On the 5th of May, the United States (US) Department of Treasury Office of Foreign Assets Control (OFAC) published new guidance on adopting a risk-based approach to manage sanctions compliance, including a suggested framework for a Sanctions Compliance Program (SCP).
This guidance is aimed at organisations that are subject to US jurisdiction, as well as foreign entities that conduct their business in or with the US, with US Persons, or using US-origin goods/services.
Although OFAC encourages a risk-based approach to compliance, and understands that implementation may vary by company, it notes that the framework should incorporate at least five essential components of compliance as listed below:
1. Management Commitment
Key areas include senior management commitment demonstrated through oversight of SCP implementation (via direct reporting lines and routine meetings); adequate resources to support compliance, including human capital, expertise, information technology, and other resources, as appropriate; and promotion of a strong culture of compliance.
2. Risk Assessment
Key areas include conducting OFAC risk assessments addressing all areas of potential risk from clients and customers to geographic locations and products (this should cover on-boarding of business partners as well as M&A activity); a methodology to identify, analyse, and address the particular risks identified.
3. Internal Controls
Key areas include written policies and procedures that are easy to follow; effective internal controls that address the results of the risk assessment; internal/external audits; embedding controls within the functions.
4. Testing & Auditing
Key areas include ensuring a comprehensive testing and auditing function that allows entities to know how their SCPs are functioning and outlines areas of potential improvement or enhancement if needed.
5. Training
Key areas include ensuring an adequate training program is implemented with appropriate content and frequency based on the company’s risk profile.
While the above are intended as guidelines, OFAC notes that if a company has an SCP at the time of an apparent violation, this may mitigate a civil monetary penalty under General Factor E (compliance program) and indeed under General Factor F (remedial response) when the SCP results in remedial steps being taken.
In addition to the framework, based on assessments of prior administrative actions, OFAC has also released some root causes of sanctions compliance programme issues which have led to violations. These include:
In these new guidelines, OFAC has explicitly set out the expected framework to be in place for a sustainable programme to manage sanctions compliance. Organisations subject to US jurisdiction or working with US-origin products, software and technology should carefully consider the above-listed tenets of an effective SCP and implement them in a manner that is appropriate to the risk level of the organisation.