Originally published in NAVEX Global's Top 10 Risk & Compliance Trends for 2020 eBook. You can download the full eBook here.
On May 1, 2019, the world of sanctions compliance was upended when the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) decided to jump into the compliance game by issuing its first-ever Framework for OFAC Compliance Commitments. Like the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs, this framework sets forth OFAC’s expectations as to what it believes a sanctions compliance program (SCP) should look like. However, while the DOJ guidance further clarified existing policy, OFAC’s framework imposed significant new obligations. Perhaps even more importantly, the document signals a fundamental shift with respect to how OFAC will apply, monitor and enforce sanctions against organizations going forward.
These changes partly stem from even broader evolutions in U.S. foreign policy. Throughout the past decade, presidential administrations from both parties have demonstrated increasing appetites for using cross-industry sanctions to target rogue regimes, a practice that former U.S. Treasury and National Security Council official Juan Zarate has described as “the unleashing of a new era of financial warfare.” The sweeping U.S. sanctions against Iran, first levied under the prior administration in 2010 and re-applied by the current administration in 2018, are perhaps the most high-profile example of this approach. However, similar sanctions have also been enacted against other rogue regimes such as Venezuela and Russia.
The Future of OFAC Compliance
OFAC’s application of these sanctions has taken on new life under the leadership of Sigal Mandelker, the Under Secretary of the Treasury for Terrorism and Financial Intelligence. Sigal, who I had the pleasure of working with during her tenure at the Department of Justice (DOJ), has played an instrumental role in transforming the expectations placed on all companies that do business abroad. A former Deputy Assistant Attorney General, she has worked closely with the DOJ and has demonstrated a willingness to refer sanctions violators to DOJ for criminal investigation. Although she left the Treasury Department this past October, there is every reason to believe that OFAC will continue upholding the trends she began. In fact, I predict that the relationship between OFAC and DOJ will eventually mirror the latter’s relationship with the SEC, with the two agencies working in close coordination to address both civil and criminal enforcement, respectively.
Perhaps the most interesting component of OFAC’s new guidance is the implicit message that OFAC no longer cares why your program failed. It doesn’t matter if your violations were made in earnest, or if they resulted from actions taken by your third party without your knowledge. Regulators no longer want to hear your excuses.
This means that all organizations subject to OFAC jurisdiction need to elevate their game. The Treasury has made it clear that compliance will no longer be measured in steps taken but in results achieved. It is no longer enough to conduct a cursory screen of your suppliers or distributors, nor will ignorance serve as a defense. Any company engaged in international commerce, including those with foreign services, clients, and customers, needs to have a fully functioning SCP.
Steps for Organizations to Take
You don’t need to go far to determine the steps organizations must take to align with new sanctions compliance expectations. OFAC provides a five-part prescription.
1. Get Senior Management Commitment
OFAC’s definition of commitment is technically precise and relies on measurable actions undertaken by senior leadership. Leaders must:
- Actively review and approve the organization’s SCP
- Designate a dedicated OFAC sanctions compliance officer, and imbue that role with authority and autonomy
- Create effective internal systems for whistleblowers to report misconduct
- Severely and publicly punish violators to demonstrate the organization’s commitment to compliance to all members of the organization
- Offer strong reporting mechanisms
2. Tailor Program to Risk Profile
The guidance radically expands the responsibility of contracting organizations, plainly stating that there are a “multitude of areas organizations should include in their risk assessments.” Assessments should rely not only on customer-provided information, but on independent research. A third party’s failure to disclose incriminating information is no excuse, as it is incumbent upon the contracting organization to rigorously vet any potential partner. Assessments should also be performed during all mergers and acquisitions. Critically, the new OFAC guidelines require that such evaluations be performed “with a frequency…that adequately accounts for potential risks.” Under this new policy, risk assessments must be regularly updated in response to violations or deficiencies uncovered during testing or audit functions.
3. Evaluate Internal Controls & Calibrate Solutions
Once an organization has completed its initial risk assessment and profile, it must adequately address the results through policies and procedures that clearly and effectively identify, interdict, escalate, record and report prohibited activities. Here, OFAC specifically states its expectation that organizations utilize “information technology solutions” to manage this complex task. However, the adoption of a technology solution alone is not enough. The guidance stipulates that organizations must select and calibrate solutions “in a manner that is appropriate to address the organization’s risk profile and compliance needs.”
4. Test & Audit
Of course, an organization’s risk profile is not static, nor do internal controls or technology solutions come perfectly calibrated. Effective SCPs are audited and tested regularly to check for weaknesses and deficiencies. OFAC expects SCP elements to be routinely recalibrated to account for changing risks. Such testing functions should be comprehensive, objective, independent and accountable to senior management. When test results are negative, corrective action should be immediate and effective. It should also address the “root causes” of failures, rather than focusing on their symptoms.
5. Train Appropriate Personnel
Finally, the OFAC guidance requires firms to implement training programs for all appropriate employees and personnel. While training has traditionally been part of SCPs, what is noticeably different here is the frequency. OFAC now requires training to be provided annually at a minimum. Further, training should be tailored to both the entity’s risk profile and each employee’s individual role. Training should also be extended to the organization’s external stakeholders, including clients, suppliers and business partners.
These sweeping new responsibilities and obligations for entities with partners, clients, suppliers, distributors or customers overseas are not spurious. They are the direct and considered consequence of long-term U.S. foreign policy, and they are likely to expand rather than recede with time.
While the challenges posed by the new OFAC guidance may seem daunting, firms can and should use this moment as an opportunity to imbue their compliance functions with the authority, autonomy, resources and technology that regulators now expect of them. We are entering a year of change in the sanctions world as successful businesses and compliance programs anticipate these shifts in the compliance landscape and adapt accordingly.