Office of Foreign Assets Control (OFAC) Compliance Commitments Framework

On the 5th of May, the United States (US) Department of Treasury Office of Foreign Assets Control (OFAC) published new guidance on adopting a risk-based approach to manage sanctions compliance, including a suggested framework for a Sanctions Compliance Program (SCP).

This guidance is aimed at organisations that are subject to US jurisdiction, as well as foreign entities that conduct their business in or with the US, with US Persons, or using US-origin goods/services.

Although OFAC encourages a risk-based approach to compliance, and understands that implementation may vary by company, it notes that the framework should incorporate at least five essential components of compliance as listed below:

1. Management Commitment

Key areas include senior management commitment demonstrated through oversight of SCP implementation (via direct reporting lines and routine meetings); adequate resources to support compliance, including human capital, expertise, information technology, and other resources, as appropriate; and promotion of a strong culture of compliance.

2. Risk Assessment

Key areas include conducting OFAC risk assessments addressing all areas of potential risk from clients and customers to geographic locations and products (this should cover on-boarding of business partners as well as M&A activity); a methodology to identify, analyse, and address the particular risks identified.

3. Internal Controls

Key areas include written policies and procedures that are easy to follow; effective internal controls that address the results of the risk assessment; internal/external audits; embedding controls within the functions.

4. Testing & Auditing

Key areas include ensuring a comprehensive testing and auditing function that allows entities to know how their SCPs are functioning and outlines areas of potential improvement or enhancement if needed.

5. Training

Key areas include ensuring an adequate training program is implemented with appropriate content and frequency based on the company’s risk profile.

While the above are intended as guidelines, OFAC notes that if a company has an SCP at the time of an apparent violation, this may mitigate a civil monetary penalty under General Factor E (compliance program) and indeed under General Factor F (remedial response) when the SCP results in remedial steps being taken.

In addition to the framework, based on assessments of prior administrative actions, OFAC has also released some root causes of sanctions compliance programme issues which have led to violations. These include:

  • Lack of a Formal OFAC SCP
  • Misinterpreting, or failing to understand, the applicability of OFAC’s regulations
  • Facilitating transactions by non-US persons (including through or by overseas subsidiaries or affiliates)
  • Exporting or re-exporting US origin goods, technology, or services to OFAC-sanctioned persons or countries
  • Utilising the US financial system, or processing payments to or through US financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries
  • Sanctions screening software or filter faults
  • Improper due diligence on customers/clients (e.g. ownership, business dealings etc.)
  • De-centralised compliance functions and inconsistent application of an ICP
  • Utilising non-standard payment or commercial parties
  • Individual liability

In these new guidelines, OFAC has explicitly set out the expected framework to be in place for a sustainable programme to manage sanctions compliance. Organisations subject to US jurisdiction or working with US-origin products, software and technology should carefully consider the above-listed tenets of an effective SCP and implement them in a manner that is appropriate to the risk level of the organisation.
