Sanctions risk in 2025: practical tips for compliance and beyond

As geopolitical tensions rise, sanctions compliance is no longer just a concern for defence contractors or financial institutions. 

In today’s globalised economy, any business with cross-border operations, international clients or complex supply chains or corporate relationships may be at risk of breaching sanctions, often without realising it. The Australian Sanctions Office (ASO), the sanctions regulator, is increasingly expecting not just technical compliance, but a proactive culture of diligence and accountability.

Australian sanctions laws impose strict liability offences. This means a company can be found liable for a breach, even if it did not intend to contravene the law – the act of breach itself is enough. However, if a company can show that it took reasonable precautions and exercised due diligence, this may provide a defence to sanctions liability.

From 31 March 2026, AUSTRAC will also be handed significant enforcement powers in relation to compliance with sanctions laws for entities subject to the AML/CTF regime.

With limited guidance available, it is crucial that legal and risk teams know where sanctions exposure can arise and how to manage it. In this article, we outline some practical steps businesses can take to identify and reduce sanctions risk in 2025.

1. Recognise sanctions as a strategic and board-level issue

Sanctions risk is not just a legal or compliance issue – it is a strategic concern that requires board-level oversight. Regulatory expectations, investor scrutiny, and reputational risk mean that boards must actively engage with sanctions exposure as part of broader governance, risk and ESG frameworks.

Investors and regulators expect organisations to embed sanctions awareness into their governance structures, including:

• Building in scenario planning for geopolitical developments;
  
  
• Determining clear escalation pathways;
  
  
• Integrating it into broader enterprise-wide risk management and ESG frameworks;
  
  
• Establishing a culture of compliance; and
  
  
• Making global business decisions and entering global transactions with sanctions risk front of mind.

2. Identify sanctioned activities

Sanctioned conduct under Australian law generally arises in four key contexts: supply or export of goods, import of goods, provision of services and commercial activity with certain countries or persons.

Activities that may trigger sanctions obligations include:

• Sanctioned supply: Sanctions laws prohibit supplying, selling or transferring goods that are designated as ‘export sanctioned goods’ for a particular country, region or group. These designations vary depending on the specific sanctions framework that applies in a particular scenario.
  
  
• Sanctioned import: Importing, purchasing or transporting 'import sanctioned goods' that originate in, or have been exported from, a sanctioned country, region or terrorist group is prohibited. The designation of ‘import sanctioned good' depends on the specific sanctions framework that applies in a particular scenario.
  
  
• Sanctioned commercial activity: Engaging in certain activities with or in sanctioned countries or regions is prohibited. There is no general definition of what types of dealings or activities constitute a sanctioned commercial activity. Instead, sanctioned commercial activities tend to be bespoke and context-dependent, relating to specific activities described in the regulations for the relevant sanctions framework.
  
  
• Sanctioned service: Sanctions laws prohibit the provision of technical, financial or other services in connection with a sanctioned supply, import, commercial activity or country-specific restrictions.
  
  
• Other measures: These include restrictions relating to vessels, cultural property unlawfully removed from Iraq and Syria, and the use or dealing of assets from the Saddam Hussein regime. The scope of prohibitions is specific to particular countries, entities or persons.

Organisations should conduct thorough risk assessments by mapping your operations and counterparties against known sanctions frameworks, identifying potentially restricted goods or services, and screening proposed activities for links to sanctioned countries or entities.

3. Identify sanctioned persons and entities and watch out for common evasion tactics

Determining whether an activity involves a designated person or entity can be complex – especially given increasingly sophisticated evasion tactics.

The ASO maintains and continuously updates a Consolidated List of designated individuals and entities, but relying on this list alone is not enough. Sanctioned parties often conceal their identity or involvement through the use of intermediaries or transhipment points.

Red flags to look out for in order to detect potential sanctions evasion include:

• Use of shell companies or complex legal structures to obscure ownership, source of funds or the involvement of sanctioned jurisdictions.
  
  
• Use of aliases to conceal the identities of intermediaries or end-users.
  
  
• Complex international businesses using residential addresses or addresses associated with multiple closely held entities.
  
  
• International wire transfers through financial institutions in unrelated jurisdictions.
  
  
• Transhipment of goods via re-sellers in intermediary countries.
  
  
• Payments from third parties not named on the End-User Statement or other end-user documentation.
  
  
• Proposed end-use of dual use items in sectors with limited regulatory oversight.

Organisations should screen all parties in a supply chain, not just direct counterparties. Investigate ownership structures, payment flows and transhipment routes. They should seek detailed end-user statements where appropriate, and pay attention to red flags like unusual payment structures or unknown beneficial owners, intermediary payments through unrelated jurisdictions and residential addresses used by international traders. 

Organisations should also check the AHECC codes of exported goods to ensure they are not classified as restricted or dual-use items under Australian sanctions and export control regulations.

4. Understand sanction permits and their limits

A sanctions permit, issued by the Minister for Foreign Affairs (or their delegate), authorises conduct that would otherwise be in breach of Australian sanctions laws.

Permits should only be sought where a clear and specific sanctions contravention is likely. The ASO encourages entities to prioritise risk identification and mitigation through due diligence and preventative internal controls, rather than relying on permits as a fallback.

Important points to remember about permits:

• Applications must clearly identify the proposed activity and the legal basis for the permit.
  
  
• Each permit is assessed on a case-by-case basis.
  
  
• Processing can take three months or more.
  
  
• Permits are subject to a ‘national interest’ test.
  
  
• Permits are typically narrow in scope and may be granted subject to specific conditions.
  
  
• Most permits are valid for 12 months, but can be extended with justification.

Organisations should engage proactively with the ASO to determine whether a sanctions permit is required. Where a permit is obtained by one party in a multi-party contract, this may trigger the ASO to request other contracting parties to apply for a permit.

5. Understand the reasonable precautions and exercise of due diligence defence

A company will not be found liable for a sanctions offence if it can demonstrate that it took reasonable precautions and exercised due diligence to prevent the contravention.

There is no set definition of what ‘reasonable precautions and due diligence’ means in the legislation. The standard is context-specific, and will be based on factors such as business size, complexity of transactions, jurisdictions involved, and sanctions frameworks engaged.

Examples of steps likely to support this defence include:

• implementing robust internal controls;
  
  
• screening transactions and counterparties against the Consolidated List; and
  
  
• ensuring staff receive regular training to identify and respond to potential sanctions risks.

Organisations should take a proactive approach to sanctions compliance and keep detailed records of your compliance efforts. A well-documented process is critical if a breach is ever alleged. The Australian Sanctions Office has recently released guidance setting out its expectations for a Sanctions Compliance Program (SCP). An SCP is one of the strongest ways to demonstrate that an organisation has taken reasonable precautions and exercised due diligence. A well-structured SCP not only reduces an organisation’s legal risk but also demonstrates to the ASO that the organisation has a culture of compliance – an increasingly important factor in enforcement decisions.

The ASO has said that an effective SCP should be tailored to an entity’s risk profile (based on its size, operations, customer base and geographic reach) and include:

• Senior management commitment: Visible support from and appropriate resource allocation by leadership.
  
  
• Risk assessments: Regular review of exposure across products, services, customers, suppliers and jurisdictions.
  
  
• Screening and due diligence: Ongoing screening of customers, transactions and third parties, with escalation pathways for potential red flags.
  
  
• Training and awareness: Regular and role-specific training for staff on sanctions policies, procedures, and risks.
  
  
• Monitoring and enforcement: Mechanisms to detect, investigate and implement corrective actions, including alerts, internal reviews and issue escalation procedures.
  
  
• Auditing and oversight: Periodic independent reviews of the SCP to test its effectiveness and identify areas for improvement.

Organisations should establish a SCP that is well tailored to their business and in line with current ASO expectations. They should update risk assessments and test their SCP with internal audits regularly.

6. Sanctions-proof contracts

Contracts that involve cross-border transactions, international supply chains, or counterparties in high-risk sectors should include clear sanctions-proofing provisions. These may include:

• Sanctions compliance warranties: warranties that neither party is subject to sanctions and that both will comply with applicable sanctions regimes throughout the contract’s duration;
  
  
• Amendment, termination and suspension rights: these rights should be engaged where performance becomes illegal or impracticable due to sanctions;
  
  
• Force majeure clauses: these clauses should expressly include sanctions-related restrictions or government action.
  
  
• Audit and due diligence rights: these rights are important to allow verification of counterparties’ compliance efforts, including in relation to sanctions.
  
  
• Dispute resolution clauses: parties should opt for select arbitration forums or courts that are neutral and not affected by relevant sanctions regimes. Choosing arbitration in a suitable jurisdiction will also enable a swift, low-cost dispute resolution process. This can help parties manage disruption without spending more on the dispute than the contract, escalating conflicts, or exposing themselves to unenforceable awards or public policy barriers to enforcement in domestic courts.

7. Remember that sanctions are global

International coordination is increasing. The United States, European Union and United Kingdom are sharing intelligence and investigating circumvention, dual-use violations, and control failures – even where Australia is not the lead regulator. Monitoring global trends and aligning compliance frameworks accordingly is important.

Australian companies may also be exposed to sanctions laws of other jurisdictions, including those in the US, EU and China – depending on the nature of their operations, ownership, transactions and financial flows. For example, a transaction conducted in US dollars, routed through a European bank, involving dual-use goods with a US-origin component, or with Chinese nationals on a board, may require consideration of US, EU, or Chinese sanctions regardless of the company’s domicile. Australian subsidiaries of multinational groups may also be subject to group-wide compliance obligations, while dealings with Chinese counterparties can trigger exposure to China's own counter-sanctions regime. Multinational supply chains, offshore financing arrangements, and the use of international digital platforms can all create multi-jurisdictional risk. As a result, sanctions compliance is increasingly a global, not just domestic, concern.

8. The level and type of exposure risk can be sector specific

Sanctions risks do not arise uniformly across all sectors. The nature of operations, partners, and supply chains affect the exposure profile. Below are some examples of where pressure points may emerge in practice within certain high-risk sectors.

Banking

Exposure often arises through international money transfers, correspondent banking relationships, or financing arrangements for goods that may later be exported to sanctioned jurisdictions. Banks are prohibited from making assets available to, or dealing with assets belonging to, a sanctioned person or entity. Banks should be particularly alert to disguised end-use risk and clients with opaque beneficial ownership.

To manage this, banks should implement enhanced due diligence, monitor transactions for red flags including those from high-risk jurisdictions, integrate real-time sanctions screening into payment processing systems, and know when to block or freeze funds.

Trade finance

Transactions supported by documentation, such as letters of credit, can mask the true origin of goods or conceal the identity of the end-user, especially when intermediaries or transhipment routes are involved. Risk also arises when financial institutions rely solely on representations from counterparties.

Businesses in trade finance should verify trade routes, screen intermediaries and commodity classifications independently, and establish escalation procedures for potentially sensitive transactions.

Logistics and shipping

Risks may arise through indirect routing, the use of sanctioned vessels and ports, or transhipment through intermediary countries. Freight forwarders and customs brokers may inadvertently facilitate breaches where they do not have full visibility into the origin, destination or ownership of goods.

Companies should use vessel tracking tools, screen transit points and counterparties, and require sanctions declarations from shippers and carriers.

Resources and commodities

Companies in energy, mining and agriculture sectors may be exposed when exporting sanctioned or dual-use goods, entering joint ventures, or selling to buyers operating in sanctioned regions. Risk can also arise through indirect provision of technical services such as engineering support.

Businesses should screen buyers and partners, assess end-use risks, include sanctions clauses in contracts, and consider consulting the ASO where permit requirements may apply. Checking AHECC codes can also help identify goods subject to export or sanctions restrictions. Contractors and service providers should also assess the sanctions risk of their principals, as indirect exposure may arise through broader project relationships.

Technology and telecommunications

Sanctions may apply to the export or provision of software, network infrastructure or cyber services, particularly where they can be used in restricted jurisdictions or by designated persons. Service providers should implement controls to monitor and prevent access or use by sanctioned parties.

Companies should screen customers and users, restrict access from sanctioned jurisdictions, and implement controls to detect unauthorised use of sensitive technologies.

Universities and research institutions

Collaborations involving dual-use technologies or sensitive research areas (such as AI, biotech, quantum computing or advanced materials) may require a sanctions permit, particularly where foreign nationals or sanctioned institutions are involved through funding or partnerships.

Institutions should review the sanctions risk of research projects and partners, seek permits where required and ensure researchers are trained in relevant compliance obligations.

Key lessons for managing sanctions risk

Sanctions risks are broader than many businesses realise. Exposure can arise through indirect channels such as international supply chains, logistics, financing, customers in high-risk jurisdictions or third-party intermediaries.

Sanctions law is complex, high-stakes and is constantly evolving. The risk of enforcement is rising. The best protection is a proactive, well-documented and tailored compliance program. With limited judicial guidance and significant penalties at risk, early legal advice can be critical to avoiding inadvertent breaches.

Beyond Australian enforcement, international coordination is also on the rise. The US, EU, and UK increasingly collaborate on investigations and share intelligence. Authorities are actively pursuing circumvention, dual-use goods breaches, and failures in internal controls – even where the primary regulator is offshore. Organisations should monitor developments in allied jurisdictions and align compliance frameworks accordingly.