On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments. In this document, OFAC outlines its expectations for effective sanctions compliance programs (SCPs). The guidance provides a roadmap for companies to mitigate future liability by implementing compliance programs that adhere to it.
OFAC highlights five key components of effective SCPs: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Even if a company violates OFAC’s Economic Sanctions Enforcement Guidelines (the Guidelines), OFAC reiterates that it will “consider favorably” a company that had implemented an effective SCP, especially if the SCP is predicated on these five key components.
OFAC provides further elaboration of its expectations in each of these five areas:
Management Commitment
OFAC emphasizes that support by senior management is “one of the most important factors in determining” an SCP’s success. OFAC provides the following guideposts to evaluate support by senior management:
- Senior management should review and approve the SCP;
- Senior management must endow its compliance unit(s) with sufficient authority and resources to effectively control the company’s OFAC risk;
- Senior management must promote a “culture of compliance”; and
- Senior management must demonstrate its recognition of the seriousness of past violations and must implement measures to mitigate future violations.
Risk Assessment
OFAC recommends that companies implement routine — and, in some circumstances, ongoing — risk assessments to identify potential compliance issues. These risk assessments should include a “holistic review” to assess the company’s contacts with OFAC-prohibited persons, parties, countries, or regions. In addition, OFAC states that the risk assessment should:
- Be conducted frequently enough and in a manner to account for potential risks posed by a variety of outside contacts;
- Be updated to address root causes of any apparent violation identified during the routine course of business; and
- Include a methodology to identify, analyze, and address the particular risks noted in the assessment or during the routine course of business.
Internal Controls
OFAC notes that internal controls are an integral component of effective compliance programs. These internal controls should include policies and procedures to identify, record, escalate, and (if appropriate) report prohibited activity. Specifically, OFAC advises that internal controls should:
- Include policies and procedures that outline the SCP;
- Address the results of the OFAC risk assessment and profile;
- Enforce policies and procedures;
- Have sufficient recordkeeping policies;
- Require immediate and effective action if an internal control weakness is identified;
- Clearly communicate the SCP policies and procedures internally; and
- Appoint designated personnel to integrate the SCP’s policies into the company’s operations.
Testing and Auditing
OFAC recommends that compliance programs include a comprehensive and objective testing or auditing function to ensure that companies spot problems as early as possible. In this process, a company should:
- Ensure that the testing/auditing function is accountable to senior management and is provided sufficient authority;
- Implement testing/auditing procedures that are commensurate with the “level and sophistication” of the SCP; and
- Take immediate action if it learns of a negative testing/auditing result.
Training
OFAC highlights the importance of an effective training program in its evaluation of an effective SCP. In developing these training programs, companies should:
- Provide adequately tailored training programs with sufficient frequency;
- Provide training programs that have an appropriate scope;
- Take immediate and effective steps to provide training or other remedial action if the company learns of a negative testing/audit result; and
- Provide training programs that include resources that can be accessed by all relevant personnel.
OFAC’s recently published guidance provides a detailed roadmap for companies seeking to mitigate future risk. This guidance outlines OFAC’s expectations for effective SCPs and explicitly states that OFAC may “consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed ‘egregious.’” In publishing this guidance, OFAC has provided companies with an opportunity to revisit their existing compliance programs with an eye toward preventing a crippling OFAC enforcement action.