Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published a Framework for OFAC Compliance Commitment (the “Framework”) outlining essential components and guidelines for an effective sanctions compliance program.
The Framework highlights five essential elements on which an effective sanctions compliance program (“SCP”) should be predicated: (1) senior management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. The degree to which these components are incorporated into a SCP will vary depending on a company’s size, sophistication, products and services, customers, and geographic location(s). In evaluating an alleged or apparent violation, or a potential civil monetary penalty, OFAC will consider favorably a SCP that includes each of the five factors outlined in the Framework. Accordingly, it is crucial that companies implement an effective SCP that is based on these five components and adequately accounts for the company’s sanctions compliance risk. Lastly, the Framework includes an appendix that offers a brief summary of the most common root causes of apparent violations that OFAC has identified during past investigations.
Senior management commitment
Demonstrating senior management commitment to compliance requires both allocating sufficient resources for compliance and fostering a culture that values and prioritizes compliance. The Framework notes that the term “senior management” may vary depending on the size and structure of an organization, but it should generally apply to senior leadership, executives, and a board of directors or other governing body.
The Framework cites the following as critical components evidencing senior management commitment:
- Senior management reviews and approves the organization’s SCP.
- Senior management ensures that its compliance units have sufficient authority and autonomy to deploy effective policies and procedures.
- Senior management ensures direct reporting between senior management and compliance units, including routine and periodic meetings.
- Senior management ensures that compliance units have adequate resources.
- Senior management promotes a “culture of compliance,” which may be demonstrated by senior management messaging and actions that discourage misconduct, as well as the ability of personnel to report sanctions shortcomings or misconduct without fear of reprisal.
- Senior management demonstrates recognition of the gravity of apparent violations and of the laws and regulations enforced by OFAC.
OFAC encourages organizations to take a risk-based approach to designing, updating, and implementing their SCPs. OFAC recommends that organizations conduct routine and, ideally, ongoing risk assessments as a “central tenet” of a risk-based approach to identifying potential sanctions issues that the organization is likely to encounter. Such risk assessments will necessarily vary depending on the size and perceived sanctions risk of the organization, but the Framework stresses that they should consist of “a holistic review of the organization from top to bottom and assess[ing] its touchpoints to the outside world.” The OFAC Risk Matrix provided in Appendix A to the Sanctions Enforcement Guidelines (see 31 C.F.R. § 501 app. A (2018)) is a useful resource in assessing an organization’s risk exposure.
The Framework recommends that an organization conduct an assessment of its customers; the organization’s supply chain; any intermediaries; any counter-parties; all products and services (including how products and services are, or may be, incorporated into other products, services, networks, or systems); and the geographic location of the organization, its customers, supply chain, intermediaries, and counter-parties. The Framework also recommends that risk assessments focus due diligence efforts on specific points in a transaction, most notably during the on-boarding of customers, vendors, or transacting parties, and during mergers and acquisitions.
According to the Framework, an effective OFAC compliance program should include policies and procedures to identify, interdict, escalate, report, and maintain records of potential OFAC violations. The criteria for effective internal controls, according to the Framework, are predicated on the following:
- The organization maintains written policies and procedures outlined by the SCP.
- The organization implements internal controls that adequately address its risk profile. These internal controls should enable an organization to identify, interdict, escalate, report, and maintain records of potential OFAC violations.
- The organization enforces the policies and procedures that it implements through internal and/or external audits.
- The organization ensures that it adheres to adequate OFAC-related recordkeeping policies and procedures.
- The organization ensures that upon learning of a weakness in its internal controls, it takes immediate and effective action to identify and implement compensating controls, including determining the root cause of such weakness and remedying the root cause.
- The organization clearly and effectively communicates the SCP policies and procedures to relevant staff, including gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.), and to external parties performing SCP responsibilities on behalf of the organization.
- The organization appoints personnel to integrate the SCP policies and procedures into the daily operations of the organization.
Testing and auditing
The Framework recommends a comprehensive, independent, and objective testing or audit function as part of the SCP that enables organizations to be aware of how the SCP is performing and when updates, enhancements or recalibrations may be needed to account for a changing risk assessment or sanctions environment. A testing and auditing function should adhere to the following guidelines:
- The organization commits to ensuring that testing or auditing is (i) accountable to senior management, (ii) independent of the audited activity or function, and (iii) endowed with the requisite authority, skills, expertise, and resources.
- The organization commits to ensuring that it employs testing and auditing procedures that are sufficiently sophisticated and that such procedures are comprehensive and objective.
- The organization confirms that upon learning of a negative testing result or audit, it will take immediate and effective remedial action to identify and implement compensating controls that correct the root cause of the shortcoming.
The Framework emphasizes that providing an effective training program to all appropriate employees and stakeholders is an integral component of a successful SCP. An effective training program will consist of the following:
- The organization commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and relevant stakeholders (e.g., clients, suppliers, business partners, and counter-parties).
- The organization commits to providing OFAC-related training with a scope and frequency that appropriately reflects the risk profile of the organization.
- The organization commits to ensuring that upon learning of a negative testing result or audit, it will take swift and effective action to provide training or other corrective action with respect to the relevant personnel.
- The materials and resources that are part of the training program are easily accessible to applicable personnel.
Root causes of sanctions compliance program deficiencies
Lastly, OFAC included a non-exhaustive list of the typical deficiencies and weaknesses that it encounters in export compliance programs, based on a review of enforcement actions.
- Lack of a formal OFAC SCP.
- Misinterpreting or failing to understand the applicability of OFAC regulations.
- Facilitating transactions by non-U.S. persons in violation of OFAC regulations.
- Exporting or re-exporting U.S.-origin goods, technology, or services to blacklisted persons or embargoed destinations.
- Using the U.S. financial system for commercial transactions involving blacklisted persons or embargoed destinations.
- Shortcomings in sanctions-screening software or filters (including failing to update screening software).
- Improper due diligence on the ownership, geographic location(s), and counter-parties of customers and transacting parties.
- Relying on a decentralized compliance function and inconsistent application of a SCP.
- Using non-standard payments or implementing non-traditional business methods to complete a transaction.
- Individual employees who cause or facilitate violations of OFAC regulations.
While these new guidelines generally don’t include compliance guidance that is completely new, the level of detail that OFAC provides is fairly unprecedented and provides useful insight into OFAC’s current compliance priorities and expectations, such as clear and documented management commitment. It is vital that companies subject to U.S. jurisdiction, as well as foreign companies that conduct business with U.S. persons or that use U.S.-origin goods or services, implement an effective SCP that is based on these five components and adequately accounts for the company’s risk. An effective SCP should also be mindful of the common root causes of OFAC violations that the Framework cites.