For an agency not known to show its cards when it comes to enforcement priorities, the release by the Treasury Department's Office of Foreign Assets Control (OFAC) of "A Framework for OFAC Compliance Commitments" (the Framework) offers a rare, helpful glimpse into the agency's expectations around sanctions compliance. In fact, the title of the document is accurate: the Framework offers a fairly comprehensive set of standards for organizations to benchmark their compliance programs against.
Moreover, the document also includes a list of specific "root causes" of prior sanctions violations identified by OFAC. The "root causes" may be the best place to start for organizations seeking to refresh or revise their sanctions compliance program, as they highlight prior compliance breakdowns that have resulted in OFAC enforcement.
Given OFAC's record pace of enforcement cases this year, and continuing efforts in both the Executive Branch and Congress to expand the use and scope of OFAC sanctions to promote US national security and foreign policy interests, organizations that are or may be subject to OFAC sanctions should consider evaluating their existing sanctions programs in light of the framework and making adjustments or improvements as necessary to align with OFAC's newly articulated expectations.
What makes a sufficient OFAC sanctions compliance program?
The first half of the Framework includes a comprehensive set of expectations or standards around what OFAC describes as the five "essential components" of a sanctions compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
1. Management Commitment. With respect to management commitment, OFAC offers a variety of expectations that all relate to the same core theme: sanctions compliance is something that top management at an organization should be aware of and encourage. OFAC expects that someone at each organization should be designated as an OFAC sanctions compliance officer.
2. Risk Assessment. OFAC's discussion of risk assessment is more interesting. In general, OFAC encourages all organizations to conduct risk assessments in a matter and with a frequency that "adequately accounts for the potential risks," such as "risks [that] could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization." However, OFAC focuses on what it appears to perceive as the two biggest areas of sanctions risk: customer onboarding and mergers.
- With respect to customer onboarding, OFAC emphasizes the need for adequate due diligence and independent research.
- Likewise, with respect to mergers, OFAC notes that beyond due diligence (which of course is important in this context), organizations need to be sure that compliance functions are adequately integrated post-merger (a consistent, global compliance function is a theme of the Framework, and a lack of a consistent compliance function is also identified by OFAC as a "root cause" of several recent enforcement cases).
Here, OFAC also notes that risks that are identified should be evaluated for root cause and mitigated. In fact, the need for a thorough root cause analysis is a theme repeated throughout the guidance.
3. Internal Controls. Flowing from the expectation to conduct ongoing risk assessment, OFAC also indicates in the Framework that it expects organizations to have written sanctions policies and procedures and, of course, mechanisms and processes that demonstrate these written documents are adaptable and utilized. In short, written policies are necessary but not sufficient: only if an organization can demonstrate it actually publicizes, relies on, and follows such written materials in day to day operations will it get credit for having established internal controls.
4. Testing and Auditing. Logically then, OFAC also considers sanctions compliance programs to be meeting expectations only when organizations have an objective testing and audit function that evaluates compliance with the organization's sanctions program, identifies gaps and the root cause of such gaps, and has the authority to implement compensating, and ultimately remediating, controls.
5. Training. Finally, OFAC expects that organizations will implement a training program that is tailored to meet the needs of the organization and that is appropriate for the personnel being trained (e.g. sales personnel in high risk countries or regions may need more or more specific training than other departments). OFAC also expects that all sanctions training materials and guidance should be in a readily accessible place within the organization (presumably, visible and accessible somewhere like a company's intranet).
In short, OFAC states in the Framework that it expects a sanctions program that is supported from top management, and that flows logically and appropriately from a risk assessment of the organization's activities and risk profile. Developing a written policy on sanctions and placing it in a drawer, of course, is not sufficient, but neither is imposing policies or procedures that are not tailored to an organization's needs, adaptable, and regularly tested and revised as needed.
What root causes of sanctions compliance program breakdowns have OFAC identified?
The second half of the Framework provides a list of ten "root causes" of sanctions violations that OFAC appears to have derived from previous enforcement cases. We have outlined below three main categories under which OFAC's identified root causes generally fit: (1) inadequate compliance programs; (2) misunderstanding of OFAC regulations; and (3) bad or negligent actors. While these are all often interrelated, the way OFAC frames and focuses on particular root causes is insightful.
1. Inadequate Compliance Programs. Perhaps most obviously, several of OFAC's identified "root causes" stem directly from either a lack of any compliance program whatsoever, or inadequacies within existing programs. These potential inadequacies include:
- Decentralized compliance functions that lead to inconsistent application of rules and procedures;
- Reliance on insufficient or faulty screening or filtering software (for example, software that did not capture misspelled names, which OFAC notes is very important given the use of alternative spellings in many geographies subject to OFAC sanctions); and
- Improper or incomplete due diligence on customers, business partners, counterparties, suppliers, etc.
2. Misunderstanding OFAC Regulations. OFAC also identified a number of types of compliance issues and enforcement cases that all appear to relate to an inadequate understanding of the scope of OFAC sanctions. In particular, the following types of violations reflected a lack of awareness that OFAC sanctions applied to a given transaction:
- Transactions involving entities that may not be aware they are subject to OFAC sanctions, such as foreign subsidiaries of US companies that are treated as "US persons" subject to OFAC restrictions under many sanctions programs;
- Persons subject to OFAC sanctions restrictions "facilitating" (i.e. indirectly assisting with) transactions by non-US persons who are not subject to sanctions restrictions. Such a violation might include a US person referring a prohibited customer to a non-US person;
- Exporting or reexporting to prohibited parties or destinations US-origin goods, services, or technology. Non-US persons often may not realize that if they are transferring US-origin items, they may be subject to export controls and OFAC sanctions restrictions;
- Using US banks, even merely as intermediaries to clear transactions between two third party banks, where the payments being processed involved prohibited parties.
3. Bad or Negligent Actors.Finally, OFAC notes that many of the root causes it identified also involved employees or others either intentionally or unintentionally working to circumvent sanctions. In fact, this is one identified root cause in itself. However, the guidance also indicates that OFAC will not generally consider an organization guiltless even where bad actors within the organization were violating policies or procedures. Instead, OFAC considers a valid compliance program to include appropriate venues and procedures for employees to effectively report potential violations and to have those potential issues escalated and addressed. For example, a recent OFAC enforcement case involving the subsidiary of a US company involved violations that were repeatedly reported to supervisors by other employees but were never appropriately escalated.
OFAC also notes that many sanctions violations involve the use of special or nonstandard practices, such as special procedures for paying certain suppliers, or nonstandard practices of recording certain customers, often aimed at obfuscating the involvement of sanctions-restricted parties. OFAC considers it a failure of internal controls for such nonstandard procedures to be deployed and used undetected or, worse, detected in an organization, but not addressed.
Accordingly, OFAC considers an effective sanctions compliance program one that can identify bad actors and/or prevent them from being able to violate sanctions.
* * *
Organizations that are or may be subject to OFAC sanctions should consider carefully reviewing their sanctions compliance programs to bring them into alignment with the expectations articulated by OFAC in the Framework. While there is no guarantee that following OFAC's Framework would result in a favorable outcome should an OFAC enforcement matter arise, it is likely that OFAC would look disfavorably on a compliance program missing one or more of the identified elements when assessing culpability in a subsequent enforcement case.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.