The Office of Foreign Assets Control (OFAC) published its long-anticipated “Framework for OFAC Compliance Commitments” (the Framework) on 2 May 2019. OFAC administers and enforces US economic and trade sanctions, and the Framework details its expectations regarding an organisation’s sanctions compliance programme (SCP).
The Framework applies primarily to organisations subject to US jurisdiction. However, companies operating on the global platform and those who conduct business with or employ US persons, deal in goods or services of US origin, or conduct transactions in US dollars would be well advised to take note of OFAC’s expectations and implement appropriate updates to their SCP.
OFAC notes that it is for each organisation to adopt a risk-based approach in respect of sanctions compliance and has identified five essential components that should form, as a minimum, a robust SCP. These are:
- Management control
- Risk assessment
- Internal controls
- Testing and auditing, and
- Training.
OFAC emphasises the importance of senior management involvement in ensuring compliance with sanctions. When an organisation appropriately engages the senior leadership, executives and/or the board of directors, there is greater scope for an embedded compliance culture. OFAC identifies that it is incumbent on an organisation to be structured in such a way as to ensure that the compliance function is autonomous and has authority to draft and deploy policies, procedures and guidance. It should also create and maintain a direct reporting line between, for example, a sanctions compliance officer or the money laundering reporting officer (MLRO) and the senior management. Such a line could include weekly reports or presenting at executive committee meetings.
OFAC lists certain expectations in respect of the personnel employed within the SCP function. Unsurprisingly, familiarisation with OFAC sanctions is a key element. When considering the SCP function and where it fits within an organisation’s compliance team or financial crime team, it is important to ensure that an organisation retains personnel familiar with sanctions, anti-money laundering and anti-bribery and corruption legislation. They should also understand the practical impact of the domestic and international regulatory environment on the organisation and its processes. By doing so, the senior management team can have confidence that sanctions risks will be mitigated and potential breaches investigated in a timely manner.
Linked to risk mitigation is OFAC’s expectation that an organisation engages in a routine and, where relevant, ongoing risk assessment, which has been suitably tailored. OFAC identifies that a risk assessment may include assessing:
- customers, supply chain, intermediaries and counterparties,
- products and services, including where such items fit into other financial or commercial products, and
- the geographic locations of the organisation, its customers, suppliers, intermediaries and counterparties.
Additional inherent risks not identified by OFAC might include channels into the organisation, the internal business profile and the external regulatory environment, as well as the mitigants (or internal controls) in place to reduce inherent risk.
Risk assessments will generally inform the extent of the due diligence efforts an organisation is expected to undertake, both at onboarding, during regular review and when considering M&A activity. OFAC identifies that the methodology should be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified during business-as-usual (BAU) activity. Due diligence has been a particular focus of OFAC’s recent settlements, so organisations should keep this in mind when considering the impact of risk assessments on any due diligence undertaken.
OFAC identifies that internal controls, including policies and procedures and record keeping, are a key part of an effective SCP. However, to be effective, such policies and procedures should be enforced and weaknesses identified through gap or root cause analyses and remediated.
Key to a robust internal control environment is the involvement of internal and external audit, both holistically and in respect of discrete elements of the SCP. As sanctions are responsive to the global geopolitical environment, policies and procedures should be capable of being updated and communicated promptly.
In addition, and linked to the risk assessment, the controls in place should be sufficiently refined to mitigate the inherent sanctions risk an organisation faces. Here, it is important to note that OFAC expects that while the SCP function is responsible for drafting policies, procedures and guidance, an organisation must appoint personnel to ensure that those policies and procedures are workable and implemented at an operational level. To that end, it is a key facet of this component that the first and second lines of defence are consulted to ensure that the SCP will work in practice.
Testing and auditing
All organisations require a comprehensive and objective testing or audit function to identify programme weaknesses and deficiencies. The audit function, or third line of defence, may choose to audit holistically or conduct a deep dive in respect of discrete elements of the SCP. This might include, for example, asset freeze and blocking procedures or fuzzy logic employed in a sanctions screening solution.
OFAC states that it expects the audit or testing function to be accountable to senior management. It must be sufficiently skilled, expert and resourced, and carry the right level of authority to properly perform its function. Audits should be risk relevant and an organisation must commit to remediating any negative findings.
Finally, OFAC identifies that a successful SCP must include an effective training programme. Such training must be delivered to both employees and relevant stakeholders, including clients, suppliers and business partners. For those who represent a higher risk of sanctions exposure, for example, client relationship managers or traders, OFAC indicates that training should be tailored, as it should be to the geographic reach of the organisation. Training should be as frequent as necessary for the risk profile of the organisation and should be updated as a result of negative audit findings.
Application of the Framework
OFAC states that it will apply the Framework in three scenarios:
- Where an investigation results in a civil monetary penalty (CMP) in response to an apparent violation, OFAC will consider which elements of the Framework to mandate as part of its settlement with an organisation;
- In circumstances where a CMP is appropriate, OFAC may reduce the level of the CMP under its Enforcement Guidelines if an organisation has incorporated components of the Framework;
- When establishing whether a case involves “egregious” sanctions violations, OFAC will use the Framework.
OFAC provides an Annex to the Framework, which indicates “Ten Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions”. This list of sanctions-busting typologies is particularly useful for organisations seeking to better understand the current OFAC focus in respect of enforcement and the potential areas in which they can deploy tighter controls.
The release of the Framework provides yet another tool for organisations seeking to ensure compliance with US sanctions. OFAC has been at the vanguard in providing additional clarity in the sanctions space, with the UK sanctions regulator, the Office of Financial Sanctions Implementation, or OFSI, following suit.
OFAC enforcement has picked up again recently and organisations should be wary. The Framework offers a key insight into how OFAC will approach settlement discussions for apparent violations. For those with an effective SCP, as part of a broader compliance or financial crime function, the Framework serves as a best practice guide against which to benchmark, perhaps as part of the annual risk assessment. For others, the Framework could act as a baseline for a robust SCP which, when considered in conjunction with, for example, the Joint Money Laundering Steering Committee Guidance on the Prevention of Money Laundering/Terrorist Financing, would create the beginnings of an effective anti-financial crime framework.