Today, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published “A Framework for OFAC Compliance Commitments” (“Framework”). In doing so, OFAC somewhat broke with tradition by providing detailed guidance on the key elements of an effective sanctions compliance program. In addition, they have highlighted some key considerations in regard to how the existence and nature of an OFAC compliance program can impact an enforcement matter, as well as highlighted common root causes of sanctions violations.
I. Essential components of an OFAC sanctions compliance program
OFAC’s Framework set out five essential components to a sanctions compliance program: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training. Each of these is discussed below.
Management Commitment: OFAC asserts that the commitment of senior management–to include leadership, executives, and directors–is critical to a sanctions compliance program’s success. Indicia of this commitment can be found in the provision of adequate resources to a business’ compliance units and support for compliance personnel’s autonomy and authority within an organization. To demonstrate this support, senior management should review and approve an organization’s sanctions compliance program; allow compliance to manage sanctions risk and ensure direct reporting lines between compliance and senior management; make sure adequate personnel, expertise, technology and other resources are available to compliance; promote a culture of compliance; and recognize the importance of OFAC compliance through implementation of remedial measures to mitigate or prevent sanctions violations or compliance failings.
Risk Assessment: OFAC recommends that parties engage in routine and on-going risk assessments to identify an organization’s touch points to the outside world in order to identify and assess sanctions risk. For example, this could include review of the organization’s customers and counter-parties; products, services, and systems; and the geographic reach of the organization. These types of assessments are particularly necessary during mergers and acquisitions. In order to properly conduct a sanctions risk assessment, the organization should conduct on-going risk assessments that account for root causes of apparent violations and systemic deficiencies. In addition, risk assessments should also be conducted pursuant to a methodology to identify, analyze, and address sanctions risk.
Internal Controls: Internal controls are the hallmark of an effective sanctions compliance program. These controls include policies and procedures to identify, interdict, escalate, report, and record activity implicating OFAC-administered sanctions programs and regulations. These internal controls will be effective if certain criteria are met. First, there should be written policies and procedures that capture the organization’s operations and are designed to prevent misconduct. Second, the internal controls should address the results of the OFAC-risk assessments and the organization’s risk profile. If technology is relied upon, those tools should be calibrated and tested to ensure effectiveness. Third, internal and/or external audits should be performed to ensure enforcement of the policies and procedures. Fourth, the organization’s record-keeping requirements should be consistent with OFAC’s record-keeping and reporting requirements found in, inter alia, 31 C.F.R. Part 501. Fifth, upon learning of a weakness in its internal controls, the organization will identify and implement controls to identify and remediate that weakness. Sixth, sanctions compliance policies and procedures should be communicated within an organization and to external parties performing responsibilities on behalf of the organization. Finally, personnel should be assigned to integrate policies and procedures into an organization’s operations in order to ensure understanding of the requirements of those policies and procedures.
Testing and Auditing: Testing and auditing of a sanctions compliance program ensures that an organization identifies that program’s weaknesses and deficiencies in order to remediate and enhance the program. To make sure that this function is robust, it should be accountable to senior management, independent from those functions it audits, and have sufficient expertise, resources, and authority to properly serve its role. Further, it should account for the organization’s OFAC-related risk assessment and internal controls. Finally, the organization should react immediately to compensate for any weaknesses identified by the auditing function until appropriate remedial measures can be deployed.
Training: Finally, OFAC notes that periodic training on a sanctions compliance program is an integral part of its success. This training should be tailored to an organization’s business lines and operations, and account for high-risk employees so that they have adequate information and instructions in order to support the sanctions compliance program’s objectives. This could be done, for example, by providing accessible resources and materials to relevant personnel. Training should also be conducted frequently enough to appropriately address an organization’s OFAC-risk assessment and risk profile. Training should not be a stand-alone objective, and should also occur as part of remedial measures to correct or mitigate deficiencies in the program.
II. Why the egregiousness standard in base penalty calculations has changed
Sanctions practitioners know that OFAC’s Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, Appendix A, (“Guidelines”) govern OFAC investigations and enforcement actions. Those Guidelines also account for “egregiousness” determinations made as part of base penalty calculations. These egregiousness determinations can dramatically increase the value of the base penalty calculation. The Guidelines determine egregiousness by looking to General Factors A-D of the Guidelines’ General Factors Affecting Administrative Action, with a particular focus on General Factor A (“willful or reckless violation of law”) and General Factor B (“awareness of the conduct at issue”). General Factor C (“harm to sanctions program objectives”) and General Factor D (“individual characteristics”) also are considered, but are not weighed as heavily as General Factors A and B. It is important to note that a separate General Factor found in the Guidelines–General Factor E–accounts for whether a person subject to OFAC enforcement has a sanctions compliance program, as well as the nature and adequacy of that program.
OFAC’s new Framework, however, drops a hint that OFAC may now be shifting this standard. Specifically, page 1 of the Framework highlights the fact that “OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed egregious.”
I suppose they can justify that consideration under General Factor D–individual characteristics–given that General Factor D is a general factor considered in making an egregiousness determination, and whether or not a party maintains a sanctions compliance program would be a characteristic of the individual subject person. From my knowledge, however, this would be a new direction for OFAC to take, as the Guidelines have traditionally accounted for the existence of a compliance program under General Factor E. In doing so, OFAC’s new Framework expands the scope of egregiousness determinations, thereby allowing for higher base penalty calculations and doubling the instances by which a party can receive an aggravated enforcement response for lack of a sanctions compliance program–which, by the way, OFAC regulations do not require persons to have. In short, although you don’t have to have a sanctions compliance program, you will really suffer the consequences if you don’t and a violation occurs.
III. Common causes for sanctions violations
OFAC’s Framework also helpfully identifies a number of scenarios that traditionally have led to violations of OFAC-sanctions programs. Each of these scenarios could have entire blog posts dedicated to them, but I intend no such exercise here. Instead, I have reduced those instances into a Dos and Don’ts List:
Do: Have an OFAC sanctions compliance program.
Do: Consult legal counsel or OFAC sanctions expertise to understand the scope and applicability of OFAC-administered regulations.
Don’t: Refer business opportunities to, or otherwise approve or facilitate those opportunities of, your company’s foreign-based operations and subsidiaries.
Don’t: As a non-U.S. person, re-export U.S.-origin goods, services, or technology to sanctioned jurisdictions or sanctioned persons, particularly if you have signed a contract or received other documentation that has informed you that you cannot do so.
Don’t: As a non-U.S. person, cause U.S. dollar payments to be remitted through the U.S. or by U.S. persons for transactions that in any way involve sanctioned persons or jurisdictions, and definitely do not in any way try to hide that a cross border U.S. Dollar payment is related in some way to a sanctioned person or jurisdiction.
Do: Make sure that your sanctions screening software and filters are adequate, continuously tested, and calibrated to ensure that sanctions risk is being appropriately mitigated.
Do: Good due diligence. Don’t slack on the quality of your due diligence, and if you don’t have the knowledge or resources to do it appropriately, outsource it until you can devote adequate resources and processes to conduct it. Account for ultimate beneficial ownership, geographic risk, and all counter-parties. Also, conduct transactional due diligence and monitoring.
Do: Follow OFAC’s Framework and ensure that your sanctions compliance program is addressing sanctions-risk globally and is consistently applied and tested across operations and business lines.
Don’t: Engage in strange payment practices. This is particularly true when it comes to receipt or remittance of payments from or to third parties. If the manner of payment requested by a counter-party appears unusual or novel, ensure that the payment can be made through normal channels.
Don’t: Be the person at your company that comes up with a novel way to “get around” the sanctions. If you’re looking for loopholes, you’re looking for trouble. OFAC and other law enforcement agencies are becoming bullish on going after individuals for facilitating sanctions violations of the companies they work for. Don’t get the horns–promote compliance before OFAC promotes enforcement.
OFAC’s Framework is a welcome development for many in the sanctions compliance world. That said, it does signal that expectations are being elevated and that organizations need to make sure they have their compliance practices in order now that OFAC has made clear what good practices look like.