Five Basic Steps to Implement a Sanctions Compliance Program
Companies have to implement a sanctions compliance program (SCP). When I use the term SCP, I mean much more than just having one employee screen a customer before a shipment is sent. Too many companies are behind the 8-ball when it comes to sanctions compliance.
The Treasury Department Office of Foreign Assets Control’s sanctions guidance issued in May 2019 is an extraordinary document and includes numerous prescriptive requirements. Companies ignore the SCP Guidance at their peril. If there is one area that companies need to address – and do so now – it is sanctions compliance. If you have not implemented an SCP, or you are still relying on a basic screening protocol, your company is at risk for a sanctions compliance investigation.
The stakes surrounding sanctions compliance have multiplied several times. The Justice Department expects companies to voluntarily disclose a potential sanctions violation where there is evidence that the violation may be willful.
The Treasury Department’s Office of Foreign Assets Control (OFAC) has a robust and mature enforcement program. Over the last few years, OFAC has successfully expanded its enforcement focus beyond the financial industry and now targets manufacturing, service and other industries.
A good starting point for an SCP includes the following five basic measures:
Senior management adoption of a trade compliance policy: A company’s board of directors and senior management need to adopt and release a trade compliance policy that addresses SCP requirements, including sanctions compliance, export controls, if relevant (ITAR and dual-use EAR/CCL items), and anti-boycott requirements. The trade policy has to reference screening and internal controls requirements needed to identify and elevate any potential sanctions issues for further review.
Risk assessment and supply chain audit: OFAC described a robust risk assessment requirement to address all third-party and customer risks. OFAC extended this assessment to include a company’s supply chain. OFAC has brought enforcement actions against companies whose supply chains sourced materials from prohibited entities or countries. Remember, supply chain liability may be imposed even if you do not specifically know that your supply chain includes materials from prohibited entities or countries.
Screening technology and internal controls: While many companies have subscribed to an open-source intelligence screening technology (or an export-focused screening database), this is just the beginning of satisfying the requirement for internal controls to identify, elevate and resolve screening results. A company cannot assign the responsibility for screening, research and resolution of results to one person.
OFAC has prescribed a number of requirements on this topic. With respect to a screening technology or platform, a company has to document the reasons for selecting the specific service. If this is conducted by an RFP, a company should preserve these documents. In addition, a company has to calibrate its technology to match its risk profile. High-risk third parties have to be identified based on established factors (e.g. geographic location and annual revenue). Finally, a company has to test its technology regularly to ensure it is operating properly. Amazon, Apple and other companies have suffered OFAC enforcement actions because of basic screening errors.
Aside from the screening technology, a company’s internal controls have to identify and describe third-party due diligence procedures and research requirements, elevation of potential red flags, and a formal review and approval process, as well as follow-up monitoring activities and oversight requirements.
Annual training: Many companies are unaware of a specific SCP Guidance requirement – sanctions compliance training for responsible persons must be conducted annually. Sanctions compliance has to be added to the list of required training programs, including sexual harassment, code of conduct, and other relevant topics.
Periodic audits and monitoring: To ensure sanctions compliance, companies have to adopt an auditing and monitoring program. It is not enough to rely on a screening technology to alert an official of new adverse media – a substantive monitoring program has to focus on high-risk activities, including third-party distributors and verification of end-use shipments to lawful customers and countries. An annual audit program of a sanctions compliance program has to include testing and verification of screening, due diligence, beneficial ownership, and geographic locations.
There is much more needed for an effective SCP; companies have to get started on this important compliance area. DOJ and OFAC are sure to increase their enforcement efforts and companies need to prepare for the upcoming aggressive enforcement environment.