OFAC Issues Guide on Sanctions Compliance
The Treasury’s Office of Foreign Assets Control published a 12-page guide on sanctions compliance for U.S. and foreign businesses, detailing what OFAC defines as effective compliance programs and outlining several “root causes” of sanctions violations. The guide, published May 2, delves into the level of compliance that OFAC expects from companies and how best to avoid sanctions violations. The guide covers five categories: management commitment, risk assessment, internal controls, testing and auditing, and training.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
OFAC said management’s commitment to compliance “is one of the most important factors in determining its success,” helping to “legitimize the program” and “empower its personnel.” OFAC said all management should review and approve their organization’s compliance program, ensure the “existence of direct reporting lines” between the program and senior management and make sure the program has sufficient resources.
A lack of risk assessments can damage a business’ “reputation” and profits, OFAC said. The agency calls for companies to conduct “routine” assessment of “potential OFAC issues they are likely to encounter.” “While there is no 'one-size-fits all' risk assessment,” OFAC said, “the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.” This may include assessments of “on-boarding” (including developing a “sanctions risk rating” for customers) and mergers and acquisitions (completing “appropriate due diligence” of new acquisitions).
Compliance programs should also include internal controls, OFAC said, which keep records of potentially sanctioned activity to “minimize the risks identified by the organization’s risk assessments.” This may also include keeping “written policies and procedures” for compliance programs.
OFAC also stressed the importance of testing and training. Specifically, employers should be auditing the “effectiveness of current processes" and checking "for inconsistencies between these and day-to-day operations” and providing employee training on a “periodic basis.”
In the guide’s appendix, OFAC details several main causes of violations, in an effort to help companies prevent them. While some of the causes are straightforward -- such as using U.S. banks to process payments involving sanctioned people or exporting goods to sanctioned countries -- others are more complex. Some common causes, OFAC said, are misinterpreting OFAC’s regulations, facilitating transactions by non-U.S. people or companies, faulty filters and screening software, improper due diligence and individual liability.
OFAC said “numerous organizations” violate sanctions because they simply misinterpret OFAC’s regulations, not understanding that the sanctions apply to them. “For example, several organizations have failed to appreciate or consider … the fact that OFAC sanctions applied to their organization based on their status as a U.S. person ... [or as] a U.S.-owned or controlled subsidiary,” OFAC said. OFAC also said conducting transactions with non-U.S. people or companies is a leading cause of sanctions violations because many are later discovered to be sanctioned. OFAC warned against failing to update sanctions screening software with updates to OFAC’s Specially Designated Nationals List or not accounting for alternative spellings of sanctioned people or entities. Other leading causes include improper due diligence and individual liability, in which certain company employees, such as those working at foreign-based affiliates, purposely violate sanctions and “conceal their activities from others within the corporate organization.”