Developing an OFAC Compliance Policy: Understanding How to Use OFAC’s Framework for Compliance Commitments
The Office of Foreign Assets Control (OFAC) does not mandate that financial institutions and businesses adopt formal compliance programs (which it refers to as “sanctions compliance programs,” or “SCP”). The agency makes this abundantly clear, bluntly stating that its regulations “do not require a formal SCP.”
However, OFAC also makes it abundantly clear that it expects nothing less than full compliance. Financial institutions and businesses that engage in cross-border transactions and other forms of international commerce must fully comply with all pertinent laws (e.g., the Bank Secrecy Act) as well as OFAC’s extensive regulations. If they do not, they can face swift and aggressive enforcement action, which can lead to substantial civil monetary penalties or even criminal prosecution.
As a result, as a practical matter, implementing an effective OFAC compliance policy is fundamental to protecting financial institutions’ and businesses’ interests. While OFAC does not require financial institutions and businesses to adopt SCPs, it certainly expects them to do so. In support of this expectation, OFAC has published several compliance resources which, while non-binding and non-comprehensive, nonetheless serve as important tools for effective OFAC compliance management.
“Effective OFAC compliance management is essential for U.S. financial institutions and businesses of all sizes. While OFAC may not specifically require that organizations adopt written compliance programs, as a practical matter, carefully drafted and custom-tailored OFAC compliance policies are critical tools for compliance, risk management, and defense against enforcement actions.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
One of these resources is A Framework for OFAC Compliance Commitments (the “Framework”). The Framework is divided into two sections, each of which provides critical insights for developing an effective OFAC compliance policy. The Framework also includes references to other compliance resources (such as the OFAC Risk Matrix in the Annex to 31 C.F.R. Part 501), which financial institutions and businesses can—and should—use when developing their policies as well.
5 General Aspects (or “Essential Components”) of a Sanctions Compliance Program
The Framework begins by discussing five general aspects of an effective SCP. As noted in the introduction to the Framework, while OFAC “strongly encourages” financial institutions and businesses to incorporate these general aspects (which OFAC also refers to as “essential components”) into their sanctions compliance programs, these are not the only areas of compliance that organizations need to address. As OFAC explains:
“While each . . . SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations—each program should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.”
Thus, the general aspects outlined in the Framework are simply a starting point. Crucially, this is true not only with regard to the areas to be addressed when developing an OFAC compliance policy, but also with regard to the scope and substance of the policy documents that address these general aspects. A running theme in OFAC’s compliance guidance is that it is not intended to serve as a complete, prescriptive framework for compliance. Instead, financial institutions and businesses should think of OFAC’s guidance documents (including the Framework) as partial checklists that they can use to ensure that they have not overlooked the major aspects of an effective OFAC compliance program.
With this in mind, we will briefly summarize OFAC’s guidance for each of the five “essential components” in the Framework:
1. Management Commitment
OFAC emphasizes the importance of senior management playing an active role in financial institutions’ and businesses’ compliance efforts. In the Framework, it identifies five non-exclusive steps that organizations should take to ensure (and document) effective management-level buy-in:
- Senior management review and approval of the organization’s SCP;
- Senior management’s delegation of authority and autonomy to an OFAC compliance officer;
- Ensuring that the organization’s compliance unit has adequate resources to effectively administer its SCP;
- Senior management’s promotion of a “culture of compliance” throughout the organization; and,
- Demonstrating recognition of the seriousness of apparent violations through an appropriate response.
2. Risk Assessment
In the Framework, OFAC advises that risk assessments are critical tools for effective compliance management. As the agency states in the Framework, “[w]hile there is no ‘one-size-fits all’ risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.” When developing OFAC compliance policies, financial institutions and businesses should include protocols and procedures for conducting risk assessments that take into account the areas of concern identified in the OFAC Risk Matrix.
3. Internal Controls
OFAC states that internal controls designed to “identify, interdict, escalate, report (as appropriate), and keep records pertaining to [regulated] activity” are essential to effective compliance management. These internal controls may need to take a variety of different forms based on an organization’s specific structure, transactions, and risks, and the Framework outlines seven factors that OFAC will consider when evaluating the efficacy of an organization’s internal controls.
4. Testing and Auditing
Along with conducting risk assessments, OFAC also expects financial institutions and businesses to test and audit their OFAC compliance policies and procedures. Without providing specific guidance as to what these tests and audits should entail, OFAC highlights several overarching considerations for testing and auditing compliance. Some examples include:
- Accountability to senior management;
- Independence of the testing and auditing function;
- Performance by internal or external personnel with sufficient “skills, expertise, resources, and authority;”
- Commitment to ensuring that tests and audits reflect a “comprehensive and objective assessment” of the organization’s SCP; and,
- Mechanisms to take “immediate and effective action” when a test or audit reveals a compliance breakdown or deficiency.
5. Training
OFAC also reinforces the importance of compliance training in the Framework, stating that “[a]n adequate training program, tailored to an entity’s risk profile and all appropriate employees and stakeholders, is critical to the success of an SCP.” Here, too, OFAC provides general guidance without going into the specifics of what an organization’s training efforts should entail:
- Training programs should provide “adequate information and instruction” to employees and stakeholders;
- Training efforts should be of a scope that is “appropriate” for the organization’s products, services, customers, partner relationships, and geographic locations;
- Organizations should conduct training with a frequency that is “appropriate based on its OFAC risk assessment and risk profile;”
- Organizations should conduct adequate remedial training “upon learning of a confirmed negative testing result or audit finding, or other deficiency;” and,
- Training resources and materials should be “easily accessible” and available to all relevant personnel.
10 Root Causes of SCP Breakdowns and Deficiencies
After discussing the five general aspects of an effective OFAC compliance policy, the Framework shifts focus to provide examples of common compliance failures. The second section of the Framework, titled “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions,” discusses 10 issues that can lead (and have led) to civil and criminal enforcement actions following OFAC investigations. These “root causes” of SCP failures include:
- Failure to implement formal OFAC compliance policies. In addition to noting that lack of an SCP is a common cause of compliance violations, OFAC also notes that this failure is frequently identified as an “aggravating factor” in enforcement proceedings.
- Misinterpretation or misapplication of OFAC regulations. In the Framework, OFAC writes that “[n]umerous organizations have committed sanctions violations by misinterpreting OFAC’s regulations.”
- Facilitating transactions by non-U.S. persons. While there is nothing inherently violative about facilitating transactions by non-U.S. persons, prior to facilitating these transactions, organizations must ensure that they have taken all necessary steps to ensure compliance.
- Exporting and re-exporting to OFAC-sanctioned persons or countries. Exporting and re-exporting are activities that fall within OFAC’s enforcement authority. The agency notes that several recent enforcement actions have involved the improper export or re-export of goods, technology, and services to sanctioned persons and countries.
- Processing payments to or from OFAC-sanctioned persons or countries. Similarly, while processing payments is a core component of many organizations’ business operations, failure to ensure compliance before processing payments can lead to a variety of legal and regulatory issues.
- Relying on sanctions screening software and filters. OFAC notes that while many organizations rely on sanctions screening software and filters, these tools fail when they are not kept current with updates to OFAC’s sanctions lists, do not include all pertinent identifiers for sanctioned parties, or do not account for alternative spellings of sanctioned persons and countries, exposing these organizations to the risk of non-compliance.
- Inadequate customer due diligence. A key component of any OFAC compliance policy is ensuring adequate customer due diligence. If an organization does not have the protocols and procedures in place to ensure adequate due diligence, this can present a high risk for OFAC sanctions violations.
- Decentralized compliance functions. For financial institutions and businesses with multiple offices or locations, decentralization of OFAC compliance functions can lead to inconsistencies, oversights, and other compliance failures.
- Non-standard payment and commercial practices. OFAC advises that organizations should have policies in place to both ensure internal adherence to standardized practices and ensure that they do not process or engage in transactions involving entities engaged in non-standard practices.
- Individual liability. Finally, OFAC notes that failure to conduct adequate training and implement effective oversight can lead to both intentional and unintentional mistakes by individual employees and stakeholders that can expose organizations to substantial penalties.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.