On May 2, 2019, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) published its first-ever Framework for OFAC Compliance Commitments ("Framework"), detailing the essential components of a sanctions compliance program, and the contents were hardly a surprise. As we indicated in our recent client alert outlining the top 20 compliance lessons to learn from the past year's OFAC enforcement cases, OFAC has hinted at this Framework since last fall when it began publishing settlement agreements with compliance commitments included. Although OFAC reiterated that every company's risk-based sanctions compliance program will vary based on its own individual risk factors - including the company's size and sophistication, products and services, customers and counterparties, and geographic locations - OFAC characterized the five "essential components" of compliance as requiring: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
Instead of merely summarizing these compliance commitments, the MoFo national security team has linked each commitment to the lessons of enforcement cases of the past year. As the Framework notes, "OFAC recommends all organizations subject to U.S. jurisdiction [including non-U.S. companies that engage in transactions with a U.S. nexus] review the settlements published by OFAC to reassess and enhance their respective [sanctions compliance programs], when and as appropriate."
The Framework resembles in many respects the updated Evaluation of Corporate Compliance Programs Guidance Document published by the U.S. Justice Department's Criminal Division in April 2019. At the end of the Framework, OFAC provided a list of common "root causes" of sanctions violations to help companies evaluate their compliance programs, and we've also linked those root causes to recent sanctions enforcement cases. Accordingly, now that OFAC has articulated what it's looking for in a compliance program and described common root causes of violations, it's time for companies to review their programs to make sure they conform to expectations. Companies should do so not just to be the best they can be in terms of sanctions compliance, but also because the Framework makes clear that OFAC will "consider favorably" effective sanctions compliance programs (and unfavorably ineffective ones) when resolving future enforcement cases. Here's what OFAC expects:
As the old saying goes, "it rolls downhill." If management doesn't support or only begrudgingly supports a compliance program, then compliance staff are unlikely to be effective in their roles. Therefore, OFAC notes that it expects senior management to review and approve sanctions compliance programs.
Similarly, compliance staff need to have the authority to do their jobs. If business folks can ignore compliance staff the way they did in OFAC's case against Ericsson, there is little hope that even a well-designed program will be effective. Compliance staff should be given the autonomy necessary to implement policies and procedures to effectively control an organization's OFAC risk. As part of this effort, senior management should ensure the existence of direct reporting lines between themselves and compliance staff, including by having routine and periodic meetings.
Regardless of their authority on paper, compliance staff are unlikely to be effective at preventing sanctions violations if they are under-resourced. Senior management needs to take steps to ensure that the organization's compliance staff receive adequate resources, including human capital, expertise, information technology, and other resources as appropriate, relative to the organization's breadth of operations, target and secondary markets, and other factors affecting its risk profile (see, e.g., the Cobham and Société Générale cases, where OFAC credited the companies with beefing up their compliance staffs). Companies, as in the Zoltek and MID-SHIP cases, should appoint a dedicated OFAC sanctions compliance officer, although - depending on the company's size and complexity - that person may also serve in other senior compliance positions (such as the Bank Secrecy Act or export control...