June 24, 2021
By Scott Nance *
The three lines of defense – the business, compliance, and audit – are a central feature of sanctions compliance systems. A truly effective system, though, requires a fourth line of defense – senior management.
Beyond a simple commitment to sanctions compliance, as important as that is, senior management can take a number of actions to fulfill its role as the fourth line of defense.
What’s a Senior Manager?
“Senior management” is a flexible concept, and exactly who constitutes senior management will vary from organization to organization.
The “Framework for OFAC Compliance Commitments,” issued by OFAC in 2019, says that the term “senior management” may differ among various organizations, but typically the term should include senior leadership, executives, and/or the board of directors.
The EU’s Fourth AML Directive defines senior management as “an officer or employee with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure.” In general, senior management will include the board of directors or supervisory board, as well as the top officials of a company, such as the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, and the Chief Compliance Officer.
However it is defined, only senior management can provide the oversight, resources, and direction a compliance system requires to operate at the highest level.
Helping others in the company perform their compliance functions
Action by senior management is necessary for the other lines, especially compliance and audit, to perform their functions properly as well.
Even the most detailed findings and recommendations from an audit of a sanctions compliance system, for example, will be useless unless senior management ensures that the recommendations are implemented.
The importance of senior management in sanctions compliance is widely recognized. In some cases, as with the EU’s Fourth AML Directive, legislation assigns senior management specific compliance responsibilities.
Both OFAC’s A Framework for OFAC Compliance Commitments and the European Union’s Draft EU Guidance on Best Practices for “Internal Compliance Programs” identify the active participation of senior management as the very first component of a sanctions compliance program. The European Central Bank in particular has emphasized the importance of involvement by senior management in fighting economic crime.
Many jurisdictions, including the European Union, impose certain obligations upon senior management with respect to compliance with financial crime laws, especially at financial institutions. For example, the EU requires the approval of senior management before the acceptance of certain politically exposed persons (“PEPs”) as customers.
Case Study: Alliance Steel
OFAC in particular will consider actual knowledge by senior management that their company is violating sanctions as an “aggravating factor in determining the nature and amount of any penalty.”
An example is the enforcement action in April 2021 against Alliance Steel Inc., where OFAC explicitly identified senior management’s actual knowledge that Alliance was outsourcing work to an Iranian company as a factor in deciding to impose a civil fine on Alliance.
Steps To Take
To function as an adequate fourth line of defense, senior management should exercise some key responsibilities. It should also take the steps necessary to ensure that it understands the organization’s legal obligations, and that it is receiving the information it needs to ensure that the organization is satisfying those obligations. We list them below:
Sanctions training for top management
Senior management can fulfill its sanctions compliance responsibilities only if its members know what their legal obligations are.
As noted above, some jurisdictions impose detailed legal obligations on senior management.
Customized sanctions training can provide senior management both with an overall introduction to sanctions and information regarding its legal obligations, as well as its role in sanctions compliance within the organization.
It is also an excellent way to show the rest of the organization senior management’s commitment to sanctions compliance.
Designation of an official responsible for sanctions compliance
It is a recognized best practice that one person within an organization be assigned formal responsibility for ensuring compliance with sanctions laws (although many others will be involved).
This designated sanctions officer does not necessarily have to be part of senior management. However, someone within senior management should bear the responsibility within the senior management structure for overseeing sanctions compliance in general.
If the organization has one, this will typically be the Chief Compliance Officer, although it may be any other member of senior management. The important thing is that someone within senior management is tasked specifically with overseeing sanctions compliance.
Approval of a formal sanctions policy
An overall sanctions policy is another international best practice. The policy should be issued by senior management, and optimally by the Board of Directors or Supervisory Board. It should be reviewed annually.
This policy should state at the least that the company will abide by all relevant sanctions. It may go further by describing the general sanctions compliance structure and identifying any important measures, such as the decision not to do business with certain countries or types of customers. The policy should be communicated to all employees and to the public at large.
Approval of sanctions risk tolerance and risk assessment procedures
It is impossible for an organization to avoid all sanctions risk. Senior management should set the organization’s level of tolerance for individual categories of sanctions risk. This may include, for example, specifying that the organization will not do business involving certain countries or with certain types of customers.
So that risk can be properly identified and quantified, senior management should also review and approve the organization’s risk assessment methodology, as well as the actual risk assessments themselves.
Approval of the sanctions compliance structure and main processes
Complying with sanctions requires assigning responsibilities within an organization. Senior management should exercise the ultimate approval over the structure of compliance.
This structure should describe the roles in sanctions compliance of the various parts of the organization, such as marketing, sales, shipping, finance, legal, compliance, and audit.
One aspect of this is the appointment of the “designated sanctions officer.”
Senior management should also review and approve the main policies and procedures used to enforce compliance. These would include policies regarding individual countries and types of customers, as well as key processes, such as those for screening and approving customers and transactions. Another key component of the compliance structure is the procedure for resolving any conflicts as to whether to proceed with a customer or transaction.
Providing adequate resources for compliance
Sanctions compliance must have the resources it needs to be effective, including personnel, technology, and budget. In this context, personnel includes both adequate numbers of people and the expertise needed to perform their duties. Senior management must see to it that every component of the sanctions system has the resources it needs to fulfill its assigned function.
Authority for compliance to make decisions
Compliance must be able to say “no” to customers and transactions, or at least require their review at a higher level. If senior management allows the business to push through its decisions without regard for the opinion of the compliance function, compliance will become simply a rubber stamp. Senior management must ensure that both on paper and in practice Compliance can override the wishes of the business.
Approval of high-risk customers and transactions
Some national laws require senior management in financial institutions to approve the acceptance of specified categories of customers. Even if there is no legal requirement, the organization may decide to reserve for senior management (however defined) the authority to accept certain customers or to execute high-risk transactions. There should of course be a written procedure setting all of this out in detail.
Senior management cannot fulfill its legal obligations or its role as the fourth line of defense unless it has adequate information.
Senior management must receive regular, periodic reports on the operation of the sanctions compliance system. These should include key performance indicators, such as
- the number of customers or transactions screened,
- the number rejected, etc.
Senior management should also receive reports whenever a possible sanctions violation is identified. In addition to these reports, senior management should be accessible to Compliance, so that Compliance can provide information, seek guidance, and raise issues whenever necessary.
Regular high-level discussion of sanctions compliance
One of the best ways to help senior management to exercise its duties regarding sanctions compliance is to include sanctions compliance as a standing item in agendas for meetings of the Board of Directors or of senior management in general. Such discussions should include a review of the key performance indicators, as well as any other issues raised by the business, compliance, or audit in connection with sanctions compliance.
Of course, the results of the periodic testing and audit of the compliance system, and the findings and conclusions of the annual sanctions risk assessment, should be included in the agenda as well.
Regulators emphasize “tone at the top”
OFAC and other regulators have emphasized the importance of “tone at the top” in creating a culture of sanctions compliance.
Senior management can set this tone at the top by
- acquiring the knowledge it needs to define its legal obligations and responsibilities;
- setting up the compliance structure, with the appropriate policies and procedures;
- allocating adequate resources to sanctions compliance; and
- overseeing the operation of the system through the ongoing receipt and discussion of information.
Senior management can also foster a culture of compliance by including sanctions compliance as one of the criteria for compensation and promotion.
Finally, senior management should communicate this commitment to sanctions compliance to the entire organization.
* Scott Nance from Langley Compliance Consulting is an attorney in the Washington DC area, specializing in economic sanctions and anti-money laundering. He is a member of the ACSS Editorial Task Force. He can be reached at firstname.lastname@example.org