On May 2, 2019, the US Office of Foreign Assets Control (“OFAC”) published A Framework for OFAC Compliance Commitments (the “Framework”). This long-awaited document sets out OFAC’s expectations for effective sanctions compliance programs (“SCPs”). While the broad elements of the Framework should be familiar to seasoned compliance practitioners, the details highlight the specific significance that OFAC attaches to SCPs in resolving enforcement actions. Indeed, we are already seeing OFAC settlements conditioned on compliance enhancements reflected in the Framework.
Key points include the need for SCPs to be risk-based and continually evolving, the importance of root cause analysis upon identification of potential violations, and details on the metrics that OFAC will apply in assessing the adequacy of a company’s remedial response to violations.
OFAC pointedly directs its guidance not only to persons subject to US jurisdiction, but also to foreign entities that conduct business in or with the United States, with US persons, or involving US-origin goods or services. All companies should therefore look to the Framework as a useful checklist when designing, implementing and updating SCPs in general and, in particular, when remediating identified compliance weaknesses.
Role of an SCP in OFAC Enforcement Actions
The Framework states that, consistent with OFAC’s Economic Sanctions Enforcement Guidelines (the “Guidelines”), it will consider favorably the existence of effective SCPs in any enforcement proceeding under the General Factors outlined in the Guidelines, which are factors considered by OFAC when determining the appropriate resolution of an OFAC enforcement investigation. Parties whose SCPs are predicated on the five essential compliance components described in the Framework will benefit not only from General Factor E (compliance program), but also General Factor F (remedial response), if the SCP results in remedial steps being taken in response to the violations. OFAC will also consider the existence of an effective SCP as a factor in its analysis as to whether a particular violation is “egregious.” Finally, OFAC indicates that in cases where monetary penalties are imposed, it will make a determination as to which elements should be incorporated into the subject person’s SCP as part of any settlement agreement with OFAC.
OFAC’s Five Essential Components of Compliance
The Framework identifies and describes “five essential components of compliance”:
- Management Commitment: OFAC stresses the importance of a top-to-bottom approach to sanctions compliance in order to create a “culture of compliance”. Involvement by senior management, including senior leadership, executives, and/or the board of directors, is critical, as is the allocation of “adequate resources” to the organization’s compliance department. OFAC indicates it will measure these efforts according to a number of criteria, including the appointment of a dedicated OFAC sanctions compliance officer, the quality and experience of the personnel dedicated to implementing the SCP, and the existence of sufficient control functions to support the SCP.
- Risk Assessment: OFAC advises companies to take a risk-based approach to designing and updating their SCPs. Companies should conduct a risk assessment to identify potential OFAC compliance issues in the organization. The SCP should then be tailored to address the issues identified. The Framework refers to OFAC’s Risk Matrix found in the Annex of Appendix A of the Guidelines as a tool for companies to use in evaluating their compliance programs. Due diligence of a particular customer, client relationship, or transaction should be informed by the risk assessment, including on-boarding of new clients or customers and in mergers and acquisitions. OFAC notes that mergers and acquisitions, in particular, “have presented numerous challenges with respect to OFAC sanctions” in recent years.
- Internal controls: An effective SCP should include “internal controls,” including policies and procedures, in order to identify, interdict, escalate, report, and keep records related to OFAC sanctions. These internal controls should be tailored to adequately address a company’s sanctions risks, as identified in a risk assessment.
- Testing and Auditing: Independent testing and auditing is critical to assess the effectiveness of a company’s SCP to identify program weaknesses and deficiencies. OFAC emphasizes that it is the organization’s responsibility to update and enhance its SCP, including all compliance-related software, systems, and other technology. Testing and auditing should focus on a specific element of the SCP or at the enterprise-wide level.
- Training: Finally, OFAC describes its expectations with respect to sanctions-specific training, which OFAC expects organizations to conduct periodically for all appropriate personnel, and at a minimum annually.
While this Framework is new for OFAC, its approach follows many themes that will be familiar to practitioners in other compliance areas. The US Department of Justice (“DOJ”) has for some time sought to set expectations with respect to corporate compliance and how compliance programs are evaluated in the context of corporate criminal enforcement. DOJ updated its own Guidance on Evaluating Corporate Compliance Programs just two days before OFAC published its Framework (for our analysis on the latest DOJ Guidance see here). In addition, DOJ and the Securities and Exchange Commission have jointly discussed “10 hallmarks” of effective anti-corruption compliance in their 2012 joint Resource Guide to the FCPA, and the US Sentencing Guidelines (at §8B2.1) considers “7 Elements of an Effective Compliance Program” relevant to the sentencing of organizations in corporate compliance matters.
We have previously distilled these various expectations into “Five Essential Elements of Corporate Compliance” designed to meet enforcement and regulatory expectations as to corporate compliance in the US and around the world. These Essential Elements are i) leadership, ii) risk assessment, iii) standards and controls, iv) training & communication, and v) oversight (monitoring auditing and response), and align closely with OFAC’s “Five Essential Compliance Components”. Companies that already organize their broader compliance program around these essential elements should be well placed to meet OFAC’s expectations by leveraging that existing infrastructure.
Root Causes of OFAC Sanctions Compliance Program Breakdowns and Deficiencies
Appendix A of the Framework describes several “non-exhaustive” root causes of sanctions compliance program breakdowns and deficiencies that OFAC has identified based on previous enforcement actions. OFAC explains that it is providing this information to assist companies in designing, updating and amending their SCPs.
- Lack of a formal SCP. OFAC notes that the lack of a formal SCP is an aggravating factor under its Guidelines.
- Misinterpreting or failing to understand the applicability of OFAC’s regulations. OFAC explains that several organizations have failed to appreciate or consider the fact that OFAC sanctions may apply to them jurisdictionally. It notes, however, that its enforcement actions have typically identified other aggravating factors with regard to this specific root cause, such as reckless conduct and the size and sophistication of the company.
- Facilitating transactions by non-US persons (including through or by overseas subsidiaries or affiliates). OFAC cautions companies with integrated operations (e.g., non-US affiliates of US companies requiring input from their US headquarters) to ensure that any activities they engage in (e.g., approvals, contracts, procurement, etc.) are compliant with OFAC sanctions.
- Exporting or re-exporting US-origin goods, technology or services to OFAC sanctioned persons or countries. OFAC notes that its enforcement activity in this area has generally been focused on companies or corporations that are large or sophisticated, engaged in a pattern or practice that lasted multiple years, ignored or failed to respond to numerous warning signs, used non-routine business practices, or concealed their activity in a willful or reckless manner.
- Utilizing the US financial system, or processing payments to or through US financial institutions, for commercial transactions involving OFAC sanctioned persons or countries. OFAC has generally focused its enforcement activity in this area on parties who have engaged in willful or reckless conduct, attempted to conceal their activity, engaged in a pattern or practice that lasted for months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, or involved actual knowledge or involvement by company management, causing significant harm to US sanctions program objectives, and that were large or sophisticated organizations.
- Sanctions screening software or filter faults. OFAC explains that this issue often arises when organizations fail to adequately update their sanctions screening tools, fail to include pertinent identifiers in conducting the screening (e.g., SWIFT Business Identifier Codes), or do not account for alternative spellings of restricted parties (e.g., Habana instead of Havana).
- Improper due diligence on customers/clients (e.g. ownership, business dealings, etc.). OFAC cautions that a number of its enforcement actions have involved improper or incomplete due diligence by companies, such as with respect to ownership, geographic location, counter parties, transactions, and knowledge/awareness of OFAC sanctions.
- Decentralized compliance functions and inconsistent application of a sanctions compliance program. Another recurrent root cause cited is a decentralized compliance function, with personnel and decision-makers scattered in various business units and offices. OFAC explains that this type of arrangement can result in improper interpretation and application of OFAC regulations, a lack of escalation process, an incapable oversight or audit function, or miscommunications regarding the company’s SCP.
- Utilizing non-standard payment or commercial practices. OFAC explains that this issue arises most often when organizations attempt to evade or circumvent OFAC sanctions or conceal their activity.
- Individual liability. Individual employees can play integral roles in causing or facilitating violations of OFAC sanctions. OFAC cautions that in such circumstances it will consider enforcement activity against not only the organization, but against the individuals as well.
US and non-US companies are strongly encouraged to look to the details of the Framework as a helpful roadmap and benchmarking tool in designing, implementing, updating and enhancing their SCPs to meet OFAC’s and other regulator’s increased expectations.
* * *
The foregoing is intended only to provide a general summary of recent developments regarding OFAC sanctions compliance and enforcement. If you have any questions about how this development might affect your company or if you require advice on any specific transactions or plans, please contact one of the members of Baker McKenzie’s International Trade Practice Group.