On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) took a significant step by issuing the framework for OFAC Compliance Commitments (framework), which formally puts companies on notice of OFAC’s expectations with respect to an effective economic sanctions compliance program (SCP). Importantly, OFAC indicates that it will take into account under its Economic Sanctions Enforcement Guidelines whether a company maintains an effective SCP in determining whether and what penalties to impose in the event of apparent violations, drawing a direct connection between compliance effort and enforcement exposure.
The framework specifies five “essential components” of an SCP and, in publishing this guidance, OFAC states that future OFAC settlement agreements may require companies to remedy program deficiencies to meet its newly-articulated standards for SCPs. Notably, OFAC issued the framework just days after the U.S. Department of Justice published its Evaluation of Corporate Compliance Programs guidance, reflective of a U.S. government focus on gauging whether a compliance program is effective to determine what enforcement measures to take in the event of violations.
Five Key Takeaways
- The framework provides a reminder of the expansive reach of OFAC’s jurisdiction, necessitating that both U.S. and non-U.S. companies strongly consider implementing an SCP even if they have viewed their sanctions risk exposure as limited or attenuated.
- Organizations must adapt internal controls to the dynamic nature of sanctions, and must regularly test the effectiveness of technology tools to conduct tasks such as restricted party screening.
- Training of employees must be tailored to the functions of the relevant individuals involved, ongoing and continuously assessed, and a bona fide training program may extend beyond employees to certain counterparties.
- The framework is indicative of OFAC’s endorsement of broader U.S. government expectations for effective regulatory compliance programs, and sends a clear message that OFAC intends to hold organizations responsible for ensuring that their SCPs support a living compliance program which responds to and effectively mitigates real-time risks specific to the organization’s operational profile.
- The extent of mitigation credit available to organizations before OFAC for apparent sanctions violations, and OFAC’s determinations of whether and to what extent it will impose penalties, will increasingly turn on OFAC’s assessment of the effectiveness and quality of their risk-based SCPs.
