At the beginning of May, the Office of Foreign Assets Control (OFAC) published its deceptively bland-sounding guidance about trade sanctions, “A Framework for OFAC Compliance Commitments” (the Framework).
The reality was anything but bland. Within the 12-page document, OFAC crammed a tremendous amount of information about how a sanctions compliance program should work. And since publishing the Framework, OFAC has taken two actions that indicate how the agency plans to police against sanctions violations. From all of that so far, compliance officers can start piecing together what an effective sanctions compliance program should look like and how to go about implementing it.
Our first indicator was an enforcement action OFAC took against a large investment bank on May 28. The bank, with more than $2 trillion under management, had been processing payments from a retirement plan to one of its customers. The amounts involved were barely $11,000 – a vanishingly small sum for a bank so large.
The customer’s accounts were all in the U.S., and the customer himself was a U.S. citizen — but at the time of the transactions, he was living in Iran. Which the bank knew, because the customer had given a Tehran address on his processing forms.
Sending money to someone living in Iran violates U.S. sanctions law, and OFAC declared those payments exactly that: a violation. It did not, however, impose any monetary penalty on the bank. Why? Among other things, because the bank restructured its compliance program to respond to all sanctions issues with a dedicated sanctions compliance team. That improvement to escalation protocols was what OFAC wanted to see, and therefore rewarded.
Our second guidepost comes in the form of a new penalty policy OFAC announced in June. OFAC said it will not necessarily give credit for fines businesses pay to other agencies as part of some joint settlement. That’s a departure from the Justice Department’s “anti-piling on” policy announced in 2018 and demonstrates OFAC’s desire to protect the “strategic use of its enforcement authorities,” as its director Andrea Gacki said.
These two indicators show that OFAC is determined to protect (and use) its ability to impose penalties, but also is willing to forgive penalties when a company implements compliance reforms.
What should compliance officers make of that?
Strong Sanctions Compliance Programs Pay More Attention to Detail
Per our case above, OFAC went easy on the investment bank because the bank restructured its sanctions compliance program. Prior to this incident, the bank took a decentralized approach. Each operating unit had its own sanctions compliance team, which used its own screening software.
When an operating unit’s screening tool flagged a suspicious transaction (which did happen here), the unit’s own compliance team reviewed the matter rather than passing it along to specialized sanctions compliance folks at the bank’s headquarters. This means that sanctions experts weren’t always the ones reviewing and evaluating suspicious transactions.
All of that was restructured as part of the bank’s settlement with OFAC. Now every sanctions issue goes to that specialized sanctions compliance program at headquarters.
To learn more about managing this type of scenario, you can review an outline in the “Root Causes of Sanctions Compliance Breakdowns” section of the Framework. In example No. 8, OFAC warns of having decision-makers scattered across business units, who make faulty judgments and don’t escalate sanctions issues to others who might know better.
Strong Sanctions Compliance Programs Have Authority & Are Designed Accordingly
In a previous post published right after the release of the Framework, I discussed the need for sanctions compliance officers to have clear authority, competency, and responsibility for sanctions issues. That’s one point made clear in the OFAC framework: if a business intends to take sanctions compliance seriously, then those principles should be vested in a specific person, who can then lead the charge on sanctions compliance.
Our investment bank, however, shows what “leading the charge on sanctions compliance” can look like in practice. If the sanctions compliance officer wants to build a strong sanctions compliance capability throughout the whole organization, that may require a restructuring of your compliance program, where a centralized team can give sanctions risk the attention it deserves.
Another way to think of the issue here is through the lens of internal control. Throughout the Framework, OFAC stresses the importance of internal controls that can find, interdict, and escalate sanctions issues. The tricky part, however, is that sanctions risks change all the time, as blocked persons or businesses move on or off sanctions lists.
Compliance officers could create a system of internal controls to do all that with a decentralized compliance function; technically, that’s possible. But would all that internal control work be worth it? Effective internal control is hard enough to achieve for financial reporting or FCPA compliance, and those rules move at a glacial pace.
For something as dynamic as sanctions, that challenge is all the harder. So the more strategic choice may be to restructure your compliance program for a centralized sanctions compliance team as OFAC mentions in its guidance. That path might offer the most risk assurance for budget dollars spent.