In May 2019, OFAC published formal guidance on U.S. sanctions compliance programs and, helpfully, identified the most common “root causes” of sanctions violations. The guidance is evidence of a growing focus on effective compliance programs which, while not legally required, are an increasingly critical factor in OFAC’s evaluation of the appropriate penalty after finding an apparent sanctions violation.
Background
On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) – the agency responsible for administering and enforcing U.S. economic sanctions – published “A Framework for OFAC Compliance Commitments” (Framework) setting out not only the five essential components of an effective U.S. sanctions compliance program, but also identifying the most prominent “root causes” of recent sanctions violations. The root cause discussion is particularly noteworthy as it highlights potential landmines for both U.S. and non-U.S. companies to avoid as they seek to navigate the complexities of U.S. sanctions compliance.
The Framework follows months of focus by OFAC on the importance of designing, implementing and maintaining sound compliance practices (as has been communicated through its enforcement actions), along with a marked increase in OFAC enforcement (OFAC has announced 14 civil penalties already this year, compared to seven in all of 2018).
While OFAC acknowledges that no company is legally obligated to have a formal sanctions compliance program, it notes that it will consider the existence and effectiveness of a sanctions compliance program when evaluating the appropriate penalty after finding an apparent sanctions violation.
The Framework
The heart of the new Framework is five “essential components of compliance,” which will inform OFAC’s future evaluation of compliance programs. They include:
- the commitment of management to ensuring that a compliance program is fully integrated and legitimate
- frequently conducted risk assessments
- internal controls for identifying, escalating, reporting and keeping records pertaining to sanctions risks
- a comprehensive, independent and objective testing regime that can identify risks and allow companies to adapt their practices to respond to such risks
- a training program, held at least on an annual basis, to provide all relevant employees with job-specific knowledge pertaining to sanctions risks.
Root causes
However, perhaps of more interest than the Framework’s essential components of compliance, which largely formalize elements on which OFAC had focused in the past, the Framework is followed by an appendix of what are, in OFAC’s view, the “root causes” that most frequently lead to U.S. sanctions violations. While OFAC has made clear that this list of notable “deficiencies or weaknesses” in compliance programs is not exhaustive, it highlights the factors that will assist organizations in “designing, updating and amending” their respective compliance programs. The root causes identified by OFAC in the Framework include where:
- organizations lacked a formal sanctions compliance program
- organizations generally failed to appreciate or consider the territorial reach of U.S. sanctions laws (typically accompanied by additional aggravating factors such as reckless conduct, the presence of numerous warning signs that the activity at issue was likely to be prohibited and the size and sophistication of the subject person)
- an organization that was subject to U.S. jurisdiction facilitated (including referring or approving) transactions or dealings between the organization’s non-U.S. locations and OFAC-sanctioned countries, regions, or persons
- often despite warning signs that such activity might be prohibited by U.S. sanctions law, non-U.S. persons repeatedly purchased U.S.-origin goods with the specific intent of re-exporting, transferring or selling the items to a person, country or region subject to OFAC sanctions
- non-U.S. persons processed financial transactions to or through U.S. financial institutions connected to commercial activity involving an OFAC-sanctioned person, country or region. Indeed, on this point, OFAC stresses that the mere inclusion of a U.S. financial institution in any payments associated with such a transaction often results in a prohibited activity
- organizations failed to update sanctions screening software to, for example, account for updates to the Specially Designated Nationals and Blocked Persons List (the “SDN List”) or the Sectoral Sanctions Identifications List (the “SSI List”) or account for the various ways that prohibited countries or parties could be spelled
- organizations failed to conduct proper due diligence on customers, supply chain, intermediaries or counter-parties relating to things like ownership or geographic location(s)
- compliance programs were inconsistently applied across various offices or business units, owing largely to de-centralized compliance programs
- business practices deviated from norms and practices
- individual employees - oftentimes in supervisory, managerial or executive-level positions - of U.S.-owned or controlled entities operating outside of the U.S., conducted or facilitated dealings with OFAC-sanctioned persons, regions or countries, even in situations where the U.S. entity had a compliance program in place. Where employees of the foreign entities had also made efforts to conceal their activities from others in the organization and/or law enforcement, OFAC will consider enforcement action against both the organization and the individual(s).
Comment
The new Framework provides companies with useful guidance on constructing effective sanctions compliance programs, both to prevent and remediate sanctions risks and to serve as mitigation in the unfortunate event that OFAC identifies an apparent violation. Further, the list of root causes serves as a helpful reminder of risk factors that are often overlooked and can lead to potential liability.
As ever, if you have questions as to whether your program is OFAC-compliant, please contact one of the listed authors.