OFAC outlines baseline considerations for evaluating a risk-based sanctions compliance program.
On May 2, 2019, the US Treasury Department’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments (the Compliance Framework), which identifies five essential components of an effective Sanctions Compliance Program (SCP). While companies are not legally required to implement an SCP, a failure to adhere to these principles increases the risks of sanctions violations and more aggressive enforcement by OFAC when violations do occur.
Even before the publication of the Compliance Framework, OFAC had articulated the underlying principles in a number of recent settlement agreements, including those with Stanley Black & Decker, Inc. (March 2019) and other recent enforcement actions. Indeed, the core elements described in the Compliance Framework align with compliance best practices and guidance issued by other US government agencies, including the Departments of Commerce and Justice. By publishing this guidance, however, OFAC is signaling the importance of these elements to OFAC’s enforcement policies and practices. Latham & Watkins expects that OFAC will continue to draw heavily from the Compliance Framework when assessing potential mitigation credit for sanctions violations and imposing compliance requirements in future settlements.
The Compliance Framework is relevant to all persons and entities that engage in activities subject to US sanctions. This includes US persons and entities, wherever they are located or operating. It can also include activities by non-US persons and entities where there is some nexus with the United States, US persons, or US-origin goods, technology, or services. Given the broad international reach of US sanctions and OFAC’s aggressive approach to enforcement, all businesses operating internationally are welladvised to take into account the Compliance Framework to review the robustness of their existing and future SCPs.
OFAC has identified these five compliance program elements as essential:
1. Senior Management Commitment
Commitment to and support by senior management of a risk-based SCP is critical. The definition of “senior management” typically includes senior leadership, executives, and boards of directors.
Senior management must ensure that an SCP has adequate resources, including human resources, subject matter expertise, and information technology; that compliance units are given the necessary authority; and that the SCP is fully integrated into day-to-day operations. OFAC will look to senior management to create a “culture of compliance” that is supported through “routine and periodic” meetings between senior management and the personnel implementing the SCP. Additionally, it may be appropriate for senior management to install a dedicated OFAC sanctions compliance officer, depending on the size and risk profile of the organization.
2. Risk Assessments
OFAC views routine risk assessments as another essential component of an SCP. Risk assessments, which OFAC defines as a “holistic review of the organization from top-to-bottom [to] assess ... touchpoints to the outside world,” may include an evaluation of specific clients, suppliers, products, services, and geographic locations. The purpose is to identify potential touchpoints for direct or indirect contact with OFAC-sanctioned persons, parties, countries, or regions.
OFAC notes that risk assessments and sanctions-related due diligence are particularly important in the context of mergers and acquisitions involving non-US companies or corporations.
3. Internal Controls
Robust internal controls are key to establishing clear expectations, defining appropriate procedures, and minimizing risk.
OFAC notes that, given rapid changes in US economic and trade sanctions, a successful SCP should have controls in place to respond quickly to changes to US sanctions, including the addition of entities to the Specially Designated Nationals and Blocked Persons List (SDN List) and modifications to countrybased sanctions programs.
Written policies related to an SCP should be relevant, easy to follow, and consistent with day-to-day operations. The controls — including any information technology solutions — should be tailored to the results of the organization’s risk assessment and profile such that employees can effectively identify, escalate, and report potential sanctions issues. Policies and procedures should be communicated to all employees, particularly personnel within the SCP program and business units operating in higher-risk areas, as well as any third parties performing SCP responsibilities on behalf of the organization.
OFAC advises that organizations enforce controls through internal and/or external audits and take prompt action to identify and remediate the root cause of identified issues. Organizations should also appoint personnel to integrate controls into daily operations, including consulting with relevant business units and ensuring that staff members understand the policies and procedures.
4. Testing and Auditing
A comprehensive testing and auditing function is important for identifying and remediating existing weaknesses in an SCP. Depending on the risk, audits can focus on a specific element of an SCP or be enterprise-wide.
The testing and auditing function should be appropriate to the level and sophistication of the SCP and accountable to senior management. In addition, it should operate independently from the audited activities and have sufficient authority, skills, expertise, and resources to be effective. The testing and auditing procedures should reflect a complete and objective assessment of the organization’s OFAC risk profile and related controls. In the event of a negative audit finding or test result, organizations should commit to identifying and remediating the root cause of the weakness.
An effective training program is integral to a successful SCP. Training should be conducted periodically — or annually, at a minimum — and should provide customized, role-specific advice, delivered in easily accessible resources and materials, and provided to all employees and, as appropriate, relevant stakeholders (such as clients and suppliers). It should also include assessments to hold employees accountable for sanctions compliance.
Training should be tailored to the organization’s risk profile, reflecting the products and services offered, the relationships maintained, and the regions in which the organization operates. If a negative testing or audit result occurs, the organization should commit to providing training or other corrective action for the personnel involved.
OFAC’s Economic Sanctions Enforcement Guidelines place significant weight on the adequacy of an organization’s SCP when assessing whether and to what extent a civil monetary penalty is warranted. Going forward, it is clear that OFAC will evaluate a company’s SCP against the Compliance Framework in determining, among other things, whether an apparent violation will be deemed “egregious” (triggering a heightened penalty scheme) and whether an organization will be granted mitigation credit in the final penalty calculation.
The Compliance Framework formalizes OFAC’s views of what constitutes an effective SCP and allows companies to benchmark their programs against OFAC standards. At the same time, it provides a readymade menu of compliance enhancements from which OFAC may draw in resolving enforcement cases. Companies should be aware that with the Compliance Framework, OFAC may be more assertive in seeking to impose compliance obligations as part of future settlement agreements.