Even though the Department of Justice is getting many of the headlines lately for releasing its "Guidance on Evaluation of Corporate Compliance Programs," the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) recently released a "Framework for OFAC Compliance Commitments" (“Framework”), which is important additional guidance for any company doing business in the global market. In the last nine months, OFAC has been among the most aggressive enforcement regulators of the United States government. As discussed in our prior post, in 2019 alone, OFAC has settled 13 cases against 10 different companies with settlements approaching $1.3B.
As stated in its Framework, OFAC “strongly encourages” companies to “employ a risk-based approach to sanctions compliance by developing, implementing, and updating a sanctions compliance program (“SCP”).” The 12-page Framework outlines five essential elements of any SCP. Experienced practitioners will recognize many similarities between the elements of an SCP and the elements of an effective compliance program as articulated in the U.S. Federal Sentencing Guidelines and also in the recently published DOJ Guidance. Of course, the specific policies and procedures will depend on the company’s size and sophistication, products and services, customers and counterparties, and geographic locations, but OFAC expects that each SCP will incorporate at least five essential components of compliance.
- Management Commitment
  - Senior Management Approval
  - Compliance Program with sufficient authority, autonomy and a direct reporting channel to senior management
  - An adequately resourced Compliance Program
  - Management promotion of a “culture of compliance”
- Risk Assessment
  - Conducted in a manner and frequency that accounts for potential risks from customers, products, supply chain, transactions and geographic locations
  - A methodology in place to identify, analyze and address the particular identified risks
- Internal Controls
  - Implemented written policies and procedures
  - Implemented internal controls to adequately address the risk and company’s profile
  - Enforcement of the policies
  - Immediate and effective corrective action of weaknesses in internal controls
- Testing and Auditing
  - Testing and auditing procedures are appropriate to the level and sophistication of the program
  - Immediate and effective corrective action
- OFAC-related training to appropriate stakeholders
Although OFAC has not adopted a “compliance defense,” the existence of an effective and robust SCP at the time of the violation (and at the time of settlement) is one factor that OFAC will consider when calculating the civil monetary penalty and also in determining whether a violation is “egregious.” Unfortunately, if you end up on the wrong side of an enforcement action, the settlement agreements with OFAC will typically contain a requirement that the company implement a compliance program consistent with the Framework and provide annual certifications of compliance from a senior-level executive for a period of generally five years.
One additional interesting aspect of the Framework was OFAC’s review of Root Causes of prior enforcement actions. OFAC sets out ten common root causes, including:
- Lack of a formal OFAC SCP
- Misinterpreting or failing to understand the applicability of OFAC regulations
- Facilitating Transactions by Non-U.S. Persons
- Exporting U.S. origin goods to OFAC-sanctioned persons/countries
- Utilizing the U.S. Financial System
- Sanction Screening Software failures
- Improper due diligence on customers
- De-centralized compliance or inconsistent application of SCP
- Utilizing Non-standard payment or commercial practices
- Individual liability
OFAC encourages companies to voluntarily disclose a past violation, and self-disclosure is considered a mitigating factor in Civil Penalty proceedings. The ramifications of OFAC non-compliance, inadvertent or otherwise, can jeopardize critical foreign policy and national security goals. OFAC will credit a company's compliance program when weighing a disposition. A thoughtful, well-structured compliance program will allow a company to make informed decisions and safeguard its reputation, integrity, and financial health.