Between Compliance and Geopolitics: Navigating the Labyrinth of Global Sanctions

As a former internal audit supervisor for International Sanctions and Embargoes at a European bank, what did your work look like?

Internal audit is a key regulated function within banks, defined by the Order of 3 November 2014 on internal controls in the banking sector. Internal audit represents the third line of defence in a bank, after controls carried out by operational staff and by permanent control functions. In concrete terms, it first involves assessing — for a given entity or scope — the level of risk management with respect to the topic of International Embargoes and Sanctions, based on documentary analysis. It then involves issuing recommendations whose implementation will improve the framework for managing these risks. Finally, it involves monitoring the effective implementation of those recommendations and reporting on them to the relevant departments.

On the specific topic of international sanctions and embargoes, this means ensuring compliance with international regulations — and in particular the correct application of rules and lists. Indeed, various regulatory authorities publish public lists of individuals and legal entities with whom transactions are prohibited in whole or in part.

That brings us to clarify who sets these sanctions and within what framework they operate.

Many bodies do so, at both national and supranational levels. Europe does so — there are currently, for example, 36 sanctions regimes and more than 5,400 targeted entities — but it is above all the United States that has led the way on this subject. And within the United States itself, different bodies issue sanctions. This multiplicity of actors creates a situation that is difficult to read — a kind of regulatory layer cake. Take the example of a company based in France. It must apply the sanctions in force on national territory, but that company may have subsidiaries in other countries, each of which may have its own sanctions regime. One of the main challenges is therefore precisely to determine which sanctions are applicable depending on the type of transaction being carried out, the country in which you operate, the various jurisdictions that may apply depending on — for example — who holds a majority stake in the company, and the counterparties you are dealing with.

American sanctions are widely discussed because the extraterritoriality of US law proves very effective. Simply put, the extraterritoriality of American law means that even if you — as an individual or legal entity — are not American and are not based in the United States, numerous criteria can nonetheless subject you to US law and the obligation to apply American sanctions. Thus, as soon as you use dollars, conduct transactions on American soil, use software or processes of American origin, or have your data stored in the United States, you fall under the scope of US law.

Once the rules are known and understood, it is necessary to ensure they are correctly implemented. Sanctions can target a natural person or a legal entity. What are known as primary sanctions are those that directly target listed entities: individuals, companies, banks, vessels, and so on. Secondary sanctions target those who participate in circumventing primary sanctions. Preventing circumvention is a genuine cat-and-mouse game: each time an entity is sanctioned, it still has the option of attempting to carry out transactions via countries or circuits that fall outside the imposed sanctions regime.

In what way do sanctions serve objectives of power, and how do companies find themselves caught up in these power dynamics?

Sanctions are economic levers whose effect is to put pressure on organisations, including states, in particular to influence local policies. By way of illustration, any entity that facilitates the Russian war effort is exposed to the risk of American or European sanctions.

But responses to these pressures exist, among them counter-sanctions. A company can thus find itself caught in a vice between the sanctions and counter-sanctions of the territories in which it operates.

Take the example of Hong Kong. In Hong Kong, you may be required to apply American sanctions issued against certain Chinese officials on matters relating to the Uyghurs. In return, Beijing has imposed sanctions against individuals who participated in establishing those sanctions. In this situation, imagine being a French operator active in Hong Kong, with both American and Chinese clients. You risk finding yourself caught between two antagonistic sanctions regimes. And whatever approach you take, there is always the risk of falling foul of one of the two parties.

Another example: Russia before February 2022. On one side, the Americans demand that their sanctions regime be applied wherever you have operations — including in Russia. On the other side, Moscow developed regulations prohibiting the application of extraterritorial sanctions on Russian soil. So as a company, you can find yourself caught in the middle of geopolitical issues without being a party to them and while wishing to remain outside them entirely.

Can one say that geopolitical allies are generally less exposed to these sanctions regimes?

General de Gaulle is often quoted as saying that states have no friends, only interests — and in my view this is particularly true in this domain. Moreover, allied countries will generally have more deeply intertwined economies and will therefore potentially find themselves more exposed to these extraterritorial sanctions issues.

There is much talk today of the emergence of a post-globalisation era. Does this mean that, as economies become less interconnected, they will be less exposed to sanctions?

Many commentators do indeed speak of deglobalisation or even de-dollarisation of the economy. While it is true that transactions are increasingly carried out in currencies other than the dollar, the dollar remains today the principal currency of international transactions and the principal foreign exchange reserve currency. The question is therefore legitimate over the long term, but in practice we remain extremely interconnected. That said, if there are not fewer international exchanges, they are taking place in a more fragmented way, less connected to our Western systems. The exclusion of certain Russian banks from the Swift system as a result of the war in Ukraine has encouraged the use of a Swift equivalent between China, Russia, and India, for example. The development of cryptocurrency — and in particular stablecoins — is another example of the growth of systems running parallel to the established transaction channels.

Can you explain how sanctions, or the risk of sanctions, concretely affect a company in terms of financial flows, supply contracts, partners, and so on?

First and foremost, it requires significant resources, which comes at a cost: experts must be recruited, legal firms — mostly American — must be engaged, software must be acquired to analyse flows in real time, and teams capable of processing alerts must be mobilised. Beyond that, it affects your entire commercial policy. Every time you have a new prospect or a potential new client, you must ensure that you have what is known as KYC — Know Your Customer — in place.

Finally, depending on the geographic area, certain institutions may apply less strict rules than those in force in our Western banks, which can create competitive distortions.

In short, it slows down operations, makes them more complex, and increases their cost.

To what extent are American companies themselves affected by American sanctions?

In theory, the rules are the same for everyone. In practice, it is easier for them: it is simpler to have the right local contacts, to understand the legal workings, and so on.

Beyond pure sanctions, the anti-corruption regime — the FCPA — is a good example. In a recent executive order, it was decided that it would no longer apply to American companies, on the grounds that it was limiting their capacity to grow commercially. But it remains in force for other companies. This clearly illustrates how this type of regulation can serve as a weapon of economic warfare. Furthermore, a comparison of the total amounts paid by European companies — approximately 90 billion dollars in 2024 — and American companies — less than 60 billion dollars — is a telling indicator of the geographic reality of how sanctions are applied.

Does China's growing economic and commercial power create the conditions for an extraterritoriality of Chinese law?

China is indeed beginning to equip itself with extraterritorial measures. That said, there is a difference between defining extraterritorial laws and actually enforcing them. To my knowledge, we have not yet seen prosecutions by Chinese authorities on these matters. It does not exist today, or at least I am not aware of it. Nevertheless, local regulations are being strengthened in ways that could allow for it.

And Europe — where does it stand in the face of these challenges?

The main extraterritorial subject for Europe today is the GDPR — the General Data Protection Regulation — where Europe has truly been at the forefront in creating an extraterritorial regulatory framework. The result is that today various partners and other countries must apply the GDPR when processing data belonging to European citizens. Furthermore, on the subject of sanctions, a number of anti-sanctions mechanisms have been defined by Europe, notably in the context of Iran.

Concretely, what can I do as a company to be proactive on these issues — to act rather than simply react?

The first point is to accept that these things can happen to you. These issues can affect large companies including banks, but also many small businesses, without necessarily attracting any publicity. The first step is therefore to be aware that all companies can be affected by extraterritorial issues. There is a genuine awareness problem. Beyond that, what can be done concretely is to identify and map the risks, in order to be fully conscious of them, and to implement risk-mitigation measures where appropriate — for example by limiting the use of the dollar, by selecting certain suppliers over others, and so on.

Leaders must clearly identify their areas of exposure: dollar-denominated transactions, subsidiaries in the United States, US persons among their staff, and so on. Each factor can trigger the application of extraterritorial rules. Is one aware that by using American software or American messaging services, everything contained therein can be exploited for extraterritorial purposes? Beyond that, a key element remains KYC — knowing your client. Do we truly know who our counterparties are and who the beneficial owners of our operations are? It is indispensable.

Who should carry out this risk mapping within the company? And what do you think of the possibility of creating Chief Geopolitical Officer positions within companies?

In my view, this falls to the compliance department. If you are a large company, you can have a dedicated officer responsible for the specific question of "sanctions compliance"; if you are a small company, you have someone who is the compliance director and handles all compliance matters, including this one.

As for the Chief Geopolitical Officer (CGO), it seems relevant to me insofar as it exists alongside a compliance officer. The latter would be responsible for applying regulations as they exist at any given moment, while the Chief Geopolitical Officer would take a prospective approach. I can cite a recent example: the conflict between India and Pakistan. What impact would an escalation of the conflict have on outsourced activities? How can business continuity be ensured in that context? The CGO could look into this, and also monitor the nature of relations between the Indian and French governments, or observe the political evolution of India: are we witnessing a conservative retreat there? How would it affect the business environment? What is the contingency plan — how can one anticipate the re-internalisation of certain key competencies? It seems important to me to engage in a kind of foresight around all these political issues, which are becoming increasingly significant, so that the company can adapt and anticipate risks.

What reading, programmes, films, or podcasts would you recommend to someone wishing to learn more about geopolitics?

I won't be very original, but I would say "The Art of War" by Sun Tzu. Because ultimately, sanctions can be seen as weapons of economic warfare aimed at seizing, preserving, or expanding power without firing a single shot: "Supreme excellence consists in breaking the enemy's resistance without fighting."

This work also helps to better understand a certain Chinese approach to geopolitics — one rooted in the long term and a logic of multi-domain encirclement.