
The Hidden Dangers of Third-Party Transactions: Compliance Challenges in the Era of Russia Sanctions


On March 3, 2022, the U.S. Department of Commerce's Bureau of Industry and Security ("BIS"), the U.S. Department of Justice ("DOJ"), and the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") jointly issued the "Tri-Seal Compliance Note: Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls" ("Compliance Note").[1] The Compliance Note aims to alert international organizations, the private sector, and the public to any attempts to violate the sanctions and export control regulations imposed by the United States against Russia to prevent "any support that could contribute to Russia's unlawful and unjustified war against Ukraine" and draws attention to the use of "third parties" as one of the most common methods to evade the regulations. The Compliance Note highlights the use of third parties to obscure the identities of Russian persons who are the real beneficiaries, in particular, to conceal persons and entities on prohibited lists, and identifies several "red flags" in transactions involving third parties to evade sanctions or trade control arrangements.

Under the Compliance Note, U.S. persons, financial institutions, and other entities doing business with U.S. persons or entities subject to U.S. sanctions and export control regulations are expected to comply with the regulations relating to U.S.-origin goods or services. Similarly, those who engage in activities involving foreign-origin goods or services that are subject to U.S. export control regulations should also be aware of and stay on alert to potential evasion attempts.

The Compliance Note states that an efficient and effective compliance program requires developing and implementing a risk-based approach to compliance with sanctions and export controls. Compliance programs should be regularly updated in light of the extent, size, and complexity of the organization or its activities, the nature of its products and services, its customers, business partners, and related geographical locations, and the risks inherent in the business in this context.

Manufacturers, distributors, resellers, and transporters are often in the best position to determine whether a particular transaction or activity is consistent with or compatible with operational or market requirements. They are obliged to recognize suspicions of potential violations of sanctions and export control regulations and, where suspicions arise, to conduct due diligence and make necessary determinations.

In addition to establishing an effective and efficient compliance program, the Compliance Note emphasizes protecting and continuously maintaining that program in order to minimize risks. A risk-based and effective compliance program requires management commitment, risk assessment, internal controls, testing, auditing, and training. Ideally, compliance programs should be a tailor-made system of internal controls that responds to the risks an organization faces based on its unique characteristics, particularly third-party risks. The Compliance Note also mentions that top management commitment may include providing incentives, such as some form of compensation. All these efforts are intended to motivate employees to identify potential violations of sanctions and export control regulations and to make voluntary reports to the US government.

Red Flags that May Indicate a Potential Violation by Third Parties

The Compliance Note specifically identifies the most common red flags that may indicate a third party is attempting to violate sanctions or export control regulations. Relevant persons and entities should be aware of these red flags and adapt their compliance programs to continuously detect and manage these risks. The red flags include:

  • The use of legal entities, such as shell companies or legal arrangements, to conceal the actual beneficiary, source of funds, or countries involved, especially sanctioned ones;
  • Reluctance from customers to share information about the end use of a product or to complete an end-user form;
  • Use of shell companies for international wire transfers and involvement of financial institutions located in jurisdictions other than the company registration;
  • Refusal to install, train, or maintain the purchased product(s);
  • IP addresses that do not match a customer's reported location data;
  • Last-minute changes to shipping instructions that contradict customer information and history;
  • Receiving payments from third-party countries or individuals/businesses not on the End User list;
  • Use of personal email accounts instead of company email addresses;
  • Use of residential addresses in complex or international companies and/or use of common addresses for multiple companies;
  • Changes to declarations and commitments to obscure the end customer;
  • Changes to shipments or payments previously scheduled for Russia or Belarus;
  • Transactions involving assets with little or no online presence (e.g., website, social media);
  • Routing purchases through specific transshipment points commonly used for illegal shipments of restricted goods to Russia or Belarus (e.g., China, Hong Kong, Macau, Armenia, Turkey, and Uzbekistan);
  • Using complex sales and distribution models to disguise the end user of the product, service, or technology in question.

The Compliance Note also outlines best practices to mitigate such risks, including:

  • Screening current and new customers, intermediaries, and all other third parties,
  • Using the Consolidated Screening List and Sanctions List, which are regularly updated and can be found on OFAC's official website, for customer, real beneficiary, and third-party screening processes,
  • Applying risk-based due diligence to all counterparties, including customers, intermediaries, and business partners.

In addition, companies are encouraged to regularly consult the US Department of Treasury and Commerce for guidance and advice to obtain information and strengthen their compliance programs.

The Compliance Note also highlights the enforcement and targeting methods of the BIS and OFAC. For instance, in November 2022, OFAC added individuals and entities to the prohibited lists for their involvement in a global supply network run by a Russian microelectronics company that transferred its funds through a shell company to another shell company in a third country, which then shipped microchips to Russia. The Compliance Note cites several cases in which OFAC imposed administrative fines, and mentions that techniques used to evade sanctions and regulations include falsifying commercial documents and records, omitting certain information from internal correspondence, and shipping products through third countries.

Criminal Enforcements

The Compliance Note also mentions criminal investigations initiated by the DOJ into individuals and entities attempting to circumvent sanctions and export control regulations against Russia. The most common techniques used in these cases include:

  • Claiming that shell companies based in third countries are intermediaries or end-users;
  • Claiming that certain risky goods (e.g., dual-use and sensitive substances) will be used in a different activity or sector than their actual intended use (e.g. declaring that a product that will be used in fighter jets will be used in the Russian space program);
  • Shipping controlled goods in smaller batches in order to evade surveillance and control;
  • Using aliases in intermediary and end-user information;
  • Transferring funds from shell companies in foreign countries to U.S. bank accounts, and quickly sending or distributing the funds to hide the account audit trail or the foreign source of the funds;
  • Making false or misleading statements on shipping forms, such as understating the purchase price of the product;
  • Declaring that they are acting on behalf of a US-based shell company and not on behalf of an end-user on the prohibited lists.

These cases emphasize the importance of designing and implementing a compliance program to verify the authenticity of all information received by obligated persons and entities.


The use of third parties to circumvent sanctions and export control regulations against Russia takes many different forms, including the use of shell companies, multiple intermediaries, and transfer locations. These techniques are designed to sever the link to the original source and make it difficult to trace the transaction. The US government expects obligated persons and entities to be aware of these risks and has outlined the main red flags that should raise suspicion of third-party transactions and fraudulent practices.

The Compliance Note emphasizes the importance of a risk-based, efficient, and effective compliance program tailored to an organization's specific risks. This includes the organization's structure, the amount and nature of transactions, the industry, the number of third parties, the product or service, and the relevant geography. Active risk assessment and internal controls are key components of an effective compliance program. It's important to note that obligated persons and entities that fail to respond to these risks and implement a compliance program to the required levels cannot escape liability for violations of US law, even if they were carried out by third parties.
