On May 2, 2019, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) took a significant step by issuing the framework for OFAC Compliance Commitments (framework), which formally puts companies on notice of OFAC's expectations with respect to an effective economic sanctions compliance program (SCP). Importantly, OFAC indicates that it will take into account under its Economic Sanctions Enforcement Guidelines whether a company maintains an effective SCP in determining whether and what penalties to impose in the event of apparent violations, drawing a direct connection between compliance effort and enforcement exposure.

The framework specifies five “essential components” of an SCP and, in publishing this guidance, OFAC states that future OFAC settlement agreements may require companies to remedy program deficiencies to meet its newly-articulated standards for SCPs. Notably, OFAC issued the framework just days after the U.S. Department of Justice published its Evaluation of Corporate Compliance Programs guidance, reflective of a U.S. government focus on gauging whether a compliance program is effective to determine what enforcement measures to take in the event of violations.

Five Key Takeaways

• The framework provides a reminder of the expansive reach of OFAC's jurisdiction, necessitating that both U.S. and non-U.S. companies strongly consider implementing an SCP even if they have viewed their sanctions risk exposure as limited or attenuated.
• Organizations must adapt internal controls to the dynamic nature of sanctions, and must regularly test the effectiveness of technology tools to conduct tasks such as restricted party screening.
• Training of employees must be tailored to the functions of the relevant individuals involved, ongoing and continuously assessed, and a bona fide training program may extend beyond employees to certain counterparties.
• The framework is indicative of OFAC's endorsement of broader U.S. government expectations for effective regulatory compliance programs, and sends a clear message that OFAC intends to hold organizations responsible for ensuring that their SCPs support a living compliance program which responds to and effectively mitigates real-time risks specific to the organization's operational profile.
• The extent of mitigation credit available to organizations before OFAC for apparent sanctions violations, and OFAC's determinations of whether and to what extent it will impose penalties, will increasingly turn on OFAC's assessment of the effectiveness and quality of their risk-based SCPs.

Enforcement Risk Is Increasing

OFAC has taken a flurry of actions in 2019 which underscore its focus on compliance program enhancement. As of May 1, 2019, OFAC has issued 12 enforcement actions and settlement agreements totaling over $10 million in penalties, not including the nine-figure settlements for banks Standard Chartered and UniCredit. While OFAC has traditionally focused its enforcement efforts on financial institutions, the subjects of these recent enforcement actions and settlement agreements have notably included entities in the engineering, manufacturing, shipping, and software industries. OFAC's focus beyond financial institutions makes it apparent that sanctions enforcement risk now extends to all players in the global economy. Significant fines have been imposed even when there were several mitigating factors.

In several of these settlement agreements, OFAC has identified compliance benchmarks and pointed out how companies fell short. For example:

• In its January 2019 settlement agreement with e.l.f. Cosmetics, Inc. (ELF), OFAC criticized the company's compliance program as “either non-existent or inadequate,” given that ELF did not timely discover that the vast majority of the eyelash kits it imported from China contained materials from North Korea.
• In its March 2019 settlement with Stanley Black & Decker (SBD), though the company conducted pre-acquisition due diligence and training upon closing, OFAC still criticized SBD for thereafter not adequately following up “to take appropriate steps to audit, monitor, and verify newly acquired subsidiaries and affiliates for OFAC compliance.”

OFAC's focus on compliance in enforcement actions and settlement agreements has been echoed in other agency statements. In December 2018, the Undersecretary for Terrorism and Financial Intelligence signaled OFAC's strategic direction in important remarks, stating (1) “OFAC will be outlining the hallmarks of an effective sanctions compliance program;” (2) “these types of compliance commitments will become an essential element in settlement agreements;” and (3) “implementation of these commitments will ensure that companies are aware of their OFAC obligations and dedicating sufficient time and resources towards compliance.”

Five Essential Components of a SCP

The framework specifies that OFAC expects an SCP to “be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.” OFAC emphasizes that an effective SCP needs to be risk-based, i.e., shaped to the size, scope and breadth of an organization and its risk factors, as well as dynamic, meaning not only developed and implemented but also constantly updated and recalibrated.

Management Commitment. OFAC states that the commitment and support of an organization's senior management “is one of the most important factors in determining its success.” In evaluating the quality of management commitment, OFAC will consider several factors, including whether:

• Senior management has reviewed and approved the SCP, and taken steps to ensure compliance units are delegated sufficient authority and autonomy, with direct reporting lines and routine and periodic meetings.
• Compliance units receive adequate resources such as information technology software and systems, which will generally include appointment of “a dedicated OFAC sanctions compliance officer” with relevant sanctions expertise or expertise in subjects that are related, such as financial crimes or export controls.
• Management fosters and promotes a “culture of compliance” providing oversight over the actions of the organization and enabling personnel to report sanctions misconduct without fear of reprisal.
• In the case of apparent sanctions violations, senior management recognizes the seriousness of those apparent violations and implements remedial measures that represent systemic solutions to address their root causes.

Risk Assessment. OFAC recommends that organizations take a risk-based approach when designing an SCP, and it emphasizes the importance of regularly conducting risk assessments to identify threats or vulnerabilities and mitigate any risks identified through that exercise. This entails an overall review of the organization with a focus on an assessment of its touchpoints to the outside world. OFAC states:

For example, an organization's SCP may conduct an assessment of the following: (i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.

OFAC adds that such a risk assessment can then inform due diligence an organization undertakes, and specifically refers to the examples of counterparty onboarding and mergers and acquisitions. Regarding onboarding, the risk assessment may include developing a “sanctions risk rating” for counterparties at the time of onboarding, which in turn will guide the timing and scope of future due diligence. In mergers and acquisitions there should be due diligence as well, both to address issues prior to the conclusion of the transaction and to audit and test for additional sanctions-related issues after the transaction is completed.

Internal Controls. OFAC states that an effective SCP should include internal controls such as written, communicated, integrated and enforced policies and procedures, to “identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity” that may be prohibited by OFAC sanctions. OFAC emphasizes that, given the “dynamic nature” of sanctions, an SCP has to be capable of adjusting rapidly to changes published by OFAC, e.g., with respect to the List of Specially Designated Nationals and Blocked Persons (SDN List); the Sectoral Sanctions Identification List (SSI List); updated sanctions programs; new regulations or guidance; and general licenses. When information technology solutions are used, such as for screening, OFAC stresses that it expects “the organization routinely tests the solutions to ensure effectiveness.”

Testing and Auditing. OFAC recommends testing and auditing of the SCP, to ensure that entities “are aware of where and how their programs are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment.” OFAC stresses that it is the “organization's responsibility” to remediate compliance gaps by taking immediate and effective action to identify and implement controls to address the root cause of weaknesses found.

Training. OFAC advises that “[a]n effective training program is an integral component of a successful SCP.” With respect to employees, such training should be provided once a year at a minimum and the training program as a whole should “(i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.” OFAC adds that training may also extend beyond employees to certain stakeholders such as business partners, clients and suppliers, and recommends that its scope be tailored to the nature of such counterparties, as well as the products and services the organization provides and the geographic regions in which it operates. If testing or auditing reveals a negative finding, there must also be related training or corrective action.

Root Causes of Breakdowns or Deficiencies

OFAC likewise identifies 10 “root causes associated with apparent violations of the regulations” to help companies in formulating and revising their SCP. Some of these factors concern a lack of understanding that OFAC sanctions can reach U.S. legal and individual persons or U.S.-owned or controlled subsidiaries, as well as those dealing in U.S.-origin goods and technology or using the U.S. financial system. OFAC also provides a reminder not to approve or refer sanctioned country business and thereby risk violating the prohibition on “facilitation.”

Other factors go to shortcomings in compliance practices, such as outdated or narrow counterparty screening procedures; incomplete counterparty due diligence procedures; and insufficient awareness that “non-traditional business methods” can be red flags for sanctions circumvention. OFAC also points out that decentralized compliance functions can lack key features such as proper oversight; an escalation process; and an audit function, as well as suffer from miscommunications regarding an organization's sanctions policies and procedures.

The Road Ahead

By issuing the framework, OFAC has now heightened expectations of compliance and tethered an effective SCP to its enforcement outcomes. It important for industry to follow through on implementing these compliance commitments, as failure to do so may meaningfully increase exposure to fines and penalties in the event sanctions violations occur.

Mario Mancuso is a partner at Kirkland & Ellis and leads the firm's international trade and national security practice. Sanjay Mullick and Anthony Rapa are partners, and Abigail Cotterill is of counsel, at the firm.