AML enforcement often includes sanctions violations.  The Office of Foreign Asset Control (OFAC) is responsible for regulating and enforcing the sanctions regime.

OFAC has played a critical role in ramping up AML enforcement against major financial institutions.  Major enforcement actions have been built on OFAC violations.

HSBC Holdings paid OFAC $375 million as part of its record AML settlement with US prosecutors; ING Bank forfeited $619 million, JP Morgan paid OFAC $88 million and Standard Chartered gave OFAC $132 million out of combined enforcement actions.

The official OFAC enforcement statistics confirms what everyone already knows – sanctions compliance is a significant risk.   Last year, OFAC enforcement resulted in 27 official actions.  In 2012, OFAC enforcement resulted in 16 official actions.

There are two types of sanctions – country-based sanctions and list-based sanctions such as the Specially Designated Nationals (SDN) list.

The country-based sanctions reflect embargoes, such as those against Cuba, Iran, and Syria.  The list-based sanctions include individuals and entities, such as terrorists, drug traffickers, weapons proliferators, and corrupt leaders.

Companies need to check all customers against the SDN list and should include not only a name check but address and persons involved in specific transactions.

OFAC sanctions apply to commercial and financial transactions, direct and indirect, such as financing, investments, payments, dealings in property and travel, exports, imports and facilitation of a prohibited transaction.  A US company or US person (wherever located) cannot indirectly facilitate a transaction that ultimately involves a prohibited country or person.

When determining penalties for a violation, OFAC considers a firm compliance program, risk mitigation strategies and other related factors, including willfulness, knowledge of conduct, sophistication of the subject, and harm to sanctions program objectives.

A firm’s compliance program needs to incorporate reasonable risk-based procedures.  A company has to adopt clear and concise policies and procedures to ensure compliance with the country-based and SDN.  In most cases, a company should screen every customer, vendor and investment entity against these lists to ensure compliance, and should obtain appropriate end user certifications.  In addition, companies should establish working relationships with major financial institutions with robust OFAC screening for international transactions and transfers.

Another area for compliance focus is foreign investments.  If a US firm has material private investments in foreign companies, the US company has to conduct due diligence on the investment targets, the owners and the managers to determine if there is any OFAC exposure.

A company has to be ready to block suspect transactions, and require further investigation and documentation before allowing the transaction to proceed.   A Chief Compliance Officer has an important duty in this area – to design and implement processes that can identify suspect transactions, review them, and demonstrate a robust due diligence process.  CCOs cannot – and should not even try to – review each and every suspect transaction.