May 06, 2019
On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released “A Framework for OFAC Compliance Commitments.” This Framework provides guidance for the creation of an effective sanctions compliance program for both U.S. organizations and foreign entities doing business in the U.S. or using U.S. goods or services. In its guidelines, OFAC strongly encourages organizations to adopt a risk-based sanctions compliance program (“SCP”). While the specifics of each SCP will vary, OFAC highlights five essential components of a successful SCP and outlines many of the “root causes” that lead to sanctions violations.
The release of the Framework is part of a broader trend by regulators to provide greater clarity and transparency around the factors they deem significant in assessing the effectiveness of corporate compliance programs. Last week, the Department of Justice (“DOJ”) released similar guidance entitled “Evaluation of Corporate Compliance Programs” for white-collar prosecutors providing insight into the topics the DOJ’s Criminal Division has found relevant in evaluating a corporate compliance program.
DOJ’s guidance highlights many of the same factors that OFAC stresses in its Framework, including the importance of senior management commitment to compliance, periodic testing and review, and training of directors, officers, relevant employees, and, where appropriate, agents and business partners. More information on DOJ’s Guidance can be found in our recent alert here.
In the event that sanctions violations do occur, OFAC will favorably consider organizations which have effective SCPs at the time of the violation. This may result in the mitigation of a civil monetary penalty. OFAC may also look to the existence of an effective SCP in determining if a violation is “egregious” under OFAC’s Enforcement Guidelines. For an SCP to be considered as a mitigating factor for these purposes, it must be demonstrably effective—simply having an SCP on file is not enough.
In order to implement an effective SCP, OFAC has outlined five areas that organizations should adopt, update, or implement in their programs:
In the Framework, OFAC distills the root causes of many of the sanctions violations that have led to enforcement actions. These are broken down into ten subcategories, including:
If your organization already has an SCP in place, ensure that it is up to date, responsive to the Framework, and able to adapt to frequently changing OFAC directives.
Review your implementation practices under any SCP. Training, audits, and tests should occur regularly, not on a one-time basis. How effective are your screening tools and programs?
Examine the “root causes” of sanctions violations listed by OFAC in the guidance. If any are relevant to your organization, take proactive steps to eliminate them or mitigate risk.
Remember, having an effective SCP will be factored into any mitigation of penalties imposed by OFAC in the event of a violation. This was already the case under OFAC’s Enforcement Guidelines, but the new Framework provides a roadmap for how to create an “effective” SCP to both avoid violations and obtain the benefit of mitigation if need be. Existence of a compliance program is not enough—it must also be effective.