Organizations know that a strong sanctions compliance program is necessary to avoid doing business with a designated person or entity. But with global sanctions regimes changing at a dizzying pace, Chief Compliance Officers (CCOs) are up against significant challenges in developing an effective framework. Major global upheaval is driving the issue, and turmoil surrounding US sanctions against Turkish individuals and institutions is just one recent example. With that backdrop, the US Treasury’s Office of Foreign Assets Control (OFAC) issued its first framework for sanctions compliance commitments in May 2019.
The stakes for non-compliance with sanctions laws are steep. US sanctions fines have hit a decade high, so when OFAC issued “A Framework for OFAC Compliance Commitments,” the guidance was welcomed by compliance officers. Although it doesn’t contain new information, the framework does provide transparency into OFAC’s expectations for a sanctions compliance program (SCP). Though non-prescriptive in nature, the guidance provided US businesses, as well as foreign entities that conduct business in or with the United States, with the essential components of an effective SCP. OFAC also included an appendix outlining the common “root causes” of sanctions violations.
In this piece, we look at how OFAC’s guidance has raised the bar for firms and consider top recommendations for achieving stronger sanctions compliance.
The Five Essential Components
The OFAC framework outlines the technical, organizational, and human-resource requirements businesses are expected to implement to enable effective compliance. It acknowledges that one size doesn’t fit all, reiterating that every organization must consider its own circumstances when developing a sanctions compliance program. The guidance offers five essential components that OFAC would expect to be incorporated into a program, irrespective of the size or scope of the business. The five components are:
- Management Commitment: OFAC identified the support of senior management as one of the most critical factors for effective sanctions compliance. OFAC stated that committed management “helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.”
- Risk Assessment: OFAC’s guidance states that risk assessments “should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.” Potential risk areas that need to be reviewed include supply chains, intermediaries, customers, and counterparties.
- Internal Controls: SCPs should include internal controls, such as policies, procedures, and escalation processes, as well as detailed record-keeping pertaining to OFAC compliance. The guidance also states that controls should capture the day-to-day operations of the organization and be easy for employees organization-wide to grasp.
- Testing and Auditing: Checks and balances are always required, and it’s no different with a sanctions compliance program. OFAC’s recommendations are that an organization identifies “weaknesses and deficiencies” through a comprehensive testing/audit function.
- Training: The final component recommended by OFAC is an effective training program. All appropriate employees and stakeholders should receive training based on their role and responsibilities. OFAC views regular training as “critical” to the success of a sanctions compliance program.
Developing More Effective Sanctions Compliance
The message from OFAC is clear: US regulators expect businesses to develop and maintain comprehensive sanctions compliance programs. Here are our top recommendations for achieving stronger sanctions compliance:
Your business is unique. Your SCP should be too.
While it may be tempting to follow a pre-existing program, that won’t impress the regulators should things go wrong. A risk-based approach is at the heart of OFAC’s framework, so tailoring your approach to sanctions compliance is essential to avoid regulatory cross hairs. Understanding which parts of your business are more vulnerable to sanctions risk should drive the development process. For example, identify where your organization has an increased chance of involvement with sanctions targets or their agents and develop your policies accordingly.
Think about your business holistically.
The US sanctions framework is one of the most stringent internationally, so an SCP based on the OFAC sanctions compliance framework will set a high benchmark. Programs must be considered globally, however, to be truly compliant. In addition, a strong compliance program must reflect the changing nature of business and sanctions. Consider the frequency of your screening programs and make sure they can incorporate changes and accommodate continuous monitoring as needed.
Get your due diligence right.
Improper due diligence on third parties, customers, or clients is a major area of concern for OFAC, and is listed as one of its ten root causes of SCP breakdowns or deficiencies. Holes in your knowledge of your organization’s customers, supply chain, intermediaries, an counter-parties can expose your business to unnecessary regulatory scrutiny. Comprehensive due diligence throughout the relationship lifecycle identifies warning signs and problems with partners before they escalate. Ongoing monitoring of your high-risk entities should form a critical part of your sanctions strategy.
Interested in learning more about applying OFAC’s framework to your sanctions compliance program? Contact us to speak with an expert from our team and to learn more about how our due diligence services can help you manage complex risk management and compliance concerns.