On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published its first-ever Framework for OFAC Compliance Commitments (“Framework”), detailing the essential components of a sanctions compliance program, and the contents were hardly a surprise. As we indicated in our recent client alert outlining the top 20 compliance lessons to learn from the past year’s OFAC enforcement cases, OFAC has hinted at this Framework since last fall when it began publishing settlement agreements with compliance commitments included. Although OFAC reiterated that every company’s risk-based sanctions compliance program will vary based on its own individual risk factors – including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations – OFAC characterized the five “essential components” of compliance as requiring: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
Instead of merely summarizing these compliance commitments, the MoFo national security team has linked each commitment to the lessons of enforcement cases of the past year. As the Framework notes, “OFAC recommends all organizations subject to U.S. jurisdiction [including non-U.S. companies that engage in transactions with a U.S. nexus] review the settlements published by OFAC to reassess and enhance their respective [sanctions compliance programs], when and as appropriate.”
The Framework resembles in many respects the updated Evaluation of Corporate Compliance Programs Guidance Document published by the U.S. Justice Department’s Criminal Division in April 2019. At the end of the Framework, OFAC provided a list of common “root causes” of sanctions violations to help companies evaluate their compliance programs, and we’ve also linked those root causes to recent sanctions enforcement cases. Accordingly, now that OFAC has articulated what it’s looking for in a compliance program and described common root causes of violations, it’s time for companies to review their programs to make sure they conform to expectations. Companies should do so not just to be the best they can be in terms of sanctions compliance, but also because the Framework makes clear that OFAC will “consider favorably” effective sanctions compliance programs (and unfavorably ineffective ones) when resolving future enforcement cases. Here’s what OFAC expects:
1. Management Commitment
As the old saying goes, “it rolls downhill.” If management doesn’t support or only begrudgingly supports a compliance program, then compliance staff are unlikely to be effective in their roles. Therefore, OFAC notes that it expects senior management to review and approve sanctions compliance programs.
Similarly, compliance staff need to have the authority to do their jobs. If business folks can ignore compliance staff the way they did in OFAC’s case against Ericsson, there is little hope that even a well-designed program will be effective. Compliance staff should be given the autonomy necessary to implement policies and procedures to effectively control an organization’s OFAC risk. As part of this effort, senior management should ensure the existence of direct reporting lines between themselves and compliance staff, including by having routine and periodic meetings.
Regardless of their authority on paper, compliance staff are unlikely to be effective at preventing sanctions violations if they are under-resourced. Senior management need to take steps to ensure that their organization’s compliance staff receive adequate resources, including human capital, expertise, information technology, and other resources as appropriate, relative to the organization’s breadth of operations, target and secondary markets, and other factors affecting its risk profile (see e.g., the Cobham and Société Générale cases where OFAC credited the companies with beefing up their compliance staffs). Companies, as in the Zoltek and MID-SHIP cases, should appoint a dedicated OFAC sanctions compliance officer, although – depending on the company’s size and complexity – that person may also serve in other senior compliance positions (such as the Bank Secrecy Act or export control officer).
Finally, senior management need to promote a “culture of compliance” where employees feel free to report sanctions issues without a fear of reprisal and where serious sanctions issues are rapidly remediated. This can be accomplished when senior management communicate to staff the seriousness of violating sanctions or failing to comply with an organization’s sanctions compliance program. To the extent sanctions violations have occurred in the past, senior management should ensure measures are taken to address the root cause through systemic solutions whenever possible. OFAC has explicitly required each party it settled with since fall 2018 to commit to promoting a culture of compliance.
2. Risk Assessment
OFAC has consistently asked companies to have a “risk-based compliance program.” In order to develop such a program, companies need to know their risk profile. OFAC’s second compliance commitment addresses this issue by placing an expectation on companies that they will conduct sanctions risk assessments on themselves. OFAC notes that while there is “no ‘one-size-fits-all’ risk assessment,” risk assessments should generally consist of a “holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world,” including risks posed not just by clients and customers, but also by its supply chain, intermediaries, and counterparties, as well as by its products, services, and transactions and the geographic locations of the organization and its customers, supply chain, intermediaries, and counterparties.
In assessing sanctions risk, organizations should leverage existing information derived from due diligence occurring at on-boarding and other points in a relationship or transaction. For example, an organization could develop a risk rating system for customers or account relationships using information obtained through a Know Your Customer or Customer Due Diligence process. A helpful tool for assessing sanctions risk in this way is the OFAC Risk Matrix provided as an Annex to OFAC’s Economic Sanctions Enforcement Guidelines.
Risk assessments are essential during mergers and acquisitions. Sanctions violations related to mergers and acquisitions have become commonplace on OFAC’s enforcement page with its cases against Kollmorgen, AppliChem, Stanley Black & Decker, and Cobham. Therefore, compliance functions should be integrated into the mergers and acquisitions process to ensure sanctions-related issues are identified, escalated to relevant senior management, and addressed prior to the completion of the merger.
Furthermore, OFAC expects companies to develop a methodology to identify, analyze, and address sanctions risks. OFAC clarified that risk assessments are not a one-off task, but instead should be “routine, and if appropriate, ongoing” to account for any violative conduct or root causes of apparent violations.
3. Internal Controls
Most global businesses should be familiar with the concept of internal controls from the Foreign Corrupt Practices Act or, for financial institutions, from their mandatory anti-money laundering programs. OFAC believes such internal controls should include policies and procedures to identify, interdict, escalate, report, and maintain records pertaining to sanctions. These policies and procedures should be enforced and weaknesses identified and remediated. OFAC recommends seven categories of internal controls:
I. Written policies and procedures outlining the organization’s sanctions compliance program that are easy to follow and designed to prevent employee misconduct;
II. Internal controls to effectively identify, interdict, escalate, and report sanctions issues to appropriate personnel;
III. Enforcement of an organization’s sanctions compliance program through internal and/or external audits;
IV. Adequate recordkeeping policies and procedures to account for OFAC’s recordkeeping requirements;
V. A system to immediately and effectively respond to weaknesses identified in an organization’s internal controls, including by identifying and implementing compensating controls until the root cause of the weaknesses can be determined and remediated;
VI. Clear communication of sanctions compliance policies and procedures to all relevant staff, including compliance personnel, gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, and sales); and
VII. Dedicated staff for integrating sanctions compliance policies and procedures into the daily operations of an organization.
These internal controls should be developed and implemented in response to a company’s risk assessment and should be updated to reflect changes to that assessment.
Internal controls such as these would have protected against the apparent violations in OFAC’s AppliChem case, where AppliChem’s U.S. parent, Illinois Tool Works, Inc. (ITW), sent directives to AppliChem to cease its business with Cuba. However, ITW didn’t have adequate controls in place to ensure clear communication of sanctions compliance issues, letting these violations continue for years. Proper internal controls may also have prevented the finding of violation (with no monetary penalty) in the recent State Street Bank case, where compliance personnel aligned with the line of business – rather than the bank’s centralized sanctions compliance personnel with specialized sanctions expertise – reviewed (and ultimately allowed) beneficiary payments to a U.S. person resident in Iran.
4. Testing and Auditing
The best laid plans always work in theory. However, OFAC expects companies to make sure their compliance programs work on more than just paper. To accomplish this, OFAC expects companies to engage in regular testing and auditing of their compliance programs to assess the effectiveness of current processes, check for inconsistencies between these and day-to-day operations, and identify weaknesses and deficiencies, including in program-related software, systems, and other technology, and to account for a changing risk assessment or sanctions environment. Such testing and auditing can be conducted on a specific element of a sanctions compliance program or at the enterprise-wide level.
The testing and auditing function of a sanctions compliance program should be accountable to senior management and independent of the activities it is intended to test. Furthermore, just as the compliance program must be tailored to the size and sophistication of the company, so too should the testing and auditing function of the program. Finally, it wouldn’t make much sense to test a program if poor results were ignored. OFAC expects companies to take “immediate and effective action” to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
OFAC specifically discussed auditing in its Stanley Black & Decker, e.l.f. Cosmetics, and Jereh Group cases. In the Stanley case, OFAC mentioned that Stanley did not implement procedures to monitor or audit its Chinese subsidiary’s operations to ensure that Iran-related sales had ceased. In e.l.f. Cosmetics, OFAC mentioned that e.l.f.’s supplier audits failed to discover that most of its false eyelash kits contained materials from North Korea. In the Jereh case, an external review found that Jereh’s compliance controls were “easily circumvented and, when circumvented, the circumvention could and did go undetected.” If Jereh had regularly audited its compliance program and followed up on those audits, it may have detected that its sales team was diverting shipments to Iran. The message from these penalties is clear: sanctions compliance programs should not be paper tigers.
5. Training
Finally, it doesn’t matter how easy a compliance program is to follow if no one knows about it. OFAC expects companies to ensure that all appropriate employees and stakeholders (such as clients, suppliers, business parties, and counterparties) are trained on their sanctions obligations. This means making sure high-risk employees receive specialized training. Training should be tailored to the products and services a company offers, the customers, clients, and partner relationships it maintains, and the geographic regions in which it operates.
Training cannot be a one-off. Sanctions come and go at legal speeds equivalent to the speed of light. Therefore, training must be sufficiently regular, based on an organization’s risk assessment and risk profile, to ensure employee knowledge doesn’t go stale. When regular trainings aren’t enough and problems occur, OFAC expects a company to take immediate and effective action to provide training or other corrective action as appropriate. For example, in OFAC’s settlements with e.l.f. Cosmetics and Jereh Group, each company hired third parties to train key employees as part of their remedial efforts.
Additionally, a training program should include easily accessible resources and materials available to all employees who need them. Training would have been especially helpful in OFAC’s case involving Haverly Systems, Inc. At the time of the violations, Haverly did not have a sanctions compliance program and apparently did not recognize that receiving late payments from a sectorally sanctioned entity in Russia is prohibited. If its employees had received effective sanctions compliance training, the violations may not have occurred.
Root Causes of OFAC Sanctions Compliance Program Breakdowns
To assist companies in reviewing their compliance programs, OFAC provided a list of ten specific “root causes” associated with sanctions violations. To assist readers with their compliance program reviews, we’ve listed OFAC’s ten root causes with a citation to relevant OFAC cases.
In conclusion, OFAC’s compliance commitments are a double-edged sword. On the one side, they provide clarity to companies looking to develop or improve their sanctions compliance programs. But, on the other side, they set a standard with the implicit threat of penalties when compliance programs aren’t up to par.