In May 2019, the Treasury’s Office of Foreign Assets Control (OFAC) published a set of sanctions compliance guidelines, A Framework for OFAC Compliance Commitments, to help companies better understand their compliance obligations as they relate to sanctions and how to establish internal and external procedures for adhering to those obligations. The agency is already using components of the new framework in its settlement agreements, including a $611 million settlement just a few months ago. There are important considerations businesses should consider with this new framework, and key ways in which OFAC’s guidelines could impact your organization.
What is OFAC?
OFAC is the U.S. Treasury Department’s financial intelligence and enforcement agency which administers and enforces trade sanctions in support of U.S. national security and foreign policy objectives. At its core, the group acts as an enforcement agency, meaning that its guidance on compliance issues must be taken into consideration by any entity conducting foreign transactions. OFAC works with the Department of Justice to enforce the U.S. government’s various sanctions regimes, including the comprehensive trade embargos impacting Cuba, North Korea, Syria and Iran, as well as the evolving programs affecting Russia and Venezuela.
Who is Impacted by OFAC Regulations?
OFAC’s compliance mandates affect any U.S. person and entity, including U.S.-owned or controlled subsidiaries abroad, as well as foreign groups that work with the U.S.—be it physically in the U.S., with U.S. entities or persons abroad, with the U.S. financial system or using U.S.-origin goods or services. The bottom line is that all of these groups are subject to OFAC regulations.
Possible Penalties for Violating OFAC Regulations
Sanctions enforcement is on track to hit 10-year highs for both the number of actions taken and settlement values. In fact, penalties have already reached $1.2 billion. Just six months into 2019, enforcement totals already amounted to 25% of the enforcement totals of the last 10 years.
OFAC has outlined the following general components that can influence the outcome of an investigation conducted in response to an apparent violation:
- Findings of willful or reckless violation of law
- Existence and strength of a compliance program
- Awareness of conduct
- Harm to sanctions program objectives
- Whether or not the entity acts on its own
- Cooperation with OFAC
- Timing of violation in relation to imposition of sanctions
- Other federal, state or local agency enforcement action
Importantly, the OFAC guidance emphasizes that subjects that have an effective sanctions compliance program (SCP) in place at the time of the potential violation will be considered in a more favorable light. That means that having a strong SCP not only helps your organization improve the likelihood that you’re staying in step with OFAC regulations, but it also shows regulatory bodies that you have the tools to take corrective action if a violation occurs.
If violations are found, the offender may be subject to penalties, and OFAC’s Office of Compliance and Enforcement (OCE) will determine how the offender’s SCP should be strengthened as part of an accompanying settlement agreement. OFAC will evaluate the offender’s SCP in a manner consistent with the Economic Sanctions Enforcement Guidelines.
What Should an OFAC-Worthy SCP Entail?
An effective SCP can help businesses in several ways. If your business is already under investigation, a credible SCP can minimize the consequences. However, having a strong SCP in the first place will help you avoid trouble altogether.
It’s rare for an enforcement agency, particularly OFAC, to offer the kind of public guidance that it has with its framework, making the recent documentation that much more valuable. Here’s a simple guide to the five components OFAC says are essential in an SCP:
- Management Commitment
An effective SCP will give the compliance team authority and autonomy. It will consider upper management oversight and set up consistent reporting to monitor progress. More importantly, an effective SCP should encourage a culture of compliance that runs organization-wide and should identify vulnerabilities and potential violations and work to fix their root causes.
- Risk Assessment
Risk assessment is at the core of strong SCPs. This means identifying relevant risks and vulnerabilities that could lead to violations and damage an organization’s reputation. Healthy risk evaluation will include regular reviews of potential weaknesses, such as insufficient compliance program resources, and apply adjustments where necessary. A proper risk assessment also means looking beyond risks posed internally to vulnerabilities among partners, supply chains, customers, intermediaries and counterparties.
- Internal Controls
Internal controls should stop violations before they happen. This includes setting up policies and procedures that address identified risks in a consistent and systemic way. Internal controls should reinforce a culture of compliance, outline operational expectations, document compliance activities and promote accountability. They should include regular assessments, both internal and external, and address the root causes of compliance breaches immediately.
- Testing and Auditing
Thorough testing and auditing can be the difference between problem-free operations and permanent damage. Auditors should communicate openly with the organization’s management. If a problem is identified, thorough audits will prompt quick action and reveal the core issues threatening sanctions compliance. Proper checks and balances can also mitigate enforcement penalties should they arise.
Training can create a deep culture of compliance. For organizations, this should stem from the code of conduct and be available to all employees and updated frequently. Effective training will educate the workforce on compliance expectations for the workforce and relevant partners. It will consider negative results from audits and address those potential pitfalls directly, as well as teach how to avoid past compliance failures.
What Causes Failures and Violations?
Nobody wants to be found liable of a compliance violation or deal with the lasting reputational damage penalties cause. Knowing the most common mistakes that lead to violations can keep you from costly fines, criminal prosecution and bureaucratic headaches.
- Improper or Incomplete Due Diligence
Organizations don’t always have the capacity, knowledge or oversight to effectively screen their customers, intermediaries, counterparties and supply chains. In such cases, it’s crucial for organizations to engage the right resources, including partnering with experts who are well-versed in OFAC sanctions and have the appropriate language skills and regional expertise. This is especially important when complying with regulatory elements like OFAC’s 50 percent rule—whereby OFAC considers any entity at least 50-percent owned by a sanctioned individual/entity to be itself sanctioned—or when dealing with areas like Russia or Venezuela where sanctions programs continue to evolve.
- Misinterpreting or Failing to Understand OFAC’s Regulations
If you’re not a compliance expert, it’s easy to misread, misunderstand or otherwise overlook requirements. It’s also important to stay on top of regulatory updates and changes. Having dedicated team members review OFAC regulations on a set schedule will help you identify changes as they arise and adjust your compliance program accordingly.
- Decentralized Compliance Functions
When compliance isn’t at the core of an organization, there’s a danger of leaving departments, branches or individuals out of compliance programs altogether. Centralized compliance functions ensure compliance initiatives are working uniformly and reaching all corners of an organization. Having executive leadership involved in the creation and maintenance of your compliance program not only creates a unified function, it also sends a message to the entire organization that compliance is taken seriously.
- Individual Liability
If an individual is out of step with your organization’s legal and regulatory responsibilities, that person can easily put the entire company at risk. Instituting proper compliance training is the first line of defense, and auditing your employees’ understanding of compliance procedures can help ensure the training was received and understood. Furthermore, instituting a culture of accountability will go a long will in underlining the importance of compliance.
An effective SCP can identify liabilities, pick out suspected hazards, and report on the underlying causes of these weaknesses. They should prevent violations, but they should also help organizations improve their ability to independently promote a stronger internal culture of compliance and equip them with custom tools for success.
The Kroll Difference
As OFAC’s direction confirms, having the right SCP goes hand-in-hand with following OFAC guidelines. However, not every SCP meets, let alone exceeds, expectations. For organizations across industries, Kroll can make a positive difference when it comes to sanctions compliance.
As a global screening and due diligence solutions provider, we take a multi-pronged approach when it comes to assessing sanctions risk at almost every level of due diligence. In addition to determining whether a target party is sanctioned or based in a jurisdiction subject to OFAC sanctions, our team of skilled, multi-lingual researchers look for the party’s connections, whether via subsidiaries or business dealings, to other sanctioned jurisdictions. We also offer beneficial ownership screenings to ensure compliance with OFAC’s 50 percent rule.
Experts from Within
Our team of senior experts includes former law enforcement officials and compliance professionals. We know how to create a culture of compliance and can provide companies with the tools to develop their own.
Tailored Due Diligence
Our team recognizes the fact that your organization needs wide-reaching, risk-based due diligence. We have a range of options from light-touch screenings to deep-dive due diligence. That also means customizing research to the client’s needs and assessing sanctions vulnerabilities quickly and thoroughly.
Protection Beyond Sanctions
We know due diligence is about more than just sanctions. We help organizations comply with a wide range of regulatory requirements, including anti-money laundering and anti-bribery and corruption regulations, as well as reputational risk—tailored to your organization.
Tools for Success
We use the latest technology to help companies manage third-party risk. The Kroll Compliance Portal allows companies to run automated sanctions screenings in real time and set up ongoing monitoring.
Talk with Compliance Experts
Have questions about your organization’s compliance needs? Get in touch with our sanctions compliance experts today.