November 2018 Foodman CPAs & Advisors website

OFAC (Office of Foreign Assets Control) is a department of the US Treasury that administers and enforces economic and trade sanctions based on US foreign policy and national security goals.   

On May 2, 2019, OFAC published guidance titled “A Framework for OFAC Compliance Commitments”.  The purpose of the OFAC Framework guidance is to encourage a “risk-based” approach to “Sanctions Compliance” through developing, implementing, and routinely updating a Sanctions Compliance Program (SCP).

Who must comply with OFAC Sanctions?

OFAC compliance applies to all US persons, including all US citizens and permanent resident aliens regardless of where they are located, all persons and entities within the US, all US incorporated entities and their foreign branches, all organizations subject to US jurisdiction, foreign entities that conduct business in or with the US or US persons or that use US origin goods or services, and organizations that facilitate or engage in online commerce or process transactions using Virtual Currency (VC).

OFAC Sanctions

The management of sanctions in the US is administered by the US Secretary of the Treasury.  OFAC is responsible for promulgating, developing, and administering sanctions on behalf of the Secretary of the Treasury.  Economic sanctions are foreign policy tools that include trade embargoes, blocked assets controls, and commercial and financial restrictions, which are used against certain groups who threaten the security, economy, and safety of the US. OFAC maintains a “Sanctions Programs and Country Information” site as well as a “Specially Designated Nationals And Blocked Persons List”.

OFAC Sanctions Compliance

An adequate OFAC Sanctions Compliance Program (SCP) will depend on the type of business, a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.  There is no prepackaged or “one size fits all” compliance program.

OFAC has stated that Sanctions Compliance Programs ought to incorporate five components:

  • Management Commitment
    • Review and approval of the SCP by senior management.
    • Compliance unit(s) are delegated authority and autonomy by senior management to deploy their policies and procedures, which control an organization’s OFAC risk.
    • Existence of direct reporting lines between the SCP function and senior management.
    • Routine and periodic meetings between the SCP function and senior management.
    • Compliance unit(s) receive adequate resources of human capital, expertise and information technology from senior management.
  • Risk Assessment
    • Conduct an OFAC risk assessment that adequately accounts for potential risks, such as those posed by its clients and customers, products, services, supply chain, intermediaries, counterparties, transactions, and geographic locations, depending on the nature of the organization.
    • Develop a methodology to identify, analyze, and address the particular risks identified. Risk assessment testing and audit.
  • Internal Controls
    • Written policies and procedures outlining the SCP.
    • Internal controls that adequately address the results of its OFAC risk assessment and profile.
    • Enforcement of policies and procedures through internal and/or external audits.
    • Recordkeeping policies and procedures that account for requirements pursuant to the sanctions programs administered by OFAC.
    • Taking immediate and effective action upon learning of a weakness in internal controls pertaining to OFAC compliance.
    • Communication of SCP policies and procedures to all relevant staff (personnel within the SCP program, gatekeepers and business units operating in high-risk areas).
    • Appointing personnel for integrating the SCP policies and procedures into the daily operations of the organization.
  • Testing and Auditing
    • The testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.
    • Employs testing or audit procedures appropriate to the level and sophistication of its SCP.
    • If there is a negative testing result or audit finding pertaining to its SCP, the organization will take immediate and effective action to correct the situation.
  • Training
    • Program provides adequate information and instruction to employees, stakeholders, clients, suppliers, business partners, and counterparties.
    • Scope of the program is appropriate for the products and services the organization offers, its customers, clients, partner relationships, and geographic regions.
    • Frequency in providing OFAC-related training.
    • Take immediate and effective action upon learning of a confirmed negative testing result or audit finding.
    • Program includes easily accessible resources and materials that are available to all applicable personnel.

Don’t be a Victim of your Own Making

While OFAC SCPs are tailor-made programs designed according to the uniqueness of a specific organization, there are certain fundamental “mindsets” applicable across the commercial business environment that are teachable.  The existence of an effective SCP at the time of a violation will be considered by OFAC’s Office of Compliance and Enforcement when determining civil monetary penalties.  Seeking professional third-party assistance in the development and implementation of an SCP within the OFAC framework can be a practical step in the right direction.