On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) published its most comprehensive guidance to-date on the development and implementation of a risk-based sanctions compliance program (“SCP”). This guidance – titled “A Framework for OFAC Compliance Commitments” (the “SCP Guidance”) – follows several enforcement settlements, which OFAC used to offer targeted guidance regarding the shortfalls of the settling companies’ SCPs. Taken together, the SCP Guidance and the settlement announcements offer the most detailed statements to-date of OFAC’s views on what constitutes an effective program to comply with U.S. sanctions requirements and how OFAC will assess the adequacy of a firm’s SCP in the context of an enforcement action.
The SCP Guidance follows close on the heels of updated guidance from the U.S. Department of Justice (“DOJ”) on how federal prosecutors who are considering bringing criminal actions against corporations ought to assess corporate compliance programs. The Debevoise Client Update on the DOJ guidance is available here, and that guidance should be considered in tandem with OFAC’s pronouncements in considering how to design and implement an SCP that meets the government’s expectations.
THE SCP GUIDANCE
The SCP Guidance builds on earlier pronouncements from OFAC, scattered across its Enforcement Guidelines, Frequently Asked Questions and targeted compliance recommendations for U.S. financial institutions and other industries.
The SCP Guidance reiterates OFAC’s policy that an appropriate SCP should be “risk-based” and tailored to take into account a variety of factors, such as “the company’s size and sophistication, products and services, customers and counterparties, and geographic locations.” Irrespective of this tailoring, however, the SCP Guidance describes five “essential” components for every SCP:
Management Commitment: Involvement by senior management, adequate resourcing and promotion of a “culture of compliance” that rewards prudent conduct and permits escalation of potential issues “without fear of reprisal”;
Risk Assessment: Ongoing, periodic review of the company’s clients, products, services and geographic locations, among other risk factors, to identify areas in which the company may encounter compliance obligations;
Internal Controls: Written policies and procedures that clearly and effectively identify, interdict, report and mitigate noncompliant activity;
Testing and Auditing: Independent assessment of the effectiveness of internal controls and checks for inconsistencies with operations; and
Training: Periodic training, at least annually, that provides appropriate employees and other stakeholders job-specific knowledge regarding their sanctions compliance responsibilities.
Analyzing the “root causes” of compliance failures is a particular focus of the SCP Guidance. The document includes a dedicated section that outlines and describes programmatic deficiencies OFAC has identified repeatedly in prior enforcement actions. The SCP Guidance identifies a non-exhaustive list of 10 “root causes” of its prior enforcement actions:
lack of a formal OFAC SCP;
misinterpreting, or failing to understand the applicability of, OFAC’s regulations;
facilitating transactions by non-U.S. persons (including through or by overseas subsidiaries or affiliates);
exporting or re-exporting U.S.-origin goods, technology or services to sanctioned persons or countries;
utilizing the U.S. financial system, or processing of payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries;
sanctions screening software or filter faults;
improper due diligence on customers/clients (e.g., ownership, business dealings, etc.);
decentralized compliance functions and inconsistent application of an SCP;
utilizing non-standard payment or commercial practices; and
LESSONS FROM RECENT ENFORCEMENT ACTIONS
OFAC has long relied on its notices of enforcement actions to convey guidance to the regulated community. In recent months, OFAC has enhanced this practice by including in its notices concluding summaries that highlight certain compliance practices that OFAC believes relevant to the action. Two particular themes from those actions and OFAC’s summaries stand out.
Four recent enforcement actions involve variations on the following fact pattern. A U.S.-based holding company acquires a non-U.S. subsidiary. In the course of the acquirer’s due diligence, it discovers that the foreign company does business in Cuba or Iran, which are both subject to a U.S. embargo. The holding company takes some steps to fold the company, once acquired, into its SCP and prevent the new non-U.S. subsidiary from doing such prohibited business. Nonetheless, the subsidiary continues to do such business anyway.
These enforcement actions demonstrate that even heightened pre-acquisition due diligence may not be sufficient to ensure post-acquisition compliance with U.S. sanctions. In such circumstances where a foreign acquisition has preexisting relationships with U.S.-sanctioned persons and jurisdictions, OFAC describes an expectation that the U.S. acquirer implement proactive controls on the new subsidiary’s activity, such as regular compliance audits and follow-up due diligence.
These cases also demonstrate the importance of having a robust system of internal controls that allows a company to respond decisively to sanctions violations once discovered. In one example, a U.S. holding company repeatedly received notice that its foreign subsidiary was engaging in sales to Cuba. The acquirer responded by reinforcing to subsidiary management that such sales must cease, securing representations from them to that effect and even disclosing the initial compliance failure to OFAC. The company failed, however, to stop the subsidiary’s sales and was ultimately penalized $5.5 million.
International Supply Chains
In two other recent OFAC enforcement actions, U.S. companies unwittingly purchased goods sourced from sanctioned jurisdictions through suppliers based in nearby countries that represented that the goods were compliant with U.S. legal restrictions.
These cases evidence the importance of supply-chain due diligence. OFAC considers international trade to be a high-risk activity and expects suppliers that operate near sanctioned countries to adopt and abide by compliance procedures commensurate with the high risk. For example, companies facing these risks should consider implementing supply-chain audits with country-of-origin verification and conducting mandatory OFAC sanctions training for suppliers.
Armed with OFAC’s expectations, U.S. firms and international businesses doing business with a U.S. nexus should review and assess their SCPs against OFAC’s baseline expectations. Doing so may lessen the risks of U.S. sanctions violations and could reduce the potential liability should an apparent sanctions violation occur (particularly if the firm can demonstrate that the violations occurred notwithstanding best efforts to follow OFAC’s SCP Guidance).
Please do not hesitate to contact us with any questions. For periodic e-mail summaries of developments in economic and trade sanctions, please subscribe to the Debevoise & Plimpton LLP Sanctions Alert by e-mailing email@example.com, or sign up on the Insights Subscribe page of our website. The firm’s sanctions-related publications may also be found at The Sanctions Resource page on our website.