United States: OFAC's Framework For Sanctions Compliance And Its Impact On Recent Enforcement Cases

On May 2, 2019, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) published its first-ever  Framework for OFAC Compliance Commitments ("Framework"), detailing the essential components of a sanctions compliance program, and the contents were hardly a surprise. As we indicated in our recent client alert outlining  the top 20 compliance lessons to learn from the past year's OFAC enforcement cases, OFAC has hinted at this Framework since last fall when it began publishing  settlement agreements with compliance commitments included. Although OFAC reiterated that every company's risk-based sanctions compliance program will vary based on its own individual risk factors – including the company's size and sophistication, products and services, customers and counterparties, and geographic locations – OFAC characterized the five "essential components" of compliance as requiring: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Instead of merely summarizing these compliance commitments, the MoFo national security team has linked each commitment to the lessons of enforcement cases of the past year. As the Framework notes, "OFAC recommends all organizations subject to U.S. jurisdiction [including non-U.S. companies that engage in transactions with a U.S. nexus] review the settlements published by OFAC to reassess and enhance their respective [sanctions compliance programs], when and as appropriate."

The Framework resembles in many respects the updated  Evaluation of Corporate Compliance Programs Guidance Document  published by the U.S. Justice Department's Criminal Division in April 2019. At the end of the Framework, OFAC provided a list of common "root causes" of sanctions violations to help companies evaluate their compliance programs, and we've also linked those root causes to recent sanctions enforcement cases. Accordingly, now that OFAC has articulated what it's looking for in a compliance program and described common root causes of violations, it's time for companies to review their programs to make sure they conform to expectations. Companies should do so not just to be the best they can be in terms of sanctions compliance, but also because the Framework makes clear that OFAC will "consider favorably" effective sanctions compliance programs (and unfavorably ineffective ones) when resolving future enforcement cases. Here's what OFAC expects:

1. Management Commitment

As the old saying goes, "it rolls downhill." If management doesn't support or only begrudgingly supports a compliance program, then compliance staff are unlikely to be effective in their roles. Therefore, OFAC notes that it expects senior management to review and approve sanctions compliance programs.

Similarly, compliance staff need to have the authority to do their jobs. If business folks can ignore compliance staff the way they did in OFAC's case against  Ericsson, there is little hope that even a well-designed program will be effective. Compliance staff should be given the autonomy necessary to implement policies and procedures to effectively control an organization's OFAC risk. As part of this effort, senior management should ensure the existence of direct reporting lines between themselves and compliance staff, including by having routine and periodic meetings.

Regardless of their authority on paper, compliance staff are unlikely to be effective at preventing sanctions violations if they are under-resourced. Senior management need to take steps to ensure that their organization's compliance staff receive adequate resources, including human capital, expertise, information technology, and other resources as appropriate, relative to the organization's breadth of operations, target and secondary markets, and other factors affecting its risk profile (see e.g., the  Cobham and  Société Générale cases where OFAC credited the companies with beefing up their compliance staffs). Companies, as in the  Zoltek and  MID-SHIP cases, should appoint a dedicated OFAC sanctions compliance officer, although – depending on the company's size and complexity – that person may also serve in other senior compliance positions (such as the Bank Secrecy Act or export control officer).

Finally, senior management need to promote a "culture of compliance" where employees feel free to report sanctions issues without a fear of reprisal and where serious sanctions issues are rapidly remediated. This can be accomplished when senior management communicate to staff the seriousness of violating sanctions or failing to comply with an organization's sanctions compliance program. To the extent sanctions violations have occurred in the past, senior management should ensure measures are taken to address the root cause through systemic solutions whenever possible. OFAC has explicitly required each party it settled with since fall 2018 to commit to promoting a culture of compliance.

2. Risk Assessment

OFAC has consistently asked companies to have a "risk-based compliance program." In order to develop such a program, companies need to know their risk profile. OFAC's second compliance commitment addresses this issue by placing an expectation on companies that they will conduct sanctions risk assessments on themselves. OFAC notes that while there is "no 'one-size-fits-all' risk assessment," risk assessments should generally consist of a "holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world," including risks posed not just by clients and customers, but also by its supply chain, intermediaries, and counter-parties, as well as by its products, services, and transactions and the geographic locations of the organization and its customers, supply chain, intermediaries, and counterparties.

In assessing sanctions risk, organizations should leverage existing information derived from due diligence occurring at on-boarding and other points in a relationship or transaction. For example, an organization could develop a risk rating system for customers or account relationships using information obtained through a Know Your Customer or Customer Due Diligence process. A helpful tool for assessing sanctions risk in this way is the OFAC Risk Matrix provided as an Annex to OFAC's  Economic Sanctions Enforcement Guidelines.

Risk assessments are essential during mergers and acquisitions. Sanctions violations related to mergers and acquisitions have become commonplace on OFAC's enforcement page with its cases against Kollmorgen, AppliChem, Stanley Black & Decker, and Cobham. Therefore, compliance functions should be integrated into the mergers and acquisitions process to ensure sanctions-related issues are identified, escalated to relevant senior management, and addressed prior to the completion of the merger.

Furthermore, OFAC expects companies to develop a methodology to identify, analyze, and address sanctions risks. OFAC clarified that risk assessments are not a one-off task, but instead should be "routine, and if appropriate, ongoing" to account for any violative conduct or root causes of apparent violations.

3. Internal Controls

Most global businesses should be familiar with the concept of internal controls from the Foreign Corrupt Practices Act or, for financial institutions, from their mandatory anti-money laundering programs. OFAC believes such internal controls should include policies and procedures to identify, interdict, escalate, report, and maintain records pertaining to sanctions. These policies and procedures should be enforced and weaknesses identified and remediated. OFAC recommends seven categories of internal controls:

  1. Written policies and procedures outlining the organization's sanctions compliance program that are easy to follow and designed to prevent employee misconduct;
  2. Internal controls to effectively identify, interdict, escalate, and report sanctions issues to appropriate personnel;
  3. Enforcement of an organization's sanctions compliance program through internal and/or external audits;
  4. Adequate recordkeeping policies and procedures to account for OFAC's recordkeeping requirements;
  5. A system to immediately and effectively respond to weaknesses identified in an organization's internal controls, including by identifying and implementing compensating controls until the root cause of the weaknesses can be determined and remediated;
  6. Clear communication of sanctions compliance policies and procedures to all relevant staff, including compliance personnel, gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, and sales); and
  7. Dedicated staff for integrating sanctions compliance policies and procedures into the daily operations of an organization.

These internal controls should be developed and implemented in response to a company's risk assessment and should be updated to reflect changes to that assessment.

Internal controls such as these would have protected against the apparent violations in OFAC's  AppliChem case, where AppliChem's U.S. parent, Illinois Tool Works, Inc. (ITW), sent directives to AppliChem to cease its business with Cuba. However, ITW didn't have adequate controls in place to ensure clear communication of sanctions compliance issues, letting these violations continue for years. Proper internal controls may also have prevented the finding of violation (with no monetary penalty) in the recent  State Street Bank case, where compliance personnel aligned with the line of business – rather than the bank's centralized sanctions compliance personnel with specialized sanctions expertise – reviewed (and ultimately allowed) beneficiary payments to a U.S. person resident in Iran. 

4. Testing and Auditing

The best laid plans always work in theory. However, OFAC expects companies to make sure their compliance programs work on more than just paper. To accomplish this, OFAC expects companies to engage in regular testing and auditing of their compliance programs to assess the effectiveness of current processes, check for inconsistencies between these and day-to-day operations, and identify weaknesses and deficiencies, including in program-related software, systems, and other technology, as well as to account for a changing risk assessment or sanctions environment. Such testing and auditing can be conducted on a specific element of a sanctions compliance program or at the enterprise-wide level.

The testing and auditing function of a sanctions compliance program should be accountable to senior management and independent of the activities it is intended to test. Furthermore, just as the compliance program must be tailored to the size and sophistication of the company, so too should the testing and auditing function of the program. Finally, it wouldn't make much sense to test a program if poor results were ignored. OFAC expects companies to take "immediate and effective action" to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

OFAC specifically discussed auditing in its Stanley Black & Decker, e.l.f. Cosmetics, and Jereh Group cases. In the Stanley case, OFAC mentioned that Stanley did not implement procedures to monitor or audit its Chinese subsidiary's operations to ensure that Iran-related sales had ceased. In e.l.f. Cosmetics, OFAC mentioned that e.l.f.'s supplier audits failed to discover that most of its false eyelash kits contained materials from North Korea. In the Jereh case, an external review found that Jereh's compliance controls were "easily circumvented and, when circumvented, the circumvention could and did go undetected." If Jereh had regularly audited its compliance program and followed up on those audits, it may have detected that its sales team was diverting shipments to Iran. The message from these penalties is clear: sanctions compliance programs should not be paper tigers.

5. Training

Finally, it doesn't matter how easy a compliance program is to follow if no one knows about it. OFAC expects companies to ensure that all appropriate employees and stakeholders (such as clients, suppliers, business parties, and counterparties) are trained on their sanctions obligations. This means making sure high-risk employees receive specialized training. Training should be tailored to the products and services a company offers, the customers, clients, and partner relationships it maintains, and the geographic regions in which it operates.

Training cannot be a one-off. Sanctions come and go at legal speeds equivalent to the speed of light. Therefore, training must be sufficiently regular, based on an organization's risk assessment and risk profile, to ensure employee knowledge doesn't go stale. When regular trainings aren't enough and problems occur, OFAC expects a company to take immediate and effective action to provide training or other corrective action as appropriate. For example, in OFAC's settlements with e.l.f. Cosmetics and Jereh Group, each company hired third parties to train key employees as part of their remedial efforts.

Additionally, a training program should include easily accessible resources and materials available to all employees who need them. Training would have been especially helpful in OFAC's case involving  Haverly Systems, Inc. At the time of the violations, Haverly did not have a sanctions compliance program and apparently did not recognize that receiving late payments from a sectorally sanctioned entity in Russia is prohibited. If its employees had received effective sanctions compliance training, the violations may not have occurred.

Root Causes of OFAC Sanctions Compliance Program Breakdowns

To assist companies in reviewing their compliance programs, OFAC provided a list of ten specific "root causes" associated with sanctions violations. To assist readers with their compliance program reviews, we've listed OFAC's ten root causes with a citation to relevant OFAC cases.

  1. Lack of a formal sanctions compliance program. OFAC's regulations do not require a formal sanctions compliance program. However, not having one may be viewed by the agency as aggravating and the root cause of sanctions violations, especially for organizations engaged in international trade (see  Haverly, where OFAC found Haverly's lack of a compliance program to be aggravating; see also  Jereh Group where an external review of the company's compliance program noted that Jereh's compliance controls were "largely non-existent").
  2. Misinterpreting or failing to understand the applicability of OFAC's regulations. Many companies fail to understand or simply disregard the fact that certain activity is prohibited and that OFAC sanctions apply to their organizations or operations because of their status as U.S. persons, U.S.-owned or -controlled foreign subsidiaries (in the case of Cuba and Iran sanctions), or their dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods, services, and technology (see AppliChem, where AppliChem's German management ignored directives from their U.S. management to halt business with Cuba).
  3. Facilitating transactions by non-U.S. persons. U.S. companies with foreign operations sometimes fail to recognize that U.S. management and other U.S.-based personnel and systems cannot be involved in transactions by their foreign subsidiaries with sanctioned persons, even when those transactions would not be prohibited for the foreign subsidiary. Global companies with integrated operations requiring participation by U.S. personnel or locations should ensure their activities, including approvals, contracts, and procurements, are compliant with OFAC rules (see  Zoltek, where Zoltek's U.S. management was aware Zoltek's Hungarian subsidiary was dealing with sanctioned counterparties but apparently didn't realize it was prohibited for Zoltek's U.S. management to be involved in those transactions).
  4. Exporting or reexporting U.S.-origin goods, technology, or services to sanctioned persons or jurisdictions. Many exporters fail to realize that having an intermediary distributor or trade company between them and a sanctioned party does not affect their sanctions obligations and that they must take steps to determine who the end-users are (see  Cobham, where Cobham failed to follow up on warning signs that the purchaser of its products was a sanctioned party).
  5. Utilizing the U.S. financial system or processing payments to or through U.S. financial institutions for transactions involving sanctioned persons or jurisdictions. This is one of the ways global banks and operating companies most frequently get into trouble. One or more of their correspondent relationships will want to clear a dollar-denominated transaction through New York and, despite warning signs, a U.S. bank will process the payment (see  Société Générale, where Société Générale processed payments through the United States involving Cuba, Sudan, and Iran), or a non-U.S. company will attempt to use a U.S. bank to pay on a dollar-denominated contract or clear and settle a transaction involving multiple currencies.
  6. Sanctions screening software or filter faults. While many organizations screen OFAC's lists, they do not always take steps to ensure that their screening software is effective; the software may not have been updated to include recent additions to sanctions lists, certain pertinent information such as SWIFT Business Identifier Codes, or alternative spellings of sanctioned parties (see  Cobham, where Cobham's screening software failed to display specific warnings for "Almaz Antey Telecom" when there was a specially designated national named "Almaz Antey").
  7. Improper due diligence on customers/clients. While many companies conduct due diligence on customers/clients, many fail to realize that they also should conduct due diligence on their supply chain, intermediaries, and other counterparties (see  e.l.f. Cosmetics, where e.l.f.'s inadequate supplier audits failed to discover that many of its products contained North Korean-origin materials).
  8. Decentralized compliance functions and inconsistent application of sanctions compliance programs. When compliance personnel are dispersed throughout various offices or business units of a global organization, violations can result from improper interpretation and application of OFAC's regulations, the lack of a formal escalation process to review high-risk or other potential OFAC issues, an inefficient or incapable oversight and audit function, or miscommunications regarding sanctions compliance policies and procedures (see  State Street Bank, where compliance personnel aligned with the line of business, rather than the bank's centralized sanctions compliance personnel, reviewed sanctions hits related to Iran). 
  9. Utilizing non-standard payment or commercial practices. Organizations attempting to evade or circumvent OFAC sanctions or conceal their activity frequently may implement non-traditional business methods to complete their transactions (see  UniCredit, where UniCredit processed payments on behalf of sanctioned persons in a manner that concealed the involvement of the sanctioned parties in contravention of UniCredit's policies).
  10. Individual liability. Despite the best sanctions compliance programs, sometimes the root cause of a sanctions violation may result from one or more employees – generally in a subsidiary far removed from a global headquarters – engaging in determined action to violate sanctions (see Kollmorgen, where the managing director of Kollmorgen's Turkish subsidiary falsified records and lied to Kollmorgen management to conceal sanctions violations). Such behavior may only be identified by utilizing some of the measures identified above, such as risk assessments, internal controls (including whistleblower hotlines), testing and auditing, and training.

In conclusion, OFAC's compliance commitments are a double-edged sword. On the one side, they provide clarity to companies looking to develop or improve their sanctions compliance programs. But, on the other side, they set a standard with the implicit threat of penalties when compliance programs aren't up to par.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
