OFAC’s Framework for Sanctions Compliance
Kelley Drye Client Advisory
In a first for the agency, OFAC recently published guidelines on the key elements of an effective sanctions compliance program and identified important risk areas for U.S. and non-U.S. companies. Any company conducting international business should review the document in detail, as it outlines OFAC’s compliance expectations and provides a path to mitigate the risk of unintentional violations of U.S. sanctions regulations. Similar to compliance guidelines issued by other trade compliance regulators, OFAC outlines five essential components of a compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. OFAC has also explored these elements in recent settlement agreements, including with Zoltek Corporation, Standard Chartered Bank, Unicredit Group Banks, and MID-SHIP Group LLC.
An effective compliance program helps you identify and stop problems before they become widespread, limiting the chances that your company will be subject to substantial penalties. If unintentional errors do occur, an effective sanctions compliance program is an important mitigating factor under OFAC’s Enforcement Guidelines, which can reduce any penalty issued in an enforcement context and shows enforcement personnel that the company was serious about compliance. Based on OFAC’s guidelines, recent enforcement cases, and our experience with clients, these are some key considerations for companies that wish to maintain an effective sanctions compliance program:
1. THE PROGRAM
Successful compliance programs have two elements – a written, documented program and internal controls that implement that program. There are lots of great written compliance program “manuals” and program documents out there, but they don’t do much good for a company if they are not actually implemented through effective controls. Written programs should set minimum compliance standards for the enterprise and require business units to adopt controls that address the specific risks presented by their lines of business and markets of operation. Companies should provide centralized oversight to ensure that their written program is up-to-date and that businesses’ internal controls meet the program’s enterprise-wide expectations.
When developing or updating your written program, it is also important to remember that the document has two audiences – internal company personnel and regulators. The document should be readable and usable for your employees, but also contain all of the elements that OFAC and other regulators consider essential to a successful program. Depending on the industry, the sanctions compliance program may be part of a broader international trade compliance program or financial regulatory compliance program.
And while a compliance program can be a mitigating factor in an enforcement proceeding, the lack of an effective program is a considered an aggravating factor increasing the likelihood of a larger penalty, as in the recent e.l.f. Cosmetics, Inc. case.
Sanctions compliance programs should be flexible and adaptable to changing rules, personnel, business, and technology. OFAC’s rules are notoriously complex and often change suddenly in response to U.S. foreign policy concerns. Companies must monitor these regulatory developments and be ready to respond quickly. Business also changes, which can create significant compliance risks, including when new products are not sufficiently integrated into the program, critical compliance personnel move on to new opportunities, or new business technology, including compliance screening programs, are rolled out. Successful programs are resilient when change happens – programs should not be dependent on specific personnel to operate, new products should be analyzed for sanctions risks before they are brought to market, and IT systems should be sufficiently tested for sanctions compliance before they are deployed.
3. IDENTIFYING RISKS
OFAC emphasizes that companies need to proactively identify sanctions risks applicable to their business by conducting formal risk assessments. Risk assessments can be enterprise-wide or product-specific and should focus both on how you sell goods and services, and your supply chain. Take a scientific, empirical look at your products and services. You should be asking, how does my company buy and sell goods and services based on real world data collected by the company? What are the sanctions compliance risks presented by that business activity? Consulting with data scientists can be a good idea – they can help identify procurement, sales, and use patterns that may highlight previously unidentified sanctions risks.
As recent OFAC settlement agreements have highlighted purchasing an overseas business can expose a U.S. company to heightened sanctions compliance risks. Under the doctrine of successor liability, a U.S. purchaser becomes liable for any past OFAC violations committed by an acquired entity in the five years prior to closing. If an acquired entity conducted business with sanctioned parties or countries in the past, and that activity was subject to U.S. jurisdiction, the purchaser can be left with the cost of any future OFAC penalties. Incorporating a robust sanctions due diligence process into the M&A process helps to address (and price) this risk. After closing, it’s also critical that U.S. purchasers monitor the activity of newly acquired foreign subsidiaries, particularly if they that have a history of dealings with sanctioned territories or persons. Foreign subsidiaries can generate substantial liability for U.S. parents if they continue business with sanctioned territories and/or persons after closing.
When compliance gaps are identified, companies should move to swiftly mitigate them. In its guidelines, OFAC recognizes that it can take time to implement formal measures to address newly identified sanctions compliance risks. This is particularly true where new technology must be developed or deployed to address the gap. OFAC also emphasizes, however, that companies should adopt interim compliance measures as soon as possible while the formal measures are being designed and deployed. This also a critical step to limit the company’s liability in an enforcement context, as repeated errors can be deemed “egregious” by OFAC, seriously increasing the company’s penalty exposure. The PayPal, Inc. case is a good example of how penalties can rapidly multiply if OFAC determines that violations are egregious – the company faced a nearly $7.7 million penalty, primarily for failing to cease repeated transactions with a sanctioned party that were valued at only $7,092.
Remember to document your interim and final remediation steps and to test those enhancements to make sure they are working as intended.
Sanctions compliance can be complex and designing effective controls can be challenging, particularly for companies that conduct or process large volumes of transactions. Regular testing is the only way to determine whether your program is operating as intended. As with any complex system, gaps in IT systems can develop over time. Companies that rely on teams of human analysts to review sanctions alerts must also systematically test and assess analyst determinations to ensure that alerts are reviewed according to company procedures. Ongoing testing and monitoring is essential to catch these issues before they become widespread problems, which could generate substantial liability in an enforcement context.
General, all-hands sanctions training is a great first step, but it is often not sufficient to address sanctions risks for many companies. Effective training programs should be specific to the company’s business and products and provide relevant groups of employees an overview of their obligations under the compliance program. Of course, all employees do not need to become experts in U.S. sanctions, but company personnel should understand how the sanctions compliance program affects their job responsibilities, who they should contact for help, and the implications of violations for themselves and the company. In some cases, training materials should be shared with third party partners, such as agents, distributors, and vendors.
Beyond compliance program considerations, OFAC also highlights a number of common pitfalls that have resulted in violations of OFAC’s regulations. These are some of the highlights:
1. LACK OF A PROGRAM
OFAC cites the lack of a formal sanctions compliance program as an underlying cause of many OFAC violations. As noted above, companies that conduct international business should adopt a formal sanctions compliance program to address this concern and to mitigate any future penalties.
2. MISUNDERSTANDING OFAC’S RULES
Many OFAC enforcement cases have involved companies that failed to understand how OFAC rules applied to their business or that OFAC’s rules applied to their activities. Unlike most countries, U.S. law can apply broadly to the activities of foreign persons operating outside of the United States. It is therefore critical that non-U.S. companies understand how OFAC may claim jurisdiction over non-U.S. operations. Non-U.S. companies should examine the full life cycle of transactions that involve parties subject to sanctions to determine whether U.S. rules apply and whether the conduct at issue is prohibited. For example, activities involving U.S. persons, including U.S. companies, citizens, and permanent residents are subject to U.S. jurisdiction. Transactions involving U.S. goods and services can also trigger OFAC jurisdiction and implicate U.S. export control laws. Directly or indirectly involving the U.S. financial system in transactions involving sanctioned persons or territories is also prohibited, including denominating transactions in U.S. dollars in most instances.
U.S. companies and individuals are broadly barred from assisting non-U.S. persons with any transaction or dealing that the U.S. person could not conduct herself. Such “facilitation” includes referring sanctions-related business to foreign affiliates, approving foreign affiliate dealings with sanctioned parties or territories, and providing back office support, among other activities.
4. SCREENING FAILURES
The only way to comply with OFAC’s rules is to screen transactions for the involvement of sanctioned persons and territories. Screening failures include failures to update screening lists, which change on a regular basis, failures to screen relevant information, and failures to use sufficient “fuzzy” matching to identify alternative spellings of sanctioned parties’ names or sanctioned jurisdictions. Companies that conduct a high volume of international transactions with a diverse array of customers, including money transfer businesses and certain e-commerce companies, are at the highest risk of compliance gaps resulting from screening failures.
Sanctions compliance is more complex than ever, with OFAC issuing new and highly tailored sanctions rules on an increasing basis. Adopting a robust and tailored compliance program is essential to ensure compliance in this ever-changing environment. A written program, backed up by trained personnel and properly deployed screening technology can help companies prevent violations and avoid egregious penalty determinations. Ongoing assessments, based on real world data, will help to ensure that the program is up-to-date and prevent minor issues from becoming systemic and widespread.