All the financial news stories about the recently reimposed comprehensive US sanctions against Iran seem to have neglected the fact that compliance officers at American financial institutions, and foreign institutions connected to the US financial structure, are again bound by the greatly increased enhanced due diligence responsibilities on the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010*, more commonly know by its acronym, CISADA.
CISADA imposes an increased responsibility upon Compliance officers regarding their obligation to access public information on their assigned individuals and entities, above and beyond what has been regarded as best practices, to the "knowable" level. If significant or relevant information is freely available in the public domain, there is an expectation that such information is knowable, and therefore it must be obtained. This raises the bar significantly for front line compliance staff, as they are now responsible for information that "should have been known**."
To pass the knowingly test, compliance officers must now increase their level of due diligence to enhanced due diligence, in order to retrieve all possible publicly-available information on their subject. This means going beyond sanctions lists, building a robust and wide-ranging program, which includes cloud-based resources, resources that lie behind paywalls, and other compliance assets that did not exist when CISADA was enacted or amended.
CISADA also means that a close examination of social media/social network sites, and other image resources, using effective facial resolution software systems, has become mandatory for any query in which Iran, its nationals, or any company which may have, directly or indirectly, been linked to Iran or Iranians. Given that social media, and other relevant image resources, are freely and publicly available, the failure to deploy a facial recognition software system, as an integral part of an effective enhanced due diligence program, may not only constitute compliance malpractice, it may expose compliance staff, and their bank as well, to potential civil, or even criminal, liability, under CISADA.
Therefore, to summarize:
(1) "Check the box," meaning sole reliance upon sanctions lists, and lists of high-risk individuals and entities is grossly insufficient for any inquiry even remotely involving Iran. Enhanced due diligence, using all the resources that this term entails, is the order of the day.
(2) An examination of the complete spectrum of public-available social media, and related images resources, employing facial recognition software technology to access and locate all possible relevant information, including image capture, satisfies CISADA, making social media searches now one of the central components of your inquiries, as to neglect them appears to violate both the plain meaning, as well as the intent, of the statute.
Finally, inasmuch as these expanded inquiries are now mandatory for any searches might possibly involve Iran or Iranians, it would be prudent to apply them to all your compliance tasks, to insure that you do not unwittingly fail to employ CISADA-level enhanced due diligence to a subject later found to have indirect links to Iran.
___________________________________________________________________________
*
https://www.treasury.gov/resource-center/sanctions/documents/hr2194.pdf
** One major provider of commercial off-the-shelf data provider to compliance officers actually expanded their clients' access to publicly-available information, based upon its understanding of the impact and thrust of CISADA.