Sanctions compliance extends beyond knowing your immediate customers and suppliers. Today, for risk managers across industries, that’s a sobering and daunting reality.
Cristian deRitis
To detect hidden sanctioned-country content in seemingly legitimate business relationships, companies not only need to understand the entirety of their supply chains but must also develop ongoing monitoring, verification and due diligence capabilities.
Indeed, comprehending the complex and evolving sanctions landscape is no longer optional for risk managers. Rather, it’s essential for organizational survival.
So, what are different types of economic sanctions and what’s their global impact on risk management? Why are sanctions so challenging to manage, and what specific steps can firms take to mitigate their risk?
Economic sanctions are restrictive measures governments or international bodies impose against targeted states, entities or individuals. They are foreign policy and national security tools designed to influence behavior without military intervention.
There are several different types of sanctions, including:
Sanctions may be imposed for various reasons, including (1) responding to territorial disputes or military aggression; (2) addressing human rights violations; (3) combating terrorism and weapons proliferation; (4) countering drug trafficking and organized crime; and (5) punishing corruption and dictatorships.
What makes sanctions particularly challenging for compliance is their dynamic nature — they can be implemented, modified or lifted rapidly in response to geopolitical developments, often with little advance notice to the business community.
Hera Smith
Sanctions have evolved into one of the most powerful international relations tools, with unprecedented enforcement and financial penalties. In 2023 alone, the U.S. sanctions authority, OFAC, levied a staggering $1.54 billion in fines against non-compliant organizations. In 2024, European regulators significantly increased their activities, resulting in a higher number and value of fines and more convictions for sanctions violations than U.S. authorities.
Contrary to popular opinion, sanctions don’t just apply to financial companies or large corporations. Penalties for sanction violations affect companies of all sizes across diverse sectors, including freight brokerage, transport, aviation, plastics, insurance, energy equipment and consumer goods.
Figure 1: OFAC Sanctions Penalties
Sanctions can significantly impact affected individuals and businesses, and the macroeconomic consequences can be severe. For example, due to Russia’s invasion of Ukraine in 2022 and the imposition of sanctions against Russia, trade between Russia and the United States plummeted 86% in the first 11 months of 2023 compared to 2021. Similarly, EU imports of Russian crude oil dropped by more than 90% after the invasion of Ukraine. As a result, Russia's GDP for 2023 was $2 trillion, an 11% decline from 2022.
Since sanctioned countries typically seek new trading partners, sanctions can also have unintended consequences. For example, trade between Russia and China rose to $240 billion in 2023, compared to their bilateral trade of $147 billion in 2021. Moreover, Russia's exports to China and India accounted for approximately 70% of its oil exports by November 2022.
The extraterritorial reach of U.S., UK and EU sanctions means that companies worldwide must consider these regulations as part of their risk management framework, regardless of their primary jurisdiction.
Effective sanctions compliance requires controls proportionate to organizational risk exposure. The sanctions evasion risk spectrum ranges from relatively minor concerns to severe violations, including:
Legal Exceptions (Low Risk). Technical carveouts in sanctions rules, such as family remittances to Cuba, may be allowed under U.S. sanctions — subject to applicable conditions and requirements.
Circumvention. Activities that appear legal but intentionally avoid sanctions application, like reducing ownership stakes to 49% to bypass OFAC’s 50% Rule.
Willful Blindness. Intentionally ignoring facts that would have revealed sanctions evasion and one's role in facilitating it.
Undermining. Actions that negate the application of sanctions or harm the national security or foreign policy objectives behind them.
Active Collusion (High Risk). Deliberately concealing or transferring assets for sanctioned individuals or entities.
These risks are not mutually exclusive. They often overlap and compound each other. Higher levels of evasion risk significantly increase the overall risk profile of third parties and goods.
Sanctions compliance can be divided into the following critical segments:
Ownership and Control
Beyond direct designations, sanctions programs increasingly target entities controlled by sanctioned persons. The EU, UK, Canada and Australia consider entities controlled by sanctioned persons to be sanctioned by extension. New reporting requirements exist for Russian-owned entities (EU Article 5r), along with outbound investment restrictions on Chinese-owned entities in strategic sectors.
The 50% Rule
Under this critical rule, property of entities directly or indirectly owned 50% or more in aggregate by sanctioned persons is considered sanctioned itself. This creates a cascade effect that dramatically expands the scope of sanctions. (Note that the 50% rule varies slightly between jurisdictions: while OFAC (US) sets the threshold at 50%, the EU and UK rules can be slightly different, factoring in both ownership and control.)
Export Controls
The U.S., UK and other G-7 countries have issued a Common High Priority List (CHPL) that identifies items Russia seeks for weapons programs. These items face strict export controls, requiring enhanced due diligence for companies in the global supply chain.
IP Address/Geolocation Screening
Failure to screen IP addresses and domains can inadvertently provide goods and services to comprehensively sanctioned territories — a violation regulators actively pursue.
Shell Company Detection
Bad actors frequently use shell companies to obscure ownership, control and the origin or destination of goods. Recent enforcement actions highlight the significant compliance risks these structures pose.
The true scale of sanctions risk extends far beyond the official designation lists. Data from February 2025 shows that "sanctioned-by-extension" entities vastly outnumber those directly listed.
In the EU, sanctioned-by-extension entities outnumber direct designations by approximately 3:1. In the U.S., the ratio is about 3:2, while it exceeds 4:1 in the UK.
Figure 2: Sanctioned by Extension vs. Directly Sanctioned
Russia, China, Iran, the U.S., Cyprus and Ukraine are the top countries of origin for sanctioned-by-extension entities, creating a complex web of potential risk exposure.
Advanced sanctions compliance tools are emerging to help risk managers address these challenges. Technologies like sanctions-enhanced due diligence (EDD) platforms can automate manual due diligence processes, reduce human error, accelerate decision-making, provide intuitive network visualization of ownership and control, and detect hidden shell company risks.
Aside from investing in technology, organizations should consider several other key strategies to strengthen their sanctions compliance.
For example, they can take a risk-based approach, allocating resources based on a thorough risk assessment of their business activities, geographic exposure and third-party relationships. They can also develop sanctions expertise through regular training and share information on sanctions compliance insights and best practices – via public-private partnerships and participation in industry groups. (Regarding the former, multi-jurisdictional sanctions workshops can help train staff in banking, corporate, or government sectors.)
Lastly, firms can improve sanctions compliance through detailed documentation. Comprehensive records of your screening and due diligence processes should be maintained to demonstrate compliance efforts to regulators. Should a situation slip through compliance efforts, evidence of good faith effort and voluntary self-disclosure can reduce penalties.
As sanctions continue to evolve as a primary tool of international policy, risk managers must stay vigilant. The financial, reputational and operational risks of sanctions violations demand a proactive, sophisticated approach to compliance.
Organizations can navigate this challenging landscape by understanding the complex web of direct and indirect sanctions exposure, implementing appropriate technologies, and maintaining robust compliance processes.
Cristian deRitis is Managing Director and Deputy Chief Economist at Moody's Analytics. As the head of econometric model research and development, he specializes in analyzing current and future economic conditions, scenario design, consumer credit markets and housing. In addition to his published research, Cristian is a co-host of the popular Inside Economics Podcast. He can be reached at cristian.deritis@moodys.com.
Hera U. Smith is Director for Financial Crime Compliance and Third-Party Risk Practice at Moody’s. As a lawyer and industry practice leader, she provides thought leadership by analyzing global sanctions and export control regulations and market trends, and by translating them into product capabilities to help practitioners make decisions. She can be reached at hera.smith@moodys.com.