Treasury Department’s Office of Foreign Assets Control Issues Framework for Developing Sanctions Compliance Programs
On May 2, 2019, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments to provide organizations subject to U.S. jurisdiction a guide for developing an effective sanctions compliance program that should include, from OFAC’s perspective, five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
Under existing OFAC regulations, all covered organizations are required to confirm that their business dealings do not involve blocked persons or entities contained on the OFAC Specially Designated Nationals and Blocked Persons list. In this publication, OFAC encourages organizations to establish a sanctions compliance program to avoid violating the laws that OFAC administers. As guidance, the publication provides an outline of how OFAC may incorporate each of the five essential components into its evaluation of apparent violations and the resolution of OFAC’s investigations. In addition, OFAC may consider whether subject organizations have implemented a sanctions compliance program that is predicated on these five components, which may result in further mitigation of a civil money penalty when remedial steps are taken after being identified by such a program. To summarize, the five components should address certain items, including the following:
Management Commitment:
- Senior management should provide adequate support and resources to the compliance unit, such as by appointing a dedicated OFAC sanctions compliance officer; and
- Senior management should promote a culture of compliance throughout the organization, for example, by highlighting the potential repercussions of non-compliance with OFAC sanctions.
Risk Assessment:
- The organization should conduct an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks; and
- The organization should develop a methodology to identify, analyze, and address the particular risks it identifies.
Internal Controls:
- The organization has designed and implemented written policies and procedures outlining the sanctions compliance program in order to identify, interdict, escalate, report and keep records pertaining to prohibited activities under the OFAC sanctions programs.
Testing and Auditing:
- The organization commits to a comprehensive and objective testing or audit function that adequately identifies weaknesses and deficiencies of the sanctions compliance program, and ensures the enhancement of the program by updating program-related technology.
Training:
- The organization provides training to all appropriate employees and personnel on a periodic basis (at a minimum, annually), and provides easily accessible resources and materials to all applicable personnel.
Additionally, the document includes an appendix that details some of the root causes of apparent violations of the OFAC sanctions program based on OFAC’s prior investigative process, including deficiencies such as: (1) the lack of a formal OFAC sanctions compliance program; (2) misinterpreting or failing to understand the applicability of OFAC’s regulations; and (3) facilitating transactions by non-U.S. persons, including through or by overseas subsidiaries or affiliates.