OFAC Screening and Internal Controls
Companies have had over one year to review OFAC's sanctions compliance program (SCP) guidance and implement a program accordingly. This last year, however, has been difficult (to say the least) given the COVID-19 pandemic.
Companies have faced unusual challenges. OFAC acknowledged the impact of COVID-19 in guidance issued in April 2020, noting that companies faced challenging times and may have reallocated compliance resources to meet pandemic needs.
Prior to the issuance of the SCP Guidance, many companies complied with OFAC sanctions by relying solely on a screening technology. These open-source-intelligence-based services give companies quick sanctions screening results. But many companies have done nothing more than purchase a screening service.
The SCP Guidance, however, underscores the importance of internal controls of which the screening technology is only one component. Companies need to build and implement the controls needed to ensure proper identification, escalation and resolution of OFAC screening results.
First, with respect to the screening technology (i.e., the screening service), OFAC requires companies to document which solution the company selected and the reasons for selecting that specific service. If a company conducts an RFP to select a technology platform, the company should retain documents concerning the RFP process and, ultimately, the reason for selecting one of the proposals.
Second, the technology has to be calibrated properly to reflect the company’s risk assessment and risk profile. The risk assessment is a separate element under the SCP Guidance, and it has to be integrated into the operation of the screening system so that screening is conducted on a risk basis.
Third, a company has to routinely test the screening system to make sure it is accurate. Testing should be conducted using known prohibited parties (“Specially Designated Nationals”) to ensure that the screening system accurately reports on the entity.
Policies and Procedures and Due Diligence
Companies have to build effective internal controls surrounding the use of a screening technology by integrating policies and procedures to ensure proper SCP compliance. Such procedures have to include detailed requirements to identify, interdict and escalate screening results that identify potential risks. Companies can no longer rely on one person or a small group of employees to conduct a check-the-box screening process. Procedures have to include requirements for escalation of red flags, and proper review and approval of any resolution of such red flags.
As part of a due diligence system, companies have to screen potential counterparties and customers, including beneficial owners when relevant. A due diligence system has to be crafted based on the risk assessment and reflect a risk-based ranking of categories of third parties and customers.
Due diligence, however, has to include more than just “screening” and has to incorporate “independent research.” Companies cannot conduct a screening and move forward to conduct business without conducting and documenting independent research, including Internet-based searches and other sources of relevant information (e.g. D&B financial results).
Resolution and Approval
A key aspect of a company’s internal controls has to be red flag resolution and approval procedures. When a red flag result occurs, controls have to require escalation of the issue for further investigation and/or review. It is critical to ensure compliance with a “four eyes” principle – red flags can only be resolved with the concurrence and approval of at least one person other than the person conducting the screening. To ensure appropriate compliance, such steps should be documented and reviewed by another person for ultimate approval.