On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)(1) published “A Framework for OFAC Compliance Commitments”(2). The publication is intended to give entities subject to US jurisdiction OFAC’s perspective on the essential components of an effective sanctions compliance program.
“OFAC developed this framework in our continuing effort to strengthen sanctions compliance practices across the board…This underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanction requirements.” - Andrea M. Gacki, Director of the Office of Foreign Assets Control (3)
OFAC continues to emphasize and “strongly encourage” entities subject to U.S. jurisdiction to take a risk-based approach to sanctions compliance by “developing, implementing, and routinely updating a sanctions compliance program” (“SCP”).
Regardless of company size, sophistication, products/services, geographic locations, etc., each SCP should incorporate at least these five (5) components: management commitment, risk assessment, internal controls, testing and auditing, and training.
In enforcement cases, OFAC will evaluate an entity’s SCP against the Economic Sanctions Enforcement Guidelines (the “Guidelines”)(4) and, when applying the Guidelines, will favorably consider an entity that had an effective SCP in place at the time a violation occurred.
A Few Key Points
Effective senior management commitment includes, among other things, providing adequate resources for compliance and supporting the authority of compliance personnel within the organization.
Adequate resources include enough personnel with sufficient expertise dedicated to compliance, adequate information technology, and other resources, as appropriate.
OFAC recommends a risk-based approach to implementing an SCP, and one of the integral components of this approach is conducting periodic risk assessments.
The assessment should include, among other things, a review of customers, vendors, products, services, third-party intermediaries, and geographic locations.
An effective SCP should include policies and procedures. These policies and procedures should be enforced and updated when weaknesses are detected or requirements change.
Sufficient personnel should be appointed to ensure proper integration of the company’s policies and procedures into the daily operation of the company.
The organization should clearly communicate its policies and procedures to all relevant staff.
Testing and Auditing
An effective SCP includes a comprehensive and objective testing or audit function that identifies program weaknesses and deficiencies.
Any deficiencies identified, including those in software systems, should be addressed.
An effective training program is considered an integral component of a successful SCP. The training should be provided to all appropriate employees and personnel on a periodic basis (at a minimum, annually).
Root Causes of OFAC Compliance Program Breakdowns - OFAC has identified the following common areas where deficiencies resulted in sanctions compliance failures:
Lack of a formal OFAC sanctions compliance program;
Misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
Facilitating transactions by non-US persons (including through or by overseas subsidiaries or affiliates);
Exporting or re-exporting US-origin goods, technology, or services to OFAC sanctioned persons or countries;
Utilizing the US financial system, or processing payments to or through US financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries;
Sanctions screening software or filter failures;
Improper due diligence on customers/clients;
Decentralized compliance functions and inconsistent application of their SCP; and
Utilizing non-standard payment or commercial practices.
Contact us to learn more about OFAC’s guidance and to find out how GCSG’s Advisory and Audit teams can guide and partner with you to reduce your sanctions compliance risk and protect your company’s bottom line and reputation.
(1) OFAC - administers and enforces U.S. economic and trade sanctions programs against targeted foreign governments, individuals, groups, and entities.
(2) OFAC: “A Framework for OFAC Compliance Commitments” - 05/02/2019.
(3) US Department of the Treasury Press Releases: “OFAC Issues a Framework for Compliance Commitments” - 05/02/2019.
(4) 74 FR 57593-57608: “31 CFR 501 - Economic Sanctions Enforcement Guidelines” - 11/9/2009.
(5) Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business.(2)