Making Sure Your Internal Controls Address Sanctions Risks (Part III of IV)
The term “internal controls” is a loaded one – it morphs in various ways depending on the context. Sometimes it is a shorthand for financial accounting controls; other times it encompasses a company’s compliance controls (i.e. policies and procedures).
OFAC uses the term to mean a company's policies and procedures for sanctions compliance. OFAC recognized that OFAC compliance functions have to begin with the business, and that from that point on sanctions compliance depends on clear rules for identifying, elevating and resolving potential red flags. This may not sound like a big deal for ethics and compliance programs, given the myriad risks that companies face, but in the sanctions context it is important because companies tend to give sanctions compliance a lower priority than it requires. OFAC's aggressive enforcement record and its compliance framework should change this landscape.
Under its general requirements, OFAC's internal controls element lists the following:
- An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and document SCP compliance activity.
- The purpose of internal controls is to define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments.
- Policies and procedures should reflect the organization's day-to-day operations and procedures, and should be enforced.
- Internal and/or external audits and assessments of the program should be conducted on a periodic basis.
Again, OFAC's general requirements are probably covered by existing compliance programs, especially in the trade compliance area.
On the more specific level, however, there are two interesting items that will require revision of an SCP.
- To the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
- The organization ensures that its OFAC-related recordkeeping policies and procedures adequately document its SCP.
The new focus on an organization's technology solution reflects OFAC's unwillingness to accept a screening error as mitigation for a sanctions violation. It reflects OFAC's important enforcement action in the Cobham case, in which the company was found liable despite a clear screening error.
Under this requirement, a company has to document why it selected an information technology solution; how it calibrated the system to conform to its risk profile; and whether it tested the accuracy of the technology (at least annually). This is a new and important compliance requirement.