Treasury Outlines the Crucial Components of an OFAC Compliance Program
Written by Shari R. Pogach, NAFCU Regulatory Paralegal
Recently the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced the publication of A Framework for OFAC Compliance Commitments. The underlying intent of the framework is to help institutions better understand and comply with sanctions requirements.
According to OFAC, a successful OFAC compliance program should utilize a risk-based approach to sanctions compliance by developing, implementing and routinely updating a sanctions compliance program (SCP). Every risk-based SCP will vary depending on an institution’s size and sophistication, products and services, customers and counterparties, and geographic location. However, each program should incorporate at least five essential compliance components: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training. The framework further breaks down the specific features to each component in creating a strong OFAC compliance program.
As an example, the framework indicates that senior management’s commitment and support of the SCP is one of the most important and critical factors in determining its success. Support is key in ensuring the SCP obtains adequate resources and is fully-integrated into an institution’s daily operations. This helps legitimize the program, empower personnel and foster a culture of compliance.
If after during an investigation, OFAC determines there is an apparent violation warranting a civil monetary penalty, the Office of Compliance and Enforcement will use the framework to determine what elements may need correcting as part of any settlement agreement. In any enforcement action, OFAC will evaluate an SCP consistent with the Economic Sanctions Enforcement Guidelines. In using these guidelines, OFAC will consider the existence, nature and adequacy of an SCP, and when appropriate, may mitigate a civil monetary penalty on that basis. When an SCP is based on the five essential compliance components, is implemented and results in remedial action, this may also mitigate any OFAC penalty. OFAC will also consider an effective SCP as a factor in determining whether an apparent violation case is considered egregious.
OFAC’s framework also includes an appendix with a brief analysis of some apparent root causes of violations identified during investigations. These include:
- Lack of a formal OFAC SCP;
- Misinterpreting or not understanding OFAC’s regulations;
- Facilitating transactions by non-U.S. persons (including through or by overseas subsidiaries or affiliates);
- Exporting or re-exporting U.S.-origin goods, technology or services to OFAC sanctioned persons or countries;
- Using the U.S. financial system or Processing payments to or through U.S. financial institutions for commercial transactions involving OFAC-sanctioned persons or countries;
- Sanctions screening software or filter faults;
- Improper due diligence on customers/clients (e.g., ownership, business dealings, etc.);
- De-centralized compliance functions and inconsistent application of an SCP;
- Using non-standard payment or commercial practices; and
- Individual liability.
Last weekend I went down to Pensacola, FL, to visit my brother. While there, I got to see the U.S. Navy Blue Angels practice. It was pretty darn cool. Although my pictures don’t do them justice, it might give you an inkling. In the last shot there are six planes, one didn't have his smoke on.