Denied party screening: the who-what-when-where-why-how

The first step in organizing denied party screening, as with any other compliance issue, is to run a risk analysis. For EU-based companies, this means identifying any applicable restrictions under EU sanctions law. In addition, US sanctions law includes financial sanctions with secondary sanctions that may apply, and restrictions under US re-export controls must be observed as well when trading with civilian US products. Only companies that are aware of the relevant bans and licensing requirements can take the appropriate action to prevent violations.

At this point it’s already clear that the risk analysis for denied party screening is not as simple as it appears at first glance. In addition to the provisions of EU sanctions law, companies must know and understand the provisions of US sanctions law and US re-export control law. Another persistent source of confusion is the sanctions imposed by the many other countries that also use restricted party lists. Questions about Swiss, Chinese, or Canadian restricted party lists, for example, are not uncommon.

Completing the risk analysis provides a decision-making basis for everything that follows. Only after the risk of noncompliance is known can a company see what needs to be done. If the risk analysis identifies no risk of noncompliance, then no further screening is needed, not even a denied party screening.

Denied party screening is the process by which companies check whether their business partners are on any restricted party list. If so, business relations with the listed business partner are subject to all the specific legal restrictions associated with the list in question.

Denied party screening is always run with the help of software. The software compares the name of the business partner to the names on the lists that are set up for screening. If the software identifies an identical or similar name, it reports a match.

Next, a verification must be run to check whether the identical or similar list entry reported in the match is the same person as the business partner. This verification is referred to in practice as match handling. If the business partner is indeed found to be the same as the listed entity identified by the software, this is classified as an actual match.

The consequences of the listing for subsequent business transactions with the business partner depend on which list the business partner is on. A match with the EU’s CFSP list makes EU companies subject to a comprehensive ban on the provision of economic and/or financial resources. A match with a US list typically unfolds quite differently. If the business partner were on a list that does not apply to the company, the match would have no legal consequences, and business activities could continue without restriction.

In most cases in practice, match handling does not confirm an identical match, so business with the partner in question is not subject to any restrictions, and business relations can commence or continue without restriction.

EU-based companies can find the legal basis for the denied party screening in the EU’s sanctions and embargo regulations.

The idea of sanctioning individuals (natural persons, companies, and organizations) by imposing financial sanctions is now found in all EU country-specific embargo regulations and also in the country-independent sanctions regulations relating to terrorism, human rights violations, cybercrime, and the proliferation of chemical weapons.

Although the objectives are different, the content of the financial sanctions is identical. The legal requirements that companies need to pay attention to are always the same: “No funds or economic resources shall be made available, directly or indirectly, to or for the benefit of natural or legal persons, entities, or bodies listed in Annex I.” Annex I to the cited regulation contains a list of names and additional information on the entities to whom these bans apply. 

EU law does not contain any further legal provisions – regarding implementation, for example. Most notably, nowhere is there any stated obligation to carry out a denied party screening. Instead, the companies themselves are responsible for ensuring that no funds or economic resources are made available, directly or indirectly, to the listed entities.

The EU defines the terms “funds” and “economic resources” uniformly in the definitions of all regulations. The definition of “economic resources” in particular is very broad. It covers “assets of every kind, whether tangible or intangible, movable or immovable, which are not funds but may be used to obtain funds, goods, or services.”

EU sanctions do not provide for restrictions such as lower limits or exemptions. An EU Council document restricts the scope of the bans to business-to-business (B2B) transactions. Business-to-consumer (B2C) transactions do not fall within the scope of economic resources.

The EU consolidates all name entries from its sanctions and country embargo regulations relating to bans on the provision of economic and/or financial resources in a database known as the CFSP list, the latest version of which is always available in machine-readable format. Software providers import the CFSP list into their solutions daily and make it available to users for screening their business partners.

In practice, automated screening of business partners against the CFSP list is usually the only way to efficiently ensure compliance with the EU bans.

Customers, suppliers, freight forwarders, employees, banks, visitors, contacts …? The question of who needs to be screened and who does not is a headache for many companies. But it’s not all that complicated if you remember the following rule of thumb: All business partners to whom funds or economic resources are made available must be screened.

That is, anyone who receives assets. The business partner in this context is always the contracting party. In the B2B realm, contracting parties are typically companies. This means that it is generally company names that are screened against restricted party lists.

One question that often arises is whether contacts or visitors to your company need to be screened. If you apply the rule of thumb above, this is what you find:

The contacts at your customers, suppliers, and other business partners are not contracting parties, and they do not receive any asset from the business in question. In the absence of any risk of a violation of sanctions, screening them does not make any sense. It’s similar with visitors to your company. They also do not typically receive any asset, so they do not generally need to be screened.

It should be noted that the bans on the provision of economic and/or financial resources are aimed solely at business partners. The country and goods have no bearing on the screening. That means that all business partners, even those in the same country, should be screened against the relevant restricted party lists.

You should screen against the relevant restricted party lists as early as possible.

This basic precept leads many companies to run an initial denied party screening as soon as a new business contact is entered into the system. From a legal perspective, however, it should be noted that entering a business contact into your system does not yet constitute an exchange of assets. The earliest point at which this occurs is when a binding quote is submitted or before a contract proposal is accepted. These are the relevant criteria for a denied party screening.

Please note that the EU and US bans on the provision of economic and/or financial resources apply not only to the direct provision but also to the indirect provision. Indirect provision occurs when the business partner itself is not listed but is owned by a listed entity. 

Indirect bans require that you identify and verify who owns the business partner. Companies that feel they are at risk of falling within the scope of the bans on indirect provision often carry out a due diligence check as soon as the potential business partner has been entered into their system. This involves asking about the ownership structure of new business partners, then running a denied party screening on the owners.

We’ll address this question as well with an example of a company in the EU. As the lists of names in the EU sanctions and embargo regulations change frequently, the answer varies depending on the type of business activity:

The situation for an equipment manufacturer with long project lead times is not the same as that of a company with a 24-hour helpdesk. While it may be advisable for the equipment manufacturer to screen all their business partners at regular intervals, companies with a shifting customer base are better off running document-related screenings.

Commercial software solutions can be fine-tuned to a company’s various business activities.

Strictly separate from US sanctions law is US export control law under the US Export Administration Regulations (EAR). US export control law is extraterritorial and must be observed worldwide when trading US products subject to the US EAR. The definition of US products under the EAR can be found in § 734.3, 4 & 9 EAR.

The following four US restricted party lists are linked to US products as part of US export controls:

1. Denied Persons List (DPL): Trade in US products in business transactions with persons, companies, or organizations listed on the DPL is prohibited.
2. Entity List (EL): Trade in US products in business transactions with persons, companies, or organizations listed on the EL requires a license.
3. Unverified List (UVL): Trade in US products in business transactions with entities listed on the UVL is subject to special obligations of due diligence. The transaction can continue if a requested UVL statement ensures in writing that the US products will not be used for any prohibited end-use.
4. Military End User List: Trade in the US products named in Supplement No. 2 of Part 744.21 of the EAR requires a license in business transactions with the military end users named in Supplement No. 7 of Part 744 of the EAR.