Is Your Sanctions Compliance Program Compliant? — A Quick Five-Question Quiz

Checklists can be handy — by simplifying and focusing on specific issues, a checklist can organize thinking and prioritize tasks.

Here are five (5) questions that are fairly simple but revealing as to whether a company’s Sanctions Compliance Program (“SCP”) is effective.  This is not an exhaustive list but it is my top 5.

Question 1 — Does the Company conduct annual sanctions compliance training for relevant employees?

I have written about this and reminded everyone since 2019 about the importance of conducting sanctions training.  OFAC’s Sanctions Compliance Guidance issued in 2019 mandates, at a minimum, that companies provide annual sanctions compliance training.  Notwithstanding this directive, which is reinforced by compliance professionals (including me), most companies are not offering annual sanctions compliance training.  I cannot understand why companies are ignoring this requirement.

Several States require annual training on sexual harassment and other topics.  Companies are able to meet this requirement, but when it comes to sanctions compliance, companies lack the commitment.

Question 2 — Does the Company have a trade compliance officer responsible for sanctions and export control compliance?

Depending on the specific risk profile and assuming a tangible level of international activity, companies have to designate a Trade Compliance Officer and additional staff to ensure that the company can design and implement a trade compliance program. Relying on old silos, or embedding a compliance person in the business to screen shipments to counterparties and customers on their way out the door as the last step in the process, should be a thing of the past.

Question 3 — Does the Company conduct “one-and-done” screening of counterparties and customers?

OFAC’s Sanctions Compliance Guidance directs that companies conduct “independent” research beyond a screening of a counterparty or customer.  One-and-done screening is, by definition, deficient because it can fail to uncover beneficial owners of the company or the relationship of the company to an otherwise prohibited entity.  Hence, OFAC mandated that companies conduct independent research of a prospective counterparty or customer to ensure that the screened party is not prohibited.  This requires company familiarity with the 50 Percent Rule and the need to investigate relationships with affiliated companies or individuals.  Realistically, companies should prioritize such investigations in high risk areas given potential resource limitations.

Question 4 — Does the Company know its supply chain down to the level of sourcing of inputs and raw materials?

Supply chain risk management is a key consideration in global businesses.  Regulation is increasing, particularly in Europe, and stakeholders are demanding that companies know their supply chain, map the vendors, suppliers and sources of inputs and raw materials.  Companies have to identify potential forced labor, child labor and slavery risks.  This demands additional resources to uncover these potential risks.  OFAC has made it clear that companies have to examine their supply chain risks and conduct periodic audits, as needed, to ensure compliance with global regulations and stakeholder demands.

Question 5 — Does the Company manage its third-party distribution risks and secure end-user certificates as required to mitigate risks?

Companies that rely on third-party distributors and agents have to mitigate and monitor their risks.  Given the complexity of sanctions and export controls, companies have to employ end-user certificates and monitoring systems to ensure that products are not being diverted to prohibited entities, individuals or locations.  If your company does not secure end-user certificates, potential enforcement risks escalate significantly based on intentional or “deliberate indifference” evidence that can be cited by OFAC and the Justice Department.

In response to the comprehensive Russian sanctions program, many companies have relied on end-user certificates as an effective means to ensure that third parties are not diverting shipments to prohibited entities or individuals.  Contractual certifications are not sufficient to meet compliance requirements.  OFAC has stated that such commitments, while important, are not sufficient to mitigate distribution risks to prohibited parties.
