Five Important Mandates from OFAC Compliance Framework
Based on its aggressive enforcement program and its recently issued Framework for Sanctions Compliance Programs, OFAC has established a new era in sanctions compliance. Trade compliance is often siloed into its own operation, sometimes in, and other times outside of, the compliance function.
Over the next five years, we will witness a sea-change in sanctions compliance programs (or at least we had better witness such a sea-change). Compliance programs have to break down the silos, seek cross-function efficiencies, and unify compliance functions.
OFAC’s Framework is direct and clear about expectations and benefits that can be earned. There is no question that companies will receive significant benefits if they suffer apparent violations after implementing an effective sanctions compliance program. In some minor cases, a compliance program may make the difference between a warning letter and a civil penalty.
Companies have to keep their respective eyes on the ball and plan for implementation of a sanctions compliance program. To do so, companies have to keep their focus on five important issues:
Risk Assessment: OFAC has outlined a robust “holistic” risk assessment process that reviews a company’s geographic locations, as well as its clients and customers, products and services, supply chain, intermediaries and counter-parties, transactions, and potential mergers and acquisitions, particularly those involving non-US companies. Two aspects of this assessment will require significant work: customers and clients, and the company’s supply chain.
Senior Commitment: OFAC did not just mouth the talismanic words – “tone-at-the-top.” Instead, OFAC defined leadership commitment as requiring approval of a specific sanctions compliance program, including policies and procedures, appointment of a dedicated CCO for sanctions compliance, creation of a culture of compliance, communications to reinforce the importance of sanctions compliance, and establishment of a direct reporting line between compliance and senior management and a board committee.
Screening Technology: OFAC recognized the importance of sanctions screening systems to a compliance program. Instead of outlining broad principles, OFAC zeroed in on three specific requirements governing: (1) selection of screening technology; (2) calibration of the screening system to match the risk profile; and (3) testing of the screening program to ensure its accuracy.
Internal Controls: OFAC described a specific requirement that companies define (in writing) a set of controls for the screening, review, elevation and resolution of sanctions compliance issues. Companies have to design and implement specific controls to address these issues so that sanctions issues are identified, elevated, reviewed and appropriately resolved. OFAC’s intent is clear – it wants companies to avoid situations where an employee uncovers a potential sanctions issue but fails to raise the issue through an established procedure for further analysis and resolution.
Annual Training: OFAC joined various states in mandating annual training programs. OFAC prescribed a requirement that companies conduct sanctions training for relevant employees at least annually.