OFAC Framework for Sanctions Compliance Programs – Testing and Auditing and Training (Part III of IV)

The Volkov Law Group

OFAC’s new Framework for Sanctions Compliance Programs incorporates a number of important principles from Justice Department and US Sentencing Guideline requirements for effective compliance programs. 

Today, I am going to review the requirements relating to Testing and Audits and Training.

Testing and Audits

OFAC requires companies to assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within a sanctions compliance program (SCP) ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.

Under this element, a company has to implement three specific requirements:

  1. The organization ensures that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
  2. The organization employs testing or audit procedures appropriate to the level and sophistication of its SCP and ensures that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.
  3. The organization ensures that, upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

Training

OFAC observed that “[a]n effective training program is an integral component of a successful SCP.”  A training program should be “tailored to an entity’s risk profile and all appropriate employees and stakeholders.”  Companies have to conduct training for relevant employees and personnel on a periodic basis (and at a minimum, annually).

To meet this requirement, companies have to satisfy five basic criteria:

  1. An organization ensures that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties).  Such training should be further tailored to high-risk employees within the organization.
  2. The organization commits to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
  3. The organization commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile.
  4. The organization commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel.
  5. The organization’s training program includes easily accessible resources and materials that are available to all applicable personnel.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© The Volkov Law Group | Attorney Advertising
