OFAC Provides Guidance on the Essential Components of a Risk-Based Sanctions Compliance Program
On May 2, 2019, the Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury issued guidelines designed to provide companies with OFAC’s views on the essential components of a risk-based sanctions compliance program (“SCP”). Not surprisingly, OFAC’s views regarding the elements of an effective SCP mirror the requirements set forth in Section 352 of the Bank Secrecy Act, as amended by the USA PATRIOT Act, and its implementing regulations, which require “covered financial institutions” to establish anti-money laundering programs.
Not only should U.S. companies take note of these guidelines, but others who may find themselves subject to OFAC enforcement should pay attention, including non-U.S. companies that conduct business in or with the United States or that use U.S.-origin goods or services (including U.S. correspondent banking services).
OFAC Compliance Commitments
Subject to a number of factors relating to a company’s size and sophistication, products and services, customer and counterparties, and geographical locations, OFAC identified the following five overarching elements that are essential to any effective SCP:
- Management Commitment – The company’s senior management should demonstrate and communicate its commitment to compliance. Ways to demonstrate such commitment include ensuring that compliance units are delegated sufficient authority, autonomy and resources, and by promoting a “culture of compliance” throughout the organization.
- Risk Assessment – The compliance program should be tailored to the level of sanctions-specific risk posed, based on the company’s activities, products and services, and customers, among other factors. The risk assessment should be conducted “in a manner, and with a frequency, that adequately accounts for potential risks” and inform both the “timing and scope of future due diligence efforts.”
- Internal Controls – Internal controls should be implemented to identify, escalate, report and record activities that are prohibited under US sanctions. OFAC has identified a range of steps for ensuring that adequate controls are in place, including: implementing written compliance-related policies and procedures; maintaining clear and effective internal controls pertaining to the company’s ability to identify, interdict, escalate and report relevant transactions; enforcing the compliance policies and procedures; appointing personnel to integrate such policies and procedures; and maintaining adequate recordkeeping.
- Testing and Auditing – Periodic testing and audits should be conducted on specific elements of the compliance program and across the organization to identify and address any potential weaknesses or deficiencies. Specifically, the testing or audit should be a function that is accountable to senior management, independent of the audited activities or functions, and has sufficient resources and authority within the organization. In addition, the testing and auditing should be conducted at an “enterprise-wide level” to correct any negative findings or gaps across a company’s operations and be updated to reflect changes in a company’s risk assessment and sanctions environment.
- Training – Personnel and stakeholders should be provided sufficient and tailored sanctions-related training to employees and, as appropriate, stakeholders (suppliers, business partners, and counterparties). This includes OFAC-related training with a scope and frequency that accounts for the company’s risk profile and activities; at a minimum, all relevant employees should receive training at least once a year. Any deficiencies should be addressed immediately through training and other corrective action with respect to relevant personnel.
Notably, this is not the first time that OFAC has expressed, both in writing and in detail, its expectations regarding the contents and implementation of an effective SCP. In March 2019, OFAC announced a settlement agreement with US-based Stanley Black & Decker, Inc., (“Stanley Black & Decker”) and its foreign subsidiary, Jiangsu Guoqiang Tools Co., Ltd. (“GQ”), in which Stanley Black & Decker agreed to pay $1,869,144 on behalf of GQ for the subsidiary’s unauthorized export of various tools and related parts to Iran. The settlement agreement is particularly notable because OFAC provided significant guidance on what it appears to consider to be best practices in maintaining a risk-based sanctions compliance program, rather than its customary approach of including compliance “lessons” in its published summaries of settled, enforcement actions.
Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies
In an appendix to the guidelines, OFAC identified the “root causes” of apparent violations of U.S. sanctions that it has witnessed through the course of its investigations and enforcement findings. OFAC detailed a wide range of deficiencies and apparent violations, including: the lack of a formal SCP; a misunderstanding of OFAC’s regulations; facilitation of transactions by non-U.S. persons; non-U.S. persons exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries; non-U.S. persons engaging in violations of OFAC’s regulation by processing financial transactions through U.S. financial institutions; the failure to update or enhance sanctions screening software or filters; improper due diligence of customers, intermediaries, or counter-parties as part of a company’s supply chain; inconsistent application of an SCP; the failure to detect organizations that engage in conduct that is contrary to industry norms and practices in an effort to evade or circumvent OFAC sanctions; or individual, senior-level employees who engage in conduct that cause or facilitate violations of OFAC regulations. The focus on the activities and conduct of non-U.S. persons that have resulted in apparent violations of OFAC sanctions is particularly noteworthy.
By issuing this guidance, OFAC clearly is establishing its expectations of what type of compliance program it expects to see when deciding how to action enforcement cases. Implicit in these guidelines and the accompanying appendix may be a view that many companies have much work to do to align their sanctions compliance activities with the expectations of the agency. While these guidelines may be the latest outgrowth of OFAC’s enforcement guidelines and accompanying OFAC risk matrix issued a decade ago, they provide a more transparent and predictable standard for compliance for a regulated community that has been seeking greater clarity through guidance – as opposed to enforcement actions.
In sum, these guidelines demonstrate the importance that OFAC places on companies maintaining robust compliance programs, both from the standpoint of preventing potential violations but also as a mitigating factor were a violation to occur, and will likely be used by federal and state examiners in evaluating the sufficiency of a regulated institution’s OFAC compliance policies and procedures.