The Need for Robust OFAC Compliance Programs
People are good at complaining. People often say to themselves, “Things are not going my way,” and they love to feel sorry for themselves. People who are professional victims are toxic. Why? Professional victims gain a sense of existence from their own suffering, rather than taking responsibility for their actions.
What does this have to do with ethics and compliance? Believe it or not, it is relevant. Companies are upset about the latest round of Russia sanctions. It has had a big impact on some businesses, and has been a challenge for compliance professionals. Instead of complaining about the burdensome aspects of the Russia sanctions, companies need to roll up their sleeves and design and implement, or enhance, their OFAC compliance programs. Unlike other areas of the law, OFAC compliance requires some special functions and strategies.
First, OFAC sanctions are constantly changing. Each week new SDNs may be designated. It seems like each month the Russia sanctions are expanding, and it is likely they will continue until the controversies with Russia die down.
Second, the Russia sanctions included sectoral sanctions. A risk assessment has to focus on country-based sanctions and individual sanctions. With the new sectoral sanctions, the risk assessment has to expand to the specific sectors cited and the potential for scrutiny of individual transactions given the fact that some prohibit new debt dealings of longer than 90 days.
Third, companies rely on database services to conduct OFAC checks and screening procedures. That is all well and good. However, your program is only as good as your data, and not all data services are infallible. Companies have to double-check these services, conduct random audits of some checks and make sure there are adequate reviews of the screening process.
Fourth, companies have to expand their culture-of-compliance message to include OFAC compliance. Some have brushed aside the new sanctions risks by rationalizing that they only apply to financial institutions. That is a big mistake. A company’s culture has to embrace this new risk and emphasize the importance of compliance.
The fifth and final strategy is the need for companies to conduct a comprehensive risk assessment. Not just to identify the risks, but to look at risk mitigation strategies. In other words, what are our risks? What policies and procedures do we have in place to mitigate those risks?
Such an analysis will provide a clear picture of what needs to be done to reduce risks. Of course, a risk assessment has to start with identifying and assessing the extent of the risks that a company faces. But that is not a really practical inquiry, or rather it is missing a key component: what controls do we have in place, and are they working?
That is where the rubber really meets the road. If there are gaps, the company can quickly prioritize how it should respond. Taking into account the company’s risk tolerance, a prioritized list of risk mitigation steps has to be developed.
There are many lessons from recent OFAC enforcement actions. Perhaps the most significant and consistent theme is the fact that many companies have little to no commitment to OFAC compliance other than a basic screening protocol. Beyond that, companies have focused on anti-corruption, third-party payments and other “more” significant risks. That calculus has to change.