May 6, 2019
The U.S. Department of the Treasury’s Office of Foreign Assets Control last week issued a framework for OFAC Compliance Commitments, which, for the first time, outlines OFAC’s views on essential elements of a risk-based sanctions compliance program in a single document that can serve as a roadmap for organizations as they structure and evaluate these programs. The framework should be considered carefully by U.S. organizations with any significant foreign dealings, and foreign organizations that conduct business with the United States or that utilize U.S. goods, services, or financial systems.
The framework also makes clear that OFAC intends to target individual employees who are culpable for violations. That emphasis follows an action from earlier this year, where OFAC sanctioned an individual it deemed responsible for circumventing his employer’s compliance protocols.
The framework highlights a number of important developments within OFAC by:
While the framework acknowledges that risk-based sanctions compliance programs (SCPs) will vary based on a company’s size, sophistication, products and services, customers, counterparties, and locations, each SCP should include five essential elements.
Management commitment
Senior management should be committed to supporting the SCP by, among other things, ensuring the compliance function receives adequate resources and has the authority and autonomy to effectively control OFAC risks.
Risk assessment
Because SCPs should be risk-based, a “central tenet” of an SCP is conducting a routine, and, if appropriate, ongoing risk assessment to identify potential threats and vulnerabilities that, if not properly addressed, can lead to OFAC violations. Internal controls, testing, and training should all be appropriate for an organization’s level of risk.
OFAC suggests a “top-to-bottom” review of possible exposure to sanctions-targeted persons and jurisdictions, and because OFAC-administered sanctions are foreign facing, this will include assessing “touchpoints to the outside world.”
Internal controls
An effective SCP should include written, risk-based internal controls that outline clear expectations and procedures relating to OFAC-administered sanctions. Among other things, the controls should effectively identify, escalate, and prevent prohibited transactions. If an organization uses technological solutions, such as transaction, customer, or counterparty screening to interdict prohibited transactions, these solutions should be selected and calibrated appropriately, and routinely tested.
Testing and auditing
SCPs should include comprehensive, independent testing or auditing to ensure that the SCP is working as designed and remains appropriate in light of changes in risk profile or the sanctions landscape. The level of testing should be commensurate with the level and sophistication of the SCP. Immediate and effective action should be taken on negative results.
Training
The SCP should include periodic training for all appropriate employees and personnel that provides adequate information and instruction to employees and other stakeholders to support OFAC compliance efforts, along with tailored training for high-risk employees.
Finally, OFAC listed what it viewed as common causes of sanctions violations in order to assist persons in designing their SCPs. These include:
If you have questions about OFAC’s new guidance or related issues, please visit our Anti-Money Laundering and Bank Secrecy Act practice page or contact an Orrick attorney with whom you have worked in the past.