On May 2, 2019, OFAC (Office of Foreign Assets Control) published guidance titled “A Framework for OFAC Compliance Commitments”. The purpose of the OFAC Framework guidance is to encourage a “risk-based” approach to “Sanctions Compliance” through developing, implementing, and routinely updating a Sanctions Compliance Program (SCP).
OFAC Compliance Applies to all “U.S. Persons”
This includes all US citizens and permanent resident aliens regardless of where they are located, all persons and entities within the US, all US incorporated entities and their foreign branches, all organizations subject to US jurisdiction, foreign entities that conduct business in or with the US or US persons, or that use US-origin goods or services, and organizations that facilitate or engage in online commerce or process transactions using Virtual Currency (VC).
OFAC SCPs are tailor-made programs designed according to the uniqueness of a specific organization (not a “one size fits all” proposition). An SCP depends on the organization’s size and sophistication, products and services, customers and counterparties, and geographic locations. The OFAC guidance states that each SCP should be predicated on and incorporate at least five essential components of compliance: management commitment; risk assessment; internal controls; testing and auditing; and training.
The OFAC Guidance presents the “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies”
One of the purposes of the OFAC guidance dated May 2, 2019 is to “alert persons subject to U.S. jurisdiction, including entities that conduct business in or with the United States, U.S. persons, or U.S.-origin goods or services, about several specific root causes associated with apparent violations of the regulations it administers in order to assist them in designing, updating, and amending their respective SCP”. There are ten specific root causes:
- Lack of a Formal OFAC SCP: Everyone must adopt a formal SCP
- Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations: Be able to determine if a transaction, dealing, or activity is prohibited or not and if it applies to the organization or operation
- Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates): Organizations with integrated operations should ensure any activities they engage in (approvals, contracts, procurement) are compliant with OFAC’s regulations.
- Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC Sanctioned Persons or Countries: Heed “warning signs” that U.S. economic sanctions laws prohibit certain activities.
- Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries: Understand what financial transactions to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned country, region, or person can or can’t be processed.
- Sanctions Screening Software or Filter Faults: Sanctions screening software needs to be updated to incorporate updates to the SDN (Specially Designated Nationals) List or SSI (Sectoral Sanctions Identifications) List.
- Improper Due Diligence on Customers/Clients (Ownership, Business Dealings): Understand customers’ ownership structures, geographic location(s), counterparties, and transactions, as well as their knowledge and awareness of OFAC sanctions.
- De-Centralized Compliance Functions and Inconsistent Application of an SCP: OFAC compliance ought to be a centralized function in order to assure uniform interpretation and application of OFAC’s regulations.
- Utilizing Non-Standard Payment or Commercial Practices: Do not evade or circumvent OFAC sanctions or conceal activity in order to complete a transaction.
- Individual Liability: OFAC can use its enforcement authority against the entities that violate the regulations administered by OFAC and against the individuals as well.
The existence of an effective SCP at the time of a violation will be considered by OFAC’s Office of Compliance and Enforcement when determining civil monetary penalties
While OFAC SCPs are tailor-made programs designed according to the uniqueness of a specific organization, there are certain fundamental “mindsets” applicable across the commercial business environment that are teachable. Seeking professional third-party assistance in the development and implementation of an SCP within the OFAC framework can be a practical step in the right direction.