OFAC Framework for Sanctions Compliance Programs – Review of Lessons Learned from Enforcement Actions (Part IV of IV)
The Volkov Law Group has scheduled a free webinar to review OFAC’s new Framework for Sanctions Compliance Programs for May 22, 2019, at 12 Noon EST. Sign Up Here.
OFAC’s new compliance framework includes a valuable section on common root causes of OFAC violations. OFAC has included this discussion to assist companies in designing, updating and amending their respective Sanctions Compliance Programs (SCPs). The discussion is broken down into ten basic categories, each of which includes important compliance reminders.
- Lack of a Formal SCP
OFAC regulations do not require a formal SCP, but the reality is that companies should have a formal SCP as an important protection against an enforcement action and mitigation arguments. In numerous OFAC enforcement actions, OFAC has determined that the root cause of a violation was a lack of an SCP, which can also constitute an aggravating factor in an enforcement calculation.
- Misinterpreting or Failing to Understand Application of OFAC Regulation
OFAC cited the fact that numerous organizations violated sanctions regulations because of misinterpreting OFAC regulations, particularly in those cases where the organization determined that the transaction or activity was not covered by the specific regulations. As an example, OFAC cited the failure of organizations to appreciate that OFAC sanctions applied because the entity was a US person, a US-owned or controlled subsidiary (Cuba and Iran programs), or dealings in or with US persons, the US financial system or US-origin goods and technology. In this area, OFAC has found instances where red flags were present and ignored by an organization, thereby constituting an aggravating circumstance.
- Facilitating Transactions by Non-US Persons (Including Through or By Overseas Subsidiaries or Affiliates)
OFAC cited organizations with foreign-based operations and subsidiaries have engaged in transactions or activity that violated OFAC’s regulations by facilitating transactions by non-US locations and OFAC sanctions countries or persons. Companies with integrated operations, particularly with US-based headquarters, locations or personnel, should ensure that any activities they engage in (i.e. approvals, contracts, procurement) comply with OFAC regulations.
- Exporting or Re-exporting US-origin Goods, Technology or Services to OFAC-Sanctions Persons or Countries
Non-US persons have violated OFAC regulations by purchasing US-origin goods with the intent to re-export, transfer or sell the items to a person, country or region subject to OFAC sanctions. These violations occurred despite the presence of warning signs that US sanctions law prohibited the activity, and typically involved large and sophisticated companies that engaged in the practice over the course of years, where the company ignored or failed to respond to warning signs, use non-routine business practices and concealed the activity.
- Utilizing the US Financial System or Processing Payments through US Financial Institutions for Transactions involving OFAC-Sanctions Persons or Countries
Many non-US persons have violated OFAC’s regulations by processing US dollar transactions involving an OFAC-sanctioned country or person. Although no US organization is involved in the underlying transaction, the involvement of a US financial institution in any payments often results in a prohibited activity. OFAC’s enforcement actions have focused on persons who engaged in willful or reckless conduct, attempted to conceal their activity, engaged in a pattern or practices for several months or years, ignored warning signs, involved actual knowledge or involvement by management, and were large and sophisticated organizations.
- Sanction Screening Software or Filter Faults
Most companies rely on screening software programs to identify potential violations of OFAC regulations. Companies have to screen their customers, supply chain, intermediaries, counter-parties, commercial and financial transactions for prohibited locations, parties or transactions.
OFAC observed that, at times, companies have failed to update their screening software to include SDN and SSI parties, failed to include pertinent identifiers such as SWIFT Business Identifier Codes or did not account for alternative spellings of prohibited parties or countries. In particular, OFAC cited instances that account for where an organization is domiciled or conducts businesses in locations where alternative spellings may be used (e.g. Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan).
- Improper Due Diligence on Customers/Clients (e.g. Ownership, Business Dealings)
A fundamental component of an effective OFAC risk assessment and SCP is conducting due diligence of an organization’s customers, supply chain, intermediaries and counter-parties. Various OFAC enforcement actions involve improper or incomplete due diligence on ownership, geographic locations, counter-parties and transactions as well as their knowledge and awareness of OFAC sanctions.
- De-Centralized Compliance Functions and Inconsistent Application of an SCP
OFAC explained that several enforcement actions involved situations where SCP personnel were scattered in different offices or business units, especially where there was a lack of a formal review process for high-risk transactions, absence of an escalation process, an inefficient oversight and audit functions or miscommunications regarding a company’s sanctions policies and procedures.
- Utilizing Non-Standard Payment or Commercial Practices
Companies have violated OFAC regulations by attempting to evade or circumvent OFAC sanctions or conceal their activities by relying on non-traditional business methods to complete transactions.
- Individual Liability
In several instances, individual employees, especially in supervisory, managerial or executive-level positions – have played central; roles in OFAC violations. OFAC has observed situations where US-owned companies operating outside the US, in which higher-level executives or managers facilitated transactions with OFAC-sanctioned entities or persons, despite the fact that the US headquarters maintained a robust sanctions compliance program. OFAC intends to initiate enforcement actions against those individuals in the future.