall economic opportunity is still interesting for many. In this case, you may decide to invest in good monitoring tools, hire experienced native-speakers for investigative work, and this would allow you to support, for example, Russian or Pakistani clients with reasonable safeguards.
Hope this summary was helpful. If you have any questions - feel free to reach out. You can find my contact details on my company website.
Join Hacker Noon
Create your free account to unlock your custom reading experience.