On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments, which details more than 10 pages of long-standing OFAC practices on corporate economic sanctions compliance programs. With this publication, companies operating internationally are now on notice that compliance program elements that used to be simply “best practices” guidance will now be expected by OFAC. With the recent strengthening of certain sanctions regimes in countries such as Iran and Venezuela, the release of the guidance is both timely and telling. Companies – both U.S. and non-U.S. – conducting international business should take note and ensure their existing compliance programs include OFAC-enumerated elements.
Further, this guidance is relevant for both U.S. and non-U.S. entities, as in certain instances, U.S. sanctions can reach even wholly non-U.S. entities and individuals. For example, European companies engaging in business with Iran may be subject to U.S. sanctions measures (so-called “secondary sanctions”), or a non-U.S. bank that is processing payments from a sanctioned country may face enforcement actions for dollar-denominated payments or routing through the U.S. financial system.
Five essential compliance program components as identified in the OFAC framework are:
1. Management commitment;
2. Risk assessment (which can be considered broadly in three categories);
a. Enterprise risk assessment,
b. Due diligence on third parties, Know Your Customers (KYC),
c. Mergers & Acquisitions (M&A),
3. Internal controls;
4. Testing and auditing; and
There is no intent requirement for OFAC violations. They are strict liability offenses. Accordingly, every company engaged in international business dealings must adopt an effective compliance program to prevent and detect violations. Further, the existence of an effective compliance program, as highlighted by OFAC, may mitigate potential penalties in the event a violation occurs.
OFAC expects that companies discovering sanctions violations – even if the violations are inadvertent – should be able to point to an existing, effective compliance program to demonstrate that the impact of the violations was limited and the violations were detected quickly, and hence could be remediated quickly.
By contrast, a company without an effective compliance program facing an OFAC enforcement action may find the violations are treated by OFAC as egregious, and the lack of compliance program may serve as an aggravating factor in the calculation of monetary penalties.
The factors highlighted by OFAC are consistent with elements of effective compliance programs in other risk areas. For example, as reported in the GT Alert, “New DOJ Guidance: What Is Your Compliance Program Worth?”, the U.S. Department of Justice recently published an updated version of “The Evaluation of Corporate Compliance Programs,” which provides guidance on how DOJ prosecutors may view corporate compliance programs in other risk areas like AML or anti-corruption, and also highlights the importance of senior management commitment and regular risk assessments. However, it is important that the elements highlighted by OFAC be deployed and addressed with subject-matter expertise that is sanctions-focused. For example, AML or anti-corruption compliance risk assessments are unlikely to detect and address economic sanctions-related compliance with the attention and specificity expected by OFAC. Furthermore, unlike AML and anti-corruption laws, OFAC laws and regulations are often changing and very dynamic. So, what constituted an OFAC violation in the past may no longer be impermissible, and what was permissible in the recent past may now violate U.S. sanctions.
It is critical for businesses operating internationally to determine their sanctions risk profiles (under U.S. and other applicable laws) and design a sanctions compliance program to address the risks inherent to the business, as well as those presented by the rapid pace of regulatory changes in the sanctions space.