Chief compliance officers seeking some much-needed guidance on how to build a well-crafted sanctions compliance program would be remiss to ignore the first-ever “Framework for OFAC Compliance Commitments” published by the Department of the Treasury’s Office of Foreign Assets Control. The guidance includes a non-exhaustive list of common “root causes” of sanctions violations identified during the investigative process and in the context of recent enforcement actions.

“OFAC developed this framework in our continuing effort to strengthen sanctions compliance practices across the board,” said OFAC Director Andrea Gacki. “This underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.”

The 12-page sanctions compliance framework, published May 2, applies not just to U.S. companies, but also to companies that may find themselves subject to U.S. sanctions laws—such as foreign entities that conduct business in or with the United States, those that employ U.S. citizens, or that use U.S.-origin goods or services.

It comes at a time when the stakes for non-compliance have never been higher. Over the last six months alone, OFAC has issued 18 enforcement actions and a record $1.3 billion in total penalties, according to enforcement data from OFAC’s website.

“OFAC developed this framework in our continuing effort to strengthen sanctions compliance practices across the board. This underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.”

Andrea Gacki, OFAC Director

Chief compliance officers and chief risk officers will not find anything earth-shattering in the guidance, only that “it takes a lot of mystery out of what is expected,” John Melican, global head of Exiger’s financial crime compliance practice, said during a June 25 Webcast on the OFAC framework. “This is not regulation. This is guidance, so there are no standards, no new expectations.”

In fact, much of what is in the framework resembles the revised Evaluation of Corporate Compliance Programs, published by the Justice Department’s Criminal Division on April 30. Specifically, OFAC reiterated that each risk-based, sanctions compliance program (SCP) should take a tailored approach based on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations.

At the same time, however, OFAC stressed that each risk-based SCP should be predicated on and incorporate five “essential components.” Below, we dive into not only what those five essential components are, as outlined in the OFAC guidance, but how to implement them in practice.

1. Senior management commitment 

In its guidance, OFAC said senior management commitment is “one of the most important factors” in determining an SCP’s success. Such commitment is essential in ensuring that the SCP receives adequate resources and is fully integrated into daily operations. It also helps to “legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization,” OFAC said.

Chief compliance officers, particularly, should welcome the guidance in this aspect, as it puts the onus on senior management to ensure compliance units have “sufficient authority and autonomy” to effectively implement policies and procedures designed to minimize risk and ensure compliance has adequate resources. It also calls on senior management to review and approve the SCP.

One way to evidence senior management commitment to OFAC is to have in place a “dedicated” OFAC sanctions compliance officer. Where some companies, depending on size and complexity, designate a single person to oversee all areas of financial crimes or export control compliance, “this may be the same person serving in other senior compliance positions,” like a Bank Secrecy Act officer or an export control officer, OFAC said.

Another way to evidence senior management commitment is through the quality and experience of the personnel dedicated to the SCP, including those with technical knowledge and expertise around OFAC’s regulations, processes, and actions; the ability to understand complex financial and commercial activities and apply their knowledge of OFAC to these items; and someone with appropriate experience and authority within the organization. Compliance personnel should also have an appropriate level of control functions that support the risk-based SCP.

2. Risk assessments 

Risk assessments should “generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world,” OFAC said. Areas to assess for potential risks include customers, supply chains, intermediaries, and counter-parties; the products and services that the organization offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and the geographic locations of the organization.

In the financial services industry, banks have been risk-rating their clients and customers for years now. “Corporates are going to have to engage in that same process,” Melican said, by asking, “‘What are our risky products and services? Which are the ones that cross borders? Which are the ones that are likely to enter sanctioned jurisdictions?’” The Federal Financial Institutions Examination Council (FFIEC) also provides guidance on risk management processes that non-financial institutions could leverage, he said.

When assessing sanctions risks, look to leverage what you have and develop the SCP from there. “There is no expectation of reinventing the wheel,” said David Sewell, a counsel in Debevoise & Plimpton, who also spoke on the Webcast.

An anti-bribery/anti-corruption risk assessment, for example, may be a good foundation for the SCP risk assessment, since regions that pose a high risk for bribery likely pose a high sanctions risk, as well. In its guidance, OFAC also recommends companies leverage existing information derived during onboarding, such as through the Customer Due Diligence (CDD) or Know Your Customer (KYC) process.

“Risk assessments and sanctions-related due diligence is also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies,” OFAC stressed. In practice, the compliance function should engage in appropriate due diligence to ensure sanctions-related issues are identified, escalated to senior management, addressed prior to the conclusion of any transaction, and incorporated into the risk assessment process.

Following the completion of an M&A transaction, audits “will be critical to identifying any additional sanctions-related issues,” OFAC said. Finally, risk assessments must be updated to account for the root causes of any violations or systemic deficiencies identified by the organization during the routine course of business—for example, through a testing or audit function.

3. Internal controls 

The purpose of internal controls relative to an SCP is to clarify expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the SCP risk assessment. Policies and procedures outlining the SCP should be “relevant to the organization, capture the organization’s day-to-day operations and procedures, are easy to follow, and designed to prevent employees from engaging in misconduct,” OFAC said.

There should also be someone with primary responsibility for “integrating the SCP’s policies and procedures into the daily operations of the company,” the guidance states. “This process includes consultations with relevant business units and confirms the organization’s employees understand the policies and procedures.”

In practice, this means if you simply have policies and procedures in place and no one with primary responsibility to integrate them, “I don’t think you’re going to get the credit from OFAC that [you are] looking for if something goes wrong,” Melican said.

Policies and procedures should be enforced, and weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated. Furthermore, internal or external audits and assessments of the program should be conducted periodically.

4. Testing and auditing 

A comprehensive and objective testing or audit function within an SCP ensures the company identifies program weaknesses and deficiencies. Moreover, it is the company’s responsibility to enhance the program to remediate any identified compliance gaps.

Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level. “Make sure that your foreign subsidiaries are subject to the same audit policy,” Melican said.

5. Training 

The training program should be provided to all appropriate employees and personnel on a periodic basis, and at a minimum, annually. Generally, OFAC advised, the training program should provide job-specific knowledge based on need; communicate the sanctions compliance responsibilities for each employee; and hold employees accountable for sanctions compliance training through assessments.

Furthermore, such training should extend to not just employees, but all stakeholders—clients, suppliers, business partners, and counterparties—to support the organization’s OFAC compliance efforts. In the event of a negative testing result or audit finding, further training or other corrective action should be provided concerning relevant personnel. Lastly, training materials should be easily accessible and available to employees on an ongoing basis.

Ten common ‘root causes’ of violations

In addition to outlining the five essential components of an SCP, OFAC also helpfully includes a non-exhaustive list of 10 common “root causes” of sanctions violations it has identified during the investigative process. “These are reoccurring areas where companies have had problems,” Sewell said.

The root causes OFAC has outlined include:

  1. Lack of a formal OFAC sanctions compliance program;
  2. Misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
  3. Facilitating transactions by non-U.S. persons, including through or by overseas subsidiaries or affiliates;
  4. Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries;
  5. Using the U.S. financial system for transactions involving OFAC-sanctioned parties;
  6. Incomplete due diligence on customers/clients; 
  7. Failure to update sanctions screening software;
  8. Using non-standard payments or commercial practices;
  9. Decentralized compliance functions and inconsistent application of an SCP; and
  10. Individual liability playing integral roles in causing or facilitating violations of the regulations administered by OFAC.

Now that OFAC has spelled out what it’s looking for in a robust sanctions compliance program and has described what it has identified as the “root causes” of sanctions violations, compliance officers for U.S. companies and global companies with a U.S. nexus should review the framework to ensure their SCP meets OFAC’s expectations, particularly since OFAC said it will “consider favorably” effective SCPs when resolving an enforcement action.