What Happened: On May 2, 2019 US Department of Treasury's Office of Foreign Assets Control (OFAC) published "A Framework for OFAC Compliance Commitments" (the Framework), which provides a specific outline of what OFAC considers to be essential elements of an effective sanctions compliance program (SCP). OFAC also released a settlement with MID-SHIP Group LLC (MID-SHIP), a US-based shipping and logistics company, that demonstrates the benefits of a company's efforts to achieve such "Compliance Commitments" included in the Framework (and the consequences of non-compliance).

The Bottom Line: OFAC is using its most forceful language to date on the need for an effective sanctions compliance program and "strongly encouraging" companies to identify and quantify their OFAC risks and to design and implement OFAC compliance programs similar to those imposed on financial institutions in respect of Anti-Money Laundering compliance. Companies subject to US jurisdiction, as well as foreign entities that conduct business in or with the United States, US persons, or using US goods or services, should promptly assess their sanctions risk and develop, implement and routinely update a risk-based SCP or enhance their existing SCPs in line with the Framework.

The Full Story

On May 2, 2019, OFAC published the Framework, strongly encouraging organizations conducting business in or with the United States to adopt and routinely update SCPs and describing five essential components of compliance that SCPs should incorporate. Not coincidentally, earlier that day, OFAC also released its settlement agreement with MID-SHIP, which included settlement terms with reference to such "Compliance Commitments" for MID-SHIP to follow. According to the Framework and as exemplified in OFAC's handling of the MID-SHIP violations (discussed in further detail below), OFAC recommends that each SCP at least consist of: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training, though each risk-based approach could vary depending on the industry and company.

Specifically, according to the Framework, management commitment is essential in ensuring that adequate resources and support, as well as sufficient authority and autonomy, are allocated to compliance units and personnel within the organization. Risk assessments should then help the organization identify potential OFAC issues that could inform SCP policies, procedures, controls, and training. Once the risks have been identified, internal controls, such as policies and procedures, should reduce these risks and outline clear expectations pertaining to OFAC compliance. Similarly, testing and auditing should help the organization evaluate the effectiveness of current processes, identify any weaknesses in its programs, and remediate compliance gaps. Lastly, training should provide job specific knowledge, communicate sanctions compliance responsibilities, and hold employees accountable through assessments.

OFAC appears to have already put the Framework into practice in its settlement with MID-SHIP, in which the terms included "Compliance Commitments" for MID-SHIP to follow in addition to, among other things, requiring MID-SHIP to pay $871,837. The settlement resulted from MID-SHIP's apparent violation of the Weapons of Mass Destruction Proliferators Sanctions Regulations (the WMDPSR). According to the settlement, MID-SHIP violated the WMDPSR by processing outgoing and incoming electronic funds transfers that pertained to payments associated with blocked vessels identified on OFAC's List of Specially Designated Nationals and Blocked Persons. Importantly, despite the underlying agreements resulting in such payments having been negotiated and executed offshore by MID-SHIP's non-US subsidiaries, OFAC found a violation because MID-SHIP's accounting functions were performed in the United States and its main office, located in Port Washington, New York, receives commission payments from transactions handled by its subsidiaries and branches. It was not clear whether commission payments associated with blocked vessels were received by Mid-Ship's main office directly, or only as a result of the main office's ownership of the non-US subsidiaries. OFAC deemed MID-SHIP's culture of compliance as "deficient", with aggravating factors including the fact that it "reckless[ly] disregard[ed]" US economic and trade sanctions despite knowing of the conduct giving rise to the apparent violations and being a "commercially sophisticated shipping and logistics company that operates in a high-risk industry". OFAC essentially penalized MID-SHIP for not developing or implementing an SCP or controls or measures to ensure its own actions were compliant, despite receiving an email from its non-US subsidiary shedding light on the potential violation of the payments.

The MID-SHIP settlement and the publication of the Framework illustrate, among other things, the importance of carefully analyzing, as part of a sanctions risk assessment, whether OFAC sanctions applies to your organization based on its status as a US person, the existence of a US -owned or controlled subsidiary, or because of its dealings in or with US persons, the US financial system, or US -origin goods and technology. Further, as evidenced by the MID-SHIP settlement and the publication of the Framework, OFAC and the Office of Compliance and Enforcement will, in response to apparent violations, continue to consider whether a company had effective SCPs at the time of the violations, whether there was any response to indications of a potential violation, and now, when applicable, whether the existing SCP followed the Framework. It is likely that OFAC's "Compliance Commitments" will be an essential requirement for many companies in settlement agreements with OFAC going forward, much like enforcement orders imposed on financial institutions by federal banking regulators in connection with sanctions, as well as Anti-Money Laundering, compliance.

Companies subject to US jurisdiction, as well as foreign entities that conduct business in or with the United States, US persons, or using US goods or services should promptly assess their sanctions risk and develop, implement and routinely update a risk-based SCP or enhance their existing SCPs in line with the Framework. Such companies, especially those in high-risk industries, can benefit from developing and maintaining a compliance-first culture led by senior management with the proper risk-assessments, internal controls, testing and auditing and employee training.