The Office of Foreign Assets Control ( OFAC ) published guidance in May 2019 outlining its vision for effective sanctions compliance programs. Titled “A Framework for Compliance with OFAC’s Commitments,” it is a groundbreaking document for the organization, which had not published anything as comprehensive on how a sanctions compliance program should be structured and what it should achieve.
Compliance professionals can use
this framework to inform the design of their own sanctions compliance programs. Conceptually, it is quite similar to other Department of Justice guidance and the U.S. Sentencing Guidelines. Strong executive support, risk assessment, internal controls, periodic review, and program updates have been the cornerstones of strong compliance programs for years, and are also important themes in the OFAC framework.
That said, the framework also emphasizes several practical points for sanctions compliance, such as how to overcome the challenges of managing a decentralized sanctions compliance program or how to use detection software intelligently. Difficulties in those areas are two of the 10 “root causes of sanctions compliance program failures” that the OFAC framework explores in detail.
Furthermore, the very release of the OFAC framework demonstrates two trends that compliance professionals should be aware of. First, the risks associated with trade sanctions are increasing, as governments around the world become more comfortable using economic sanctions as public policy tools. Second, OFAC and other regulators are putting pressure on the business community to develop effective compliance programs rather than just waiting to take action against companies with compliance failures .
All of this means that studying the OFAC framework is well worth a compliance professional’s time .
Commitment to a strong program
The first issue OFAC cites as a potential cause of sanctions compliance noncompliance is the lack of a formal program. While OFAC regulations do not require organizations to have a sanctions compliance program, this cause underscores the framework’s core message: organizations must give sanctions compliance risk the attention it deserves and commit to addressing it.
First and foremost, a company should designate a sanctions compliance officer. The framework makes clear that this person may also have other compliance obligations (for example, an export control officer or head of financial crime compliance ), but the organization should be able to say, essentially, “This person is responsible for the company’s sanctions compliance.”
In addition, that person (and his or her subordinates) must be competent about the details of the sanctions rules and understand how those rules apply to the company’s transactions. For example, we have seen OFAC find a violation in cases where companies wrongly concluded that sanctions rules did not apply to them because a customer was a U.S. citizen with a U.S. bank account. In reality, those transactions could still violate U.S. law if the customer resides in a nation such as Mexico, Brazil, or Argentina.
Sanctions rules can change quickly and applying
them to specific transactions is not always easy – sanctions compliance teams need the knowledge and resources to do their job well.
Companies can also demonstrate a strong commitment to sanctions compliance by carefully considering the structure of their program. OFAC’s framework warns of the risks of a decentralized approach, where local business units can middle east mobile number list handle sanctions compliance and suspicious transactions. That could lead to inconsistent application of policies and procedures, especially if local compliance staff do not fully understand sanctions rules.
The OFAC framework also cites the importance of training (which should be risk-based); disciplinary measures (which should be carried out as necessary to address employee misconduct); investigations and self-reporting (once suspicious transactions have been discovered), etc.
None of those ideas should be unfamiliar to an organization that has already dealt with anti-corruption compliance, government contracts, or similar regulatory compliance issues. The bottom line is that a company’s sanctions compliance program must have strong executive support, and that support must translate into trained and compliance-savvy personnel who can implement a robust latest ofac sanctions compliance program sanctions compliance program.
Testing and internal control
The OFAC framework also places a strong emphasis on internal controls to maintain an effective sanctions compliance program. Compliance professionals will need to dive into the details of developing and maintaining these controls to ensure their companies’ sanctions compliance programs meet the challenge.
Start with policies and procedures. A sanctions compliance program should include dating data vwritten policies that explain the relevant laws and regulations and what the program is intended to accomplish. Policies should be written in easy-to-understand language and be relevant to how employees actually work with customers and process transactions. Procedures should provide guidance to employees on how to comply with sanctions rules and the consequences for misconduct.
While each company will need to develop
its own procedures, the OFAC framework highlights four specific actions that must be covered in all cases:
- Identify suspicious transactions, which involves a level of due diligence
- Intercept those transactions before they are processed.
- Escalate suspicious transactions to appropriate compliance personnel for further review.
- Report suspicious transactions to external authorities as determined by leadership.
When creating a sanctions compliance program, compliance professionals should consider what data in the company might be needed to execute these objectives and what business processes can be leveraged to intercept and prevent suspicious transactions before settlements are carried out.