The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) administers and enforces U.S. economic and trade sanctions in accordance with national security and foreign policy goals and objectives. OFAC encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ “a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program” (an “SCP”). On May 2, 2019, OFAC released guidance for the structuring, operation, and assessment of an SCP. In its guidance, OFAC sets forth five essential components of sanctions compliance for an organization to follow in its SCP: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Each of these components is discussed below in further detail.
Summary of Components
1. Management Commitment
OFAC stresses that Senior Management should be committed to and supportive of an organization’s risk-based SCP. Senior Management support ensures that the SCP receives adequate resources and is legitimized in the eyes of the organization. OFAC includes senior leadership, executives, and/or the board of directors in the definition of “Senior Management.” The following are ways that Senior Management should show commitment to the SCP:
- Senior Management reviews and approves of the SCP;
- Senior Management ensures that compliance teams have necessary authority and autonomy;
- Senior Management ensures direct reporting lines between it and the SCP function;
- Senior Management provides adequate resources (e.g., human capital, expertise, information technology);
- Examples include: (i) a dedicated OFAC sanctions compliance officer; (ii) quality and experienced personnel dedicated to the SCP that have the ability to understand complex financial and commercial issues; and (iii) existing control functions that adequately address the OFAC risk assessment, including information technology;
- Senior Management promotes a “culture of compliance” throughout the organization such that (i) personnel feel comfortable reporting sanctions-related issues without fear of reprisal; (ii) Senior Management discourages misconduct through messaging and actions; and (iii) the SCP has oversight over the action of the entire organization for sanctions purposes; and
- Senior Management demonstrates recognition of the seriousness of violations or failures by the organization to comply with the SCP’s policies.
2. Risk Assessment
In designing and updating an SCP, OFAC recommends that organizations take into account potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations. The organization should conduct a routine “risk assessment” to identify potential OFAC issues that the organization is likely to encounter. Those risks could be posed by clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. In evaluating the effectiveness of a sanctions risk assessment, OFAC considers the following:
- whether the organization conducts, or will conduct, an OFAC risk assessment in a manner and with a frequency that adequately accounts for the potential risks;
- for example, during onboarding, the organization should develop a sanctions risk rating for customers, customer groups, or account relationship during a Know Your Customer, or Customer Due Diligence process;
- additionally, compliance functions should be integrated into merger, acquisition, and integration processes; and
- whether the organization has developed a methodology to identify, analyze, and address the particular risks it identifies.
3. Internal Controls
An effective SCP should include internal controls, including written policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by sanctions laws and regulations. OFAC considers the following to be important measures when assessing an organization’s internal controls:
- having written policies and procedures outlining the SPC;
- implementing internal controls that adequately address the results of its OFAC risk assessment that enable the organization to identify, escalate, and report any OFAC-prohibited activity;
- enforcing the policies and procedures implemented as part of the organization’s OFAC compliance internal controls through internal or external audits;
- ensuring that OFAC-related recordkeeping policies and procedures adequately account for sanctions requirements;
- ensuring that, if the organization learns of a weakness in its internal controls, that it will take immediate and effective action, to the extent possible;
- communicating clearly the SCP’s policies and procedures to all relevant employees; and
- appointing personnel for integrating the SCP’s policies and procedures into the daily operations of the company.
4. Testing and Auditing
An audit function within an SCP ensures that an entity knows how its programs are performing and whether they should be updated to account for changing risk assessments and/or a changing sanctions environment. An effective testing and auditing function in an SCP includes the following:
- a commitment to ensuring the testing or audit function (i) is independent; (ii) has sufficient authority, resources, and skills; and (iii) is accountable to senior management;
- a commitment to employing appropriate testing or audit procedures and ensuring that the audit function reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls; and
- an assurance that, when the organization learns of a negative testing or audit result, it takes immediate and effective action to determine the root cause and remediate the issue.
An effective training program is necessary for successful operation of an SCP. Training should be provided to appropriate employees and personnel at least annually and should generally (i) provide job-specific knowledge based on need; (ii) communicate sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments. Training components that are a part of an effective SCP include the following:
- a commitment that the organization’s OFAC-related training program provides adequate information and instruction to employees and appropriate stakeholders (i.e., clients, suppliers, business partners, and counter parties);
- a scope of OFAC-related training that is appropriate for the business;
- OFAC-related training that is conducted as frequently as is appropriate based on the risk assessments completed;
- an assurance that, upon learning of a negative testing or audit finding, the organization will take immediate and effective action to provide training or other corrective action as necessary; and
- easily accessible resources and materials available to all applicable personnel.
Root Causes of Deficiencies
In addition to providing guidance on the elements necessary for a successful SCP, OFAC provides a listing of common deficiencies in SCPs that it has witnessed in the course of recent sanctions enforcement actions. OFAC has found the following to be some of the root causes associated with apparent violations of sanctions laws and regulations:
- lack of a formal OFAC SCP;
- misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
- utilizing the U.S. financial system or processing payments to or through U.S. financial institutions for commercial transactions involving OFAC-sanctioned persons or countries;
- sanctions screening software or filter faults resulting from a failure to (i) update sanctions screening software to incorporate updates to the SDN List or SSI List; (ii) include pertinent identifiers; or (iii) account for alternative spellings;
- improper due diligence on customers or clients;
- de-centralized compliance functions and inconsistent application of an SCP;
- utilizing non-standard payment or commercial practices; and
- individual liability where supervisory, managerial, or executive employees of the entities conducted or facilitated dealings with sanctioned persons, regions, or countries.
This list of common deficiencies in SCPs is provided by OFAC as a warning for organizations to help them identify where their sanctions compliance practices may be falling short of providing fulsome sanctions compliance coverage. OFAC notes that highlighting these deficiencies in the guidance was done to assist organizations “in designing, updating, and amending their respective SCP.”
As a whole, this guidance helps shed new light on what OFAC believes to be the essential components of a sanctions compliance program. It also identifies what can be root causes of apparent violations of U.S. economic sanctions programs and how OFAC may consider these components in its evaluation of apparent sanctions violations. This information provides organizations with a valuable tool in developing and assessing their compliance programs so as to meet the compliance expectations of OFAC and reduce the potential of sanctions liability for the organization.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.