Putting Together Your Sanctions Compliance Program: Management Commitment (Part I of IV)
If you follow my blog, you know I am not one to embrace hyperbole. So, forgive me for stretching a little here, but the OFAC Framework for Sanctions Compliance Programs is a game changer. Let me explain why I am saying that.
When it comes to sanctions compliance programs, most companies are well behind the curve; I am not saying they do nothing, but most companies have a less-than-mature program. OFAC’s new framework raises the bar by creating a well-crafted framework for companies to assess their current program and then providing some important objectives. OFAC has provided a helpful document.
However, to the extent that a company’s sanctions compliance program operates as part of an overall ethics and compliance program (which it should), a company should already be well positioned in a number of areas that are generally applicable to all ethics and compliance programs.
My point is that the general OFAC framework requirements should already be satisfied. When it comes to some of the more specific sanctions risks, the definition of these sanctions risks, and the prescriptive elements of OFAC’s framework, that is where companies need to get to work and implement improvements.
Let me see if I can help map this point out.
As a general matter, OFAC has “strongly encourage[d]” companies and individuals subject to OFAC jurisdiction to implement a “risk-based approach to sanctions compliance by developing, implementing and routinely updating a SCP.”
OFAC’s Framework is based on five essential components:
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing & Audit
Within Element 1, Management Commitment, OFAC requires that:
- The company’s board and senior leaders demonstrate their commitment to and support of the organization’s SCP.
- The company’s SCP receives “adequate resources and is fully integrated into the day-to-day operations;”
- Management support includes the provision of adequate resources to the compliance unit(s) and support for compliance personnel’s authority within an organization.
- Senior management has to establish direct reporting lines between SCP functions and senior management, including routine and periodic meetings between these two elements of the organization.
- Senior management promotes a “culture of compliance” through the organization by encouraging personnel to report sanctions related misconduct without fear of reprisal; and
- Senior management messages and takes actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions.
These tasks are general enough to the overall ethics and compliance function that companies should already have satisfied these elements. If not, I suspect the company’s ethics and compliance program is suffering.
Now, let’s look at some prescriptive elements that OFAC added to the equation, some of which may already be satisfied but some of which may require new efforts.
Under the Management Commitment prong, here are some prescriptive, specific items:
- Senior management has reviewed and approved the organization’s SCP.
- The organization has appointed a dedicated OFAC sanctions compliance officer (who can also be responsible for other compliance programs);
- SCP personnel have the requisite quality and experience to understand complex financial and commercial activities, apply their OFAC knowledge, and identify OFAC-related issues, risks and prohibited activities;
- The organization has appropriate information technology software and systems for its SCP.
There is nothing significant here except for maybe the requirement that the board or senior executives review and approve the SCP. If the company has a trade compliance policy and has been screening transactions for OFAC compliance, it is likely that these issues are already satisfied.