Five Common Weaknesses in OFAC Sanctions Compliance Programs
As companies elevate their “game” in sanctions compliance, it is important that compliance officers critically examine the strengths and weaknesses of their compliance programs. Many companies already have a screening technology but little else beyond a basic screening process.
From my vantage point, I have observed some common weaknesses:
Segregation of Duties and Control Process: Many companies maintain a screening program and assign the responsibility to a single person. Such an arrangement can be risky. A single employee may incorrectly or corruptly “approve” a transaction despite significant red flags or even a negative result. By segregating the process into discrete tasks (e.g. review and approval), a company can eliminate this risk. Further, a company should create a specific procedure for identifying a red flag, elevating the red flag and resolving the red flag. A documented and established process for screening and resolution of issues is a critical component of an effective sanctions compliance program.
Beneficial Ownership and the 50 Percent Rule: The compliance community recognizes the importance of identifying beneficial owners of a specific organization. It is a critical part of due diligence and risk management for not only sanctions but anti-corruption and money laundering risks. Compliance officers have to implement information gathering processes to include beneficial ownership and verification of such ownership. In the sanctions context, such information is critical for applying the 50 Percent Rule, which extends a sanctions prohibition against a named entity or individual to any related entities in which the entity or individual (or combination thereof) owns 50 percent or more. The OFAC prohibition therefore extends beyond those entities or individuals listed as a Specially Designated National to unlisted but related entities as well. Too often companies ignore the beneficial ownership requirement and the 50 Percent Rule when evaluating a specific transaction.
Sanctions Search Mistakes: On occasion, companies make mistakes when conducting searches. They fail to recognize close “matches” or ignore refinements to identifiers or common spellings in specific geographic areas. Unfortunately, OFAC screening is not just a “yes” or “no” process – it involves more judgment calls and investigation than recognized. As the stakes increase, companies have to invest in training and auditing to ensure consistent quality and accuracy in searches.
Third-Party Risk Mitigation: In order to mitigate potential third-party risks and transfers of products to prohibited persons and countries, companies have to employ a robust set of controls to ensure compliance by third parties. A company cannot sell its products to a distributor, who in turn, redistributes the product to a prohibited party. To mitigate such risks, companies have to secure robust OFAC compliance certifications as part of a contract, and monitor and verify resale of products to lawful parties. Such activity has to be included in regular training and auditing programs.
Failure to Audit, Measure and Improve: A vital part of any compliance program is to review its performance. An independent review of a compliance program provides important insights into performance, weaknesses in the program, and remediation of the program. If a company is committed to maintaining an effective sanctions compliance program, the company has to audit, test and monitor the program.