On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a detailed guide for implementing an effective sanctions compliance program. In “A Framework for OFAC Compliance Commitments,” OFAC sets forth, for the first time, five components that the agency views as essential for a sanctions compliance program. Since OFAC gives significant weight to the efficacy of a company’s compliance program in its enforcement actions, companies can now use OFAC’s guidance as a roadmap to determine whether their own compliance controls align with OFAC’s expectations.
OFAC published its compliance guidance just two days after a similar announcement from the U.S. Department of Justice (DOJ), which we previously discussed here. This recent spate of guidance confirms the significance the federal government places on robust and comprehensive compliance programs when evaluating companies in both the civil and criminal enforcement contexts.
OFAC’s Five Components for Sanctions Compliance Programs
The guidance begins by reiterating OFAC’s long-held position that corporate compliance programs should be tailored to the unique risk profile of each company, taking into account a company’s size, customer base, products, and geographic location. OFAC emphasizes that all corporate compliance programs should be based around five core components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
- Management commitment
OFAC first identifies management commitment as an essential piece of a compliance program. Senior leadership, executives, and the board of directors must support a company’s sanctions compliance program, including: (1) reviewing and approving the program; (2) implementing direct reporting lines between the sanctions compliance function and senior management; (3) appointing a dedicated OFAC sanctions compliance officer; (4) fostering a culture of compliance that allows personnel to report sanctions violations and discourages prohibited activities; and (5) applying systemic solutions that address apparent past violations and reduce the risk of future violations.
- Risk assessment
Companies should undertake a company-wide assessment of their “touchpoints to the outside world” to identify vulnerabilities and threats that could lead to sanctions violations. The assessment may include the development of a risk-rating method for customers and key accounts based on information from the customer and on companies’ own due diligence. In addition, OFAC stresses the importance of integrating sanctions compliance assessments into a company’s mergers and acquisitions processes through appropriate due diligence that can address sanctions issues before transactions are completed. Indeed, one need only look at OFAC’s recent enforcement history to find examples of significant unexpected post-acquisition sanctions liability.
- Internal controls
Sanctions compliance programs must have strong internal controls, and policies and procedures must be enforced. OFAC emphasizes that the purpose of internal controls is to identify clear expectations, define the procedures and processes pertaining to OFAC compliance, such as reporting, and then minimize the risks identified by the company’s compliance program. OFAC makes clear that a “paper program” without effective implementation will not suffice.
- Testing and auditing
Independent and objective audits of a company’s sanctions compliance program are recommended to identify weaknesses within the program. Regardless of whether the audits are carried out by third parties or the company itself, the auditors should have the appropriate expertise and resources. Following testing for weaknesses, the company should take immediate steps to implement interim controls until the root cause of any identified weakness can be permanently remediated.
- Training
Finally, company personnel involved with the company’s overseas business, customer onboarding, or other relevant activities should receive job-specific sanctions compliance training in addition to information on their specific sanctions compliance responsibilities. The company should hold employees accountable for sanctions compliance training through periodic assessments, and training programs should be easily accessible for employees. The company should also retain these training records to be able to demonstrate compliance to OFAC should it become necessary.
Common Causes of Sanctions Compliance Program Breakdowns and Deficiencies
OFAC concludes its roadmap by identifying 10 common pitfalls for sanctions compliance programs, which were compiled from recent OFAC enforcement actions. OFAC identifies the following root causes for sanctions violations:
- Lack of a formal OFAC sanctions compliance program.
- Misinterpreting, or failing to understand the applicability of, OFAC’s regulations.
- Facilitating transactions by non-U.S. persons.
- Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries.
- Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries.
- Sanctions screening software or filter faults.
- Insufficient due diligence on customers and clients.
- Decentralized compliance functions and inconsistent application of a sanctions compliance program.
- Utilizing non-standard payment or commercial practices.
- Employees of U.S. companies operating outside the U.S. and actively circumventing an existing sanctions compliance program.
With this new framework and list of common pitfalls, companies should take the opportunity to scrutinize the adequacy of their compliance programs and update them accordingly. Taking these steps now may prevent sanctions problems from occurring and will certainly help mitigate penalties should a violation occur despite the existence of a compliance program.