Much already has been written by my colleagues about the Office of Foreign Assets Control (“OFAC”) Framework for Compliance Commitments, which was published on May 2, 2019. Very briefly, the Framework sets out OFAC’s expectation that sanctions compliance programs (SCPs) should include at least five essential components of compliance:
(1) management commitment;
(2) risk assessment;
(3) internal controls;
(4) testing and auditing; and
(5) training.
I think it was an excellent development that OFAC, which generally is not known for being very clear and transparent about application of its complex and far-reaching regulations, provided us with detailed guidance regarding its expectations for sanctions compliance programs.
The Framework contains a significant amount of detail and valuable guidance as to what companies can do to meet OFAC’s expectations. For example, under Management Commitment, OFAC advises that SCPs should receive the attention of senior management, and that management should ensure that sanctions compliance units have sufficient resources and authority to do their jobs, promote a culture of compliance, and address compliance failures. Under Internal Controls, OFAC provides details of its expectations regarding written compliance procedures, their enforcement, recordkeeping, and information technology solutions (such as screening software). Likewise for risk assessments, testing and auditing, and training: the Framework provides detailed and very helpful guidance for all these aspects of compliance.
There is bad news, though. The bad news is how widely OFAC’s expectations for sanctions compliance programs apply, in terms of which companies they cover. In OFAC’s own words, this includes “organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance.” Naturally, “organizations subject to U.S. jurisdiction” includes all entities that are organized in the United States, and under some, though not all, OFAC sanctions programs, it also includes U.S.-owned or controlled foreign subsidiaries.
The logical next question is which companies, in which industries, need to implement OFAC sanctions compliance programs. The best-known OFAC enforcement cases in recent years involved the deepest of pockets – major global banks and financial institutions. Witness the eye-popping fines of $964 million on BNP Paribas in 2014, $330 million on Crédit Agricole in 2015, and $639 million on Standard Chartered Bank last year. Many other financial institutions, both in the U.S. and in other countries, have faced OFAC’s punishments. Major multinational companies that export their products and sell them around the world were also always on notice that they could be subject to OFAC enforcement and therefore needed to maintain sanctions compliance programs. For example, National Oilwell Varco was fined $6 million in 2016, and last year General Electric faced a fine of $2.7 million.
Banks and multinational manufacturers, however, never were the only targets of OFAC’s enforcement. In fact, most OFAC enforcement cases dealt with the provision of services, rather than the export of goods. OFAC’s enforcement in 2019 underscored that OFAC means business for a wide variety of companies engaged in trans-national business in a variety of sectors. There were 26 case settlements with total fines reaching $1.29 billion, a significant ramp-up of enforcement from previous years. These settlements included companies in the following sectors:
- Electronic travel-booking
- Industrial manufacturing
- Financial institutions
- Software and technology
- Supply chain solutions
There were cases involving household-name companies, including Allianz, Apple, Expedia, and Western Union, as well as smaller and lesser-known companies. Overall, OFAC’s enforcement record demonstrates that all companies that are subject to OFAC’s jurisdiction and engage in international business, especially in high-risk parts of the world or with high-risk business partners, would be well-advised to have an OFAC sanctions compliance program.
That does mean that if your company provides or receives goods or services across borders, you should think about a sanctions compliance program. Actually, you should do more than think about it: you should implement it. And you should ensure that you have sufficient expertise, either internal or external, to implement this program. Think of that as a cost of doing international business.
Then again, there is some good news. OFAC is not out to get you. In my experience, OFAC and other U.S. government agencies understand that compliance is always a work in progress. As OFAC states in the Framework for Compliance Commitments, “each risk-based SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations.” So your sanctions compliance program does not necessarily need to be very extensive or difficult to implement. As long as it demonstrates commitment to compliance, is designed to address your company’s unique risk profile, and incorporates a plan for continuous improvement, your SCP will really help you in OFAC’s eyes.