I usually ignore hyperbole. I cringe when I hear, “[Title] was the greatest movie of all time,” or “[Title] was the greatest book of all time” (true confession — except if someone fills in the blank with The Brothers Karamazov by Fyodor Dostoevsky).
Moving on, 2019 was a big year in OFAC compliance. The Sanctions Compliance Guidance (here) was a major change in sanctions compliance. OFAC has set high expectations for compliance. Whether companies have received and responded to the message is still unclear. It may take a few years of aggressive enforcement for companies to reach the conclusion that investment in sanctions compliance is an important priority.
In support of my claim, let’s look at some of the new requirements or expectations.
A Sanctions Compliance Program must, at a minimum, consist of five elements: (1) Senior Management Commitment; (2) Risk Assessment; (3) Internal Controls; (4) Testing and Audit; and (5) Training. This is a basic list.
Under Risk Assessment, companies are now required to conduct a “holistic” review of the organization from top to bottom of the following: (a) clients and customers; (b) products and services; (c) supply chain; (d) intermediaries and counter-parties; (e) transactions; (f) locations; and (g) mergers and acquisitions.
As I have pointed out (yes, repeatedly), the addition of supply chain risks and liability for sourcing from prohibited countries and parties increases risks exponentially and requires allocation of significant resources to identify and manage these risks. At a minimum, companies will have to regularly assess and review their supply chains, especially those suppliers/vendors that operate in proximity to prohibited countries.
A Risk Assessment has to be conducted in conjunction with design of Internal Controls. As part of this element, companies have to implement screening technologies to conduct due diligence of companies falling into specific categories identified through the risk assessment process. This procedure, in turn, requires companies to identify beneficial owners of a particular company. In practical terms, OFAC has outlined a requirement that screening has to include beneficial owners of not only third parties, vendors and suppliers, but also a company’s customers. In this way, OFAC has extended due diligence requirements significantly for global companies.
In addition, OFAC has mandated that companies can no longer point to screening errors or failures resulting from inadequate technology. OFAC requires companies to document the selection of a screening system, the calibration of the screening system in relation to the company’s risk profile, and annual testing of the screening system to ensure its accuracy.
Like DOJ’s Compliance Guidance, and consistent with the framework articulated in the U.S. Sentencing Guidelines, companies have to designate a Sanctions Compliance Officer responsible for the sanctions compliance program. The individual can serve as a compliance officer for other compliance programs at the same time. The sanctions compliance function, however, should have adequate resources (human and technical) and professionals with sufficient knowledge and expertise in the area.
Finally, OFAC has joined the list of mandated training programs. Aside from annual sexual harassment and discrimination training programs, the Sanctions Compliance Guidance requires companies to conduct annual training of responsible persons, i.e. those that act in or near functions with sanctions risk.