The Office of Foreign Assets Control (OFAC) published guidance in May 2019 outlining its vision of effective sanctions compliance programs. Titled modestly as “A Framework for OFAC Compliance Commitments,” this was in truth a groundbreaking document for OFAC, which had not previously published anything so comprehensive about how a sanctions compliance program should be structured and what it should achieve.
Compliance professionals can use this framework to inform the design of their own sanctions compliance programs. Conceptually, it is quite similar to other guidance from the Justice Department and the U.S. Sentencing Guidelines. Strong executive support, risk assessment, internal controls, and periodic review and updating of the program have been the pillars of strong compliance programs for years, and they are all major themes in the OFAC framework as well.
That said, the framework also stresses several practical points for sanctions compliance, such as how to overcome the challenges of managing a decentralized sanctions compliance program or how to use screening software wisely. Difficulties in those areas are two of the 10 “root causes of sanctions compliance program breakdowns” that the OFAC framework explores in detail.
Moreover, the very publication of OFAC’s framework demonstrates two trends compliance professionals should consider. First, the risks around trade sanctions are rising, as governments around the world become more comfortable using economic sanctions as policy tools. Second, OFAC and other regulators are prodding the business community to build effective compliance programs rather than merely waiting to take enforcement action against companies with compliance failures.
All of this means that studying the OFAC framework is well worth a compliance professional’s time.
Commitment to a Strong Program
The first issue that OFAC names as a possible cause of sanctions compliance failure is the lack of any formal sanctions compliance program at all. While OFAC regulations don’t require organizations to have a sanctions compliance program, this root cause does underline the framework’s fundamental message: that organizations must give sanctions compliance risk the attention it deserves and commit themselves to addressing it on a risk basis.
Foremost, a business should designate a sanctions compliance officer. The framework makes clear that this person can have other compliance duties as well (say, an export control officer or head of financial crimes compliance), but the organization should be able to say, essentially, “This person is responsible for the firm’s sanctions compliance issues.”
Moreover, that person (and his or her subordinates) should be competent in the details of sanctions rules and understand how those rules apply to the company’s transactions. For example, we’ve seen OFAC find a violation in cases where firms mistakenly concluded that sanctions rules didn’t apply to them because a customer was a US citizen with a US bank account. In reality, those transactions could still violate US law if the customer resides in a nation such as Iran.
Sanctions rules can change quickly and applying them to specific transactions is not necessarily easy – sanctions compliance teams will need the knowledge and resources to do that job well.
Companies can also demonstrate a strong commitment to sanctions compliance by carefully considering the structure of their sanctions compliance program. The OFAC framework warns about the risks of a decentralized approach, where local business units might handle sanctions compliance and suspicious transactions themselves. That could lead to inconsistent application of policies and procedures, especially if local compliance staff aren’t fully versed in sanctions rules.
The OFAC framework also cites the importance of training (which should be risk-based); disciplinary measures (which should be carried out as necessary to address employee misconduct); investigations and self-reporting (once suspicious transactions have been uncovered); and so forth.
None of those ideas should be unfamiliar to an organization that has already dealt with anti-corruption compliance, government contracting, or similar regulatory compliance issues. The bottom line is that a company’s sanctions compliance program should have strong executive support, and that support should translate into skilled, empowered sanctions compliance staff who can implement a strong sanctions compliance program.
Internal Controls and Testing
The OFAC framework also puts a heavy emphasis on internal controls to maintain an effective sanctions compliance program. Compliance professionals will need to immerse themselves in the details of developing and maintaining these controls to ensure that their companies’ sanctions compliance programs meet the challenge.
Start with policies and procedures. A sanctions compliance program should include written policies explaining the relevant laws and regulations and what the program aims to accomplish. The policies should be written in easy-to-understand language and be relevant to how employees actually work with customers and process transactions. The procedures should provide guidance to employees on how to comply with sanctions rules and consequences for misconduct.
While each company will need to develop its own procedures, the OFAC framework singles out four specific actions that should be covered in all cases:
- Identify suspicious transactions, which implies a level of due diligence.
- Interdict those transactions before they are processed.
- Escalate suspicious transactions to appropriate compliance personnel for further review.
- Report suspicious transactions to external authorities, as determined by leadership.
When building a sanctions compliance program, compliance professionals should consider what data in the enterprise might be necessary to execute these goals and what business processes can be leveraged to intercept and impede suspicious transactions before the deals proceed.
Compliance professionals will also need to focus on record-keeping and reporting procedures, since they are critical for OFAC itself to fulfill its own mission. A single individual might work with multiple companies to evade sanctions rules, and OFAC relies on the reports of blocked and rejected transactions it receives from all those firms to build a complete picture of potentially illegal activity.
Lastly, the OFAC framework expects companies to review and improve their sanctions compliance programs through audits, testing, and remediation of any weaknesses found. That testing can be done either internally or through an outside party, but again, OFAC expects those audits to be done with the competence and resources necessary to do them well.
Once those audits are completed, the company must take “immediate and effective action” to remedy any gaps found. As a stop-gap measure, compliance professionals should introduce compensating controls, which means answering two questions: How do we fill this gap right now? Which procedures or business functions do we need to adjust to do that? The compliance function should then perform a root-cause analysis to determine what deeper changes are necessary to close the gap permanently.
Better Use of Technology
The OFAC framework singles out companies’ use of screening or filtering software. Specifically, OFAC warns companies that whatever software they use, that software must do three things: (1) stay current with the agency’s Specially Designated Nationals (SDN) list, (2) screen for relevant red flags such as SWIFT codes for blocked financial institutions, and (3) account for alternative spellings of prohibited firms or people.
In 2018, for example, OFAC imposed an $87,500 penalty on an electronics distributor that used screening software but had miscalibrated the software’s settings. As a result, the distributor didn’t notice that one of its customers was the subsidiary of a sanctioned Russian business: the screening software only searched for full company names and ignored partial matches, so the subsidiary’s longer name never tripped a hit on the parent’s listing.
Compliance officers will need to consider how they use screening software and how they work with external vendors to avoid such mistakes. Some of those considerations will be technical, such as ensuring that screening settings (partial-name matching, fuzzy-matching thresholds, alternative transliterations) cast a wide enough net for potential matches on the SDN list or blocked financial firms, while still keeping false positives manageable. Compliance professionals will also need to consider how they combine external data (say, from a screening vendor) and internal data (such as a customer’s transaction history) into a complete understanding of suspicious transactions.
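To make the screening point concrete, here is an added example (not code from the original article, and not any vendor’s product) that puts the miscalibrated “full name only” behaviour beside a screen that also does partial and fuzzy matching and checks SWIFT/BIC codes. The watchlist entries, customer names and BIC are constructed for illustration and are not OFAC data; the 0.8 per-token similarity floor and 0.6 coverage threshold are assumed tuning values, not figures from the framework. Comparing only the first eight characters of a BIC relies on the fact that an 11-character BIC is the institution’s 8-character BIC plus a branch code.

```python
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher
from typing import NamedTuple

# Constructed watchlist in the shape of SDN-style entries (primary name, AKAs, BIC).
# Fictional names for illustration only; this is not real OFAC list data.
WATCHLIST = [
    {"name": "Northwind Industrial Group",
     "aka": ["Northwind Group", "Severnyy Veter"], "bic": "NWIDRUMM"},
    {"name": "Esteban Rivera-Molina",
     "aka": ["Rivera Molina, Esteban"], "bic": None},
]

# Corporate suffixes and filler words carry no identifying signal; drop them before matching.
NOISE = {"LLC", "LTD", "LIMITED", "INC", "CORP", "CORPORATION", "CO", "COMPANY",
         "GMBH", "SA", "PLC", "THE", "OF", "AND"}


def normalize(name: str) -> str:
    """Strip accents, uppercase, turn punctuation into spaces, collapse whitespace."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Z0-9]+", " ", ascii_name.upper()).split())


def tokens(name: str) -> list[str]:
    return [t for t in normalize(name).split() if t not in NOISE]


class Hit(NamedTuple):
    listed_name: str   # primary name of the watchlist entry that matched
    matched_on: str    # "exact", "partial", "fuzzy" or "bic"
    score: float       # share of the listed name's tokens found in the subject


def _token_coverage(listed: str, subject: str, fuzzy_floor: float = 0.8) -> tuple[float, bool]:
    """How much of the listed name appears in the subject, and whether every
    matched token matched exactly (vs. only within the fuzzy floor)."""
    lt, st = tokens(listed), tokens(subject)
    if not lt or not st:
        return 0.0, False
    matched, all_exact = 0, True
    for a in lt:
        best = max(SequenceMatcher(None, a, b).ratio() for b in st)
        if best >= fuzzy_floor:
            matched += 1
            all_exact = all_exact and (best == 1.0)
    return matched / len(lt), all_exact


def screen_full_name_only(subject: str, watchlist=WATCHLIST) -> list[Hit]:
    """The miscalibrated configuration: a hit only when the whole name matches."""
    subj = normalize(subject)
    return [Hit(e["name"], "exact", 1.0) for e in watchlist
            if subj in {normalize(n) for n in [e["name"], *e["aka"]]}]


def screen(subject: str, bic: str | None = None, watchlist=WATCHLIST,
           threshold: float = 0.6) -> list[Hit]:
    """Partial and fuzzy name screening against primary names and AKAs,
    plus BIC screening on the 8-character institution code (BIC11 = BIC8 + branch)."""
    hits: list[Hit] = []
    subj_norm = normalize(subject)
    for e in watchlist:
        names = [e["name"], *e["aka"]]
        best_cov, best_exact = 0.0, False
        for n in names:
            cov, exact = _token_coverage(n, subject)
            if cov > best_cov:
                best_cov, best_exact = cov, exact
        if best_cov >= threshold:
            if subj_norm in {normalize(n) for n in names}:
                kind = "exact"
            elif best_exact:
                kind = "partial"   # listed name is contained in a longer subject name
            else:
                kind = "fuzzy"     # alternative spelling / transliteration
            hits.append(Hit(e["name"], kind, round(best_cov, 2)))
        if bic and e["bic"] and normalize(bic).replace(" ", "")[:8] == e["bic"][:8]:
            hits.append(Hit(e["name"], "bic", 1.0))
    return hits


if __name__ == "__main__":
    subsidiary = "Northwind Industrial Telecommunications LLC"
    print("full-name only:", screen_full_name_only(subsidiary))   # misses the subsidiary
    print("partial/fuzzy: ", screen(subsidiary))
    print("alt spelling:  ", screen("Northwynd Industriel Group"))
    print("clean + BIC:   ", screen("Blue Harbor Shipping Co", bic="nwidrumm123"))
```

The `threshold` and `fuzzy_floor` values are exactly the kind of setting the 2018 case turned on: too strict and a subsidiary or a transliterated name slips through, too loose and the team drowns in false positives. Whatever engine a company buys, someone should be able to state what those settings are and test them against cases like the ones above.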
Again, compliance professionals need to ask: What capabilities does your sanctions compliance program need to have? Clearly the sanctions compliance program will need sophisticated analytics, tied closely to a repository of past customer transaction records. It also implies the need for a strong, centralized sanctions compliance team that can navigate such complex issues.
In essence, establishing a sanctions compliance program is not just about complying with a set of rules. It is about detecting risks, avoiding losses and, therefore, improving your business performance.