OFAC Framework for Sanctions Compliance Programs – Risk Assessment and Internal Controls (Part II of IV)
The Volkov Law Group has scheduled a free webinar to review OFAC’s new Framework for Sanctions Compliance Programs for May 22, 2019, at 12 Noon EST. Sign Up Here.
OFAC’s Framework for Sanctions Controls Program is a heightening of the importance of ethics and compliance program and reflects significant expectations for implementing effective compliance strategies.
In Risk Assessment, OFAC recommends that organizations conduct a routine, and if appropriate, ongoing risk assessment to inform its SCP policies, procedures, internal controls and training. In this respect, OFAC explained that such a risk assessment should consist of a “holistic review of the organization from top-to-bottom and asses its touchpoints to the outside world.”
As an example, an organization’s SCP should include assessment of: (i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks or systems; (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries and counter-parties; and (iv) potential merger and acquisitions, especially those involving non-U.S. companies or corporations.
To meet the Risk Assessment requirement, OFAC’s framework notes two specific elements:
- The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks. As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business: (a) The risk assessment should leverage existing information to inform the process, and then guide due diligence efforts at various points in a relationship or in a transaction. This may include: (i) On-boarding: The organization develops a sanctions risk rating for customers, customer groups, or account relationships based on a due diligence process and independent research conducted by the organization at the initiation of the customer relationship. This information will guide the timing and scope of future due diligence efforts. Important elements to consider in determining the sanctions risk rating can be found in OFAC’s risk matrices.;(ii) Mergers and Acquisitions (M&A): OFAC noted the importance of M&A transactions (“which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions”). Compliance functions should also be integrated into the merger, acquisition, and integration process.
- The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.
An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and document SCP compliance activity. The purpose of internal controls is to define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments.
Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis. OFAC sanctions program are dynamic and often change. As a result, a company’s SCP has to adjust rapidly to changes.
To implement effective internal controls for an SCP, the following seven requirements should be satisfied:
- The organization has designed and implemented written policies and procedures outlining the SCP. These policies and procedures are relevant to the organization, capture the organization’s day-to-day operations and procedures, and are easy to follow.
- The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC: (a) Under this element, to the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
- The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.
- The organization ensures that its OFAC-related record-keeping policies and procedures adequately document its SCP.
- The organization ensures that, upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
- The organization has clearly communicated the SCP’s policies and procedures to all relevant staff, including personnel within the SCP program, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing SCP responsibilities on behalf of the organization.
- The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation. This process includes relevant business units and confirms that employees understand the policies and procedures.