An effective compliance program is critical to mitigating the risk that a sanctions violation will occur. In the US, OFAC encourages a risk-based approach to sanctions compliance. In the UK, the FCA expects regulated entities to tailor their systems and controls to mitigate the risk of financial sanctions violations. In France, companies are encouraged to follow US and UK best practices.
No one size fits all. However, an effective sanctions compliance program will typically include the following:
- a top-down approach;
- up-to-date policies and procedures (including disclosure requirements);
- clear communication of policies and procedures;
- periodic training tailored to risk profile of company and level of involvement of particular types of staff (and third party agents);
- risk-based sanctions screening process;
- dynamic sanctions screening that is aligned to third party due diligence procedures;
- daily updates to US and EU sanctions lists necessitate regular reviews;
- non-US companies should screen for SDNs even without a US nexus to the transaction to avoid secondary sanctions, unknown US nexus, and reputational risks;
- processes in place for considering to whom payments are made and whether these funds come from a legitimate source;
- systems and controls in place that are tailored towards minimizing the risk of a sanctions violation;
- a system for reporting potential violations, conducting appropriate internal investigations, and imposing remedial measures;
- regular audits and reviews of sanctions screening policies, procedures, and training; and
- independent audits and testing.