May 7, 2019 – On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued “A Framework for OFAC Compliance Commitments” (the “Framework”). The Framework highlights the need for companies to implement risk-based sanctions compliance programs, and establishes OFAC’s expectations for how it will establish compliance commitments that will be included in settlement agreements for companies charged with violations.
The Framework was released just days after the Criminal Division of the U.S. Department of Justice (“DOJ”) published an updated version of its “Evaluation of Corporate Compliance Programs,” which provides guidance on how DOJ assesses the effectiveness of a company’s compliance program and explains the role this assessment plays in enforcement. (We summarized the DOJ’s guidance here.) The OFAC and DOJ publications underscore the increasing scrutiny regulators place on compliance and the need for companies to implement comprehensive and effective, risk-based compliance programs.
Summary of OFAC’s Framework
OFAC’s Framework encourages those subject to OFAC regulations to implement sanctions compliance programs with five essential elements:
Management Commitment - A company’s senior management, including senior leadership, executives, and the board of directors, must actively support the company’s sanctions compliance program. This means senior managers should review and approve the program; establish direct reporting lines from the sanctions compliance function to senior management; and recognize the seriousness of potential OFAC sanctions violations by analyzing the causes, and implementing systemic solutions. It is important that senior management promote a company-wide culture of compliance through their messaging and actions, establishment of non-retaliation policies, and being subject to compliance oversight themselves. Senior management should also allocate sufficient resources to enable effective compliance program implementation.
Risk Assessment - Companies should conduct an enterprise-wide assessment of the vulnerabilities and threats that could lead it to run afoul of OFAC regulations. Based on that assessment, companies should then take a risk-based approach when designing or updating their sanctions compliance programs. Important risk factors may be raised by a company’s size; its products or services; the geographic regions in which it operates; its customer base; intermediaries and counterparties involved in its transactions; and the type of transactions it undertakes as part of its business. OFAC’s Framework explains that companies should develop a risk-rating system for its customers, customer groups, or key account relationships, based on information provided by the customer and the company’s own due diligence about the customer. Further, sanctions compliance assessments should be integrated into a company’s mergers and acquisitions processes through appropriate due diligence designed to identify, escalate, and address potential sanctions issues before the transaction concludes.
Internal Controls - Effective sanctions compliance programs have appropriate internal controls in place. These include policies and procedures that identify, interdict, escalate, report (as appropriate), and keep records of any activities that may violate OFAC regulations. Notably, policies and procedures should be clearly communicated and easy to follow, address the risks identified in the company’s risk assessment, account for the requirements of OFAC sanctions programs, and clearly designate personnel charged with carrying out the sanctions compliance policies and procedures.
Testing and Auditing - Comprehensive, independent, and objective audits of a company’s sanctions compliance program, including its internal controls, are necessary to identify deficiencies and assess where sanctions compliance programs should be enhanced or updated. Whether or not the audits are conducted by a third party or by in-house personnel, those carrying out audits should have sufficient authority, skills, and resources. Additionally, audit procedures should be commensurate with the compliance program’s level of sophistication, and should include a root cause determination of and propose ways to remediate any negative findings.
Training - Under OFAC’s Framework, all appropriate company personnel should receive tailored, job-specific sanctions compliance training at least annually, as well as information on their specific sanctions compliance responsibilities. Companies should make training resources easily accessible to pertinent personnel, hold personnel accountable for sanctions compliance through assessments, and provide training and corrective instruction responsive to any misconduct or program deficiency. Companies should ensure appropriate stakeholders (e.g., clients, suppliers, business partners, and counterparties) also receive sanctions compliance training.
OFAC emphasizes that effective sanctions compliance programs will be viewed favorably in assessing potential violations. In instances where violations result in civil monetary penalties, OFAC may incorporate one or more of these five elements into the settlement agreement.
Root Causes of OFAC Sanctions Compliance Breakdowns or Deficiencies
OFAC also highlights 10 specific root causes of sanctions compliance program breakdowns or deficiencies, gleaned from its recent enforcement actions. These root causes are generally categorized as follows:
Failure to understand or appreciate the law - OFAC believes that many companies fail to understand the reach of OFAC regulations. One such example is foreign companies that fail to appreciate that OFAC sanctions apply based on their status as U.S. persons or U.S.-owned or controlled subsidiaries (for the Cuba and Iran sanctions programs), or because they are doing business with U.S. persons, engage the U.S. financial system, or use U.S.-origin goods and technology.
Non-U.S. person facilitation, export and re-export, or use of U.S. financial system or institution - OFAC notes that companies can violate OFAC sanctions by facilitating business between the company’s non-U.S. locations and OFAC-sanctioned countries, regions, or persons. Companies have also repeatedly purchased U.S.-origin goods with the specific intent to re-export, transfer, or sell them to a person, country, or region subject to OFAC sanctions – even amid warnings signs that this activity is prohibited by U.S. economic sanctions laws. Additionally, many non-U.S. persons have violated OFAC regulations by processing financial transactions (typically in U.S. dollars) to or through U.S. financial institutions, where the underlying commercial activity involves an OFAC-sanctioned country, region, or person. In such cases, it is often the inclusion of a U.S. financial institution alone that causes violations of OFAC regulations.
Purposeful or individual actions to evade sanctions - Many OFAC sanctions violations involve companies that conceal wrongful transactions through non-traditional business methods, or individual employees who play key roles in causing or facilitating OFAC sanctions violations, sometimes obfuscating or concealing their activities.
Deficient sanctions compliance program or implementation - In some cases, companies violate OFAC sanctions because they have no formal compliance program in place. In other cases, companies have established sanctions compliance programs but display deficiencies in program implementation. Deficiencies in implementation may include, for example, the failure to update sanctions screening software with new designated entities or identifiers, or the failure to account for alternative spellings of prohibited countries or parties. Companies may also fail to conduct adequate due diligence on customers, counterparties, and third parties. Further breakdowns in implementation may occur when companies have decentralized compliance personnel, resulting in ineffective oversight, auditing, and communication of policies or procedures, as well as the lack of a formal process for escalating high-risk transactions.
As noted, OFAC’s Framework was released just days after the DOJ’s Evaluation of Corporate Compliance Programs update, and both guidance documents highlight similar key compliance program elements. Companies should take these developments as a signal to critically assess the adequacy of their own compliance programs and determine what updates may be appropriate or necessary. In an increasingly complex regulatory environment, it is more important than ever that companies have comprehensive risk-based compliance programs in place, with adequate controls and procedures to detect and respond to misconduct.