Conducting a Sanctions Risk Assessment: A New Era for Analyzing Your Risks (Part II of IV)
OFAC’s new framework guidance for sanctions compliance programs stretched into new territory with its risk assessment requirement. This new approach reflects OFAC’s recent aggressive enforcement programs.
In recognition of the importance of various economic sanctions programs, particularly Iran, North Korea and Venezuela, OFAC has laid out some important markers. Recent enforcement actions, e.g. the Epsilon case, the elf Cosmetics case, and the Cobham case, have to inform the design and implementation of an effective SCP.
In its Framework, OFAC explained that, as part of its determination of an appropriate penalty for violations of a sanctions program, it will evaluate a subject entity’s SCP under its Sanctions Enforcement Guidelines to determine an appropriate civil monetary penalty and other requirements under a settlement agreement. If a subject has an “effective SCP” at the time of the violation, or if the company implements remedial compliance measures at the time of the resolution, OFAC may reduce a penalty and/or deem the penalty non-egregious.
To address the risk assessment element, it is important to review the general elements which should already be in place and identify the new prescriptive requirements.
Under the general requirements, OFAC outlined the following:
- A risk assessment should consist of a “holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.”
- The organization conducts an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks.
- As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business.
These general statements governing an OFAC risk assessment should ordinarily be satisfied by the organization’s ethics and compliance program. There is nothing here that is earth-shattering.
Now, let’s turn to some of the prescriptive elements, because it is in this area that I foresee most organizations will have to devote time and energy.
The scope of a risk assessment has to mirror the breadth of enforcement risks. A risk assessment now has to include assessment of:
- customers, supply chain, intermediaries, and counter-parties;
- the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks or systems;
- the geographic locations of the organization, as well as its customers, supply chain, intermediaries and counter-parties; and
- potential mergers and acquisitions, especially those involving non-U.S. companies or corporations.
The implications of this list are far-reaching, especially with regard to a company’s supply chain, products and services which are exported and then re-exported by a third party or foreign manufacturer, and a broad geographic location assessment.
Let me explain. Under the elf Cosmetics case, a US company was found liable for the fact that a Chinese manufacturer was sourcing its products from North Korea, even though the US company had no knowledge of the Chinese company’s sourcing location.
As a consequence, to meet OFAC expectations in this area, organizations will now have to assess their entire supply chain and identify risky operations that may be manufacturing from locations in close proximity to prohibited countries (e.g. Iran, North Korea). In addition, organizations will have to push down OFAC compliance representations and audit procedures throughout their respective supply chains.
As to re-exportation risks, organizations now face two significant risk areas, which reflect OFAC’s aggressive enforcement in the Epsilon case relating to third-party distributors. Companies have to take steps to ensure that third-party distributors do not re-export items from the U.S. to a prohibited country, such as Iran or North Korea. Such risks are particularly acute with regard to re-exports to Iran.
Further complicating this issue is the fact that manufacturers often sell products to foreign manufacturers (e.g. OEMs), who then take the US product and use it to produce a product containing the US product. Depending on the extent of the foreign manufacturers’ ultimate use of the US-origin product, the US manufacturer can be liable for the foreign manufacturers’ ultimate product sale to an otherwise US-prohibited customer/country. This can raise a number of nightmare scenarios for US companies.
Finally, the OFAC framework requires companies to develop a “sanctions risk rating for customers, customer groups, or account relationships based on a due diligence process and independent research conducted by the organization at the initiation of the customer relationship.” This element requires more than just a simple yes or no screening system. Companies will have to invest time and develop a risk-based scoring system to apply for risk-ranking purposes.