May 6, 2019
OFAC Issues Framework for Compliance Commitments
By Ted Posner and Glenda Bleiberg
On May 2, 2019, the Office of Foreign Assets Control (OFAC) the Department of Treasury agency chiefly responsible for administering and enforcing U.S. economic and trade sanctions law issued guidance for companies and other organizations on developing and implementing an effective sanctions compliance program ("SCP"). The guidance document, available here and entitled "A Framework for OFAC Compliance Commitments," was issued just days after the Department of Justice issued its own guidance on Corporate Compliance Programs (which we covered here), and the two documents highlight a number of similar themes, including the importance of risk assessment, the deployment of policies and procedures calibrated to identified risks, auditing and testing of a program's effectiveness, and training.
Although companies are not legally required to adopt SCPs, OFAC "strongly encourages" that they do so if they are subject to U.S. jurisdiction or if they "conduct business in or with the United States, U.S. persons, or using U.S.origin goods or services." In addition to the obvious benefit of helping to ensure compliance with U.S. sanctions law, having an effective SCP is an important factor that OFAC will take into account when investigating and deciding the appropriate penalty or other response to conduct that may violate sanctions law.
OFAC recognizes that there is no one-size-fits-all SCP. Rather, programs will vary from organization to organization depending on factors such as size, level of sophistication, products and services the organization handles, the identity of its customers, suppliers, and other counterparties, and the geographic location of its business. Nevertheless, OFAC identifies "five essential components" that any SCP should have. We summarize those components here.
1. Management Commitment: OFAC considers the commitment of senior management critical to any SCP's success. Such commitment is demonstrated by: (i) review and approval of the SCP; (ii) delegation of sufficient authority and autonomy to compliance personnel; (iii) allocating adequate human and technological resources to the compliance function; (iv) promoting a culture of compliance, including by giving employees a channel to report sanctions-related misconduct to senior management
Weil, Gotshal & Manges LLP
International Trade Currents
without fear of reprisal; and (v) demonstrated recognition of the seriousness of apparent sanctions violations by implementing appropriate responses to apparent violations.
2. Risk Assessment: An effective SCP should be designed according to each organization's sanctions risk profile based on factors such as the organization's clients and suppliers, the products and services it handles, and the parts of the world in which it does business. A risk assessment should be updated periodically, and it should inform the due diligence that an organization does when it transacts with new counterparties, including when it expands its business through mergers or acquisitions.
3. Internal Controls: In view of its risk assessment, an organization should adopt internal controls consisting of written policies and procedures that enable it to identify activity of concern and then "interdict, escalate, report (as appropriate), and keep records" pertaining to the activity. Such policies and procedures should be clearly communicated, easy to follow, and integrated into the day-to-day operations of the organization.
4. Testing and Auditing: An organization should use routine audits to assess the effectiveness of its SCP and identify any weaknesses or deficiencies. To the extent it identifies weaknesses or deficiencies, the organization should be able to update, improve, and recalibrate
its SCP accordingly. The testing and auditing function should be accountable to senior management and independent of the activities and functions that are being tested.
5. Training: The final component that any effective SCP should have is training. Training should be provided at least annually to all appropriate employees and personnel. It should provide jobspecific information, communicate each employee's sanctions compliance responsibilities, and hold employees accountable through assessments. Training also should make resources easily accessible to applicable personnel.
In addition to setting forth the essential elements of an effective SCP, OFAC's Framework for Compliance Commitments summarizes causes for breakdowns in compliance that have been observed in prior OFAC administrative actions. These include, among other deficiencies, failure to have an SCP at all, disregard for red flags, failure to engage in appropriate due diligence, and failure to recognize the applicability of U.S. sanctions law in appropriate situations.
OFAC's Framework for Compliance Commitments is an important tool for organizations adopting new SCPs or revising existing SCPs. Weil's International Arbitration and Trade practice regularly works with clients in addressing matters related to sanctions compliance, and we would be happy to discuss compliance efforts in the wake of OFAC's Framework.
If you have questions concerning the contents of this issue, or would like more information about Weil's International Arbitration and Trade practice group, please speak to your regular contact at Weil, or to:
Ted Posner (DC)
+1 202 682 7064
Glenda Bleiberg (DC)
+1 202 682 7016
2019 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. This publication provides general information and should not be used or taken as legal advice for specific situations that depend on the evaluation of precise factual circumstances. The views expressed in these articles reflect those of the authors and not necessarily the views of Weil, Gotshal & Manges LLP. If you would like to add a colleague to our mailing list, please click here. If you need to change or remove your name from our mailing list, send an email to firstname.lastname@example.org.
Weil, Gotshal & Manges LLP
May 6, 2019