Five months after Sigal Mandelker, Under Secretary of the US Treasury for Terrorism and Financial Intelligence, presented five of the hallmarks of an effective sanctions compliance program, the Office of Foreign Assets Control (OFAC) has finally published long-awaited guidance for national and international organizations subject to its regulation (the Framework). OFAC is the organization responsible for administering and enforcing US economic and trade sanctions programs, and its inaugural "Framework for OFAC Compliance Commitments" will likely be incorporated into compliance programs for entities worldwide.
The Framework is the most detailed statement to date of OFAC's views on sanctions compliance best practices. It articulates guidance on the essential components of a sanctions compliance program and describes how OFAC may evaluate these components in resolving investigations and determining the amount of any penalties. The document also includes a brief root cause analysis of some frequent violations of US economic and trade sanctions laws.
The Framework recommends that organizations employ a riskbased approach to sanctions compliance programs that involves leadership buy-in and support, tested and functioning internal controls, and robust and targeted training for employees and partners. The Framework is organized around these five "essential" elements of a risk-based compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
1. Management Commitment
The Framework emphasizes the importance of senior management's commitment to, and support of, the sanctions compliance program. This commitment is demonstrated through the allocation of adequate resources, support for compliance personnel's authority and autonomy, and full integration into daily operations. These essential elements help legitimize the sanctions compliance program, empower its personnel and foster a culture of compliance. OFAC will consider whether there is a direct line of reporting between the compliance function and senior management, and whether there are routine and periodic meetings between management and compliance. The Framework recommends a dedicated OFAC sanctions compliance officer who oversees highquality, experienced personnel who understand complex financial and commercial issues.
Under the Framework, "culture of compliance" will also be measured by employees' ability to report misconduct without fear of reprisal, the presence of messaging from senior management that misconduct will not be tolerated and the existence of repercussions for non-compliance with sanctions laws.
2. Risk Assessment
Organizations should conduct routine and ongoing "risk assessments" to identify "potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC's regulations and negatively affect an organization's reputation and business." Such assessments should be holistic, allowing the organization to identify potential risks in areas where it may, directly or indirectly, engage with OFAC-prohibited persons or regions. It should include an assessment that "adequately accounts for the potential risks" posed by clients, customers, products, services, supply chains, intermediaries, counterparties, transactions and geographic locations. In other words, no one size will fit all. Rather, risk assessments should assess a specific company's inherent risks and corresponding controls to arrive at a residual risk level applicable to that one company. Risk assessments should then be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified through testing or auditing.
The Framework specifically emphasizes the importance of conducting due diligence from a sanctions risk perspective during new customer onboarding (i.e., as part of the KYC, CDD processes) and in the context of mergers and acquisitions. Purposeful integration of new employees, partners, customers and acquisition compliance functions will reduce risks inherent with those changes.
3. Internal Controls
The third "essential" element of a strong sanctions compliance program is internal controls, including policies and procedures that identify, escalate, investigate and maintain records of violations. Internal controls should include clear expectations, define procedures and processes pertaining to OFAC compliance, and identify weaknesses. Upon learning of a weakness, an organization should take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
US economic and trade sanctions are dynamic, and a compliance program should be capable of adjusting rapidly to changes published by OFAC, including SDN updates and new sanctions prohibitions imposed through the enactment of legislation, executive orders, regulations, or OFAC actions and guidance.
4. Testing and Auditing
The Framework emphasizes the importance of comprehensive, independent and objective audits in assessing the effectiveness of an organization's controls. The organization should enhance its program's technology as deficiencies are identified and updates become available. The audit function should be independent, with sufficient authority, skills, expertise and resources, though still accountable to senior management. Upon learning of a confirmed negative audit finding, the Framework recommends that an organization take immediate and effective action to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
Finally, the Framework highlights the need for periodic OFAC compliance-related training. Such training should be appropriately tailored in the following ways: to an entity's risk profile; to a trainee's specific role; scoped in a manner that is appropriate for the products and services the organization offers; specific for the types of customers, clients and partner relationships it maintains; and targeted to the geographic regions in which the organization operates.
OFAC will consider whether an organization holds its employees accountable for sanctions compliance training through assessments, and how the organization takes immediate and effective action to provide training upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program.
OFAC's Insights on "Root Causes"
To assist organizations in designing, updating and amending their sanctions compliance programs, OFAC also provided a nonexhaustive list of root causes associated with apparent violations of the regulations administrated by OFAC. The list was generated from numerous enforcement actions where deficiencies or weaknesses were identified in a sanctions compliance program. This section is arguably more useful that the Framework itself because it provides OFAC's summary of particular deficiencies in sanctions compliance programs that contributed to OFAC's enforcement decisions in the past.
The included examples of root causes are as follows:
- Lack of a formal, sanctions-specific compliance program
- Misinterpretation of OFAC's regulations, including reckless conduct or negligent disregard of multiple warning signs
- Facilitation of transactions by non-US persons and OFACsanctioned countries, regions or persons based on a misunderstanding of OFAC's regulations
- Failure to recognize warning signs that US economic sanctions laws prohibit the export or re-export of US-origin goods, technology or services to OFAC-sanctioned persons or countries
- Utilization of the US financial systems for commercial transactions with sanctioned parties where no organizations subject to US jurisdiction are involved in the underlying transaction
- Failure to update sanctions-screening software to incorporate updates to the SDN List, include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked or sanctioned financial institutions, or account for alternative spellings of prohibited countries or parties
- Deficient, improper or incomplete due diligence regarding customer information, including ownership, geographic locations, counterparties and transactions
- Decentralized compliance functions where personnel and decision-makers are scattered throughout various offices or business units, resulting in improper interpretation and inconsistent application of OFAC's regulations, lack of a formal escalation process to review high-risk customers or transactions, inefficient oversight and audit function, or miscommunications regarding the organization's sanctionsrelated policies and procedures
- Utilization of non-standard payment or commercial practices, which are frequently attempts to evade or circumvent OFAC sanctions, or conceal illegal activity
- The presence of individual bad actors within an organization who cause or facilitate violations of the regulations and make efforts to obfuscate and conceal their activities, even where robust sanctions compliance programs are in place
The OFAC Framework is not a revolutionary development in the world of compliance programs. It does not necessarily offer new insights into the constitution of strong versus weak compliance programs. However, it does serve as further evidence of a trend among US enforcement agencies to emphasize transparency and cooperation with regulated entities. Indeed, Ms. Mandelker presented her hallmarks of an effective sanctions compliance program expressly to "aid the compliance community in strengthening defenses against sanctions violations." Further, upon issuance of the Framework, Andrea Gacki, Director of OFAC, explained that it underscores a "commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements."
Moreover, just last week, the Department of Justice released a similar update, titled, "Evaluation of Corporate Compliance Programs," providing guidance on how federal prosecutors will evaluate the effectiveness of a company's corporate compliance program. Additionally, the five necessary elements of a risk-based sanctions compliance program, per OFAC, generally accord with earlier guidance published by the Financial Crimes Enforcement Network (FinCEN) in order to assist financial institutions to strengthen Bank Secrecy Act (BSA) and anti-money-laundering (AML) compliance cultures.
Companies subject to US jurisdiction, or foreign entities that conduct business in US dollars or with US entities, can learn a lot from the Framework. Regulated organizations should assess their sanctions risk and evaluate the robustness of their compliance programs in light of this guidance. In particular, organizations should take the following steps in light of OFAC's Framework:
- Ensure that your organization's sanctions compliance program is current, and can easily be adapted to reflect OFAC's dynamic changes
- Engage management in the sanctions process, and consider how management buy-in related to sanctions compliance is perceived throughout the organization
- Bring any risk assessment and auditing in line with the Framework by conducting frequent, independent, risk-based testing related to US trade and economic sanctions
- Evaluate sanctions controls to ensure they are designed to capture currently sanctioned entities and individuals, and have systems in place to update along with any regulatory changes
- Consider centralizing the compliance function to ensure consistency in interpretation and application of sanctions laws
- Establish tailored training and education programs for all levels of personnel, including management
- If there is any doubt as to whether your compliance program contains the five necessary elements discussed within, consult experienced sanctions counsel to ensure alignment with the Framework and/or to refine as necessary to address individual sanctions risks
As mentioned at the outset, the Framework will likely be very important in future in the context of settlement conversations with OFAC. First, because it will be used by the regulator to assess the adequacy of a compliance program when determining any commensurate penalty; second, because it will likewise be used by the company under scrutiny as an agenda for discussions designed to establish and emphasize mitigating factors.