Recent times have seen an uptick in sanctions enforcement actions, placing an onus on many compliance suites and officers to take heed and build a robust sanctions compliance program.
In April alone, OFAC concluded settlement agreements with Standard Chartered Bank, three UniCredit Bank companies, an oilfield services provider, and Stanley Black & Decker (a well-known U.S. tool manufacturer). As all agreements follow a very similar pattern, it is safe to assume that OFAC has decided upon a standard set of requirements for all companies to be compliant.
Whether you are a company that has recently been fined by OFAC or are looking to avoid being fined by the regulator, these top tips should assist you in trying to stay ahead of the game.
Standard OFAC Requirements
In addition to paying a fine, recent settlement agreements all impose certain commitments with respect to an entity’s sanctions compliance program.
These commitments include:
- A commitment by management to sanctions compliance;
- An assessment of sanctions risk;
- Implementation of an adequate system of internal controls;
- Periodic testing and audits of the sanctions compliance system;
- Sanctions training; and
- An annual certification for five years that the system satisfies these requirements.
This settlement agreement model requires the first certification to be no more than 180 days after the agreement is signed. This means a company only has six months to fulfill all the above requirements and bring their program up to scratch.
Such a short deadline places a premium on prior planning.
Ten Tips on Fulfilling OFAC Settlement Requirements
When working as ING’s Head of Global Sanctions Compliance from 2013 to 2014, one of my chief responsibilities was to help ensure that ING satisfied the terms of its settlement agreement with the United States. During that process, I learned a number of lessons that may provide some assistance to companies – whether they are banks, manufacturers, or service providers – that find themselves dealing with an OFAC settlement agreement. Much of this can also be applied to those seeking to avoid attention from the regulator.
- Assemble a team responsible for the process. It is essential to form a team at the very beginning that will have primary responsibility for doing whatever must be done to comply/stay compliant. Though the team will normally consist of experienced personnel from Compliance and Legal, it may also include representatives from the business side of the company, as well as personnel from more technical areas, such as trade finance or export processing. If your organization is not a U.S. company, be sure to involve at least one expert on U.S. sanctions as well. While it is fine to call upon at least some external assistance to provide specialized expertise, do not be tempted to outsource the entire process. OFAC compliance requires a thorough understanding of the bank’s internal policies and procedures. In addition, because the system will continue to operate after any outside experts are gone, your own personnel should take the lead.
- Assign one or two people to take primary responsibility for the process. Managing the compliance process will not necessarily be a full-time job, but it may be close to it. You need someone to oversee the process to ensure that progress is being made on a day-to-day basis.
- Identify exactly what the settlement agreement requires, and assign responsibilities for each obligation. A settlement agreement typically imposes a number of requirements. Some of them may be very specific, while others are extremely broad. An obvious starting point is to go through the agreement in detail and assign someone on the team explicit responsibility and authority to address each requirement. If you are looking to enhance your compliance system, use the OFAC commitments as your guidelines.
- Decide who is / how you are going to certify. The new standard settlement agreement simply says that “a senior-level executive or manager” must make the annual certification. An important first step is to decide who will conduct the actual review of compliance with the terms, and who this certifying executive will be. Equally important is to specify the process for certification. The responsible executive cannot simply decide at the end “yes, we’re good.” You need to specify how the process will work, including when and in what form the responsible executive will receive the necessary information. A schedule should be an intrinsic part of the process, to make sure that you’re not trying to do everything at the last minute.
- Agree on the terms of certification. Although they now provide more detail, the new model of OFAC settlement agreements still leaves many questions open about certification requirements. For example, the recent OFAC agreements require that a company’s compliance system include “written policies and procedures outlining its sanctions compliance program.” They do not say what policies and procedures an adequate sanctions compliance program should include. The team should identify at the start the components of such a program, so that there is a clear guide for certification. The same is true with respect to the other terms, including management commitment, risk assessment, review and audit, and training.
- Draw upon internal technical expertise, when necessary. In the course of reviewing your company’s compliance system, it is likely that highly technical issues will arise in connection with policies and procedures over such topics as payments or trade finance. The team should be able to identify and draw upon the company’s internal experts to resolve these issues.
- Provide adequate training to the certifiers. To ensure objectivity, some function other than Compliance or Legal is likely to make the certification. Internal Audit is an obvious choice. However, it is likely that the people conducting the review know little if anything about sanctions. It is essential to provide them with training at the very start of the process so that they understand exactly what it is they’re doing.
- Set up rules of governance. There will be disagreements during the certification process. Your organization should establish rules of governance at the very beginning to specify who is authorized to make decisions, and how the inevitable disagreements will be resolved. Ultimately, this may require a decision by top management or the Supervisory Board/Board of Directors. If you set up the rules of governance at the beginning, you can avoid time-consuming arguments later.
- Use this as an opportunity to improve your compliance system. As a result of the compliance process, you will end up examining your sanctions compliance system in great detail. This provides an excellent opportunity not just to identify gaps in the system, but also to assess how the system is working and how it can be improved.
- Be patient. The process of complying with a settlement agreement can be frustrating. Try and be as patient as possible. If you’re organized, have set up a team and a manager, fixed a schedule, and agreed on exact certification requirements, then the process will most likely be a success. Moreover, you will find your sanctions compliance system is stronger and more effective than ever before.
*Scott Nance is an attorney based in Washington, DC, with over 30 years’ experience in all aspects of international trade law. Scott is the Principal at Langley Compliance Consulting, where his practice focuses primarily on advising companies on how to comply with U.S. sanctions, export control, and anti-money laundering laws. He is also the Chair of the ACSS Editorial Taskforce.
He can be reached at firstname.lastname@example.org.