In May 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published A Framework for OFAC Compliance Commitments to provide organizations with a framework for the five essential components of a risk-based sanctions compliance program (“SCP”). In this Advisory, we briefly review each of the five components expected for an SCP and some of the root causes of OFAC violations.
While OFAC regulations do not require a formal SCP, we (and OFAC) strongly encourage institutions to adopt a formal, written SCP. One reason for this suggestion is that, in an enforcement scenario, OFAC will evaluate an SCP consistent with the contours of its Economic Sanctions Enforcement Guidelines and “will consider favorably” those institutions that had an effective SCP at the time of an apparent violation.
For financial services companies and institutions otherwise subject to U.S. AML regulations issued by the Financial Crimes Enforcement Network, the components for an SCP outlined below should look remarkably familiar since they are similar to the four pillars of an effective AML program.
OFAC outlines the following components for an effective SCP:
- Management Commitment – Support through the provision of adequate resources and authority for the compliance function, as well as a dedication to a culture of compliance.
- Risk Assessment – Utilization of periodic risk assessments the results of which will assist in informing and updating the policies, procedures, internal controls, and training to mitigate risks.
- Internal Controls – Controls should include policies that outline expectations, define procedures and processes for compliance, and minimize risks identified in the risk assessment.
- Testing and Audit – Comprehensive testing/audit to ensure that weaknesses and deficiencies are identified and compliance gaps are remediated.
- Training – Periodic training for all appropriate personnel should provide job-specific knowledge, sanctions responsibilities, and assessments to hold personnel accountable.
In addition to the components of an effective SCP, OFAC includes a brief review of some of the root causes associated with apparent violations of the OFAC regulations, which include, but are not limited to:
- Lack of a formal SCP
- Failure to understand the applicability of OFAC regulations
- Exporting or re-exporting U.S.-origin goods or services to sanctioned persons/countries
- Processing transactions involving sanctioned persons/countries through U.S. institutions
- Failure to update sanctions screening software or filters
- Improper or incomplete due diligence conducted on customers
- Decentralized compliance functions and inconsistent application of the SCP
- Use of non-standard payment or commercial practices
Key Considerations (KCs):
- Consider developing a formal, written SCP if you are subject to the OFAC regulations.
- Consider the most recent risk assessment and where there are areas for improvement in your SCP.
- Consider recent enforcement actions by OFAC and update training and your SCP accordingly.
Howard & Howard has a dedicated team of financial services attorneys with deep experience handling complex transactional, regulatory, and litigation matters. Our attorneys regularly advise clients on M&A, strategic transactions, third party engagements, enforcement matters, and regulatory compliance. For more information or for questions related to this Financial Institution Advisory, please contact the author(s), your Howard & Howard attorney, or visit our Financial Institutions Group page.