What Compliance Officers Need to Know About OFAC Compliance
The Office of Foreign Assets Control (OFAC) regulates financial transactions between U.S. entities and specified foreign nations, businesses, and individuals. For U.S. entities that are subject to OFAC’s oversight, compliance needs to be a top priority; and, generally speaking, responsibility for managing compliance will rest with the entity’s compliance officer.
So, as a compliance officer, what do you need to know about OFAC compliance? Today more than ever, compliance officers need to ensure that their financial institutions and companies are doing what is necessary to satisfy OFAC’s requirements. OFAC has a mandate to enforce financial institutions’ and companies’ compliance obligations, and OFAC enforcement actions can lead to blocked assets and transactions, civil monetary penalties (CMP), and even criminal prosecution in some cases.
“All financial institutions and companies in the U.S. need to make OFAC compliance a priority. Non-compliance with OFAC’s sanctions programs and regulations can have severe consequences, and OFAC is increasingly taking proactive measures to enforce entities’ compliance obligations.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
In A Framework for OFAC Compliance Commitments, OFAC makes clear that management’s commitment to compliance is a key factor in the Office’s evaluation of entities’ compliance efforts. OFAC also makes clear that all entities subject to its oversight should have a “dedicated OFAC sanctions compliance officer” (although this may be “the same person serving in other senior compliance positions, e.g., the Bank Secrecy Act Officer or an Export Control Officer”). As a result, the compliance officer’s role is key, and entities’ OFAC compliance officers must have a clear and comprehensive understanding of what is necessary to avoid OFAC enforcement action.
5 Key Facts About OFAC Compliance
With this in mind, here are five key facts about OFAC compliance:
1. OFAC Has Published Several Compliance Resources that Entities Can (and Should) Follow
OFAC has published several compliance resources that financial institutions and companies can (and should) follow when developing their sanctions compliance programs (SCP). Crucially, however, while these resources are instructive, and while OFAC expects entities to utilize them, OFAC also makes clear that it is ultimately up to each individual entity to determine its specific SCP needs.
In other words, compliance officers cannot rely on OFAC’s guidance exclusively when evaluating their financial institutions’ and companies’ compliance obligations—as counterintuitive as this may seem. Instead, compliance officers must work with their institution’s or company’s counsel to develop and implement policies and procedures that reflect the institution’s or company’s specific risks and needs.
What guidance is available from OFAC? OFAC’s publicly-available compliance resources include:
- A Framework for OFAC Compliance Commitments (the “Framework”) – This compliance resource provides an overview of five “essential components of compliance” according to OFAC: (i) management commitment, (ii) risk assessment, (iii) internal controls, (iv) testing and auditing, and (v) training. Crucially, however, OFAC also indicates in the Framework that there are “at least” five essential components of compliance—signaling that the Framework should not be used as the sole source of information on the issues to be addressed in an SCP.
- Economic Sanctions Enforcement Guidelines (the “Guidelines”) – The Economic Sanctions Enforcement Guidelines appear in Appendix A to 31 C.F.R. Part 501, which is the source of the core OFAC regulations governing transactions with foreign entities and individuals. The Guidelines address several aspects of OFAC compliance, from the steps financial institutions and companies should take to address compliance to when self-disclosure of an apparent violation may be necessary.
- The OFAC Risk Matrix – The Annex to the Economic Sanctions Enforcement Guidelines contains the OFAC Risk Matrix. While the Risk Matrix is intended primarily as a tool for financial institutions and companies to assess the efficacy of their compliance programs, it also provides key insights for developing an effective SCP.
- OFAC Information for Industry Groups – Along with general compliance guidance, OFAC has also published specific compliance guidance for certain industry groups. These industry groups include instant payment systems, credit reporting, exporters and importers, financial sector, insurance sector, legal and compliance services sector, money services businesses, non-governmental organizations and non-profits, and virtual currency.
- OFAC’s FAQs – OFAC has published extensive FAQs on its website, and it continues to regularly publish additional FAQs in response to specific events and inquiries. OFAC’s website provides a searchable database where compliance officers can look for guidance on well over 1,000 topics related to effective SCP development, implementation, and management.
These are in addition to OFAC’s sanctions and general licenses, both of which are also publicly available through OFAC’s website. While the guidance available from OFAC is (or should be) helpful, the volume of information available also makes it very challenging to develop and administer an effective SCP.
As a result, while compliance officers should be familiar with the rules, regulations, and sanctions programs that apply to their financial institutions and companies, they should also be prepared to engage with outside counsel when questions or issues inevitably arise. In many cases, financial institutions’ and companies’ obligations will not be clear, and making informed decisions may even require engaging with OFAC directly.
2. Entities Should Be Prepared to Proactively Engage with OFAC When Necessary
There are various scenarios in which a financial institution or company may need to proactively engage with OFAC in relation to its SCP. Compliance officers must be able to determine when engaging with OFAC is necessary (or may be necessary), and they should consult with their financial institution’s or company’s outside counsel promptly to make informed decisions about if (and how) to make contact.
When should compliance officers consider engaging with OFAC proactively? Some examples of common scenarios include:
- The Entity Needs Interpretive Guidance – OFAC will provide interpretive guidance upon request in certain circumstances. If a financial institution’s or company’s obligations under an OFAC sanctions program or general license are unclear, then seeking interpretive guidance may be a necessary precursor to pursuing a proposed transaction.
- The Entity Needs to Apply for a Specific License – If it is clear that a transaction is prohibited under an OFAC sanctions program and no general licenses apply, it may still be possible to execute the transaction (or obtain the release of blocked funds) by obtaining a specific license. Financial institutions and companies seeking specific licenses must submit conforming applications to OFAC.
- The Entity Needs to Self-Disclose a Compliance Violation – Financial institutions and companies may have an obligation to self-disclose compliance violations in various circumstances. When self-disclosure is necessary, compliance officers should work with their institution’s or company’s outside counsel to carefully formulate their submissions.
3. OFAC Expects Entities to Conduct Risk Assessments and Reviews
As noted above, conducting risk assessments is one of OFAC’s five “essential components of compliance.” To conduct risk assessments, financial institutions and companies must evaluate their SCPs using the OFAC Risk Matrix. The OFAC Risk Matrix lists 13 areas of compliance and provides examples of “low,” “moderate,” and “high” risk in each area. By determining into which category their institution or company falls in each of these 13 areas, compliance officers can gain an understanding of both: (i) the risk of OFAC compliance failures; and, (ii) the risk of facing OFAC scrutiny and enforcement.
But, here too, OFAC’s guidance does not reflect the only risks that compliance officers need to address. The OFAC Risk Matrix is intended to be instructive, not exhaustive. If a financial institution or company faces other compliance-related risks, then it must also assess (and address) these risks on an ongoing basis.
4. OFAC Expects Entities to Test and Audit Their Sanctions Compliance Programs
In addition to conducting risk assessments, OFAC also expects financial institutions and companies to test and audit their SCPs. While risk assessments focus on evaluating the present circumstances, tests and audits focus on identifying issues that have the potential to lead to trouble in the future. By effectively stress testing their SCPs, and by auditing their institutions’ and companies’ compliance efforts for potential shortcomings and failures, compliance officers can determine what is necessary on a go-forward basis—not only in terms of effective compliance program management, but also in terms of the need for self-disclosure.
5. Documentation and Implementation Are Equally Important
Finally, we’ll close with a note on the importance of both documentation and implementation. Too often, compliance officers focus on one or the other: either they make sure they have a well-documented SCP, or they make sure that everyone knows their role in managing OFAC compliance. But both of these aspects of compliance are equally important. An SCP is useless if it sits on a shelf. Likewise, if a financial institution or company cannot demonstrate its implementation efforts, it won’t be prepared to withstand scrutiny in the event of an OFAC inspection or investigation.
Effectively managing OFAC compliance is a constant cycle. Compliance officers must work with counsel to develop policies and procedures, they must implement these policies and procedures, and then they must document their implementation. Compliance officers must also work with counsel to identify new compliance obligations and risks on an ongoing basis, and they must implement changes to their SCPs when necessary.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.