On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued guidance entitled “A Framework for OFAC Compliance Commitments” (the “Framework”) that strongly encourages companies to “develop, implement, and routinely update” risk-based sanctions compliance programs (“SCPs”). OFAC made clear that the guidance is intended for U.S. companies as well as non-U.S. companies that conduct business in or with the United States, with U.S. persons, or using U.S.-origin goods or services. The guidance describes five “essential components” of an effective sanctions compliance program: (i) management commitment, (ii) risk assessment, (iii) internal controls, (iv) testing and audit, and (v) training.
In December of last year, Under Secretary of the Treasury for Terrorism and Financial Intelligence Sigal Mandelker previewed that OFAC would be issuing this guidance on the “hallmarks of an effective compliance program,” marking a new effort by Treasury to more clearly and comprehensively communicate its compliance expectations. OFAC Director Andrea Gacki explained that it was developed as part of OFAC’s continuing effort to strengthen sanctions compliance practices “across the board,” and “underlines [OFAC’s] commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.” Consistent with OFAC’s Enforcement Guidelines, the Framework emphasizes that in the event of an OFAC enforcement action, the agency will consider favorably that a company had an effective SCP at the time of the apparent violation; it will also consider the Framework in evaluating a company’s remedial actions. The Framework also states that, in appropriate cases, it will consider the effectiveness of a company’s SCP at the time of the apparent violations in determining whether the apparent violations were “egregious” under OFAC’s Enforcement Guidelines.
Consistent with the Framework, OFAC has already incorporated 23 compliance commitments into over half a dozen public settlement agreements since December 2018; these public settlements have involved both financial institutions and non-financial institutions. Notably, OFAC has already imposed in these settlements a requirement that the settling party annually certify its compliance with the commitments over a five-year period. Complying with the commitments and the annual certification obligation will likely require settling parties to invest additional resources in their SCPs and increase the costs associated with OFAC settlements.
As an appendix to the Framework, OFAC also describes some of the common “root causes” of the apparent violations that were the subject of its prior enforcement actions. This appendix is meant to assist companies in “designing, updating and amending” their compliance programs.
Five Essential Components of Sanctions Compliance
The Framework outlines five components of an effective SCP, described below.
- Management Commitment. OFAC notes that “Senior Management’s commitment to, and support of, an organization’s risk-based SCP is one of the most important factors in determining its success. This support is essential in ensuring the SCP receives adequate resources and is fully integrated into the organization’s daily operations, and also helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.” The key elements of management commitment include the following undertakings by Senior Management:
  - Reviewing and approving the organization’s SCP.
  - Ensuring that compliance units have sufficient authority and autonomy to deploy policies and procedures that effectively control OFAC risk.
  - Ensuring that compliance units receive adequate resources (including human capital, expertise, and information technology) relative to the breadth of the organization’s operations, its target and secondary markets, and its risk profile. OFAC states that these efforts can generally be measured by whether the company has appointed a “dedicated OFAC sanctions compliance officer” (who may be dual-hatted with another compliance function), by the “quality and experience of the personnel” dedicated to the SCP (including their knowledge of OFAC regulations and risk and their ability to understand complex financial and commercial activities), and by the existence of a sufficient control function.
  - Promoting a “culture of compliance,” measured by the ability of personnel to report sanctions-related misconduct without fear of reprisal, by senior management messages and actions that discourage misconduct and prohibited activities, and by the SCP’s ability to exercise oversight over the actions of the entire organization.
  - Demonstrating recognition of the seriousness of apparent violations of laws and regulations and of deficiencies or failures to comply with the SCP’s policies and procedures, and implementing the measures necessary to reduce the occurrence of apparent violations in the future by addressing root causes and implementing systemic solutions.
- Risk Assessment. Consistent with OFAC’s past practice, the Framework recommends that SCPs be designed and updated pursuant to a “risk-based approach . . . [o]ne of the central tenets of [such an] approach is for organizations to conduct a routine, and if appropriate, ongoing ‘risk assessment’ for the purposes of identifying potential OFAC issues they are likely to encounter.” OFAC identifies two core elements of a commitment to meet this compliance component:
  - The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks. Such risks may be posed by its clients and customers, products, services, supply chain, intermediaries, counterparties, transactions, and geographic locations, depending on the nature of the organization. OFAC notes that the result of this assessment will “generally inform the extent of the due diligence efforts at various points in a relationship or in a transaction,” including with respect to onboarding (by leveraging information provided by the customer, e.g., through a Know Your Customer or Customer Due Diligence process, together with independent research conducted by the organization at the initiation of the customer relationship) and mergers and acquisitions (the Framework states that an organization should conduct appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, and addressed prior to the conclusion of any transaction).
  - The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.
- Internal Controls. The Framework states that effective OFAC compliance programs generally include internal controls, including policies and procedures, in order to identify, interdict, escalate, report, and keep records pertaining to prohibited activity. Key elements include:
  - Written policies and procedures tailored to the organization’s operations and risk profile and enforced through internal and/or external audits.
  - Internal controls that adequately address the results of the company’s OFAC risk assessment. These controls should enable the company to “clearly and effectively identify, interdict, escalate, and report” potentially prohibited activity. Information technology solutions should be “selected and calibrated” in a manner appropriate to the company’s risk profile, and the company should routinely test those solutions to ensure their effectiveness.
  - Immediate and effective remedial action, to the extent possible, to identify and implement compensating controls until the root cause of any weakness in internal controls can be determined and remediated.
  - Clear communication of policies and procedures to all relevant staff, including relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales), and to any external parties performing compliance responsibilities on behalf of the organization.
  - Identification of designated personnel responsible for integrating policies and procedures into daily operations.
- Testing and Auditing. The Framework provides that a comprehensive and objective SCP audit function ensures the identification of program weaknesses and deficiencies, and notes that it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Core commitments include:
  - Ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.
  - Employing audit procedures appropriate to the level and sophistication of the company’s SCP, and ensuring that this function, whether performed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.
  - Upon learning of a deficiency, taking immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
- Training. The Framework describes training as “integral,” and outlines OFAC’s expectation that training programs “be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.” Specifically, OFAC highlighted the following commitments:
  - Ensuring that the OFAC training program provides adequate information and instruction to employees and, as appropriate, to stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support OFAC compliance efforts. Such training should be further tailored to high-risk employees within the organization.
  - Providing OFAC-related training with a scope appropriate to the products and services offered; the customers, clients, and partner relationships maintained; and the geographic regions served.
  - Providing OFAC-related training with appropriate frequency.
  - As part of remediation efforts, taking immediate and effective action to provide training to, or take other corrective action with respect to, relevant personnel.
  - Making training resources and materials easily accessible to all applicable personnel.
Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies
The Framework enumerates a number of causes of SCP breakdowns or deficiencies identified in prior OFAC enforcement actions, including:
- Lack of a formal OFAC SCP;
- Misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
- Facilitating transactions by non-U.S. persons (including through or by non-U.S. subsidiaries or affiliates of U.S. persons);
- Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries;
- Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries;
- Sanctions screening software or filter faults;
- Improper due diligence on customers/clients (e.g., ownership, business dealings, etc.);
- Decentralized compliance functions and inconsistent application of an SCP; and
- Individual liability.
On individual liability, OFAC highlighted that “individual employees—particularly in supervisory, managerial, or executive-level positions—have played integral roles in causing or facilitating” sanctions violations, even in instances where “the U.S. entity had a fulsome sanctions compliance program in place,” and that in some cases non-U.S. employees “made efforts to obfuscate and conceal their activities from others within the corporate organization, including compliance personnel, as well as from regulators or law enforcement.” The Framework states that in such instances, OFAC will consider enforcement actions not only against the entities but against the individuals as well. OFAC has previously brought enforcement actions against individuals only in rare instances.
Outside of the civil enforcement context, OFAC earlier this year took the unprecedented step of concurrently designating a foreign sanctions evader and announcing a related settlement with a U.S. company. OFAC designated the former managing director of a non-U.S. subsidiary whom OFAC determined to be primarily responsible for directing the apparent violations at issue and seeking to conceal them. This action highlights increased personal risk for non-U.S. personnel that violate U.S. sanctions.
The Framework, and the related “compliance commitments” in recent OFAC settlements, represent a new effort by OFAC to more clearly and comprehensively communicate its expectations about appropriate sanctions compliance practices. U.S. and non-U.S. companies would be well advised to study the Framework and the compliance commitments carefully.
The Framework describes numerous sanctions compliance best practices and largely aligns with the compliance expectations of the federal banking regulators as described in the Federal Financial Institutions Examination Council (“FFIEC”) Bank Secrecy Act/Anti-Money Laundering Examination Manual. Accordingly, many banks operating in the United States likely already incorporate the sanctions compliance elements described in the Framework. Many large, sophisticated companies outside the financial sector probably do as well.
For the large majority of U.S. and non-U.S. companies that engage in international trade, however, there may be gaps between their current practices and the elements described in the Framework. It is important for such companies to study the Framework in light of their own sanctions risk profiles (including factors such as the company’s size and sophistication, products and services offered, customers and counterparties, and geographic locations) to determine whether updating or enhancing their programs would be appropriate. In many ways, the Framework can be viewed as the “gold standard” for compliance, and companies with lower risk profiles may be able to implement lesser measures.
The Framework is also notable because it explains how OFAC may apply its guidance in evaluating apparent violations and resolving investigations that result in settlements. Consistent with OFAC’s Enforcement Guidelines, the Framework emphasizes that in the event of an OFAC enforcement action, the agency will consider favorably that a company had an effective SCP at the time of the apparent violation; it will also consider the Framework in evaluating a company’s remedial actions. More notably, the Framework states that “OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed ‘egregious.’” While OFAC’s Enforcement Guidelines have always made clear that the agency’s egregiousness determination will be based on an analysis of the General Factors, historically OFAC has focused this determination almost solely on Factors A (“willful or reckless violation of law”), B (“awareness of conduct at issue”), C (“harm to sanctions program objectives”), and D (“individual characteristics”), with, as prescribed by the Guidelines, “particular emphasis on General Factors A and B.” The Framework’s explicit recognition of compliance as a factor for consideration in OFAC’s egregiousness determination is novel and reflects OFAC’s increased focus on compliance.