On May 2, 2019, the Office of Foreign Assets Control ("OFAC") of the U.S. Department of the Treasury published guidance (the "Guidance") encouraging corporations subject to U.S. jurisdiction, as well as foreign entities that conduct business with U.S. persons, in or with the United States, or using U.S.-origin goods or services, to develop and employ risk-based sanctions compliance programs ("SCPs") on the basis that such SCPs help corporations detect and prevent sanctions violations in their day-to-day operations and, when sanctions violations occur, help mitigate civil monetary penalties imposed by OFAC.
According to the Guidance, an effective SCP has five essential components:
1. Commitment by Senior Management: Senior management support of an SCP is essential to ensure the program is fully integrated into a corporation's daily operations and to establish a culture of compliance at the corporation. Specifically, senior management (i.e., senior leadership, executives and/or the board of directors) must ensure that the SCP has the authority and autonomy to effectively operate, receives adequate resources (including screening software and systems) and provides employees with a direct reporting line to senior management and the corporation's compliance officer.
2. Risk Assessment: Risks in the context of sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly addressed, can lead to sanctions violations. To mitigate such risks, a corporation should identify the "touchpoints" where it may find itself exposed to sanctioned persons or sanctioned jurisdictions. Such touchpoints include customers and other counterparties, the products and services offered by the corporation and the geographic location(s) of the corporation and/or its counterparties. Corporations should evaluate these touchpoints at the start of any business relationship and periodically thereafter.
3. Internal Controls: Internal controls set forth clear expectations, define procedures and processes pertaining to sanctions compliance and are intended to minimize the risks identified by a corporation's risk assessments. Such controls are most effective when crafted and implemented in the form of written policies and procedures that communicate the corporation's compliance policy to its employees, outline steps for identifying and combatting compliance issues and include associated reporting and escalation chains. Such policies and procedures must be adaptable in order to adjust rapidly to changes to sanctions programs administered by OFAC.
4. Testing and Auditing: Audits assess the effectiveness of current processes and check for control gaps based on identified weaknesses or inconsistencies between such processes and day-to-day operational realities. Each corporation should include a comprehensive, independent and objective testing or audit function as part of its SCP in order to monitor implementation and enforcement of the SCP and identify potential or necessary updates or enhancements.
5. Training: Finally, each corporation should provide periodic, job- and role-specific training to its employees to promote internal compliance with its SCP.
Common Compliance Issues
OFAC also included in the Guidance ten instructive root causes of instances of noncompliance with U.S. sanctions programs administered by OFAC. Such root causes are set forth below:
- The absence of a formal OFAC SCP;
- Misinterpretation or failure to understand the applicability of sanctions regulations to a corporation's operations;
- Facilitation of transactions between a corporation's foreign subsidiaries and a sanctioned person or sanctioned jurisdiction;
- The export or re-export of U.S.-origin goods, technologies or services to sanctioned persons or sanctioned jurisdictions;
- Use of the U.S. financial system to process payments involving sanctioned persons or sanctioned jurisdictions;
- Failure to update sanctions screening software;
- Failure to perform sufficient due diligence on counterparties;
- A decentralized or ineffective SCP;
- Evasion of sanctions through non-standard payment or commercial practices; and
- Failure to provide appropriate training to employees.