In May 2019, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published the Framework for OFAC Compliance Commitments (“Framework”), which is intended to help organizations subject to U.S. jurisdiction, as well as foreign entities doing business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to develop and implement an export control and economic sanctions compliance program (SCP). While acknowledging that each company’s SCP will vary depending upon a variety of company-specific and risk‑based factors, OFAC has indicated that any program should include, at a minimum, the following compliance components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Although an SCP is not mandated by law, OFAC has long acknowledged that the implementation of a structured SCP can be a mitigating factor in any enforcement proceeding when an export control or economic sanctions violation is discovered. And, while the existence of an SCP may not provide complete protection against any civil monetary fine, the Framework makes clear that companies that have an effective SCP at the time of an apparent violation would be viewed favorably, and that the existence of such a program could be a factor in any analysis as to whether a case is deemed “egregious.”

OFAC’s Five Essential Compliance Components

1) Management Commitment: OFAC stresses the importance of senior management commitment for the success of any SCP. The term “senior management” includes senior leadership, executives and/or the board of directors. The crucial points of effective management commitment include (i) review and approval of the SCP, (ii) delegation of sufficient authority and autonomy to the compliance department and/or officials, (iii) allocation of adequate resources, including human capital, expertise and information technology to the compliance department relative to the breadth of company operations, (iv) promotion of a “culture of compliance” throughout the organization, and (v) recognition of the seriousness of apparent violations of laws and regulations, and implementation of necessary measures to reduce the occurrence of apparent violations in the future.

2) Risk Assessment: OFAC recommends that organizations take a “risk-based” approach when designing or updating their SCPs. This approach should include the review of the organization “in a holistic manner” (as there is no “one-size-fits-all” assessment) to identify potential OFAC issues the company could encounter. The Framework suggests an assessment of the following may be appropriate: (i) the company’s customers, supply chain, intermediaries and counter‑parties; (ii) the company’s products and services, including how and where such items fit into other financial or commercial products, services, networks or systems; and (iii) the company’s geographic locations, as well as those of its customers, supply chain, intermediaries and counter-parties. OFAC notes that risk assessments and sanctions-related due diligence are also an important aspect of any merger or acquisition, particularly in scenarios involving non-U.S. companies or corporations.

3) Internal Controls: OFAC states that an effective SCP also includes policies and procedures to “identify, interdict, escalate, report and keep records” of the activities that may be prohibited by applicable U.S. laws and regulations. As such, the Framework recommends that companies establish written internal controls with the purpose of outlining clear expectations, defining procedures and minimizing any identified or potential risks. An SCP should be able to adjust to rapid changes in laws and regulations administered by OFAC, including (i) updates to OFAC’s Specially Designated Nationals (SDN) List, the Sectoral Sanctions Identification (SSI) List and other sanctions-related lists; (ii) new, amended or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions or persons; and (iii) the issuance of general licenses.

4) Testing and Auditing: OFAC’s Framework recommends a testing and auditing function within an SCP to ensure that the company is able to identify program weaknesses and deficiencies, and to check for inconsistencies in any day-to-day operations. Such functions should be updated, enhanced or recalibrated to account for a changing risk assessment or sanctions environment. The recommendations include: (i) accountability and independence of the testing and auditing function, (ii) employment of testing and auditing procedures, and (iii) immediate actions to identify and implement compensating controls on negative results.

5) Training: OFAC states that an effective training program must be a key component of an SCP. Training should be provided to employees, at a minimum, on an annual basis, and should “(i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.” The Framework indicates that a training program should provide adequate information and instruction to employees and appropriate stakeholders with an appropriate scope determined based on “the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.”

Root Causes of Breakdowns or Deficiencies in Company Compliance

OFAC also provided a helpful annex to the Framework which summarizes common root causes and deficiencies the agency has identified in numerous sanctions enforcement actions over the years. These weaknesses, as listed in the Framework, are:

  • Lack of a Formal SCP;
  • Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations;
  • Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates);
  • Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries;
  • Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries;
  • Outdated Sanctions Screening Software or Filter Faults;
  • Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.);
  • De-Centralized Compliance Functions and Inconsistent Application of an SCP;
  • Utilizing Non-Standard Payment or Commercial Practices; and,
  • Individual Liability.

Department of Justice Updates Guidance on Evaluation of Corporate Compliance Programs

The U.S. Department of Justice’s (DOJ) Criminal Division has also updated its Guidance Document for white-collar prosecutors on the “Evaluation of Corporate Compliance Programs.” This Guidance Document is intended to assist prosecutors “in making informed decisions as to whether, and to what extent, [a] corporation’s compliance program was effective at the time of [any] offense.” While DOJ states it has no “rigid formula to assess the effectiveness of corporate compliance programs,” it does identify three “fundamental questions” a prosecutor should ask:

  • Is the corporation’s compliance program well designed?
  • Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  • Does the corporation’s compliance program work in practice?

The Guidance Document provides sample topics and questions that should be considered by a prosecutor in undertaking any evaluation of a company’s compliance performance.

Although OFAC’s Framework and DOJ’s Guidance Document are intended to address different audiences, they have some commonalities that companies should consider while preparing their compliance programs. For instance, similar to the Framework, DOJ recommends that prosecutors evaluate “how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” Similarly, DOJ also emphasizes the importance of training, management commitment and periodic testing and auditing. Overall, companies looking to establish a compliance program should take a holistic approach and evaluate different perspectives provided by both DOJ and OFAC in order to achieve an effective compliance program.