The Office of Foreign Assets Control of the US Department of the Treasury has published guidance to help organizations that do business with US persons or are subject to US jurisdiction to understand and comply with economic and trade sanctions requirements. The new publication, A Framework for OFAC Compliance Commitments, outlines the five essential components of a sanctions compliance program:
- A commitment on the part of senior management to support a company’s risk-based sanctions compliance program;
- Risk assessment, including routine, potentially ongoing assessments to identify potential OFAC issues likely to be encountered in a company’s business;
- Effective internal controls, including policies and procedures designed to identify, interdict, escalate, report and document activity that may be prohibited by OFAC-administered sanctions;
- A comprehensive and objective testing or audit function, followed by compliance program enhancements to remedy weaknesses and deficiencies identified by the audit; and
- A training program that provides appropriate employees with job-specific knowledge, communicates the sanctions compliance responsibilities of each employee; and uses assessments to hold employees accountable for the training.
The Framework also uses past OFAC administrative actions to illustrate the ten root causes of sanctions compliance program deficiencies, which include the use of non-standard payment methods; decentralized compliance functions; improper due diligence; defects in or failure to update sanctions screening software; use of the US financial system to process transactions involving sanctioned parties; approval or referral of business transactions between the foreign subsidiary of a US company and an OFAC-sanctioned entity; the export or re-export of US-origin goods or technology to sanctioned persons or countries; lack of a formal OFAC sanctions compliance program; misinterpretation of the scope and application of OFAC regulations; and failure of management of US-owned entities operating outside of the United States to comply with the US entity’s compliance program.
When assessing a civil monetary penalty, OFAC may consider the adequacy and nature of an entity’s compliance program, counting it as a mitigating factor if effective, and as an aggravating factor rendering a case “egregious” when inadequate or ineffective.