OFAC outlines expectations for global sanctions compliance 6 June 2019 On 2 May 2019 the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued "A Framework for OFAC Compliance Commitments" (the framework), which outlines five components OFAC considers to be essential for an effective risk-based sanctions compliance program (SCP). In addition to the five key components, OFAC highlights "root causes" of sanctions violations in the framework. This is the first time OFAC has offered detailed insight into the agency's expectations with respect to an organization's SCP. To date, organizations have generally referred to the OFAC Risk Matrix in assessing the effectiveness of their compliance measures. See 31 Code of Federal Regulations Part 501, Appendix A. The framework is not meant to replace the matrix but instead weaves components of the OFAC Risk Matrix into the various elements of the framework. The framework was released just days after the U.S. Department of Justice (DOJ) published an updated version of its guidance titled "Evaluation of Corporate Compliance Programs." Please see this Hogan Lovells alert for more information on the guidance. OFAC had already begun to implement the new framework, beginning with compliance program elements in enforcement actions and settlement agreements beginning in 2018. Taken together, these publications signal the U.S. government's intention to focus on increasing regulatory enforcement and scrutiny of compliance programs. Characteristics of an effective sanctions compliance program The five "essential components" of an effective SCP outlined in the framework are: management commitment, risk assessment, internal controls, testing and auditing, and training. Management commitment Senior management's commitment is the cornerstone of a successful SCP. In fact, OFAC considers it to be "one of the most important factors" in determining an SCP's success, and is essential for ensuring that an organization's SCP program is fully integrated into the organization's daily operations. OFAC emphasizes the importance of having a designated compliance officer charged with enforcing the organization's sanctions compliance policies and procedures. In addition, OFAC sets out senior management responsibilities including: Review and approve the organization's SCP. OFAC outlines expectations for global sanctions compliance 2 Ensure that compliance personnel have sufficient authority and autonomy to effectively implement policies designed to minimize risk. Ensure the organization has the necessary resources to adequately enforce its SCP (e.g., human capital, expertise, information technology). Promote a culture of compliance (e.g., compliance violation reporting without fear of reprisal, misconduct openly discouraged, SCP oversight throughout the organization). Recognize the seriousness of sanctions violations and SCP failures (e.g., address root causes of violations, deploy systemic solutions). Senior management attention to these obligations contributes to the creation of a robust SCP and fosters a culture of compliance throughout an organization. Risk assessment Conducting a comprehensive risk assessment will help an organization to identify any potential threats or vulnerabilities that can lead to violations of OFAC regulations. The risks should be reflected in the frequency and manner of the risk assessment. Specifically, OFAC notes that an effective assessment will capture potential risks associated with "clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization." In particular, OFAC recommends that organizations incorporate comprehensive risk assessments into customer onboarding and that the compliance function be incorporated into the mergers, acquisitions, and integration processes. Internal controls In the framework, OFAC describes acceptable internal controls, including procedures designed to identify, appropriately respond to, and document any activities that may run afoul of OFAC regulations. An effective SCP will have procedures that are easy to implement, are reflected in the organization's day-to-day operations, and that are updated to implement the results of risk assessments, and testing/auditing. It is important that organizations stay informed of OFAC actions and announcements as they can impact an organization's implementation of internal controls. Testing and auditing Organizations should have an objective testing or audit function to evaluate the effectiveness of their SCP, and to identify and correct deficiencies. Testing can be done internally or by a third party, and enterprisewide or on a specific portion of the SCP. Training All appropriate employees, particularly those in high-risk positions, should be provided training periodically, or at a minimum, annually. Training should be customized, role-specific, and include assessments to hold employees accountable for sanctions compliance. Training materials should be made easily accessible and available to employees on an ongoing basis. Finally, in the event of negative testing or audit results or detection of a deficiency in the SCP, training or other corrective action should be provided to the personnel involved. Causes of sanctions violations In addition to outlining the five essential components of an SCP, OFAC sets forth a nonexhaustive list of the "root causes" of sanctions violations. The list is based on historic enforcement cases and includes: OFAC outlines expectations for global sanctions compliance 3 1. Lack of a formal SCP. 2. Misinterpreting, or failing to understand the applicability of, OFAC's regulations. 3. Facilitating transactions by non-U.S. persons (including by overseas subsidiaries or affiliates). 4. Exporting or reexporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries. 5. Utilizing the U.S. financial system for commercial transactions involving OFAC-sanctioned persons or countries. 6. Sanctions screening software or filter problems. 7. Improper due diligence on customers/clients (e.g., ownership, business dealings, etc.). 8. Decentralized compliance functions and inconsistent application of an SCP. 9. Utilizing nonstandard payment or commercial practices. 10. Wrongdoing by key employees that may result in individual liability. What this means The OFAC and DOJ publications underscore the increasing scrutiny of regulators on compliance and the need for organizations to implement comprehensive and effective risk-based compliance programs. These publications can now be read in conjunction with long-standing export program guidance documents from the State Department's Directorate of Defense Trade Controls and the Commerce Department's Bureau of Industry and Security. See "Getting and Staying in Compliance with the ITAR"; "BIS Export Compliance Program (ECP)." The new OFAC guidelines not only apply to U.S. companies, but also to companies who may find themselves subject to U.S. sanctions laws, such as foreign entities that conduct business in or with the United States, that employ U.S. citizens or use U.S.-origin goods or services. The list of "root causes" includes issues frequently encountered by non-U.S. companies. For example, OFAC notes in the framework that many non-U.S. entities have violated U.S. sanctions laws by processing transactions that involve a sanctioned country or person through U.S. financial institutions (almost all of which have been denominated in U.S. dollars), even if there is no other U.S. nexus to the transaction. The framework aims to ensure that management understands and promotes corporate compliance through a top-down approach to adhering to U.S. sanctions regimes. OFAC has encouraged management to implement internal compliance programs by including the existence of a sanctions compliance program in its baseline penalty calculation, specifically to help determine whether a corporate violation was "egregious." This supports the view that implementing a robust compliance program may help mitigate any enforcement action in the event of an apparent sanctions violation. The framework is particularly relevant given U.S. sanctions developments such as the U.S. government's recent reimposition of sanctions against Iran and Cuba. Sanctions escalation will inevitably put more businesses at risk. U.S. government expectations regarding effective SCPs should serve as a starting point for organizations looking to reassess or enhance their SCP. In addition, companies should review the terms and conditions of settlement agreements with the agencies as well as statements made in these settlement agreements with respect to regulatory expectations. Accordingly, organizations OFAC outlines expectations for global sanctions compliance 4 should review their sanctions compliance policies and procedures in light of the new guidance and these enforcement actions. For more information on U.S. sanctions and export controls and developing a robust sanctions and international trade compliance program, please contact any of the lawyers identified below. Thanks to Stephanie Lopez and Lindsay Brown for assisting in the preparation of this alert. OFAC outlines expectations for global sanctions compliance 5 Contacts Aleksandar Dukic Partner, Washington, D.C. T +1 202 637 5466 [email protected] Beth Peters Partner, Washington, D.C. T +1 202 637 5837 [email protected] Anthony V. Capobianco Partner, Washington, D.C. T +1 202 637 2568 [email protected] Ajay Kuntamukkala Partner, Washington, D.C. T +1 202 637 5552 [email protected] Stephen F. Propst Partner, Washington, D.C. T +1 202 637 5894 [email protected] Lourdes Catrain Partner, Brussels T +32 2 505 0933 [email protected] Aline Doussin Partner, London T +44 20 7296 2961 [email protected] Anne Salladin Partner, Washington, D.C. T +1 202 637 6461 [email protected] Imogen Brooks Associate, London T +44 20 7296 2119 [email protected] Brian P. Curran Partner, Washington, D.C. T +1 202 637 4886 [email protected] Roy (Ruoweng) Liu Counsel, Washington, D.C. T +1 202 637 4837 [email protected] www.hoganlovells.com "Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses. The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members. For more information about Hogan Lovells, the partners and their qualifications, see www. hoganlovells.com. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising. Images of people may feature current or former lawyers and employees at Hogan Lovells or models not connected with the firm. © Hogan Lovells 2019. All rights reserved.