How do you ensure your company is compliant when dealing with sanctions? Need guidelines on how to put a sanctions compliance program together? You’re in luck. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has published a framework for developing an effective sanctions compliance program (SCP). This framework outlines five essential components.
- Senior management commitment
- Risk assessment
- Internal controls
- Testing and auditing
- Training
Senior Management Commitment
- Senior management reviews and approves the organization’s SCP.
- Senior management ensures that its compliance units have sufficient authority and autonomy to deploy effective policies and procedures. As a part of this, senior management ensures direct reporting between senior management and compliance units, including routine and periodic meetings.
- Senior management ensures that compliance units have adequate resources.
- Senior management promotes a “culture of compliance” throughout the organization. This includes:
  - The ability of personnel to report sanctions-related misconduct by the organization or its personnel to senior management without fear of reprisal.
  - Senior management messages and takes actions that discourage misconduct and prohibited activities and highlight the potential repercussions of non-compliance with OFAC sanctions.
  - The ability of the SCP to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
- Senior management demonstrates recognition of the severity of apparent violations and of the laws and regulations enforced by OFAC.
Risk Assessment
OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One approach is for organizations to conduct a routine “risk assessment” for the purpose of identifying potential OFAC issues. While there is no “one-size-fits-all” risk assessment, the exercise should generally consist of a holistic review of the organization from top to bottom and an assessment of its touchpoints to the outside world. For example, an organization’s SCP may assess the following:
- Customers, supply chain, intermediaries, and counter-parties.
- The products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems.
- The geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.
Internal Controls
According to the framework, an effective SCP should include policies and procedures to identify, interdict, escalate, report, and maintain records of potential OFAC violations. The criteria for effective internal controls are based on the following:
- The organization maintains written policies and procedures outlined by the SCP.
- The organization implements internal controls that adequately address its risk profile. These internal controls should enable an organization to identify, interdict, escalate, report, and maintain records of potential OFAC violations.
- The organization enforces the policies and procedures that it implements through internal and/or external audits.
- The organization ensures that it adheres to adequate OFAC-related recordkeeping policies and procedures.
- The organization ensures that upon learning of a weakness in its internal controls, it takes immediate and effective action to identify and implement compensating controls, including determining the root cause of such weakness and remedying the root cause.
- The organization clearly and effectively communicates the SCP policies and procedures to relevant staff, including gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.), and to external parties performing SCP responsibilities on behalf of the organization.
- The organization appoints personnel to integrate the SCP policies and procedures into the daily operations of the organization.
Testing and Auditing
OFAC recommends a comprehensive, independent, and objective testing or audit function as part of the SCP. This function should enable organizations to be aware of how the SCP is performing and when updates, enhancements or recalibrations may be needed to account for a changing risk assessment or sanctions environment. A testing and auditing function should adhere to the following guidelines:
- The organization commits to ensuring that testing or auditing is (i) accountable to senior management, (ii) independent of the audited activity or function, and (iii) endowed with sufficient authority, skills, expertise, and resources.
- The organization commits to ensuring that it employs testing and auditing procedures that are sufficiently sophisticated and that such procedures are comprehensive and objective.
- The organization confirms that upon learning of a negative testing result or audit, it will take immediate and effective remedial action to identify and implement compensating controls that correct the root cause of the shortcoming.
Training
OFAC stresses that providing an effective training program to all appropriate employees and stakeholders is an integral component of a successful SCP. An effective training program will consist of the following:
- The organization commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and relevant stakeholders (e.g., clients, suppliers, business partners, and counter-parties).
- The organization commits to providing OFAC-related training with a scope and frequency that appropriately reflects the risk profile of the organization.
- The organization commits to ensuring that upon learning of a negative testing result or audit, it will take swift and effective action to provide training or other corrective action with respect to the relevant personnel.
- The materials and resources that are part of the training program are easily accessible to applicable personnel.