OFAC’s New Sanctions Compliance Training and Testing Requirements (Part IV of IV)
When providing compliance program guidance, the Justice Department and OFAC, like every compliance practitioner, pay homage to the relatively obvious point that there is no one-size-fits-all compliance solution. In other words, as is often repeated, a company’s compliance program will vary depending on a variety of factors, including the company’s size, sophistication, products and services, and geographic footprint.
These factors together form the basis for a company’s risk profile, which informs every aspect of its compliance program. The risk profile is the foundation of a company’s business and, ultimately, of its ethics and compliance program.
As the company’s risk profile changes, so should its compliance program. This is why monitoring, testing and auditing functions are so important. But this is where compliance technology, data and other fast-evolving tools promise real and significant change.
As companies make better use of real-time data, the old model of periodic change, based on testing against rules and auditing for compliance with those rules, is likely to give way to continuous data analysis and management built on artificial intelligence, high-performance processing and analytics and, eventually, blockchain distributed ledger technology.
In the meantime, however, most companies are relying on existing testing and audit programs.
With respect to training, OFAC outlined a number of general principles that compliance professionals should already know and, hopefully, follow. In particular, a training program should be “tailored to an entity’s risk profile and all appropriate employees and stakeholders,” and it has to be accessible to employees who do not work in English.
But OFAC did not stop there. OFAC also set a periodic training requirement: relevant employees and personnel must receive sanctions compliance training on a periodic basis and, at a minimum, annually. That training has to be updated to reflect deficiencies identified in the sanctions compliance program (SCP).
In the testing and audit area, OFAC offered general principles that companies should already know and have implemented in carrying out their audit and testing functions. OFAC noted that an organization’s testing and audit operations should be “comprehensive and objective” and that program weaknesses and deficiencies, as well as compliance gaps, should be remediated.
For example, OFAC stated that companies should:
- Assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations.
OFAC also noted that testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.
On the prescriptive level, OFAC explained that testing and audit functions should:
- Be accountable to senior management, independent of audited activities, and possess the requisite skills to conduct relevant tests and audits;
- Have sufficient authority and resources within the organization.
While these requirements should not be surprising, there is still a small number of organizations where auditing and testing results are treated as “suggestions” rather than as required changes backed by the full support of senior management and the audit committee. In most cases, internal audit receives greater attention, authority and resources than the ethics and compliance operation. Hopefully this will change in the future, but for now, testing and auditing of a sanctions compliance program should be added to the list of compliance program elements that require monitoring and auditing.