The U.S. Department of the Treasury's Office of Foreign Assets Control last week issued a framework for OFAC Compliance Commitments, which, for the first time, outlines OFAC's views on essential elements of a risk-based sanctions compliance program in a single document that can serve as a roadmap for organizations as they structure and evaluate these programs. The framework should be considered carefully by U.S. organizations with any significant foreign dealings, and foreign organizations that conduct business with the United States or that utilize U.S. goods, services, or financial systems.
The framework also makes clear that OFAC intends to target individual employees who are culpable for violations. That emphasis follows an action from earlier this year, where OFAC sanctioned an individual it deemed responsible for circumventing his employer's compliance protocols.
The framework highlights a number of important developments within OFAC by:
- Formalizing what had previously been implicit expectations. While OFAC has a longstanding policy of considering the adequacy of SCPs when responding to apparent violations, it had issued scant guidance as to their design. Previously, the best guidance was found in OFAC enforcement actions or provided by federal and state banking regulators
- Stating that OFAC intends to use its enforcement authority against individual employees, mirroring recent OFAC enforcement developments
- Providing that, in conjunction with any civil money penalty, OFAC will consider whether to require improvements to a company's SCP as part of a settlement
While the framework acknowledges that that risk-based SCPs will vary based on a company's size, sophistication, products and services, customers, counterparties, and locations, each SCP should include five essential elements.
Senior management should be committed to supporting the SCP by, among other things, ensuring the compliance function receives adequate resources and has the authority and autonomy to effectively control OFAC risks.
Because SCPs should be risk-based, a "central tenet" of an SCP is conducting a routine, and, if appropriate, ongoing risk assessment to identify potential threats and vulnerabilities that, if not properly addressed, can lead to OFAC violations. Internal controls, testing, and training should all be appropriate for an organization's level of risk.
OFAC suggests a "top-to-bottom" review of possible exposure to sanctions-targeted persons and jurisdictions, and because OFAC-administered sanctions are foreign facing, this will include assessing "touchpoints to the outside world."
An effective SCP should include written, risk-based internal controls that outline clear expectations and procedures relating to OFAC-administered sanctions. Among other things, the controls should effectively identify, escalate, and prevent prohibited transactions. If an organization uses technological solutions, such as transaction, customer, or counterparty screening to interdict prohibited transactions, these solutions should be selected and calibrated appropriately, and routinely tested.
Testing and auditing
SCPs should include comprehensive, independent testing or auditing to ensure that the SCP is working as designed and remains appropriate in light of changes in risk profile or the sanctions landscape. The level of testing should be commensurate with the level and sophistication of the SCP. Immediate and effective action should be taken on negative results.
The SCP should include periodic training of all appropriate employees and personnel that provides adequate information and instruction to employees and other stakeholders to support OFAC compliance efforts, and tailored training to high-risk employees.
Finally, OFAC listed what it viewed as common causes of sanctions violations in order to assist persons in designing their SCPs. These include:
- Lack of a formal SCP
- Misunderstanding OFAC's regulations
- Using U.S. operations or affiliates to facilitate foreign transactions with sanctioned persons or jurisdictions
- The exportation of U.S. goods or services to foreign persons who intend to re-export those goods or services to a sanctions-targeted person or jurisdiction
- Foreign persons utilizing the U.S. financial system for transactions involving sanctioned persons or jurisdictions
- Faults in sanctions screening software
- Improper due diligence
- Non-traditional business arrangements used to circumvent OFAC sanctions
- Individual employees taking measures to thwart otherwise fulsome SCPs