OFAC Enforcement and “Screening Errors” (Part I of III)
Here is another profound grasp of the obvious (which I have a knack for delivering) – compliance and legal professionals can learn a number of lessons from individual enforcement actions. In many cases, however, there is much more to the story than the headline or the list of so-called lessons learned.
One category of enforcement actions is a perfect example – OFAC has brought several significant enforcement actions in the last two years that are described as the result of “screening errors.” These screening errors are sometimes described as the fault of sanctions screening software or human error.
OFAC Sanctions Compliance Guidance
To bring some light to these cases, I am posting a three-part series to review the OFAC Sanctions Compliance Guidance and four relevant enforcement actions focused on screening issues.
As set forth in OFAC’s Sanctions Compliance Guidance, one of the five requisite elements of an effective sanctions compliance program is titled, “Internal Controls,” which should “enable the organization to clearly and effectively identify, interdict, escalate, and report” potential violations. With specific reference to automated screening programs, OFAC stated:
To the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
A company’s OFAC compliance program is built on a screening system. But a screening program is just one piece of an effective set of internal controls. It is imperative that a company build appropriate controls around the screening technology to ensure that relevant information is collected, that the screening system is calibrated to work efficiently, and that controls are in place to identify, escalate and report potential transactions and risks of an OFAC violation to appropriate personnel.
Sanctions Screening Errors
The Sanctions Compliance Guidance included an appendix of the ten most common root causes of OFAC sanctions violations, one of which is entitled “Sanctions Screening Software or Filter Faults.” Under this heading, OFAC explained:
[O]rganizations have failed to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties—particularly in instances in which the organization is domiciled or conducts business in geographies that frequently utilize such alternative spellings (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.),
In this last description, OFAC highlights in a passive voice “instances” in which the organization failed to account for alternative spellings; in other words, instances where errors (human or machine) occurred. However, in context, OFAC’s expectations are clear that internal controls should account for human and/or machine error and include specific processes to mitigate those specific risks.
With respect to the technology solution or screening software, OFAC has made it clear that organizations should calibrate their systems and test the system to make sure it operates correctly. To the extent human error may be the root cause, OFAC expects that organizations conduct regular training of responsible control persons, which would obviously include persons responsible for conducting and processing screening for OFAC compliance purposes.