Refreshing and Elevating Your Sanctions Compliance Program (Part II of III)
Let’s move beyond the headline – trade compliance is the new FCPA. We get it. The next step is to do something about it. The Justice Department has repeated this refrain – it is one of its greatest hits. In addition, DOJ, OFAC and the Bureau of Industry and Security have sent a loud message — $629 million from British American Tobacco and $300 million from Seagate.
We know there is more in the pipeline, and with the addition of 25 new prosecutors and a focus on corporate prosecutions, more cases are coming. Trust me. The days of a less-than-$10 million resolution for violation of trade sanctions or export controls are over.
Chief compliance officers along with their trade compliance colleagues have to inform their boards and senior executives that this is a direct and immediate threat. In response, companies need to go back to basics – review, refresh and enhance their trade compliance programs. No more excuses.
As a starting point, OFAC issued important guidance in 2019, focusing on five elements of an effective sanctions compliance program: (1) Management Commitment; (2) Risk Assessment; (3) Internal Controls; (4) Testing & Audit; and (5) Training.
Each element includes important factors:
(1) Management Commitment:
- Actions and communications concerning the importance of sanctions compliance;
- Board or senior management approval of a trade compliance policy;
- Regular and periodic in-person reporting with sanctions compliance officer(s) and relevant team members;
- Company-wide awareness and full integration of sanctions compliance controls and scope of operation; and
- Assignment of a trade compliance officer (with requisite experience, authority and position in the organization) as part of a trade compliance function that includes adequate resources (human capital, expertise, information technology and other resources) needed to ensure effectiveness.
(2) Risk Assessment:
- Holistic review of the organization from top to bottom and assessment of its touchpoints to the outside world;
- Subjects: clients and customers; products and services; supply chain; intermediaries and counter-parties; transactions; locations; and potential mergers and acquisitions; and
- Risk factors: prohibited persons, entities and countries; foreign government ownership; application of the 50 percent rule; and geographic risk factor.
(3) Internal Controls:
- Operationalization of sanctions compliance policies and procedures in day-to-day activities;
- Written policies and procedures tailored to risk assessment;
- Process to identify, interdict, escalate, resolve and document compliance activities;
- Monitor, intervene and audit policies and procedures;
- Implement technology solution (document selection, calibration and routine testing); and
- Communicate policies and procedures to all relevant internal and external staff (e.g. business units which interact with customers, vendors/suppliers).
(4) Testing & Audit:
- Testing or audit function, which is independent, accountable to senior management, and has sufficient authority, skills, expertise and resources within the organization;
- “Comprehensive and objective” testing and assessment of the organization’s risk assessment and internal controls to identify program weaknesses, and remediate; and
- Quarterly audits (sampling as appropriate) to ensure compliance with risk management controls, due diligence of customers and third parties, which consists of screening and independent research, and end-user verification and documentation procedures.
(5) Training:
- A training program should be tailored to an entity’s risk profile and all appropriate employees and stakeholders; and
- Companies have to conduct training for relevant employees and personnel on a periodic basis, at least annually.