Seyfarth Synopsis: On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released explicit guidance outlining its expectations for effective written sanctions compliance programs (“SCPs”) for organizations subject to U.S. jurisdiction. These guidelines are meant to help such organizations avoid sanctions violations and to inform if and how OFAC will evaluate such violations and assess penalties. OFAC focuses on M&A transactions within these compliance guidelines and highlights certain data points that it will assess in the context of scrutinizing any M&A transaction in relation to sanctions violations-related enforcement actions.
The U.S. government imposes economic and trade sanctions against certain targeted foreign governments, individuals, groups and entities in accordance with national security and foreign policy goals and objectives. Consequently, OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the U.S., U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating an SCP.
If and when there is a sanctions-related violation implicated in any given transaction, OFAC may bring an enforcement action against the parties subject to U.S. jurisdiction. These enforcement cases usually entail an investigation by OFAC and a determination based on OFAC’s Economic Sanctions Enforcement Guidelines (Appendix A to Part 501 of 31 C.F.R.) (“Guidelines”). Until now, OFAC had not provided any specific, prescriptive guidance on the form and content of an SCP.
On May 2, 2019, OFAC released “A Framework for OFAC Compliance Commitments,” (the “Framework”) which serves as a roadmap that will guide OFAC in applying the Guidelines to any given factual situation. It also further informs, in detail, if and how OFAC will consider the existence, nature and adequacy of an SCP and, when appropriate, if and how OFAC will rely on these considerations in mitigating any civil monetary penalties it may choose to impose upon sanctions violators. The Framework is intended to provide organizations with a framework for what OFAC describes as five essential components upon which a risk-based SCP should be predicated:
- Management Commitment;
- Risk Assessment;
- Internal Controls;
- Testing and Auditing; and
Within each of these five elements of an effective SCP, the Framework also provides concrete examples of best practices that companies are expected to follow. For example, in the context of “Management Commitment,” OFAC states that “one of the most important factors in determining” the success of an SCP is the idea that senior management of any given organization must promote a “culture of compliance” throughout the organization. “Culture of compliance” is given no specific definition but is instead a subjective standard that OFAC states can be measured by the following criteria:
- The ability of personnel to report sanctions-related misconduct by the organization or its personnel to senior management without fear of reprisal;
- Senior management messages and takes actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions; and
- The ability of the SCP to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
M&A advisors should take special heed of this “culture of compliance” guideline, as it is a subjective standard which serves as an impetus to ensuring a truly holistic evaluation of parties involved in any given merger or acquisition — especially in scenarios involving non-U.S. companies or corporations and when the surviving entity remains subject to U.S. sanctions compliance. This holistic approach should involve not just a review of written policies and protocols, but also a granular understanding of human behaviors and patterns of conduct in any given organization, be it the acquirer or the target.
The Framework focuses on M&A transactions in the context of “Risk Assessment,” stating that mergers and acquisitions in particular have presented “numerous challenges with respect to OFAC sanctions.” In stressing that compliance functions should be incorporated into the merger, acquisition and integration process of any M&A deal, OFAC cites the following points as critical in undertaking an effective risk assessment in connection with an M&A transaction:
- Whether an organization engages in appropriate due diligence to ensure that sanctions-related issues are identified;
- Whether such issues are escalated to the relevant senior levels;
- Whether such issues are then addressed prior to the conclusion of any [M&A] transaction; and
- Whether adequate safeguards are then incorporated into the organization’s risk assessment process going forward.
These concerns are not limited to the pre-acquisition or consummation phase of an acquisition transaction; they also have post-acquisition impact. To this end, OFAC’s Framework states: “After an M&A transaction is completed, the organization’s Audit and Testing function will be critical to identifying any additional sanctions-related issues.”
In the context of “Testing and Auditing,” the Framework explains that audits assess the effectiveness of an organization’s current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps.
M&A advisors should also remain sensitive to the published list of certain common “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies” which concludes the Framework. As stated, the following are essentially common causes of U.S. sanctions liability which can taint or otherwise derail an M&A transaction either from its inception or well into a post-closing integration phase:
- Lack of a formal OFAC SCP;
- Misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
- Facilitating transactions by non-U.S. persons (including through or by overseas subsidiaries or affiliates);
- Exporting or re-exporting U.S.-origin goods, technology or services to OFAC-sanctioned persons or countries;
- Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries;
- Sanctions screening software or filter faults;
- Improper due diligence on customers and clients;
- De-centralized compliance functions and inconsistent application of an SCP;
- Utilizing non-standard payment or commercial practices; and
- Individual liability.