The Treasury Department’s Office of Foreign Assets Control (OFAC) has promised to issue guidance on effective sanctions compliance programs. This is a long-anticipated update to prior information OFAC has released on the same subject.
OFAC has raised the stakes for sanctions enforcement, especially with respect to Iran and Venezuela sanctions programs. So far this year, OFAC has announced a number of significant enforcement actions and is sending a strong message on the importance of compliance. Companies that ignore these stakes are only asking for trouble (how is that for a trite phrase).
OFAC’s Settlement Agreement (here) with Standard Chartered Bank contains some important details surrounding sanctions compliance. DOJ’s amended deferred prosecution agreement incorporates these details by reference (here). The SCB DPA also includes some important factors credited by DOJ as part of SCB’s remedial measures.
Companies that are in the process of implementing or updating their OFAC sanctions compliance program should review these documents and should incorporate these compliance expectations and elements into their own analysis.
As part of its settlement agreement, SCB agreed to maintain sanctions compliance measures. The key elements include:
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing & Audit
A brief description of each element and the expectations relating to each is set forth below:
Under Management Commitment, SCB has to ensure that senior management reviews and approves SCB’s sanctions compliance program; and senior management executives and board of directors maintain commitment and support of SCB’s sanctions compliance program.
Senior managers also are required to delegate sufficient authority and autonomy to deploy its policies and procedures to mitigate SCB’s sanctions risks; and compliance unit(s) must receive adequate resources, including in the form of human capital, expertise, information technology and other resources, as appropriate, that are relative to SCB’s breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
Senior management has to promote a “culture of compliance” throughout the organization; and demonstrate recognition of the seriousness of apparent violations of the laws and regulations and the importance of preventing recurrence.
Under Risk Assessment, SCB has to conduct an OFAC risk assessment in a manner and with a frequency that adequately accounts for potential risks posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations; and SCB has to develop a methodology to identify, analyze, and address the particular risks it identifies.
With respect to Internal Controls, SCB has to design and implement written policies and procedures outlining its sanctions compliance program. These policies and procedures have to be relevant to the organization, capture SCB’s day-to-day operations and procedures, be easy to follow, and prevent employees from engaging in misconduct.
Further, SCB’s internal controls have to adequately address the results of its OFAC risk assessment and profile, and should enable SCB to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC.
Interestingly, with respect to automated databases used for sanctions compliance, SCB has to ensure that it has selected and calibrated the solution in a manner that is appropriate to address SCB’s risk profile and compliance needs, and that it routinely tests the solution to ensure effectiveness.
SCB has to enforce its policies and procedures through internal and/or external audits and has to ensure that its OFAC-related recordkeeping policies and procedures adequately account for its requirements. SCB specifically has to ensure that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
SCB further has to clearly communicate the sanctions compliance program’s policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of SCB.
In particular, SCB has to appoint personnel to integrate the sanctions compliance program’s policies and procedures into SCB’s daily operations. This process includes consultations with relevant business units and ensures that SCB employees understand the policies and procedures.
With respect to Testing and Audits, SCB has to ensure that the testing and/or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization. SCB has to employ testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and ensure that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of SCB’s OFAC-related risks and internal controls. Further, SCB has to ensure that, upon learning of a confirmed negative testing or audit result pertaining to its sanctions compliance program, it will take immediate and effective action to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
Finally, with respect to Training, SCB has to ensure that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support SCB’s sanctions compliance efforts. SCB’s training program has to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates. SCB has to conduct training for all relevant employees at least once a year. SCB’s training resources and materials have to be available to all personnel and easily accessible. Upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, SCB has to take immediate and effective action to provide training to relevant personnel.