May 20, 2020
By: Jack Walsh, ACSS Reporter
Just over one year ago, in May 2019, the Office of Foreign Assets Control (OFAC) released a 12-page framework for sanctions compliance commitments. This was the first time OFAC had ever published such detailed, prescriptive guidance, and it signaled a new desire to establish better communication with the sanctions community, particularly beyond the financial sector.
In this framework, OFAC outlined five essential components that should be present in each organization’s compliance program: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
It also detailed ten “root causes” of apparent OFAC violations that are common among companies subject to enforcement actions.
In this article, ACSS spoke with practitioners to assess the implementation and impact of this framework over the past year.
It is important to keep two key points in mind:
First, the framework mandates nothing. The expectations are not legal requirements. However, the document makes clear that OFAC will begin to consider “the existence of an effective sanctions compliance program (SCP) at the time of an apparent violation as a factor in its analysis as to whether a case is deemed ‘egregious.’”
Second, the purpose of the framework is not to reinvent compliance programs, but rather to aggregate and crystallize the guidance that OFAC has already issued through prior enforcement actions and other public statements.
Accordingly, while the publication of guidance on sanctions compliance was a rather unprecedented measure, the guidance itself is not particularly groundbreaking. The expectations encapsulate many of the most common mitigating and aggravating factors cited in OFAC enforcement actions in recent years.
Aleksandar Dukic and DJ Wolff – two Washington, D.C.-based lawyers interviewed for this article – both note that many elements of the framework have long been observed as fairly standard compliance advice.
A Call to Action? Perhaps.
In general, the framework is a helpful document that appears to have prompted companies to review their sanctions compliance programs and take additional steps to align practices with OFAC’s expectations.
Mr. Dukic and Mr. Wolff have each observed a considerable uptick in risk assessments and other written sanctions policies over the past year. They also find that the framework has heightened awareness of U.S. sanctions compliance risks across unregulated sectors, as well as overseas.
The framework has been quite a valuable asset for compliance officers who face internal resistance to sanctions compliance program implementation or are denied the resources and decision-making powers to effectively implement these policies.
Indeed, the management commitment expectation explicitly lists supplying the compliance department with adequate resources and appointing a “dedicated OFAC sanctions compliance officer” as important SCP components. But in addition, by concisely laying out sanctions compliance expectations in writing, OFAC has allowed compliance officers to substantiate their work directly from the horse’s mouth – so to speak.
By contrast, the framework alone will not spur a company to devote significant time and resources to implementing an SCP.
For Daniel Tannebaum, Partner and Global Head of Sanctions Practice at Oliver Wyman, “This document doesn’t really move the needle for firms that lack a culture of compliance or do not perceive sanctions violations as a serious compliance risk in their course of business.”
Greater Attention from Foreign Companies
Following the framework’s release, both Mr. Dukic and Mr. Wolff have observed a heightened concern among international clients from across different industries about their U.S. sanctions compliance programs. These include firms that may not have U.S. subsidiaries or affiliates, but do have other touchpoints with OFAC, such as U.S. clients or transactions involving the U.S. financial system (e.g., most U.S. dollar denominated activity).
“The framework has made international firms more conscious of their exposure to U.S. sanctions and of their corresponding compliance obligations,” says Mr. Dukic, Partner at Hogan Lovells. “It has spurred these organizations to re-evaluate their internal controls and sanctions policies, and to address potentially deficient areas accordingly,” he adds.
The 2019 OFAC compliance framework may have been especially unnerving for European companies, as it arrived on the heels of new amendments to the E.U. Blocking Statute, which punishes compliance with unilateral U.S. sanctions on Iran. Firms under E.U. jurisdiction may therefore be scrambling to navigate these competing sets of compliance demands.
Lack of Actionable Guidance
From business to business and between industries, implementation of the framework’s five compliance expectations over the past year is largely conditioned by pre-existing compliance programs and internal sanctions controls.
In the U.S. insurance sector, for example, which has traditionally been sensitive to sanctions policies, the framework has not radically altered the compliance landscape, as many expectations were already common industry practices.
Companies with robust compliance programs have been able to integrate internal program controls expectations with existing programs for recordkeeping purposes. They also generally have a better understanding of how the framework’s expectations apply to their organizations, and in turn, the appropriate level of action they need to take.
For U.S. companies with less sophisticated programs, however, the framework has not been as straightforward. One of the most common criticisms of the document is that some of the expectations lack actionable guidance for implementation and are therefore not very helpful for companies with scant compliance resources. The testing and auditing components in particular pose a challenge for these firms in this regard, as the expectations command considerable resources and expertise.
Sanctions Risk Assessment As a Standalone Exercise
Mr. Wolff and Mr. Tannebaum identify the framework’s risk assessment parameters as another source of uncertainty. Mr. Wolff, Partner at Crowell & Moring, noted that the risk matrix in OFAC’s Enforcement Guidelines as well as much of OFAC’s previous risk guidance, “was developed for and targeted at financial institutions, creating challenges for non-FIs seeking to translate the guidance to their business or sector.”
Mr. Tannebaum is also skeptical that written risk assessments are viable as routine, ongoing processes, as is envisioned in the framework. “Outside of the financial sector,” he says, “the reality is that a written risk assessment will often serve as a standalone exercise rather than the cornerstone of an SCP.”