In new OFAC sanctions compliance guidance, clearer expectations of formalized program to mitigate, or aggravate failings.

The government agency charged with crafting the country’s sanctions programs has issued a rare and powerful piece of guidance.  It is a detailed, prescriptive framework laying out what it considers a strong compliance program to prevent companies from breaching sanction rules – a missive that could mitigate or negate a penalty, or, in its absence, elevate the endgame to egregious.

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has detailed the key pieces of a sanctions compliance program (SCP) it believes can aid large, global organizations that are headquartered in the U.S. or do significant business in the country to more effectively prevent failings, identify weaknesses more quickly, and better uncover and report designated entity hits and programmatic misses. OFAC, for the first time, has framed the elements of a sanctions compliance program, in a bevy of ways mirroring many of the tenets of the anti-money laundering (AML) compliance program. This includes prongs such as crafting stout internal controls, engaging in proactive OFAC risk assessments, adequately training and arming staff with knowledge and resources and testing and auditing systems and their human decision-makers to ensure systemic vulnerabilities are closed quickly.

The OFAC sanctions guidance also parallels many of the tenets outlined in guidance released April 30 by the U.S. Department of Justice (DOJ) detailing what is expected of corporate and financial crime compliance programs to gain credit when failings occur. It emphasizes a key shift toward the effectiveness of company efforts, rather than just having detailed policies and procedures done in good faith. The guidance, which applies to the whole of the department’s Criminal Division – including corporate and banking compliance settlements – builds on 2017 guidelines, which included a list of sample topics and questions for prosecutors to calculate when deciding if a company has demonstrated a true commitment to compliance and should get credit in a corporate settlement. It asks if the company’s compliance program is well designed, effectively implemented, and if the program actually works in practice.

The timing of the OFAC guidance also comes at a time of uncertainty and upheaval, where sanctions programs are aggressively expanding against certain countries, including Iran and more recently Venezuela. In tandem, the incredible costs tied to penalties for sanctions failings at banks have again been placed squarely in the global compliance consciousness with two billion-dollar plus penalties in a recent two-week period against Standard Chartered and UniCredit, a callback to a decade of major penalties against banks for similar egregious acts. Penalties peaked at $9 billion for one bank in particular.

These figures are exactly why an OFAC call to create compliance programs holds such promise for banks, and for public and privately held companies as well.

After a relatively quiet 2018, OFAC enforcement cases have assumed an unprecedented pace in 2019 – since January 31, OFAC has announced 14 settlements, an average of one per week. The settlements have been as large as USD $639,023,750 for 9,335 distinct violations, and as small as USD $13,381 for just six, targeting major international financial institutions and modest, privately held companies alike – underscoring that no potential violations are too big or too small to escape OFAC scrutiny.

In certain rare cases, OFAC has chosen not to issue a monetary penalty – even though it could have – because of the depth and effectiveness of a counter-sanctions program, the transparency and responsiveness of the company and commitment to remediate the root causes of the failure.

OFAC states that while each risk-based SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations—each program should be predicated on and incorporate at least five essential components of compliance:

Management commitment: Promotes a culture of compliance by ensuring SCP staffers have adequate authority, autonomy, resources and executive responsiveness for failures.

Risk assessment: Similar to the AML risk assessment, but done through the lens of U.S. sanctions policies, cognizant of the nearness to rogue regimes, sanctions evaders and their regional proxies.

Internal controls: As in the case of the AML transaction monitoring system, these can include the actual automated sanctions screening systems and the policies around investigating and escalating potential hits. The inputs and outputs of the screening systems, overall resources and expertise of those reviewing the alerts also should be inline with the potential sanctions risks the institution may encounter to mitigate and report potential hits – similar to how banks facing higher AML risks must have stronger programs with more advanced systems and more seasoned staffers.

Testing and auditing: This is typically done by a group outside of sanctions, either internal or external, that can review both sanctions screening inputs and outputs and scrutinize the decisions of staff to ensure potential hits are analyzed, escalated and dispositioned. Institutions should consider sanctions review teams with deep law enforcement and federal investigations experience – even former OFAC staff.

Training: Without training on how regimes evade sanctions policies, what regions of the world this happens and in what ways – such as through trade and co-opted correspondents – there is no way analysts can make the right decisions. Training has to be expansive, relevant, nuanced and infused with deep historical knowledge and a current understanding of the geopolitical power shifts driving sanctions evaders.

When applying the framework guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation, according to the guidance.  For example, under General Factor E, the compliance program, OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a civil monetary penalty (CMP) on that basis. Subject persons that have implemented effective SCPs that are predicated on the five essential components of compliance may also benefit from further mitigation of a CMP pursuant to General Factor F, or the remedial response, when the SCP results in remedial steps being taken. Finally, OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious,” a term used liberally in many of the largest sanctions penalties that have hit banks and other institutions.

In conclusion, the tacit meaning: just as on one side of the pendulum, having a well-run sanctions compliance program can lower penalties, the lack of a compliance program – or even having a “paper program” that is a mere figurehead effort, can more easily allow a prosecutor to dub a program and its failings as purposefully faulty, long-running and enterprise-wide, hence, a conclusion of egregious.