On May 2, 2019, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) published its first-ever  Framework for OFAC Compliance Commitments ("Framework"), detailing the essential components of a sanctions compliance program, and the contents were hardly a surprise. As we indicated in our recent client alert outlining  the top 20 compliance lessons to learn from the past year's OFAC enforcement cases, OFAC has hinted at this Framework since last fall when it began publishing  settlement agreements with compliance commitments included. Although OFAC reiterated that every company's risk-based sanctions compliance program will vary based on its own individual risk factors – including the company's size and sophistication, products and services, customers and counterparties, and geographic locations – OFAC characterized the five "essential components" of compliance as requiring: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Instead of merely summarizing these compliance commitments, the MoFo national security team has linked each commitment to the lessons of enforcement cases of the past year. As the Framework notes, "OFAC recommends all organizations subject to U.S. jurisdiction [including non-U.S. companies that engage in transactions with a U.S. nexus] review the settlements published by OFAC to reassess and enhance their respective [sanctions compliance programs], when and as appropriate."

The Framework resembles in many respects the updated  Evaluation of Corporate Compliance Programs Guidance Document  published by the U.S. Justice Department's Criminal Division in April 2019. At the end of the Framework, OFAC provided a list of common "root causes" of sanctions violations to help companies evaluate their compliance programs, and we've also linked those root causes to recent sanctions enforcement cases. Accordingly, now that OFAC has articulated what it's looking for in a compliance program and described common root causes of violations, it's time for companies to review their programs to make sure they conform to expectations. Companies should do so not just to be the best they can be in terms of sanctions compliance, but also because the Framework makes clear that OFAC will "consider favorably" effective sanctions compliance programs (and unfavorably ineffective ones) when resolving future enforcement cases. Here's what OFAC expects:

1. Management Commitment

As the old saying goes, "it rolls downhill." If management doesn't support or only begrudgingly supports a compliance program, then compliance staff are unlikely to be effective in their roles. Therefore, OFAC notes that it expects senior management to review and approve sanctions compliance programs.

Similarly, compliance staff need to have the authority to do their jobs. If business folks can ignore compliance staff the way they did in OFAC's case against  Ericsson, there is little hope that even a well-designed program will be effective. Compliance staff should be given the autonomy necessary to implement policies and procedures to effectively control an organization's OFAC risk. As part of this effort, senior management should ensure the existence of direct reporting lines between themselves and compliance staff, including by having routine and periodic meetings.

Regardless of their authority on paper, compliance staff are unlikely to be effective at preventing sanctions violations if they are under-resourced. Senior management need to take steps to ensure that their organization's compliance staff receive adequate resources, including human capital, expertise, information technology, and other resources as appropriate, relative to the organization's breadth of operations, target and secondary markets, and other factors affecting its risk profile (see e.g., the  Cobham and  Société Générale cases where OFAC credited the companies with beefing up their compliance staffs). Companies, as in the  Zoltek and  MID-SHIP cases, should appoint a dedicated OFAC sanctions compliance officer, although – depending on the company's size and complexity – that person may also serve in other senior compliance positions (such as the Bank Secrecy Act or export control officer).

Finally, senior management need to promote a "culture of compliance" where employees feel free to report sanctions issues without a fear of reprisal and where serious sanctions issues are rapidly remediated. This can be accomplished when senior management communicate to staff the seriousness of violating sanctions or failing to comply with an organization's sanctions compliance program. To the extent sanctions violations have occurred in the past, senior management should ensure measures are taken to address the root cause through systemic solutions whenever possible. OFAC has explicitly required each party it settled with since fall 2018 to commit to promoting a culture of compliance.

2. Risk Assessment

OFAC has consistently asked companies to have a "risk-based compliance program." In order to develop such a program, companies need to know their risk profile. OFAC's second compliance commitment addresses this issue by placing an expectation on companies that they will conduct sanctions risk assessments on themselves. OFAC notes that while there is "no 'one-size-fits-all' risk assessment," risk assessments should generally consist of a "holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world," including risks posed not just by clients and customers, but also by its supply chain, intermediaries, and counter-parties, as well as by its products, services, and transactions and the geographic locations of the organization and its customers, supply chain, intermediaries, and counterparties.

In assessing sanctions risk, organizations should leverage existing information derived from due diligence occurring at on-boarding and other points in a relationship or transaction. For example, an organization could develop a risk rating system for customers or account relationships using information obtained through a Know Your Customer or Customer Due Diligence process. A helpful tool for assessing sanctions risk in this way is the OFAC Risk Matrix provided as an Annex to OFAC's  Economic Sanctions Enforcement Guidelines.

Risk assessments are essential during mergers and acquisitions. Sanctions violations related to mergers and acquisitions have become commonplace on OFAC's enforcement page with its cases against  Kollmorgen AppliChem Stanley Black & Decker, and  Cobham. Therefore, compliance functions should be integrated into the mergers and acquisitions process to ensure sanctions-related issues are identified, escalated to relevant senior management, and addressed prior to the completion of the merger.

Furthermore, OFAC expects companies to develop a methodology to identify, analyze, and address sanctions risks. OFAC clarified that risk assessments are not a one-off task, but instead should be "routine, and if appropriate, ongoing" to account for any violative conduct or root causes of apparent violations.

3. Internal Controls

Most global businesses should be familiar with the concept of internal controls from the Foreign Corrupt Practices Act or, for financial institutions, from their mandatory anti-money laundering programs. OFAC believes such internal controls should include policies and procedures to identify, interdict, escalate, report, and maintain records pertaining to sanctions. These policies and procedures should be enforced and weaknesses identified and remediated. OFAC recommends seven categories of internal controls:

  1. Written policies and procedures outlining the organization's sanctions compliance program that are easy to follow and designed to prevent employee misconduct;
  2. Internal controls to effectively identify, interdict, escalate, and report sanctions issues to appropriate personnel;
  3. Enforcement of an organization's sanctions compliance program through internal and/or external audits;
  4. Adequate recordkeeping policies and procedures to account for OFAC's recordkeeping requirements;
  5. A system to immediately and effectively respond to weaknesses identified in an organization's internal controls, including by identifying and implementing compensating controls until the root cause of the weaknesses can be determined and remediated;
  6. Clear communication of sanctions compliance policies and procedures to all relevant staff, including compliance personnel, gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, and sales); and
  7. Dedicated staff for integrating sanctions compliance policies and procedures into the daily operations of an organization.

These internal controls should be developed and implemented in response to a company's risk assessment and should be updated to reflect changes to that assessment.

Internal controls such as these would have protected against the apparent violations in OFAC's  AppliChem case, where AppliChem's U.S. parent, Illinois Tool Works, Inc. (ITW), sent directives to AppliChem to cease its business with Cuba. However, ITW didn't have adequate controls in place to ensure clear communication of sanctions compliance issues, letting these violations continue for years. Proper internal controls may also have prevented the finding of violation (with no monetary penalty) in the recent  State Street Bank case, where compliance personnel aligned with the line of business – rather than the bank's centralized sanctions compliance personnel with specialized sanctions expertise – reviewed (and ultimately allowed) beneficiary payments to a U.S. person resident in Iran. 

4. Testing and Auditing

The best laid plans always work in theory. However, OFAC expects companies to make sure their compliance programs work on more than just paper. To accomplish this, OFAC expects companies to engage in regular testing and auditing of their compliance programs to assess the effectiveness of current processes, check for inconsistencies between these and day-to-day operations, and identify weaknesses and deficiencies, including in program-related software, systems, and other technology, including to account for a changing risk assessment or sanctions environment. Such testing and auditing can be conducted on a specific element of a sanctions compliance program or at the enterprise-wide level.

The testing and auditing function of a sanctions compliance program should be accountable to senior management and independent of the activities it is intended to test. Furthermore, just as the compliance program must be tailored to the size and sophistication of the company, so too should the testing and auditing function of the program. Finally, it wouldn't make much sense to test a program if poor results were ignored. OFAC expects companies to take "immediate and effective action" to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

OFAC specifically discussed auditing in its  Stanley Black & Decker e.l.f. Cosmetics, and  Jereh Group cases. In the  Stanley case, OFAC mentioned that Stanley did not implement procedures to monitor or audit its Chinese subsidiary's operations to ensure that Iran-related sales had ceased. In  e.l.f. Cosmetics, OFAC mentioned that e.l.f.'s supplier audits failed to discover that most of its false eyelash kits contained materials from North Korea. In the  Jereh case, an external review found that Jereh's compliance controls were "easily circumvented and, when circumvented, the circumvention could and did go undetected." If Jereh had regularly audited its compliance program and followed up on those audits, it may have detected that its sales team was diverting shipments to Iran. The message from these penalties is clear: sanctions compliance programs should not be paper tigers.

5. Training

Finally, it doesn't matter how easy a compliance program is to follow if no one knows about it. OFAC expects companies to ensure that all appropriate employees and stakeholders (such as clients, suppliers, business parties, and counterparties) are trained on their sanctions obligations. This means making sure high-risk employees receive specialized training. Training should be tailored to the products and services a company offers, the customers, clients, and partner relationships it maintains, and the geographic regions in which it operates.

Training cannot be a one-off. Sanctions come and go at legal speeds equivalent to the speed of light. Therefore, training must be sufficiently regular, based on an organization's risk assessment and risk profile, to ensure employee knowledge doesn't go stale. When regular trainings aren't enough and problems occur, OFAC expects a company to take immediate and effective action to provide training or other corrective action as appropriate. For example, in OFAC's settlements with  e.l.f Cosmetics and  Jereh Group, each company hired third parties to train key employees as part of their remedial efforts.

Additionally, a training program should include easily accessible resources and materials available to all employees who need them. Training would have been especially helpful in OFAC's case involving  Haverly Systems, Inc. At the time of the violations, Haverly did not have a sanctions compliance program and apparently did not recognize that receiving late payments from a sectorally sanctioned entity in Russia is prohibited. If its employees had received effective sanctions compliance training, the violations may not have occurred.

Root Causes of OFAC Sanctions Compliance Program Breakdowns

To assist companies in reviewing their compliance programs, OFAC provided a list of ten specific "root causes" associated with sanctions violations. To assist readers with their compliance program reviews, we've listed OFAC's ten root causes with a citation to relevant OFAC cases.

  1. Lack of a formal sanctions compliance program. OFAC's regulations do not require a formal sanctions compliance program. However, not having one may be viewed by the agency as aggravating and the root cause of sanctions violations, especially for organizations engaged in international trade (see  Haverly, where OFAC found Haverly's lack of a compliance program to be aggravating; see also  Jereh Group where an external review of the company's compliance program noted that Jereh's compliance controls were "largely non-existent").
  2. Misinterpreting or failing to understand the applicability of OFAC's regulations. Many companies fail to understand or simply disregard the fact that certain activity is prohibited and that OFAC sanctions apply to their organizations or operations because of their status as U.S. persons, U.S.-owned or -controlled foreign subsidiaries (in this case of Cuba and Iran sanctions), or their dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods, services, and technology (see  AppliChem, where AppliChem's German management ignored directives from their U.S. management to halt business with Cuba).
  3. Facilitating transactions by non-U.S. persons. U.S. companies with foreign operations sometimes fail to recognize that U.S. management and other U.S.-based personnel and systems cannot be involved in transactions by their foreign subsidiaries with sanctioned persons, even when those transactions would not be prohibited for the foreign subsidiary. Global companies with integrated operations requiring participation by U.S. personnel or locations should ensure their activities, including approvals, contracts, and procurements, are compliant with OFAC rules (see  Zoltek, where Zoltek's U.S. management was aware Zoltek's Hungarian subsidiary was dealing with sanctioned counterparties but apparently didn't realize it was prohibited for Zoltek's U.S. management to be involved in those transactions).
  4. Exporting or reexporting U.S.-origin goods, technology, or services to sanctioned persons or jurisdictions. Many exporters fail to realize that having an intermediary distributor or trade company between them and a sanctioned party does not affect their sanctions obligations and that they must take steps to determine who the end-users are (see  Cobham, where Cobham failed to follow up on warning signs that the purchaser of its products was a sanctioned party).
  5. Utilizing the U.S. financial system or processing payments to or through U.S. financial institutions for transactions involving sanctioned persons or jurisdictions. This is one of the ways global banks and operating companies most frequently get into trouble. One or more of their correspondent relationships will want to clear a dollar-denominated transaction through New York and, despite warning signs, a U.S. bank will process the payment (see  Société Générale, where Société Générale processed payments through the United States involving Cuba, Sudan, and Iran), or a non-U.S. company will attempt to use a U.S. bank to pay on a dollar-denominated contract or clear and settle a transaction involving multiple currencies.
  6. Sanctions screening software or filter faults. While many organizations screen OFAC's lists, they do not always take steps to ensure that their screening software is effective; the software may not have been updated to include recent additions to sanctions lists, certain pertinent information such as SWIFT Business Identifier Codes, or alternative spellings of sanctioned parties (see  Cobham, where Cobham's screening software failed to display specific warnings for "Almaz Antey Telecom" when there was a specially designated national named "Almaz Antey").
  7. Improper due diligence on customers/clients. While many companies conduct due diligence on customers/clients, many fail to realize that they also should conduct due diligence on their supply chain, intermediaries, and other counterparties (see  e.l.f. Cosmetics, where e.l.f.'s inadequate supplier audits failed to discover that many of its products contained North Korean-origin materials).
  8. Decentralized compliance functions and inconsistent application of sanctions compliance programs. When compliance personnel are dispersed throughout various offices or business units of a global organization, violations can result from improper interpretation and application of OFAC's regulations, the lack of a formal escalation process to review high-risk or other potential OFAC issues, an inefficient or incapable oversight and audit function, or miscommunications regarding sanctions compliance policies and procedures (see  State Street Bank, where compliance personnel aligned with the line of business, rather than the bank's centralized sanctions compliance personnel, reviewed sanctions hits related to Iran). 
  9. Utilizing non-standard payment or commercial practices. Organizations attempting to evade or circumvent OFAC sanctions or conceal their activity frequently may implement non-traditional business methods to complete their transactions (see  UniCredit, where UniCredit processed payments on behalf of sanctioned persons in a manner that concealed the involvement of the sanctioned parties in contravention of UniCredit's policies).
  10. Individual liability. Despite the best sanctions compliance programs, sometimes the root cause of a sanctions violation may result from one or more employees – generally in a subsidiary far removed from a global headquarters – engaging in determined action to violate sanctions (see Kollmorgen, where the managing director of Kollmorgen's Turkish subsidiary falsified records and lied to Kollmorgen management to conceal sanctions violations). Such behavior may only be identified by utilizing some of the measures identified above, such as risk assessments, internal controls (including whistleblower hotlines), testing and auditing, and training.

In conclusion, OFAC's compliance commitments are a double-edged sword. On the one side, they provide clarity to companies looking to develop or improve their sanctions compliance programs. But, on the other side, they set a standard with the implicit threat of penalties when compliance programs aren't up to par.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved