OFAC Joins the Compliance Club – Issues Framework for Sanctions Compliance Programs (Part I of IV)
The Volkov Law Group has scheduled a free webinar to review OFAC’s new Framework for Sanctions Compliance Programs for May 22, 2019, at 12 Noon EST. Sign Up Here.
On the heels of the Justice Department’s announcement of its new compliance guidance, on May 2, 2019, the Treasury Department’s Office of Foreign Asset Control (“OFAC”) issued its promised guidance for sanctions compliance programs (“SCP”) (Here).
Together with its aggressive enforcement of economic sanctions, OFAC has set a new standard for SCPs, and has “strongly encourage[d]” companies and individuals subject to OFAC jurisdiction to implement a “risk- based approach to sanctions compliance by developing, implementing and routinely updating a SCP.”
OFAC has demonstrated an aggressive policy of enforcement this year in particular — especially with respect to the Iran sanctions program. In this new era of aggressive OFAC sanctions enforcement, companies subject to OFAC jurisdiction should be mindful of the requirements for an effective SCP. Companies that are in the process of implementing or updating their OFAC sanctions compliance program should review these documents and should incorporate these compliance expectations and elements into their own analysis.
In its Framework, OFAC explained that, as part of its determination of an appropriate penalty for violations of a sanctions program, it will evaluate a subject entity’s SCP under its Sanctions Enforcement Guidelines to determine an appropriate civil monetary penalty and other requirements under a settlement agreement. If a subject has an “effective SCP” at the time of the violation, or if the subject implements remedial compliance measures at the time of the resolution, OFAC may reduce a penalty and/or deem the penalty non-egregious.
Framework Structure
OFAC’s Framework is based on five essential components and includes an important Appendix outlining several of the root causes underlying violations of OFAC’s sanctions programs.
OFAC noted the each risk-based SCP will vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations, each SCP should be based on and incorporate at least five essential components of compliance:
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing & Audit
- Training
Under Management Commitment, subject companies have to ensure that senior management (e.g. directors, executives, senior leaders) demonstrate its commitment to, and support of, the organization’s SCP. This commitment is critical to ensure that the SCP receives “adequate resources and is fully integrated into the day-to-day operations,” and helps “legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.” OFAC’s Framework notes that effective management support includes the provision of adequate resources to the compliance unit(s) and support for compliance personnel’s authority within an organization.
To meet this requirement, OFAC’s framework notes five specific elements:
- Senior management has reviewed and approved the organization’s SCP.
- Senior management ensures that its compliance unit(s) have been delegated sufficient authority and autonomy to deploy the policies and procedures in a manner that effectively controls its OFAC risks. Senior management has to ensure the existence of direct reporting lines between SCP functions and senior management, including routine and periodic meetings between these two elements of the organization.
- Senior management has taken and will continue to take, steps to ensure that the compliance unit(s) receive adequate resources – including in the form of human capital, expertise, information technology and other resources, as appropriate – that are relative to the organization’s breadth of operations, target and secondary markets, and other factors affective its overall risk profile. Under this element, OFAC outlined the following criteria: (a) The organization has appointed a dedicated OFAC sanctions compliance officer (who can also be responsible for other compliance programs); (b) The quality and experience of the SCP personnel, including their technical knowledge and expertise, the ability of the personnel to understand complex financial and commercial activities, apply their OFAC knowledge, and identify OFAC-related issues, risks and prohibited activities; (c) The efforts to ensure that personnel dedicated to the SCP have sufficient experience and appropriate “position” within the organization; and (d) Sufficient control functions exist to support the SCP, including but not limited to information technology software and systems.
- Senior management promotes a “culture of compliance” through the organization. Under this element, OFAC outlined the following criterial: (a) The ability of personnel to report sanctions related misconduct by the organization or its personnel to senior management without fear of reprisal; (b) Senior management messages and takes actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions; and (c) The ability of the SCP to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
- Senior management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, or malfunctions, deficiencies, or failures by the organization and its personnel to comply with the SCP’s policies and procedures, and implements necessary measures to reduce the occurrence of apparent violations in the future. Such measures should address the root causes of past violations and represent systemic solutions whenever possible.