Authors: John O'Donnell, Jonathan Cross, Geng Li, Christopher Milazzo, Susannah Cogman and Daniel Hudson
Further emphasizing its expectation that all companies whose business touches on the United States should maintain a robust, risk-based US economic sanctions compliance program ("SCP"), the US Treasury's Office of Foreign Assets Control ("OFAC") has published a detailed "Framework for OFAC Compliance Commitments" (the "Framework") setting forth the key components of an adequate SCP. OFAC's release of the Framework heightens the need for US and international companies to review their existing policies, procedures and controls relating to sanctions compliance, and to make appropriate changes to update relevant policies in line with OFAC's guidance. As the number and scale of US sanctions enforcement actions increase, maintaining an effective SCP is an essential tool for managing sanctions risk; conversely, the Framework makes clear that the absence of an adequate SCP will be viewed negatively by OFAC pursuant to its Economic Sanctions Enforcement Guidelines.
The Framework includes a discussion of the typical "root causes" of sanctions violations leading to OFAC enforcement action; in most cases, SCP deficiencies are key elements in these examples. Thus, all companies whose business directly or indirectly involves the US or US persons should review their SCP carefully in consideration of these identified root causes.
- Who needs to implement an SCP?
- What are the essential components of an SCP?
- Key internal controls elements
- Conclusion
Who needs to implement an SCP?
The Framework explains that OFAC does not "require" a formal SCP, meaning that in the absence of an underlying violation of sanctions requirements, failing to maintain an SCP is not itself a basis for enforcement. Nevertheless, OFAC "strongly encourages" "organizations subject to US jurisdiction, as well as foreign entities that conduct business in or with the United States, US persons, or using US-origin goods or services" to implement an SCP. The Framework further reiterates that a company's SCP, both at the time of the apparent violation and after the violation, will be evaluated in an enforcement action, and is a substantial factor in OFAC's analysis as to whether a case is deemed "egregious," meriting higher penalties.
This expectation is not limited to companies organized under US laws, because most non-US companies doing business internationally have exposure to US persons and/or US-origin goods or services. For example, almost all transactions denominated in US dollars are processed by banks based in the US, which are US persons, and many companies use US-based computer servers and other IT infrastructure. Many non-US companies also have employees who are US citizens or permanent residents. Further, causing US persons to violate US sanctions requirements, as well as causing the prohibited export of services from the US in aid of sanctioned transactions, may lead to liability for non-US persons. Each of these "touchpoints" to the US can expose non-US companies to criminal and civil risks under US law, especially in the absence of an SCP.
Furthermore, a number of the root causes identified are generally more relevant to non-US persons. For example, non-US persons might re-export US-origin goods, technology or services to, or use the US financial system for commercial transactions with, OFAC-sanctioned persons or countries. Although OFAC has in the past focused on organizations that are large or sophisticated, even smaller companies should now consider that, with the publication of the Framework, they are on fair notice of OFAC's expectation that they have a risk-based SCP.
What are the essential components of an SCP?
While emphasizing that there is no one-size-fits-all program and all SCPs should be risk-based, the Framework lays out five essential components for the SCP: (i) management commitment; (ii) risk assessment; (iii) internal controls (including written policies and procedures); (iv) testing and auditing; and (v) training. Most notably:
- The Framework expressly recommends that senior management review and approve the organization's SCP. "Senior management" typically should include senior leadership, executives, and/or the board of directors. Review and approval should be clearly documented. The Framework notes that visible, senior management endorsement and support for a company's SCP will generally improve the policy's effectiveness by demonstrating senior management commitment and empowering other constituencies within the company to take action in order to prevent violations of the SCP or of underlying sanctions requirements.
- The Framework states that organizations should appoint a dedicated OFAC sanctions compliance officer – this could be the same person serving in other senior compliance positions, such as the Bank Secrecy Act Officer (for financial institutions) or export control officers. The key is that OFAC compliance responsibility is clearly assigned to named personnel within the organization, who are themselves adequately trained to implement and administer the policy.
- The Framework also recommends "direct reporting lines between the SCP function and senior management, including routine and periodic meetings between these two elements of the organization." If the designated sanctions compliance officer reports to senior management through a dotted line (e.g., through the General Counsel or the head of another business function), the reporting structure may need to be revised to provide more direct interaction between the compliance officer and senior management.
- The Framework emphasizes the use of information technology software and systems to support sanctions compliance. Screening software has now been commonly adopted by many large organizations as part of their SCP; however, companies should avoid simply using standard software without attention to its capabilities and parameters and how those relate to the company's other business processes. Some manual review and testing are still generally expected. For example, companies should review which parties are being screened (e.g., customers, supply chain participants, intermediaries, counterparties of customers, and owners and controllers of these persons in some cases), and make sure that the screening software periodically re-screens these parties. Notably, one of the root causes identified is screening software that does not account for alternative spellings of a name, so a "fuzzy lookup" function should be used. As another example, software that generates many false hits can divert compliance resources from higher-risk monitoring, so customization may be needed to systematically rule out "false hits" and other spurious results. The sanctions compliance officer is expected to work closely with software experts in this area to optimize the software's performance and to reduce faults and errors.
- The Framework specifically calls for a routine sanctions risk assessment, taking into consideration specific clients, products, services, and geographic locations. The Economic Sanctions Enforcement Guidelines also provide a useful OFAC Risk Matrix for this purpose. While it is common for the risk assessment to be part of a larger exercise reviewing a variety of the company's financial controls and operational risks (usually carried out by an organization's internal audit function), the detailed analysis will need proper input from people who have specific knowledge and expertise in sanctions compliance. Guidance from other US regulators, such as the Justice Department, also characterizes the process of risk assessment as the "starting point" for a prosecutor's evaluation of a company's compliance program.
- The Framework puts a greater emphasis on the need for the SCP to be capable of adjusting rapidly to changes in US economic sanctions. This is an issue that merits particular attention compared to other financial crime issues, because sanctions are usually put in place at short notice and some restrictions imposed in recent years are quite complex. The relevant gatekeepers should stay alert for any such changes.
- The Framework indicates that, at minimum, companies should provide annual training to appropriate employees and personnel on sanctions compliance. It also encourages companies to train other stakeholders, such as clients, suppliers, business partners, and counterparties.
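The screening points above (alternative spellings, word order, false hits) are illustrated by the following added example, which is editorial code written for this bulletin and not from OFAC or any screening vendor; the watch-list entries are constructed sample names, not real designations, and a real SCP would load OFAC's published list data instead.

```python
"""Illustrative name screening: exact lookup versus a similarity threshold."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list (placeholder names). A production SCP would load
# OFAC's published SDN/consolidated list data here and refresh it regularly.
SAMPLE_LIST = ["Mohammed Al Rashid", "Trans Pacific Holdings Ltd", "Yevgeny Petrov"]

# Corporate suffixes and filler words that add no identifying information.
NOISE = {"ltd", "llc", "inc", "co", "company", "corp", "corporation", "the"}


def normalize(name):
    """Lower-case, strip accents and punctuation, drop corporate suffixes and
    sort the tokens so that 'Al Rashid, Mohammed' compares equal to
    'Mohammed Al Rashid' (word order must not defeat the screen)."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in NOISE))


def similarity(a, b):
    """Similarity in [0, 1] between two normalized names (standard-library
    ratio; commercial tools use more elaborate phonetic/edit-distance scoring)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def exact_screen(party, watchlist=SAMPLE_LIST):
    """The naive approach: only a normalized exact match is a hit, so the
    transliteration 'Muhammad' silently misses the listed 'Mohammed'."""
    return [entry for entry in watchlist if normalize(entry) == normalize(party)]


def screen(party, watchlist=SAMPLE_LIST, threshold=0.85):
    """Fuzzy lookup: return (entry, score) pairs at or above the threshold,
    best match first. Lowering the threshold catches more spelling variants
    but also produces more false hits that reviewers must clear manually."""
    scored = [(entry, round(similarity(party, entry), 3)) for entry in watchlist]
    return sorted([h for h in scored if h[1] >= threshold], key=lambda h: -h[1])


if __name__ == "__main__":
    for party in ["Muhammad Al-Rashid", "Al Rashid, Mohammed", "Mohammed Ali"]:
        print(party, "exact:", exact_screen(party), "fuzzy:", screen(party))
```

Running the block shows the trade-off: "Mohammed Ali" is correctly rejected at the 0.85 threshold but becomes a false hit at 0.70, which is the kind of parameter the sanctions compliance officer is expected to tune with the software experts.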
Key internal controls elements
Even though the Framework specifically covers sanctions compliance, not every element in a company's SCP needs to be sanctions-specific. There are many key internal controls that could use a shared structure with a company's general compliance system, which are also highlighted in the recently updated guidance by the Justice Department. These include:
- Employee and third party management – the risk assessment for such parties can be done as an integrated step to consider all relevant information relating to sanctions, corruption and other reputational risks, with proper input from relevant compliance functions.
- Policies and procedures – companies are expected to implement sanctions compliance policies and procedures, but other general compliance policies and procedures should also have a bearing on the company's SCP. For example, companies should ensure that their record keeping policies cover sanctions-compliance related documents. In addition, a company's financial controls policies serve as a key component of its sanctions compliance approach (e.g., by preventing the making of payments to accounts in sanctioned countries without proper review and approval).
- Training – the design and implementation of training can be managed by a single function to cover different areas. The key is to identify the proper audiences, determine the right frequency of training, and design the training's form and content to engage and involve the audience, maximizing effectiveness.
- Reporting lines and internal investigations – there should be an efficient mechanism to allow employees to report potential misconduct, including potential sanctions violations. The handling process for an alleged sanctions violation should generally be in line with other types of alleged misconduct. For example, there should be proper escalation based on the nature of the allegation, the investigation should be conducted by qualified personnel (in some cases by outside counsel), and the results of such investigations should be tracked.
- Testing and auditing – internal audit usually tests and audits many risk areas at the same time. While companies now need to ensure that the audit scope includes sanctions compliance, it is also critical to examine the entire audit process. For instance, the audit scope should be informed by the risk assessment (a company's Middle East or Russian operations might need more frequent sanctions compliance auditing); the information collection methods should be sound (in many cases, review of general ledger information alone is not enough: supporting documents and relevant policies and procedures should also be reviewed, and on-the-ground interviews are often needed); and recommendations should address the weaknesses identified in the audit and should actually be implemented.
- Mergers and acquisitions – the business functions carrying out mergers, acquisitions and integration should be familiar with the compliance risk (including sanctions risk) due diligence expectations and be a partner in the process. Sanctions due diligence on the business of the target company or merger partner is a particular challenge where the target or partner itself may have a less than comprehensive SCP and, therefore, may have difficulty confidently representing that there have been no historic violations of applicable sanctions. Post-transaction, the acquirer may face challenges in integrating the target's SCP with its own, especially if the target is a non-US company with limited, or no, formal SCP.
Designing and implementing an effective compliance program is not an easy task. In the area of sanctions, compliance requires a thorough understanding of evolving sanctions regimes, operational integration, robust implementation, and continuing improvement. Both the Framework and the updated guidance from the Justice Department serve as valuable resources in this area, but every company must tailor its program to its risk profile, resources, and structure. Despite the challenges, the reward for an effective compliance program is tremendous: not only does it help with the resolution of specific enforcement actions, but it also increases a company's operational efficiency, promotes a better culture and raises a company's profile with its partners and counterparties. Thus, companies should seriously evaluate their investment in this area.
We have a global platform specializing in compliance and investigations work, and are ready to help companies design and implement sanctions and other compliance programs to meet regulators' expectations. Please contact the authors of this e-bulletin or your usual Herbert Smith Freehills contact for more information.