On Thursday, May 2, 2019, the Department of the Treasury's Office of Foreign Assets Control (OFAC) published a framework for sanctions compliance programs. The framework provides guidance on OFAC's views on the essential components of a risk-based sanctions compliance program (SCP). It also explains how OFAC will consider an SCP during enforcement proceedings, potentially including commitments to incorporate certain components into an SCP as part of a settlement agreement. OFAC's guidance is targeted at a broad range of entities: both organizations subject to U.S. jurisdiction and foreign entities that conduct business in or with the United States, U.S. persons, or U.S.-origin goods and services. OFAC also provided a list of root causes for why entities may have failed to comply with OFAC sanctions, and described how those factors affect OFAC's enforcement activity.

Compliance Framework

OFAC's framework makes clear that an SCP must include at least the following five essential components:

1. Management Commitment

  • Senior Management should be committed to and support the SCP. This includes providing adequate resources for and supporting the authority of compliance departments and personnel. An organization can show its commitment to compliance by having an OFAC sanctions compliance officer and employing qualified individuals for the compliance program.

2. Risk Assessment

  • Organizations should conduct a routine and ongoing risk assessment by evaluating risk with each external party with which the organization interacts. The assessment should be done at the on-boarding of a relationship using Know Your Customer diligence processes, and when conducting compliance during a merger and acquisition process.
  • Potential points of exposure include customers, intermediaries, and other counterparties, the products and services the organization offers, and the geographic locations of the parties involved.

3. Internal Controls

  • Processes and procedures to identify, report, and respond appropriately to potential sanctions issues are crucial to an SCP. These policies and procedures must reflect the organization's day-to-day operations, be integrated with the relevant business units and external parties, and be easy to follow.
  • To properly identify potential issues, entities must stay abreast of any updates to OFAC's Specially Designated Nationals list, sanctions programs or prohibitions, general licenses, and any other OFAC guidance or actions.

4. Testing and Auditing

  • The audit or testing unit can be internal or external, but must be independent from the compliance unit and conduct a comprehensive analysis of the organization's OFAC-related risk assessment and internal controls. The organization must respond to any negative results swiftly and effectively with the necessary changes.

5. Training

  • The organization should provide periodic training to all appropriate employees and personnel.

OFAC will consider an organization's SCP and these five elements as potential mitigating factors if they existed at the time of an apparent violation. OFAC will also consider any remedial actions taken that stem from the existence of an SCP as mitigating factors.

Root Causes of Sanctions Violations

Based on its history of enforcement action, OFAC also provided a non-exhaustive list of root causes of sanctions violations. These include the lack of a formal SCP or lack of effective application of the SCP, misinterpreting OFAC regulations, poor sanctions screening, and decentralized compliance functions. Additionally, organizations should be aware of whether a particular transaction uses non-traditional business practices outside of industry norms, as that can indicate a potential violation of sanctions laws.

In addition to organizations subject to U.S. jurisdiction, non-U.S. persons can also face repercussions for violating U.S. sanctions laws through transactions with a U.S. nexus. OFAC's explanation of common root causes makes clear that U.S.-origin goods, technology, or services may be subject to U.S. sanctions. Therefore, any party that purchases such items with the intent of re-exporting, transferring, or selling the items to an OFAC-sanctioned party will be subject to U.S. sanctions jurisdiction. In enforcing sanctions laws with respect to these types of transactions, OFAC has focused on large, sophisticated organizations, those that made repeated violations, or those that ignored multiple warning signs. Non-U.S. persons that utilize the U.S. financial system for commercial transactions involving OFAC-sanctioned parties have also faced enforcement actions from OFAC.

In a press release about the framework, OFAC Director Andrea Gacki said the guidance "underlines [OFAC's] commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements." Sigal P. Mandelker, Under Secretary for Terrorism and Financial Intelligence, said that protecting the "U.S. financial system from abuse is a key part" of the strategy to enhance sanctions programs.

These guidelines are an indication of OFAC's focus on sanctions enforcement. They come on the heels of a spate of OFAC settlements, which OFAC has increasingly used as an opportunity to provide public guidance on its compliance expectations. We urge U.S. and international companies to ensure their economic sanctions policies and procedures are up to date and comprehensive, and to remain vigilant for potential exposure and violations. If you have any questions regarding OFAC sanctions or how they may affect your business, please reach out to the contacts listed below.