INSIGHT: A Compliance Roadmap to Avoid OFAC Sanctions Violations

June 5, 2019, 8:01 AM UTC

On May 2, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments (the Framework), sharing its insight into common causes of U.S. sanctions violations and advising anyone whose business activities have a U.S. nexus to develop, implement, and routinely update a risk-based sanctions compliance program (SCP).

Why Implement a Risk-Based SCP?

OFAC has recently stepped up its enforcement efforts. In 2018, the total value of reported civil monetary penalties or settlements was approximately $72 million. In contrast, during the first four months of 2019 alone, this number has soared to nearly $1.3 billion—a record for OFAC.

In response to an apparent violation, the adequacy of a company’s SCP is one of the factors OFAC considers when determining the appropriate enforcement action. Demonstrated adherence to a risk-based SCP is potentially a mitigating consideration, provided that the SCP was in place at the time of the apparent violation.

OFAC identified the following as the most common root causes of U.S. sanctions compliance failures and deficiencies:

  • Lack of a formal SCP;
  • Misinterpreting or misunderstanding OFAC’s regulations;
  • Facilitating transactions by non-U.S. persons, including non-U.S. subsidiaries or affiliates;
  • Exporting or re-exporting U.S.-origin goods, technology, or services to sanctioned persons or countries;
  • Utilizing the U.S. financial system or institutions in transactions involving sanctioned persons or countries;
  • Sanctions screening software or filter fault;
  • Improper due diligence of customers and clients;
  • Decentralized compliance functions and inconsistent implementation of an SCP;
  • Utilizing non-standard payment or commercial practices; and
  • Individual employee actions causing or facilitating sanctions violations.

OFAC also stated that it will “consider using its enforcement authorities not only against the violating entities, but against the individual as well.” The focus on individual conduct is likely to shape future investigations and enforcement action.

Essential Components of a Risk-Based SCP

Each company’s SCP will vary depending on its characteristics and operations, such as its size, sophistication, customers, supply chain, intermediaries, counterparties, locations, payment channels, and payment methods. Centralized, company-wide SCPs identify, terminate, document, escalate, and report (as appropriate) activities that may violate U.S. sanctions laws and regulations.



A risk-based SCP consists of five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

1. Management Commitment
OFAC considers senior management’s commitment to supporting an SCP as one of the determinative factors in the success of the SCP. Senior management should review and approve the SCP, provide adequate financial and human resources to the compliance units, and ensure that the compliance units (i) have a direct line of communication with management, (ii) have been granted the requisite authority and autonomy to implement and enforce the SCP on a firm-wide basis, and (iii) have sufficient resources to manage the organization’s sanctions compliance risk profile.

2. Risk Assessment
Risk-based SCPs must be tailored for each entity, and refined and updated periodically to identify threats or vulnerabilities that present possible U.S. sanctions compliance risks. Risk assessment helps an entity determine how much due diligence is necessary for a specific relationship or a transaction. Entities should leverage what customers and clients provide to them with independent research conducted at the outset of a relationship. A good SCP will be updated regularly to address the root causes of “any apparent violations or system deficiencies identified by the organization during the routine course of business.”

3. Internal Controls
An entity needs internal controls to address the results of its risk assessment. An SCP should include internal controls, such as policies and procedures, to detect, terminate, escalate, report and keep records of potential sanctions violations. Internal controls outline clear expectations, define procedures and processes pertaining to U.S. sanctions compliance, and minimize the identified risks.

Policies and procedures should be clear and easy to follow to prevent employees from violating U.S. sanctions. The entity should communicate its policies and procedures to all relevant staff and should appoint personnel to integrate them into the daily operations of the entity. Internal controls should be enforced through internal and/or external audits.

4. Testing and Auditing
An effective SCP includes a testing/auditing function to assess the effectiveness of the SCP processes. The audit function needs to be independent, objective, and subject to review by senior management. An entity may conduct enterprise-wide or specific testing and auditing, and should enhance its SCP and SCP-related technology to remediate any identified compliance gaps.

When there is a negative testing result or an audit finding, an entity should take immediate action and implement protective measures until the root cause can be identified and remediated.

5. Training
Periodic SCP training for all relevant employees—occurring at least once per year—is a vital component of an effective SCP. The SCP training program should include easily accessible resources and materials available to all applicable personnel.

It should also endeavor to provide job-specific knowledge, communicate the sanctions compliance responsibilities of each employee or stakeholder, and hold employees accountable for sanctions compliance training through assessments.

Training should be further tailored for high-risk employees.

Given the long reach of U.S. sanctions and the rising costs of noncompliance, it is in all companies’ financial interest to develop and implement a centralized, risk-based SCP if they have not already done so, and to conduct a risk assessment to evaluate their existing SCP.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author information

Ginger T. Faulk and Mark D. Herlach are partners and Vedia Biton Eidelman and Chuck R. Thompson II are associates in the Washington, D.C., office of Eversheds Sutherland (US) LLP. With practices focusing on international trade, Faulk, Herlach, Eidelman, and Thompson represent multinational companies in a wide range of matters, including government regulation of foreign trade and investment; regulatory matters, including sanctions (OFAC) and antiboycott matters; cross-border transactions; export control and Foreign Corrupt Practices Act investigations; free trade agreements and other international trade issues.
