On May 2, 2019, following an official announcement by the Under Secretary of the Treasury for Terrorism and Financial Intelligence during the American Bankers Association/American Bar Association Conference on December 3, the Office of Foreign Assets Control (OFAC) released its much-anticipated Framework for OFAC Compliance Commitments delineating the key elements that it considers to be essential to an effective sanctions compliance program (SCP).
According to U.S. Treasury, the Framework was created “in order to provide organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States or U.S. persons… with OFAC’s perspective on the essential components of a sanctions compliance program.”
This guidance marks the first time that OFAC has provided prescriptive guidance to companies on its views of what should be included in an effective SCP. Sanctions compliance has always been in a gray area in terms of crafting a robust compliance program. Unlike anti-money laundering compliance, there is no specific legal requirement to create a dedicated sanctions compliance program. This Framework signals OFAC’s desire to communicate more effectively with the sanctions community, especially beyond the financial sector, and express its compliance expectations.
While the specifics of each SCP will vary, OFAC highlights five essential components of a successful SCP. The Framework also outlines how OFAC may incorporate these components when evaluating future apparent sanctions violations as well as ten main “root causes” that lead to a sanctions misstep.
OFAC’s Five Essential Components
In order to implement an effective SCP, OFAC has outlined five essential components that should be present in each organization’s compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
OFAC has long included a Risk Matrix in its Economic Sanctions Enforcement Guidelines as an appendix to the OFAC federal regulations as a guide for financial institutions; however, the sanctions regulator has never been so clear as to list its expectations.
- Management Commitment: According to OFAC, senior management’s commitment to an organization’s SCP is “one of the most important factors in determining its success”. In order to satisfy this component, OFAC states that senior management should support an SCP by:
- Reviewing and approving the organization’s SCP;
- Ensuring the compliance department has the requisite authority and autonomy to be effective, including direct reporting lines to senior management and periodic meetings;
- Providing the compliance department with adequate resources, such as human capital, expertise, and technology, as well as appointing a “dedicated OFAC sanctions compliance officer”;
- Promoting a “culture of compliance” throughout the organization; and
- Demonstrating recognition of the seriousness of OFAC violations and implementing appropriate measures to reduce their occurrence.
- Risk Assessment: OFAC is clear that organizations should always “take a risk-based approach when designing or updating [their] SCP” and should always “conduct a routine… ongoing risk assessment for the purposes of identifying potential OFAC issues”.
The Framework emphasizes a number of key areas that companies must assess in order to determine potential OFAC sanctions risk, including: clients/customers, products/services, supply chain/intermediaries and counterparties (i.e. third parties), transactions, and geographical location. In addition, OFAC stresses that risk assessment should always take place during onboarding of new clients as well as during any merger & acquisition.
OFAC also encourages organizations to develop a “methodology” to address any risks identified and conduct a periodic audit of its program.
- Internal Controls: The Framework sets out seven key internal controls that should be included in an SCP. According to OFAC, implementing these controls provides an organization with the policies and procedures necessary to “identify, interdict, escalate, report, and keep records pertaining to activity that may be prohibited by the regulations”:
- Written policies and procedures outlining the SCP that are easy to follow and designed to prevent employees from engaging in misconduct;
- Internal controls that help to identify risks, such as technology solutions that are calibrated to appropriately address the organization’s risk profile;
- Enforcement of internal controls through internal/external audits;
- Adequate recordkeeping policies to account for any requirements imposed by sanctions programs;
- A way to take immediate and effective action to remedy internal controls when a weakness is identified;
- Clear communication of the SCP policies and procedures to relevant staff and third parties; and
- Appointment of personnel to integrate the SCP into the daily operations of the organization.
It is worth noting that OFAC emphasizes the need for an organization to “be capable of adjusting rapidly to changes published by OFAC”—including changes to the SDN, SSI and other sanctions lists as well as the issuance of general licenses.
- Testing and Auditing: OFAC now encourages organizations to conduct audits to “assess the effectiveness of current processes and check for inconsistencies”. Companies are expected to incorporate three aspects into their SCP to ensure that:
- The audit function is accountable to senior management, is independent of the audited activities and has sufficient authority, skills, and expertise;
- The audit procedures are appropriate to the level of sophistication of its SCP; and
- The organization will take immediate action to remedy any issues determined by the audit.
- Training: OFAC identifies effective training as an “integral component of a successful SCP”. OFAC further explains that, for a training program to be considered adequate, an organization must:
- Ensure the program is tailored effectively and appropriately to all employees and stakeholders, especially “high-risk employees” within the organization;
- Provide training that is specific to the organization’s products and services, clients/customers, third parties and geographical location;
- Provide training with suitable frequency based on the organization’s risk profile;
- Ensure training on how to take effective and corrective action upon learning of a deficiency related to sanctions compliance; and
- Include easily accessible resources as a part of the training program.
It is worth noting that OFAC requires that training be not only periodic, but “at a minimum, annually”.
How OFAC May Incorporate The Five Components in Its Evaluations of Sanctions Violations
Though increased engagement by OFAC with the international business community is certainly a positive development, OFAC will now likely come to expect more from an organization’s SCP.
In the Framework, OFAC expressly states that it would now consider “the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed ‘egregious’.” Also, in the event of a sanctions violation, it is clear that OFAC will favorably consider organizations that have effective SCPs at the time of the violation. This makes having an effective SCP an even bigger factor in the potential mitigation of a civil monetary penalty.
Ten Root Causes of OFAC Sanctions Compliance Program Breakdowns
The Framework finishes by setting out ten root causes of apparent OFAC violations as well as the common reasons for these violations to occur. OFAC has based these findings on those issues that have led to enforcement actions over the last ten years.
These root causes include:
- Lack of a formal OFAC SCP altogether;
- Misinterpretation or failing to understand the applicability of sanctions;
- Using non-U.S. persons to facilitate transactions with sanctioned parties;
- Exporting or re-exporting U.S.-origin goods, technology, or services to sanctioned persons or countries;
- Utilizing the U.S. financial system for transactions with sanctioned persons, including by conducting the transaction in U.S. dollars;
- Faulty or outdated sanctions screening software;
- Improper due diligence on customers/clients;
- Decentralized compliance team and inconsistent application of an SCP;
- Utilizing non-standard payment and/or commercial practices, which defy industry norms; and
- Liable individuals who cause companies to be liable for sanctions violations.
Organizations should use these identified root causes as a tool to identify their own potential issues and improve their SCPs accordingly. If an organization’s SCP does not meet these standards, the organization may be at risk for hefty penalties that otherwise could have been prevented.
Compliance Sector Views Framework As ‘Benchmarking Tool’ and Expects Unregulated Corporates to be the Principal Targets
Most compliance professionals are glad to see OFAC’s expectations delineated in an easy-to-follow document and are treating the Framework as a valuable tool in complying with international sanctions regulations.
Stuart Gamester, Sanctions Compliance Director of GlaxoSmithKline (GSK) says that, “the introduction of the OFAC Compliance Framework was welcomed as a benchmarking tool, as complying with the proliferation of U.S. sanctions activity is burdensome and demanding. Our Sanctions Compliance Team understands that it is not enough to simply be aware of potential sanctions and stay ready to comply with them. It is equally important to have risk based systems and processes in place to accurately gather and translate voluminous amounts of data”.
Noel Brandt, Global Head of Compliance Analytics at Western Union, reiterates the above by saying, “Frameworks like this can help create a consistency, a level-playing field if you will, for the payment services industry that truly protects consumers, encouraging the same laws and regulations to be applied equally across market participants.”
Francisco Rapp, Chief Compliance Officer, Sanctions and Anti-Bribery at Citi, says that “OFAC’s publication is invaluable to Compliance Officers. Its content should serve as a source of affirmation for senior management at financial institutions that have heavily invested in sanctions programs.”
Though many well-established organizations will already have OFAC’s five components in place, less-established businesses, or businesses outside the financial sector may face challenges in getting up to speed.
Stuart Gamester of GSK reminds us that, “although many companies may already have the framework risk based controls in place, for some, the expertise, resource and risk management processes may be somewhat lacking and significant support ‘from the top’ will be required”.
“There is really nothing new for financial institutions coming out of OFAC’s sanctions compliance program framework release as regulators have been looking for this framework for years. The unregulated corporates appear to be the principal targets of the release, not having the robust regulatory oversight that banks have and seemingly becoming an increased focus for OFAC,” adds Ross Marrazzo, Treliant.