Global turmoil and the war in Ukraine have made the United States drastically expand the breadth of the economic sanctions that it has imposed on foreign nationals. Using statutes passed by Congress that authorize him to do so, the President of the United States has imposed these sanctions against thousands of people, companies, and other organizations that pose a threat to the United States’ foreign interests and its national security. However, it is up to the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury to enforce them.
To help enforce these economic sanctions, OFAC has released lots of guidance for domestic companies on how they can comply with them.
Here are five things that the OFAC compliance and defense lawyers at Oberheiden P.C. think that American companies and their stakeholders should know about these compliance requirements for 2023.
1. Make Sure You Have OFAC’s 5 Basic Requirements Covered
The amount of compliance guidance that OFAC has released, as well as the occasional specificity of that material, can be a double-edged sword for American individuals and companies. It means that OFAC has some fairly high expectations that you and your company will take their input to heart and follow their recommendations. Varying from them should only be done if the variance can be strongly justified.
According to OFAC’s guidance materials, the five basic compliance requirements are:
- A managerial commitment to achieving compliance
- Risk assessments and reviews
- Internal controls that are reasonably designed to detect OFAC violations and to respond to them appropriately
- Employee training and retraining
If your company has decided that any of these elements are unnecessary, there should be a strong explanation ready in case OFAC investigates your company for a potential violation of sanctions. If OFAC is unpersuaded by your rationale, the penalties that the agency imposes are likely to be significantly higher than if all of its recommended compliance measures had been carried out to the letter.
2. Now is the Time to Audit Your OFAC Compliance Efforts
Given that the fourth element to a compliance strategy that satisfies OFAC’s requirements is auditing, conducting an audit of your OFAC compliance mechanisms should already be on your company’s agenda.
However, the recent actions that the U.S. has taken against foreign nationals should spur companies into expediting their next scheduled auditing session or into planning new ones.
As Dr. Nick Oberheiden, OFAC compliance and defense lawyer and founding partner of the national law firm Oberheiden P.C., says, “There is no time like the present to review the efficacy of your OFAC compliance system. New individuals and companies are getting added to the list of Specially Designated Nationals (SDNs) every week thanks to the turmoil across the globe. The odds of inadvertently doing business with one of them has probably never been higher. Taking the time to audit your OFAC compliance efforts is the best way to make sure they are working as they should and are effectively insulating the company from legal liability and the significant costs of violating sanctions. If the audit finds a shortcoming, it can be addressed before it leads to a violation.”
3. Review Your Cybersecurity Protocols
One area that should demand your immediate attention is the cybersecurity aspect of your OFAC compliance efforts. Not only are the parties that have been getting added to the list of SDNs technologically savvy and willing to engage in cyberwarfare to get what they want, but OFAC also recently altered its regulations pertaining to cybersecurity requirements in compliance efforts.
A relatively large portion of the new additions to the SDN list of sanctioned individuals and organizations have to do with the Russian invasion of Ukraine. Many of them are tied to the Kremlin in some way. This gives them access to potent and highly-skilled weapons in cyberwarfare. If history is any indicator, Russian actors – particularly those remotely tied to the state – are willing and able to resort to cyberattacks to achieve their goals. It would not be a surprise if they were to resort to it in an attempt to evade sanctions.
Perhaps because of this very real possibility, OFAC updated its cybersecurity requirements and regulations in September of 2022, after the war in Ukraine had started. Published at 15 C.F.R. Part 758, these new regulations tell domestic companies how OFAC thinks that they should protect themselves from cyberattacks conducted by sanctioned parties. The final rule that announced these changes explains some of OFAC’s reasoning behind them.
4. It May Be Wise to Appoint an OFAC Compliance Officer
Particularly for companies that have not taken action on their OFAC compliance requirements in some time, it may be wise to appoint a compliance officer whose sole job is to handle OFAC-related matters.
Delegating OFAC compliance to a corporate officer or manager who already has other tasks can overburden them. The variety of jobs that they have can also become a distraction, leading to poor performance on not just OFAC compliance, but also in the officer’s other responsibilities. In either situation, your company would continue to be exposed to the serious penalties that come with a violation of U.S. sanctions – a violation that becomes far more likely to happen if the company is not in full OFAC compliance.
By appointing an OFAC compliance officer – even temporarily or on a contractual basis, for a period of time only long enough to bring the company back up to speed with OFAC’s requirements – you can ensure that the job gets done.
5. Keep Up to Date with the OFAC SDN Lists
Through it all, though, the most important OFAC requirement is to know who is a sanctioned party and to avoid dealing with them. The first and most fundamental part of satisfying this requirement is to keep apprised of the SDN lists that OFAC publishes. If you do not know who is on them or who has been added to them recently, it will be impossible to avoid them in the course of your company’s business dealings.