OFAC Best Practices: AML Compliance and Sanction Screening
January 11, 2021
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has issued extensive guidance for financial institutions regarding what constitutes an effective sanctions compliance program.
The document: A Framework for OFAC Compliance Commitments, gives detailed policy discussion notes which should help companies establish their training programs for dealing with OFAC issues.
OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
The document represents the most detailed statement to date of OFAC’s views on the best practices that companies should follow to ensure compliance with U.S. sanctions laws and regulations.
It is meant to serve as a guide to prevent sanctions violations from occurring in the first place. It also provides greater transparency with respect to how OFAC will assess the adequacy of a company’s existing compliance program when violations do occur. This will also help determine what penalty to impose as a last resort. Of course, the end goal of sanctions is to stop trades with sanctioned parties.
The guidance reflects OFAC’s aggressive approach to enforcement.
Five Components of an Effective Sanctions Compliance Program
OFAC in its compliance framework believes a company should generally take a risk-based approach tailored to that company’s particular profile.
The detailed framework recognizes that there will be some variability from one organization to the next in terms of the particulars, they have set out five essential components for you to use to set up a strong sanctions compliance program.
1 Management commitment
Senior management need to show commitment to supporting an organization’s Sanctions Compliance Program (SCP). This is a critical factor in determining the success of the program. Effective management support includes the provision of adequate resources to the compliance teams and support for compliance personnel’s authority within an organization. The term “senior management” may differ among various organizations, but typically the term should include senior leadership, executives, and/or the board of directors.
2. Risk assessment
Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central pillars is for organizations to conduct a routine and ongoing risk assessment for the purposes of identifying potential OFAC issues they are likely to encounter.
The results of a risk assessment are integral in informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks. While there is no “one-size-fits all” risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.
This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions.
For example, an organization’s SCP may conduct an assessment of the following:
- customers, supply chain, intermediaries, and counter-parties;
- the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and
- the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.
- Risk assessments and sanctions-related due diligence is also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.
3. Internal controls
An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.
The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments.
Policies and procedures should be enforced, weaknesses should be identified and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.
Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC.
These include the following:
- updates to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other sanctions related lists;
- new, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions; and
- the issuance of general licenses.
4. Testing and auditing
Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps.
Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.
An effective training program is an integral component of a successful SCP. The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following:
- provide job-specific knowledge based on need;
- communicate the sanctions compliance responsibilities for each employee; and
- hold employees accountable for sanctions compliance training through assessments.
In addition to the similarities to the DOJ compliance focus areas, the five OFAC elements loosely correspond to the elements of compliance as articulated by the Financial Crimes Enforcement Network (“FinCEN”) with respect to financial institutions.
Broadly speaking, the new OFAC framework corresponds with the lifecycle of a compliance program starting with a deep commitment on the part of senior management to creating a culture of compliance backed by sufficient resources. OFAC then advises that companies conduct a thorough assessment of, among other things, their customers, supply chain, intermediaries, counterparties, products, services and geographic locations to identify potential sources of sanctions-related risk.
To prevent those risks from materializing, OFAC makes clear that it expects companies to develop appropriate internal controls, including policies and procedures designed to detect and report upward potential sanctions violations. Such policies and procedures should also be regularly tested and updated to address any weaknesses that may be identified.
At the same time, to ensure the program is properly implemented, relevant employees should receive training on the company’s sanctions compliance policies and procedures at regular intervals of no more than a year.
Within each of the five components of an effective sanctions compliance program, OFAC also provides concrete examples of best practices that companies are expected to follow. For example, when conducting a risk assessment, companies are advised to develop an onboarding process for new customers and accounts that includes a sanctions risk rating based on both know-your-customer information provided by the potential counterparty and independent research conducted by the company.
Consistent with OFAC’s existing Economic Sanctions and Enforcement Guidelines, when apparent violations do occur, the nature and extent of a company’s compliance program will continue to be a potential aggravating or mitigating factor for purposes of determining what penalty to impose. With the publication of the new OFAC compliance framework, companies subject to U.S. jurisdiction now have the benefit of a more granular understanding of what policies and procedures will lead OFAC to conclude that their sanctions compliance program is adequate or deficient.
In recent settlement agreements, OFAC has often required companies to certify on an annual basis that they have implemented and maintained an extensive set of sanctions compliance commitments. Now that OFAC has clearly staked out what it views as the essential components of an effective sanctions compliance program, it assesses that such periodic certifications are likely to become a regular feature of OFAC settlements going forward.
Ten Common Pitfalls of Sanctions Compliance Programs
In addition to spotlighting what it views as the components of an effective sanctions compliance program, OFAC also identifies in an appendix to its new framework common areas where sanctions compliance programs fall short. Derived from recent OFAC enforcement actions, this section of the framework is designed to alert U.S. and non-U.S. companies to common pitfalls that could cause a company to incur U.S. sanctions liability.
OFAC identifies a total of 10 common causes of U.S. sanctions violations, including:
- Lack of a formal OFAC sanctions compliance program;
- Misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
- Facilitating transactions by non-U.S. persons;
- Exporting or re-exporting U.S.-origin goods, technology or services to OFAC-sanctioned persons or countries;
- Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries;
- Sanctions screening software or filter faults;
- Improper due diligence on customers and clients;
- De-centralized compliance functions and inconsistent application of a sanctions compliance program;
- Utilizing non-standard payment or commercial practices; and
- Individual liability.
These root causes of sanctions violations are best viewed as traps for the unwary. While many of the potential causes of U.S. sanctions violations are familiar to compliance teams, the document is an excellent refresher of the various ways in which companies commonly run afoul of OFAC regulations.
Now that OFAC has finally provided a detailed statement of what it views as sanctions compliance best practices, companies engaging in activities with a U.S. nexus should take this opportunity to carefully review the strengths and weaknesses of their existing sanctions compliance programs.
In particular, companies should use the OFAC framework as a baseline, carefully assess whether their own compliance program contains all of the basic components that OFAC has indicated that it expects to be present, and update their compliance program accordingly. By taking these simple steps, compliance-minded companies may reduce their risk of incurring U.S. sanctions liability and may also reduce their potential exposure if, despite their best efforts, a violation somehow occurs.
While the sanctions are constantly evolving, the best practices for following their guidance have not.
Since 2009, 11 banks have forfeited more than $14 billion in settlements for U.S. sanctions violations and violations of New York State law. See CaseWare RCM’s blog on how to monitor and screen individuals, entities and transactions as well as best practices to optimize the results in order to avoid some of the penalties and fines associated with sanction violations. The blog can be found here.
CaseWare RCM Inc., makers of financial crime detection, prevention and management solution Alessa, has expertise in this area that can help your company remain compliant with constantly changing sanctions.
Alessa provides the tools that financial institutions need to take a risk-based approach to their AML compliance program. Clients can choose which tools they need, depending on their customer, product and geographic risks.
With deployments in more than 20 countries in banking, insurance, fintech, gaming, manufacturing, retail and more, Alessa is the only platform organizations need to identify high-risk activities and stay ahead of compliance.
To learn more about how Alessa can help your organization, contact us today.