OFAC Leans in on Sanctions Compliance: A Renewed Focus on Enforcement
On May 2, 2019, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) took a significant step by issuing the framework for OFAC Compliance Commitments, which formally puts companies on notice of OFAC's expectations with respect to an effective economic sanctions compliance program.
May 10, 2019 at 11:30 AM
10 minute read
On May 2, 2019, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) took a significant step by issuing the framework for OFAC Compliance Commitments (framework), which formally puts companies on notice of OFAC's expectations with respect to an effective economic sanctions compliance program (SCP). Importantly, OFAC indicates that it will take into account under its Economic Sanctions Enforcement Guidelines whether a company maintains an effective SCP in determining whether and what penalties to impose in the event of apparent violations, drawing a direct connection between compliance effort and enforcement exposure.
The framework specifies five “essential components” of an SCP and, in publishing this guidance, OFAC states that future OFAC settlement agreements may require companies to remedy program deficiencies to meet its newly-articulated standards for SCPs. Notably, OFAC issued the framework just days after the U.S. Department of Justice published its Evaluation of Corporate Compliance Programs guidance, reflective of a U.S. government focus on gauging whether a compliance program is effective to determine what enforcement measures to take in the event of violations.
Five Key Takeaways
- The framework provides a reminder of the expansive reach of OFAC's jurisdiction, necessitating that both U.S. and non-U.S. companies strongly consider implementing an SCP even if they have viewed their sanctions risk exposure as limited or attenuated.
- Organizations must adapt internal controls to the dynamic nature of sanctions, and must regularly test the effectiveness of technology tools to conduct tasks such as restricted party screening.
- Training of employees must be tailored to the functions of the relevant individuals involved, ongoing and continuously assessed, and a bona fide training program may extend beyond employees to certain counterparties.
- The framework is indicative of OFAC's endorsement of broader U.S. government expectations for effective regulatory compliance programs, and sends a clear message that OFAC intends to hold organizations responsible for ensuring that their SCPs support a living compliance program which responds to and effectively mitigates real-time risks specific to the organization's operational profile.
- The extent of mitigation credit available to organizations before OFAC for apparent sanctions violations, and OFAC's determinations of whether and to what extent it will impose penalties, will increasingly turn on OFAC's assessment of the effectiveness and quality of their risk-based SCPs.
Enforcement Risk Is Increasing
OFAC has taken a flurry of actions in 2019 which underscore its focus on compliance program enhancement. As of May 1, 2019, OFAC has issued 12 enforcement actions and settlement agreements totaling over $10 million in penalties, not including the nine-figure settlements for banks Standard Chartered and UniCredit. While OFAC has traditionally focused its enforcement efforts on financial institutions, the subjects of these recent enforcement actions and settlement agreements have notably included entities in the engineering, manufacturing, shipping, and software industries. OFAC's focus beyond financial institutions makes it apparent that sanctions enforcement risk now extends to all players in the global economy. Significant fines have been imposed even when there were several mitigating factors.
In several of these settlement agreements, OFAC has identified compliance benchmarks and pointed out how companies fell short. For example:
- In its January 2019 settlement agreement with e.l.f. Cosmetics, Inc. (ELF), OFAC criticized the company's compliance program as “either non-existent or inadequate,” given that ELF did not timely discover that the vast majority of the eyelash kits it imported from China contained materials from North Korea.
- In its March 2019 settlement with Stanley Black & Decker (SBD), though the company conducted pre-acquisition due diligence and training upon closing, OFAC still criticized SBD for thereafter not adequately following up “to take appropriate steps to audit, monitor, and verify newly acquired subsidiaries and affiliates for OFAC compliance.”
OFAC's focus on compliance in enforcement actions and settlement agreements has been echoed in other agency statements. In December 2018, the Undersecretary for Terrorism and Financial Intelligence signaled OFAC's strategic direction in important remarks, stating (1) “OFAC will be outlining the hallmarks of an effective sanctions compliance program;” (2) “these types of compliance commitments will become an essential element in settlement agreements;” and (3) “implementation of these commitments will ensure that companies are aware of their OFAC obligations and dedicating sufficient time and resources towards compliance.”
Five Essential Components of a SCP
The framework specifies that OFAC expects an SCP to “be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.” OFAC emphasizes that an effective SCP needs to be risk-based, i.e., shaped to the size, scope and breadth of an organization and its risk factors, as well as dynamic, meaning not only developed and implemented but also constantly updated and recalibrated.
Management Commitment. OFAC states that the commitment and support of an organization's senior management “is one of the most important factors in determining its success.” In evaluating the quality of management commitment, OFAC will consider several factors, including whether:
- Senior management has reviewed and approved the SCP, and taken steps to ensure compliance units are delegated sufficient authority and autonomy, with direct reporting lines and routine and periodic meetings.
- Compliance units receive adequate resources such as information technology software and systems, which will generally include appointment of “a dedicated OFAC sanctions compliance officer” with relevant sanctions expertise or expertise in subjects that are related, such as financial crimes or export controls.
- Management fosters and promotes a “culture of compliance” providing oversight over the actions of the organization and enabling personnel to report sanctions misconduct without fear of reprisal.
- In the case of apparent sanctions violations, senior management recognizes the seriousness of those apparent violations and implements remedial measures that represent systemic solutions to address their root causes.
Risk Assessment. OFAC recommends that organizations take a risk-based approach when designing an SCP, and it emphasizes the importance of regularly conducting risk assessments to identify threats or vulnerabilities and mitigate any risks identified through that exercise. This entails an overall review of the organization with a focus on an assessment of its touchpoints to the outside world. OFAC states:
For example, an organization's SCP may conduct an assessment of the following: (i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.
OFAC adds that such a risk assessment can then inform due diligence an organization undertakes, and specifically refers to the examples of counterparty onboarding and mergers and acquisitions. Regarding onboarding, the risk assessment may include developing a “sanctions risk rating” for counterparties at the time of onboarding, which in turn will guide the timing and scope of future due diligence. In mergers and acquisitions there should be due diligence as well, both to address issues prior to the conclusion of the transaction and to audit and test for additional sanctions-related issues after the transaction is completed.
Internal Controls. OFAC states that an effective SCP should include internal controls such as written, communicated, integrated and enforced policies and procedures, to “identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity” that may be prohibited by OFAC sanctions. OFAC emphasizes that, given the “dynamic nature” of sanctions, an SCP has to be capable of adjusting rapidly to changes published by OFAC, e.g., with respect to the List of Specially Designated Nationals and Blocked Persons (SDN List); the Sectoral Sanctions Identification List (SSI List); updated sanctions programs; new regulations or guidance; and general licenses. When information technology solutions are used, such as for screening, OFAC stresses that it expects “the organization routinely tests the solutions to ensure effectiveness.”
Testing and Auditing. OFAC recommends testing and auditing of the SCP, to ensure that entities “are aware of where and how their programs are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment.” OFAC stresses that it is the “organization's responsibility” to remediate compliance gaps by taking immediate and effective action to identify and implement controls to address the root cause of weaknesses found.
Training. OFAC advises that “[a]n effective training program is an integral component of a successful SCP.” With respect to employees, such training should be provided once a year at a minimum and the training program as a whole should “(i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.” OFAC adds that training may also extend beyond employees to certain stakeholders such as business partners, clients and suppliers, and recommends that its scope be tailored to the nature of such counterparties, as well as the products and services the organization provides and the geographic regions in which it operates. If testing or auditing reveals a negative finding, there must also be related training or corrective action.
Root Causes of Breakdowns or Deficiencies
OFAC likewise identifies 10 “root causes associated with apparent violations of the regulations” to help companies in formulating and revising their SCP. Some of these factors concern a lack of understanding that OFAC sanctions can reach U.S. legal and individual persons or U.S.-owned or controlled subsidiaries, as well as those dealing in U.S.-origin goods and technology or using the U.S. financial system. OFAC also provides a reminder not to approve or refer sanctioned country business and thereby risk violating the prohibition on “facilitation.”
Other factors go to shortcomings in compliance practices, such as outdated or narrow counterparty screening procedures; incomplete counterparty due diligence procedures; and insufficient awareness that “non-traditional business methods” can be red flags for sanctions circumvention. OFAC also points out that decentralized compliance functions can lack key features such as proper oversight; an escalation process; and an audit function, as well as suffer from miscommunications regarding an organization's sanctions policies and procedures.
The Road Ahead
By issuing the framework, OFAC has now heightened expectations of compliance and tethered an effective SCP to its enforcement outcomes. It important for industry to follow through on implementing these compliance commitments, as failure to do so may meaningfully increase exposure to fines and penalties in the event sanctions violations occur.
Mario Mancuso is a partner at Kirkland & Ellis and leads the firm's international trade and national security practice. Sanjay Mullick and Anthony Rapa are partners, and Abigail Cotterill is of counsel, at the firm.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllGovernment Attorneys Are Flooding the Job Market, But Is There Room in Big Law?
4 minute readTrump, ABC News Settlement in Defamation Lawsuit Includes $1M in Attorney Fees For President-Elect
Trending Stories
- 1Decision of the Day: Judge Reduces $287M Jury Verdict Against Harley-Davidson in Wrongful Death Suit
- 2Kirkland to Covington: 2024's International Chart Toppers and Award Winners
- 3Decision of the Day: Judge Denies Summary Judgment Motions in Suit by Runner Injured in Brooklyn Bridge Park
- 4KISS, Profit Motive and Foreign Currency Contracts
- 512 Days of … Web Analytics
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250