Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published a Framework for OFAC Compliance Commitment (the “Framework”) outlining essential components and guidelines for an effective sanctions compliance program.
The Framework highlights five essential elements on which an effective sanctions compliance program (“SCP”) should be predicated: (1) senior management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. The degree to which these components are incorporated into an SCP will vary depending on a company’s size, sophistication, products and services, customers, and geographic location(s). In evaluating an alleged or apparent violation, or a potential civil monetary penalty, OFAC will consider favorably an SCP that includes each of the five factors outlined in the Framework. Accordingly, it is crucial that companies implement an effective SCP that is based on these five components and adequately accounts for the company’s sanctions compliance risk. Lastly, the Framework includes an appendix that offers a brief summary of the most common root causes of apparent violations that OFAC has identified during past investigations.
Demonstrating senior management commitment to compliance requires both allocating sufficient resources for compliance and fostering a culture that values and prioritizes compliance. The Framework notes that the term “senior management” may vary depending on the size and structure of an organization, but it should generally apply to senior leadership, executives, and a board of directors or other governing body.
The Framework cites the following as critical components evidencing senior management commitment:
OFAC encourages organizations to take a risk-based approach to designing, updating, and implementing their SCPs. OFAC recommends that organizations conduct routine and, ideally, ongoing risk assessments as a “central tenet” of a risk-based approach to identifying potential sanctions issues that the organization is likely to encounter. Such risk assessments will necessarily vary depending on the size and perceived sanctions risk of the organization, but the Framework stresses that they should consist of “a holistic review of the organization from top to bottom and assess[ing] its touchpoints to the outside world.” The OFAC Risk Matrix provided in Appendix A to the Sanctions Enforcement Guidelines (see 31 C.F.R. § 501 app. A (2018)) is a useful resource in assessing an organization’s risk exposure.
The Framework recommends that an organization conduct an assessment of its customers; the organization’s supply chain; any intermediaries; any counter-parties; all products and services (including how products and services are, or may be, incorporated into other products, services, networks, or systems); and the geographic location of the organization, its customers, supply chain, intermediaries, and counter-parties. The Framework also recommends that risk assessments focus due diligence efforts on specific points in a transaction, most notably during the on-boarding of customers, vendors, or transacting parties, and during mergers and acquisitions.
According to the Framework, an effective OFAC compliance program should include policies and procedures to identify, interdict, escalate, report, and maintain records of potential OFAC violations. The criteria for effective internal controls, according to the Framework, are predicated on the following:
The Framework recommends a comprehensive, independent, and objective testing or audit function as part of the SCP that enables organizations to be aware of how the SCP is performing and when updates, enhancements or recalibrations may be needed to account for a changing risk assessment or sanctions environment. A testing and auditing function should adhere to the following guidelines:
The Framework emphasizes that providing an effective training program to all appropriate employees and stakeholders is an integral component of a successful SCP. An effective training program will consist of the following:
Lastly, OFAC included a non-exhaustive list of the typical deficiencies and weaknesses that it encounters in export compliance programs, based on a review of enforcement actions.
While these new guidelines generally do not include compliance guidance that is completely new, the level of detail that OFAC provides is fairly unprecedented and offers useful insight into OFAC’s current compliance priorities and expectations, such as clear and documented management commitment. It is vital that companies subject to U.S. jurisdiction, as well as foreign companies that conduct business with U.S. persons or that use U.S.-origin goods or services, implement an effective SCP that is based on these five components and adequately accounts for the company’s risk. An effective SCP should also be mindful of the common root causes of OFAC violations that the Framework cites.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.