What You Need to Know About OFAC’s Requirements
The Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury is going to continue to be active in 2024 as it enforces American economic sanctions on foreign parties. As global conflict continues in Ukraine and elsewhere, the U.S. has cast its net wide for people and companies that are responsible for the upheaval. By imposing sanctions on them, the U.S. aims to protect its interests abroad and promote the country’s own national security.
For domestic companies, though, this makes it extremely important to comply with OFAC’s requirements. Willfully or even accidentally doing business with a sanctioned party can lead to criminal charges for violating American sanctions or expensive civil claims against you or your company.
Here are four things about OFAC enforcement and compliance in 2024 that the OFAC defense and compliance lawyers at the national defense firm Oberheiden P.C. think you should know.
1. Be Sure to Check Off the 5 Basic Boxes of OFAC Compliance
Because its primary goal is to financially isolate America’s enemies and other threats to global security, OFAC goes to great lengths to instruct domestic companies on how to adequately comply with the agency’s requirements. The thought is that, with adequate guidance for domestic companies, OFAC’s job becomes easier as American companies become less likely to inadvertently violate American economic sanctions.
However, all of this guidance comes as a double-edged sword for U.S. companies and individuals. Because there is so much of it, OFAC expects you to take it to heart and adopt the compliance strategies that they recommend.
Broadly speaking, there are five basic elements to an OFAC compliance protocol, according to OFAC:
- Managerial commitment to compliance
- Risk assessments and reviews
- Internal controls
- Auditing and testing
- Training and retraining of relevant employees
While OFAC acknowledges that each company will have unique compliance needs and risks, the reality is that the decision that you do not have to follow an aspect of its compliance recommendations has to be backed up with ample supporting evidence. OFAC will expect its guidelines to be carried out, and persuading them that a variance from them is justified may not be easy to do.
2. There is No Time Like the Present to Audit Your OFAC Compliance Efforts
Precisely because varying from OFAC’s compliance recommendations is to be done at a company’s own risk, auditing your existing compliance systems to ensure that it meets OFAC’s current expectations is an extremely important thing to do.
Given that the risks of violating sanctions due to noncompliance with OFAC’s requirements has never been higher, thanks to the agency’s high levels of activity in adding new names to its list of Specially Designated Nationals (SDNs), auditing your OFAC compliance system should be near the top of your company’s list of priorities for 2024. Auditing your compliance protocol is, after all, one of the five key components to compliance, according to OFAC. The best time to do it is now.
“Because OFAC has added so many new parties to the list of sanctioned individuals and companies, the risks of accidentally doing business with one of them are very high, right now. As a result, the costs of noncompliance with OFAC’s requirements are high, as well. The best way to know for sure that your company is still in compliance is to audit its existing compliance structure. If holes are found, actions can be taken to plug them up and better insulate the company from the legal liability that follows an OFAC violation.” – Dr. Nick Oberheiden, founding partner of Oberheiden P.C. and a leading OFAC lawyer at the firm.
3. Appointing an OFAC Compliance Officer Can Streamline Things
Two of the many reasons why companies struggle to adopt an OFAC compliance mechanism are because it either relies on other officers to handle the issue or because it utilizes a task force or team of personnel to decide how to best go about doing it.
The problem with these approaches is that they can overburden other executives or create deadlocks among a team of equally powerful decision-makers. Whether because creating and implementing the OFAC compliance system gets punted by busy corporate officers or delayed by a team that cannot reach a decision, the results are the same: Your company remains exposed to legal liability for violating U.S. economic sanctions.
That exposure can be very costly if it manifests in a sanctions violation. Civil actions by OFAC are strict liability offenses, so even inadvertently dealing with a sanctioned party can carry hundreds of thousands of dollars in fines for each transaction. Willfully dealing with a sanctioned party, however, is a crime that will be prosecuted by the U.S. Department of Justice (DOJ) and can carry decades in federal prison for responsible individuals.
With these steep penalties in play, companies should take whatever steps necessary to get their OFAC compliance measures up and running. In many cases, that requires appointing an OFAC compliance officer whose sole job it is to make that happen. This ensures that the person in charge of enacting your company’s OFAC compliance system is not distracted and that the resulting system is not the product of a series of compromises made by each member of the team in charge.
4. Review Your Cybersecurity Protocols to Ensure It Complies with OFAC’s New Requirements
Companies should also make a point of ensuring that their cybersecurity systems are in line with OFAC requirements. OFAC updated its cybersecurity requirements in September, 2022, so if this component of your company’s OFAC compliance system has not been reviewed since then, the legal obligations that have to be met have changed. If your company is no longer in compliance with the agency’s requirements, it can be exposed to legal liability.
Taking these precautions is made even more important by the fact that many of the individuals and companies that have been getting added to the SDN lists are technologically savvy and have shown a willingness to use cyberattacks to get what they want. It is not unreasonable to think that they will use cyberwarfare to evade sanctions if that is what it takes.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.