OFAC’s new framework guidance for sanctions compliance programs stretched into new territory with its risk assessment requirement. This new approach reflects OFAC’s recent aggressive enforcement programs.

The scope of a risk assessment has to mirror the breadth of enforcement risks and has to include review of:

(i) customers, supply chain, intermediaries, and counter-parties;

(ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks or systems;

(iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries and counter-parties; and

(iv) potential merger and acquisitions, especially those involving non-U.S. companies or corporations.