Q&A DUE DILIGENCE ON RESTRICTIVE MEASURES FOR EU BUSINESSES DEALING WITH IRAN

Q&A DUE DILIGENCE ON RESTRICTIVE MEASURES FOR EU BUSINESSES DEALING WITH IRAN

The conclusion of the Joint Comprehensive Plan of Action (JCPoA) with Iran produced the comprehensive lifting of all UN sanctions as well as multilateral and national sanctions related to Iran’s nuclear programme.1 The European Union is fully committed to the continued, full and effective implementation of the JCPoA, as long as Iran respects its nuclear-related commitments. The lifting of nuclear-related sanctions allowing for the normalisation of trade and economic relations with Iran constitutes an essential part of the JCPOA. This Q&A is meant to support European businesses, especially Small and Medium-sized Enterprises (SMEs), that wish to engage in business with Iran.


1. Joint statement by EU High Representative Federica Mogherini and Iranian Foreign Minister Javad Zarif Vienna, 14 July 2015

Despite the phased sanctions-lifting under the Joint Comprehensive Plan of Action (JCPoA) with Iran, a number of EU restrictive measures remain in place (more information on the applicable EU sanctions is available in the EU's JCPOA Information Note here).

EU operators2 interested in engaging with Iran must consider whether their activities would fall under the applicable EU restrictive measures. Before engaging in any business activity, EU operators must ensure that appropriate due diligence procedures are carried out.

2. Those measures applied by EU operators are without prejudice to the applicable requirements for obliged entities under Directive (EU) 2015/849 (“Anti-Money Laundering Directive”, AMLD). Obliged entities shall apply the specific requirements for preventing money laundering and terrorist financing under the AML Directive. This document is not intended to provide guidance to obliged entities on the application of relevant AML legislation.
An overview of all applicable EU sanctions is available on the EU Sanctions Map.3

3. The remaining sanctions concerning Iran target: serious human rights violations, proliferation of restricted goods and technology, support for the Assad regime in Syria and support for terrorism.

A consolidated list of persons, groups and entities subject to EU financial restrictive measures is provided on the European Commission’s website. Note that you will need to create an EU login to access the full list.

The UN Secretariat also makes available all United Nations Security Council sanctions lists in the six official languages of the United Nations.

Several private providers offer paid access to databases allowing for a search of sanctions lists (such as DowJones, Refinitiv (Worldcheck), Lexis Nexis (World Compliance), Arachnys or Dun&Bradstreet).4


4. The above list reflects the information available to the Commission on the available private data providers. It is not meant to be exhaustive. The Commission is not recommending, nor endorsing these private data providers.

 

The following Iranian domestic sources provide some website contents in English; however, the search function is usually limited to Farsi. Historical information of management and shareholders are partly available.

Official Gazette
of Iran

The Official Gazette of Iran publishes updates in the official company register. This source searches by company name for notices mentioning that entity. On the site itself, users can also search by company number, or restrict the search to a certain year or city. The Official Gazette is the main source for background checks of legal entities.
 Registration office
The Company Registration General Office within the State Organisation for the Registration of Deeds and Properties in August 2013 introduced a new portal to register legal entities. Basic information about legal entities can be searched by the ID and/or the name.
Iranian Chamber
of Commerce, Industry,
Mines and Agriculture
The Iran Chamber of Commerce provides a list of approximately 400 individual members of the Iranian Chamber of Commerce including their contact details, dates of birth and education are available online in Farsi.
Tehran Stock
exchange

The website of the Tehran Stock Exchange allows searching for details about listed entities.
Codal
The Iranian Securities and Exchange Organisation maintains the Codal database, which hosts announcements and financial statements of traded Iranian companies. It contains information about shareholders and management.
Central Securities
Depository
(“CSD Iran”)

The website of the Iranian Central Securities Depository provides basic information for deposited securities for (foreign) investors.

 

The main Iranian news portals often contain a search function and allow for queries about companies, management or shareholders.

Some of the most relevant online news portals in Iran are:

Name

Description

farsnews.com

Fars News Agency is widely described by news media to be a "semi-official" news agency of the Government of Iran.5

yjc.ir

The Young Journalists Club (YJC) is a news agency in Iran. It was established by the political affairs bureau of Islamic Republic of Iranian Broadcasting (IRIB).6

asriran.com

Asriran describes itself as Iran's leading independent news portal.7

tasnimnews.com

Tasnim News Agency is a private news agency in Iran.8

isna.ir

The Iranian Students News Agency (ISNA) is a news organisation run by Iranian university students.9

mehrnews.com

The Mehr News is an Iranian news agency, owned by the Islamic Development Organisation (IDO).10

tabnak.ir

Tabnak is a non-governmental news portal.

khabaronline.ir

Khabar Online is an independent news portal according to its website.11

mashreghnews.ir

Mashreghnews is a non-governmental news portal.

irna.ir

The Islamic Republic News Agency (IRNA) is the official news agency of the Islamic Republic of Iran. It is government-funded and controlled by the Iranian Ministry of Culture and Islamic Guidance12.


Possibly useful information for due diligence checks available on online news portals relates to issues such as:

  • Links to organised crime or arms trafficking;
  • Money laundering;
  • Regulatory investigations and material litigation;
  • Association with terrorist financing or terrorist activities; and
  • Regulatory investigations or sanctions.

5. https://www.reuters.com/article/us-iran-security-missiles/iran-can-expan....
6. https://www.yjc.ir/en/about.
7. http://www.asriran.com/fa/about.
8. https://www.tasnimnews.com/en/about.
9. https://www.isna.ir/news/95031711051/.
10. https://www.mehrnews.com/news/2408725/.
11. https://www.khabaronline.ir/news/822035.
12. http://www.irna.ir/.
Some Chambers of Commerce of Member States offer support for due diligence checks to EU operators dealing with Iranian business partners (e.g. Advantage Austria for Austrian businesses or the German-Iranian Chamber of Commerce). You should check with your Member State’s embassy or competent ministry to see if such a service is available to your business.

Additional sources of information are available through the engagement of local consultants and agencies with a broad network in Iran who can obtain further information by conducting interviews.
One possible way of conducting due diligence checks for EU restrictive measures compliance could consist of the following major steps:
 


Note that sanctions screening for designated entities is an absolute requirement. This is a rule-based obligation that applies to everybody, natural and legal persons alike and needs to be complied with regardless of any risk-based assessment of a transaction.

A risk assessment is a process to identify potential risks by evaluating the probability of the occurrence of an event and the potential damage caused by the event. The scope and extent of the assessment could take into account the following points:

/fpi/file/graph-quest-8_enGraph Quest 8



The output of the risk assessment should be the expected risk (low, medium and high). The process of assessing risk can be part of a project to mitigate overall risks for the business across all parts of the organisation and the product portfolio.
A simplified risk evaluation process could contain the following steps:
9.1. Identifying risks

The risk identification process precedes the risk assessment and produces a comprehensive list of risks (and often opportunities as well). This list can be organised by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects.

9.2. Developing assessment criteria

The first activity within the risk assessment process is to develop a common set of assessment criteria. Risks and opportunities are typically assessed in terms of impact and likelihood.

9.3. Assessing risks

Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. An initial screening of the risks may employ qualitative techniques followed by a more quantitative analysis of the most important risks.

9.4. Assessing risk interactions

Risks do not exist in isolation. Therefore, businesses may increasingly take an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.

9.5. Prioritising risks

Risk prioritisation compares the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of its impact on finance and the probability of its occurrence, but also subjective criteria such as the impact a risk has on health and safety, on reputational impact, how vulnerable an entity is towards this risk, and the speed of onset.

9.6. Respond to risks

The results of the risk assessment process are the primary input to risk response. Risk response examines response options (accept, reduce, share, or avoid), takes account of cost-benefit analyses, formulates a response strategy and develops risk response plans.

A typical and very basic example for a constellation where a risk assessment would indicate a low risk could be the following:

Example: Low risk scenario:
An EU-based SME (Small or Medium-sized Enterprise)13 intends to enter into a contract for the sale of personal care products. The Iranian customer, a limited company, is an Iranian family-owned medium sized entity with clear structures and shareholders and claims to have no ties to entities subject to EU restrictive measures.

The volume of the contract is EUR 50 000. An intermediary, a legal entity based in a third country (non-EU), will deliver the goods. The contract will include the payment terms (in EUR) through a bank in the third country (non-EU) to a bank in the EU.

/fpi/file/graph-quest-10_enGraph Quest 10


The EU SME performs an appropriate risk assessment that includes all aspects of the business with the Iranian customer. Even with an intermediary involved for logistics and payment, the first risk assessment may indicate a low risk, as such structures are common in trading with Iran.

/fpi/file/graph-quest-10b_enGraph Quest 10b



13. Note that all practical examples are fictitious and do not relate to existing persons or businesses.
An example for a constellation where a risk assessment would indicate a medium risk could be the following:

Example: medium risk scenario
An EU-based SME14 intends to enter into a contract for the sale of hospitality equipment for hotels with a contract volume of EUR 500 000. The buyer is a private joint stock company in Iran (PJSC), a well-known company in the hotel market with distribution lines for hospitality equipment in Iran. An agent, an individual in a third country (non-EU), is responsible for the logistics and maintenance of the business relationship with the Iranian customer. The agent receives a commission from the EU-based SME. The goods will be delivered through the third country and the delivery conditions are “ex works” (from the factory of the EU-based company in the EU). The Iranian customer remains responsible for the logistics. A subsidiary of the Iranian customer, located in the third country, will release the payment from a bank account in the third country to the bank account in the third country of the subsidiary of the EU-based SME.

/fpi/file/graph-quest-11_enGraph Quest 11


The risk assessment of the EU-based SME results in a medium level risk for the company, especially because of the legal structure of the Iranian customer, which is registered as a Private Joint Stock Company (“PJSC”).

/fpi/file/graph-quest-11b_enGraph Quest 11b


In this case, the legal type of the company does not allow a third party to access the shareholder information. Shareholder information is not publicly available and the EU-based SME has to rely on the information provided by its Iranian customer. The commission payment to the agent increases the risk for the EU-based SME. Therefore, a background check on the agent may avoid compliance risks.

14. Note that all practical examples are fictitious and do not relate to existing persons or businesses.
An example for a constellation where a risk assessment would indicate a high risk could be the following:

Example: High risk scenario
A producer of electric engines based in EU Member State A15 intends to sell a set of electric engines to an Iranian customer, a state-owned airline. The contract includes warranty and spare part delivery. A factory in EU Member State B would carry out warranty repairs. The contractual volume amounts to EUR 5 million. The Iranian airline operates aircraft for cargo and civil transportation. The engines are required for the installation in passenger aircraft. The goods are to be delivered “ex works” and the payment is to be transferred to the bank account (held in EU Member State C) of the electric engines producer (based in EU Member State A). Technical engineers from the electric engine producer shall provide trainings and assist in case of technical matters. During the course of the establishment of a business relation and several visits in Iran, the electric engine producer has heard rumours that one of the board members of the Iranian airline has ties to the Iranian Revolutionary Guard Corps, which is listed under EU restrictive measures.

/fpi/file/graph-quest-12_enGraph Quest 12


/fpi/file/graph-quest-12b_enGraph Quest 12b


The rumours that the Iranian airline is potentially linked to an entity that is subject to EU restrictive measures, the type of goods (dual use) and the contract value (above EUR 1 million) would indicate a high risk transaction for the electric engine producer. Furthermore, the target is state-owned and the structures complicated. Persons with major control on the operations of the company cannot easily be found. A thorough due diligence would be necessary before proceeding with the transaction.

15. Note that all practical examples are fictitious and do not relate to existing persons or businesses.
Based on the risk assessment, a three-level approach to due diligence could be envisaged. Level I would cover due diligence for basic or low risk transactions, level II includes level one plus searches in Farsi for open source information and level III includes level I and II with local background checks based on interviews.

/fpi/file/graph-quest-13_enGraph Quest 13

Level I checks are based on self-disclosure of the Iranian business partner and the gathering of open source information.
14.1. Self-disclosure
The basis for the due diligence could be a self-disclosure of the target that may contain the following information:
  • Full name of the entity;
  • Legal form;
  • Registration ID;
  • Governmental or state-owned;
  • Key contact, address, phone and homepage URL;
  • Management ID (full names, date and place of birth, ID Number, Politically Exposed Person (“PEP”) status);
  • Shareholder (full names and number of shares, date and place of birth, ID Number, politically exposed person (“PEP”) status);
  • Ultimate parent company;
  • Ultimate beneficial owner;
  • Origin of capital information;
  • Ties of management and shareholders to politically exposed persons (“PEP”);
  • Activities, products;
  • Ties to government (actors of the company with a position or function in state-owned and/or governmental institutions/organisations);
  • Ties to military and/or Iranian Revolutionary Guard Corps (“IRGC”);
  • Involvement in Iran’s nuclear program.


A translated version of the Official Gazette and/or further translated documents could usefully be attached to the self-disclosure.

It may be advisable to obtain the following additional information from the target, especially in case of dealing with dual use goods:

  • Company presentation;
  • Financial situation;
  • Name of auditor;
  • Financials (last two financial statements or audit reports);
  • Default of payments, bankruptcy proceedings;
  • Number of employees;
  • Legal proceedings;
  • Criminal sentences of management and shareholders and/or beneficial owners;
  • Compliance cases in the past 5 years.
14.2. Open source intelligence
As a minimum requirement the information in the self-disclosure should be crosschecked with
  • The website of the target; and
  • Information available on the internet.


Compliance checks on a basic level should include checking names (similar names included) in the EU restrictive measures lists.

14.3. What is the “ultimate beneficial owner” and why does it matter?
For an EU operator, it is not always evident who has direct or indirect control over its Iranian business partner.

However, EU operators must ensure that they do not make economic resources available (directly or indirectly) to a person or entity who is subject to EU restrictive measures by dealing with an entity, which is controlled or owned by such a person or entity.

An ultimate beneficial owner is any natural person who ultimately owns or controls a corporate entity or other legal entity and/or the natural person(s) on whose behalf a transaction or activity is being conducted. As a general rule of thumb (and without prejudice to the specific circumstances of a case), the ultimate beneficial owner of a legal entity may be the natural person who:
 
  • holds an equity interest of at least 25%; or
  • wields at least 25% of the voting rights; or
  • is the beneficiary of at least 25% of the equity.


Other legal rights may confer control over the EU operator’s Iranian business partner to a person or entity who is subject to EU restrictive measures. Such rights may include the possibility to appoint the members of the management or supervisory board, to exercise a dominant influence on legal and business decisions or to act as a major financier.

EU operators might consider referring to Article 3(6) of Directive (EU) 2015/849 (Anti-Money Laundering Directive) in order to find further details on identifying beneficial owners for legal persons and legal arrangements.16


16. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1561390430105&uri=CE....

Example: Low risk scenario
An EU-based SME (Small or Medium-sized Enterprise)17 intends to enter into a contract for the sale of personal care products. The Iranian customer, a limited company, is an Iranian family-owned medium sized entity with clear structures and shareholders and claims to have no ties to entities subject to EU restrictive measures.

The volume of the contract is EUR 50 000. An intermediary, a legal entity based in a third country (non-EU) will deliver the goods. The contract will include the payment terms (in EUR) through a bank in the third country (non-EU) to a bank in the EU.

In this case study (see question 10), a first level due diligence on both targets, the Iranian customer and the intermediary based in the third country, should be performed. If any red flags appear, an extension of the background checks is necessary.

/fpi/file/graph-quest-15v2_enGraph Quest 15v2



In this case, the self-disclosure and checks on the website of the targets revealed that the shareholders of the targets, the Iranian customer and the intermediary based in the third country, are individuals. While the Iranian customer has one beneficial owner with 80% of the shares, two shareholders, each owning 50% of the shares, control the intermediary based in the third country. One of the shareholders is CEO. Both shareholders are therefore considered as beneficial owners. The EU-based SME searched for the names of the targets, the Iranian customer and the intermediary based in the third country, and the names of their shareholders and management in the EU financial sanction list without identifying any matches. An internet search has confirmed the activities of both companies as distributors of goods in the civil sector.

/fpi/file/graph-quest-15b_enGraph Quest 15b



The EU-based SME confirmed with its Iranian customer that it had carried out the necessary due diligence checks; it consequently forwarded the request for financing of the transaction to its bank. Furthermore, the EU-based SME applied for an export credit insurance at an EU-based export credit agency.
17. Note that all practical examples are fictitious and do not relate to existing persons or businesses.
On levels II and III, domestic Iranian sources should be used to obtain background information and be crosschecked with the information from the self-declaration of the target.

A distinction is made between second and third level as a global best practice approach. To define steps for different risk levels, measures which result in an intermediate level of effort and costs (2–3 weeks) are included in level II and measures with an extended approach and maximum efforts and costs (up to 6 weeks) in level III.

In certain cases, a combination of the second and third level approach can be reasonable.
Level II checks could contain but need not be limited to the following type of checks and measures.
17.1. Corporate details
The research on corporate details should aim to obtain the following information, which are available in Farsi:

17.1.1. For private companies, listed on the Tehran Stock Exchange:
  • Details of registration;
  • Identification of directors;
  • Shareholder structure.


17.1.2. For private companies, registered with the State Organisation for the Registration of Deeds and Properties in Iran:

  • Details of registration;
  • Identification of directors;
  • Direct shareholders and Ultimate

Beneficial Owners (available for the legal form limited).

17.1.3. For state-owned companies:

  • Organisation exercising the major control;
  • Identification of representatives.
17.2. Compliance
To identify any references to the entity and its identified shareholders and directors, relating to money-laundering, sanctions, terrorist-financing and political exposure any potentially harmful information published by regulatory databases should be collected; such information can be gathered by consulting:
 
  • Listings on the EU sanctions list;
  • Politically exposed persons (“PEP”) listings; and
  • Enforcement lists and court filings.
17.3. Media
Media databases and general Media should be consulted in order to detect information related to issues such as:
 
  • Association with terrorist financing or terrorist activities;
  • Links to organised crime or arms trafficking;
  • Money laundering;
  • Regulatory investigations and material litigation;
  • Allegations of involvement in bribery and corruption; and/or
  • Regulatory investigations or sanctions.
Example: medium risk scenario
An EU-based SME18 intends to enter into a contract for the sale of hospitality equipment for hotels with a contract volume of EUR 500 000. The buyer is a private joint stock company in Iran (PJSC), a well-known company in the hotel market with distribution lines for hospitality equipment in Iran. An agent, an individual in a third country (non-EU), is responsible for the logistics and maintenance of the business relationship with the Iranian customer. The agent receives a commission from the EU-based SME. The goods will be delivered through the third country and the delivery conditions are “ex works” (from the factory of the EU-based company in the EU). The Iranian customer remains responsible for the logistics. A subsidiary of the Iranian customer, located in the third country, will release the payment from a bank account in the third country to the bank account in the third country of the subsidiary of the EU-based SME.

The targets for the due diligence in a medium risk scenario (see question 11) are the Iranian customer, a private joint stock company in Iran (“PJSC”), and the business agent in a third country (non-EU). The actual end user of the hospitality equipment should be identified to ensure that there are no links to entities subject to EU restrictive measures. The risk assessment of the EU-based SME results in a medium level risk for the company, especially because of the legal structure of the Iranian contract partner.

/fpi/file/graph-quest-18v2_enGraph Quest 18v2



The due diligence process – after obtaining a self-disclosure and crosschecking the information submitted with open source intelligence or databases – would include research on corporate details through the relevant company registry. While it is compulsory for Private Joint Stock Companies (“PJSC”) in Iran to be registered (not in the Tehran Stock Exchange but in the State Organisation for the Registration of Deeds and Properties in Iran and/or the Official Gazette), the information available may not always be complete or up-to-date. Usually, shareholder information for PJSCs is not available from public registers.

In addition, parties known to be linked to the entity should be reviewed with regard to money-laundering, sanctions, terrorist-financing and political exposure by consulting the relevant listings.

In this case, the Iranian customer disclosed the shareholders and a search in the relevant lists did not reveal any adverse results. Further checks did not bring about any issues relevant to compliance. The names of the management group and corporate details could be crosschecked with the data available in the Official Gazette. The EU-based SME was ready to proceed with the business with its Iranian customer und provided the information to the bank in the third country (non-EU).

/fpi/file/graph-quest-18b_enGraph Quest 18b



18. Note that all practical examples are fictitious and do not relate to existing persons or businesses.
Level III checks could entail site visits and human source intelligence.
19.1. Site visits
A site visit could verify the real existence of the address and the company, including the company’s capability and the conditions of the facilities.
19.2. Reputational checks
A level III due diligence could include interviews with experts and employees (such as competitors, former employees, clients) to evaluate the company’s repute and thereby gather information on:
 
  • Background, track record, reputation and perceived integrity of the subjects, from the perspective of the local market and international business community;
  • Ties to the Iranian Revolutionary Guard Corps (IRGC);
  • Compliance issues (in the past);
  • Current legal proceedings and legal proceedings in the past;
  • Market interests;
  • Activities of the company; and
  • Real existence of the company.
19.3. Management interview
In certain cases, it can be advisable to conduct further interviews with members of the company’s management to gain insight into the above-mentioned areas. An onsite visit, especially in case of manufacturing companies could help to gather insights into the goals and strategy of management.
Example: High risk scenario
A producer of electric engines based in EU Member State A19 intends to sell a set of electric engines to an Iranian customer, a state-owned airline. The contract includes warranty and spare part delivery. A factory in EU Member State B would carry out warranty repairs. The contractual volume amounts to EUR 5 million. The Iranian airline operates aircraft for cargo and civil transportation. The engines are required for the installation in passenger aircraft. The goods are to be delivered “ex works” and the payment is to be transferred to the bank account (held in EU Member State C) of the electric engines producer (based in EU Member State A). Technical engineers from the electric engine producer shall provide trainings and assist in case of technical matters. During the course of the establishment of a business relation and several visits in Iran, the electric engine producer has heard rumours that one of the board members of the Iranian airline has ties to the Iranian Revolutionary Guard Corps, which is listed under EU restrictive measures.

In this high risk scenario (see question 12), an EU-based electric engine producer has to check whether electric engines are dual-use goods and whether it needs to apply for a certificate at the export control authority of the EU Member State in which it is based. The export control authority supports the electric engine producer with background information regarding the target, an Iranian airline. The combination of several factors (i.e. rumours that the Iranian airline potentially has links to an entity that is subject to EU restrictive measures, the type of goods and the contract value) may indicate a high risk transaction for the electric engine producer.

/fpi/file/graph-quest-20_enGraph Quest 20



Because of the high risk attributed to this transaction, a level III due diligence is recommended, especially in case of potential ties to the Iranian Revolutionary Guard Corps (IRGC).

Interviews with experts and competitors in the relevant Iranian business environment as well as with target’s management may allow gathering relevant information. Such interviews could reveal information on the company’s reputation and identify ties to persons subject to EU restrictive measures. The electric engine producer likely needs to assign a third-party consultant to run the appropriate background checks. Furthermore, the identification of the stakeholders of the Iranian airline and the individual(s) actually controlling the company would be challenging.

In this case, the background checks have revealed that a board member of the Iranian airline is a consultant to the board of a sanctioned entity but has no official position as a representative and no control on daily operations of the sanctioned entity. Further due diligence and background checks have yielded no results. Some litigation cases in the past as well as some financial matters have come up during the checks but without any impact on the specific deal with the electric engine producer.

Consequently, the electric engine producer could proceed with the deal and apply for the certificates and guarantees.

19. Note that all practical examples are fictitious and do not relate to existing persons or businesses.
Information regarding the target should be updated on a regular basis. EU operators could oblige the Iranian counterpart in their contract to inform the EU operators regarding any changes in the management or shareholder structure.

Some international suppliers provide electronic tools to monitor all business partners for a fee. Alternatively, revising the due diligence report on a regular basis (e.g. once a year) is advisable.