These components will not be surprising to companies that have been following DOJ’s compliance guidance in recent years, but OFAC’s publication reiterates the importance of companies implementing effective, risk-based compliance programs. Indeed, OFAC stated that it will consider the adequacy of a company’s SCP in its enforcement actions when determining (i) the amount of any civil monetary penalties, when such penalty is determined to be appropriate, (ii) remedial steps that may be required as part of any settlement and (iii) whether an apparent violation is deemed “egregious.”
Significantly for international companies, OFAC’s expectations for risk-based SCPs are broadly in line with practices across the globe. In the European Union (EU), for instance, the European Commission is finalizing EU-wide guidance on best practices for internal compliance programs, with draft guidance published in September 2018 and followed by public consultations in November 2018. Certain EU member states (e.g., the Netherlands) have recently published national guidance as well.
This client alert first provides an overview of the five essential components of an SCP described in OFAC’s guidance (and also highlighted in DOJ’s guidance issued last month). It then describes the 10 common root causes of violations of U.S. sanctions laws and analyzes the potential implications of statements in OFAC’s guidance regarding holding individuals accountable for sanctions violations.
Five Essential Components of an SCP
(1) Senior Management’s Commitment
OFAC’s guidance makes clear that a company’s senior leadership, executives and board of directors must have a strong commitment to a company’s risk-based SCP. This commitment should include (i) reviewing the SCP, (ii) ensuring that it receives adequate resources and is fully integrated into the organization’s daily operations, (iii) ensuring that the compliance team has sufficient authority to administer the SCP’s policies and (iv) fostering a culture of compliance by taking allegations of misconduct seriously and, when appropriate, taking necessary remedial action. In essence, OFAC wants to see that the individuals at the top of a company take their obligation to comply with U.S. sanctions laws seriously.
(2) Risk Assessment
OFAC’s guidance emphasizes that a company needs to regularly assess its sanctions-related risks by considering its specific clients, products, services and geographic locations. Only then can a company identify the risks unique to its business and make informed, risk-based decisions to determine how to effectively manage its risk. OFAC also notes that this assessment cannot be a one-off event; it should be undertaken both at regular intervals and at times that pose specific sanctions-related risk (e.g., when onboarding new customers, suppliers or other counterparties or during mergers and acquisitions).
(3) Internal Controls
OFAC also makes clear that an effective SCP must include appropriate internal controls, including written policies and procedures designed to ensure compliance with U.S. sanctions laws. These controls need to provide employees with guidance relevant to the company’s day-to-day operations to avoid misconduct. The company’s policies should be designed to address the company’s understanding of its risks as identified in its risk assessments. Finally, these policies need to be communicated to employees, integrated into the company’s daily operations and fully enforced.
(4) Testing and Auditing
According to OFAC, an effective SCP must include regular audits against a company’s current policies and procedures to ensure that such policies are effectively managing the company’s sanctions-related risk. The results of the audits should be communicated to senior management, and, when negative, the root causes of the problem should be identified and adequately addressed.
(5) Training
The final essential component according to OFAC is the training of relevant employees on the organization’s sanctions compliance policies and the employees’ job-specific sanctions compliance responsibilities. These trainings should happen at an appropriate frequency and, depending on the employee’s functions, with the appropriate scope. They should also incorporate the negative results of any audits. Training resources and materials should be accessible to all relevant employees.
Common Root Causes of Violations of U.S. Sanctions Laws
In addition to identifying the five essential components of an effective SCP, OFAC’s guidance identifies the following 10 common root causes of violations of U.S. sanctions laws, which companies can also use as a guide in implementing and assessing risk-based compliance program improvements:
- lack of a formal SCP
- misinterpreting or failing to understand the applicability of OFAC’s regulations
- facilitating transactions by non-U.S. persons
- exporting or re-exporting U.S.-origin goods, technology or services to OFAC-sanctioned persons or countries
- utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries
- sanctions screening software or filter faults
- improper due diligence on customers/clients (e.g., ownership or business dealings)
- decentralized compliance functions and inconsistent application of an SCP
- utilizing nonstandard payment or commercial practices
- individual liability
The last root cause — individual liability — is noteworthy. OFAC’s guidance explains that individual employees occasionally play integral roles in causing or facilitating violations of its regulations. The guidance states that “[i]n such circumstances, OFAC will consider using its enforcement authorities not only against the violating entities, but against the individuals as well.” Significantly, this statement brings OFAC’s policy in line with DOJ guidance in recent years, which has focused on bringing enforcement actions against individuals in the white collar setting. Indeed, DOJ guidance issued in late 2018 requires a company seeking cooperation credit in the Foreign Corrupt Practices Act setting to disclose “all relevant facts known to it, including all relevant facts about all individuals substantially involved in or responsible for the violation of law” so that DOJ can consider appropriate actions against individuals. Given OFAC’s historically limited efforts in pursuing enforcement actions against individuals, however, it is yet to be seen whether this statement will have teeth.
*****
The U.S. government has made its expectations on corporate compliance programs clear in recent years, and this OFAC guidance is another example of the government’s attempt at increased transparency regarding its compliance program expectations. Across the Atlantic, companies are similarly expected to implement internal compliance programs commensurate with their specific risk profiles. Given these expectations, companies should review all available guidance, including with the assistance of experienced outside counsel where helpful, and evaluate their compliance programs to ensure that they are prepared, before a problem arises, to prevent misconduct or to put themselves in the best position possible if facing an enforcement action by OFAC, DOJ or other authorities in the U.S. or other jurisdictions.
© Sidley Austin LLP