On May 2, 2019, the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") released extensive new guidance regarding what constitutes an effective sanctions compliance program. The document, titled "A Framework for OFAC Compliance Commitments," is significant in that it represents the most detailed statement to date of OFAC's views on the best practices that companies should follow to ensure compliance with U.S. sanctions laws and regulations. As described by OFAC, the document is meant to serve as a roadmap for how to prevent sanctions violations from occurring in the first place and, when violations do occur, to provide greater transparency with respect to how OFAC will assess the adequacy of a company's existing compliance program in determining what penalty to impose.

As we described in our 2018 Year-End Sanctions Update, this guidance reflects OFAC's increasingly aggressive approach to enforcement.  In December 2018, Treasury Under Secretary Sigal Mandelker announced that OFAC intended to outline the hallmarks of an effective sanctions compliance program and described those elements in broad strokes.  The May 2 guidance expands upon those elements and will serve as a key benchmark for the evaluation of sanctions compliance programs going forward.

Notably, the OFAC compliance guidance was published on the heels of another compliance-related pronouncement from the U.S. Department of Justice ("DOJ"), as described here.  Taken together, the DOJ and OFAC guidance supports our oft-given warnings against a siloed approach to compliance for multinational companies.  To date, many organizations that developed anti-corruption compliance programs in line with the extensive criteria set forth by the DOJ and the Securities and Exchange Commission ("SEC") have not benefitted from the same kind of prescriptive guidance with respect to sanctions risks.

Five Components of an Effective Sanctions Compliance Program

Consistent with longstanding policy, OFAC in its newly published compliance framework continues to take the view that there is no such thing as a "one-size-fits-all" sanctions compliance program, and that a company should generally take a risk-based approach tailored to that company's particular profile.  Where OFAC breaks new ground is in publishing a detailed framework that—while recognizing that there will be some variability from one organization to the next in terms of the particulars—sets out what OFAC views as the five essential components of any strong sanctions compliance program.  In order, those components are:

  1. Management commitment;
  2. Risk assessment;
  3. Internal controls;
  4. Testing and auditing; and
  5. Training.

In addition to the similarities to the DOJ compliance focus areas, the five OFAC elements loosely correspond to the elements of compliance as articulated by the Financial Crimes Enforcement Network ("FinCEN") with respect to financial institutions.  Broadly speaking, the new OFAC framework corresponds with the lifecycle of a compliance program—starting with a deep commitment on the part of senior management to creating a culture of compliance backed by sufficient resources.  OFAC then advises that companies conduct a thorough assessment of, among other things, their customers, supply chain, intermediaries, counterparties, products, services and geographic locations to identify potential sources of sanctions-related risk.  To prevent those risks from materializing, OFAC makes clear that it expects companies to develop appropriate internal controls, including policies and procedures designed to detect and report upward potential sanctions violations.  Such policies and procedures should also be regularly tested and updated to address any weaknesses that may be identified.  At the same time, to ensure the program is properly implemented, relevant employees should receive training on the company's sanctions compliance policies and procedures at regular intervals of no more than a year.

Within each of the five components of an effective sanctions compliance program, OFAC also provides concrete examples of best practices that companies are expected to follow.  For example, when conducting a risk assessment, companies are advised to develop an onboarding process for new customers and accounts that includes a sanctions risk rating based on both know-your-customer information provided by the potential counterparty and independent research conducted by the company.

Consistent with OFAC's existing Economic Sanctions and Enforcement Guidelines, when apparent violations do occur, the nature and extent of a company's compliance program will continue to be a potential aggravating or mitigating factor for purposes of determining what penalty to impose.  With the publication of the new OFAC compliance framework, companies subject to U.S. jurisdiction now have the benefit of a more granular understanding of what policies and procedures will lead OFAC to conclude that their sanctions compliance program is adequate or deficient.

Moreover, in recent settlement agreements OFAC has often required companies to certify on an annual basis that they have implemented and maintained an extensive set of sanctions compliance commitments.  Now that OFAC has clearly staked out what it views as the essential components of an effective sanctions compliance program, we assess that such periodic certifications are likely to become a regular feature of OFAC settlements going forward.

Ten Common Pitfalls of Sanctions Compliance Programs

In addition to spotlighting what it views as the components of an effective sanctions compliance program, OFAC also identifies in an appendix to its new framework common areas where sanctions compliance programs fall short.  Derived from recent OFAC enforcement actions, this section of the framework is designed to alert U.S. and non-U.S. companies to common pitfalls that could cause a company to incur U.S. sanctions liability.

OFAC identifies a total of ten common causes of U.S. sanctions violations, including:

  1. Lack of a formal OFAC sanctions compliance program;
  2. Misinterpreting, or failing to understand the applicability of, OFAC's regulations;
  3. Facilitating transactions by non-U.S. persons;
  4. Exporting or re-exporting U.S.-origin goods, technology or services to OFAC-sanctioned persons or countries;
  5. Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries;
  6. Sanctions screening software or filter faults;
  7. Improper due diligence on customers and clients;
  8. De-centralized compliance functions and inconsistent application of a sanctions compliance program;
  9. Utilizing non-standard payment or commercial practices; and
  10. Individual liability.

These root causes of sanctions violations are best viewed as traps for the unwary.  While many of the above potential causes of U.S. sanctions violations—each discussed at greater length in the framework—will be familiar to sophisticated parties and their counsel, the document nevertheless serves as a useful refresher of the various ways in which companies commonly run afoul of OFAC regulations and may be especially useful for employee training purposes.

Recommendations

Now that OFAC has finally provided a detailed statement of what it views as sanctions compliance best practices, companies engaging in activities with a U.S. nexus should take this opportunity to carefully review the strengths and weaknesses of their existing sanctions compliance programs.  In particular, companies should use the OFAC framework as a baseline, carefully assess whether their own compliance program contains all of the basic components that OFAC has indicated that it expects to be present, and update their compliance program accordingly.  By taking these simple steps, compliance-minded companies may reduce their risk of incurring U.S. sanctions liability and may also reduce their potential exposure if, despite their best efforts, a violation somehow occurs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.