What does OFAC compliance mean for your business?
We frequently talk about BIS and DDTC when it comes to export compliance, but we less often discuss the importance of OFAC compliance. When it comes to OFAC compliance, there are three mistakes we often see companies make:
- Failing to Understand How Far-Reaching the OFAC Sanctions Are.
- Not Including OFAC lists in Restricted Party Screenings.
- Having a Compliance Program Which Does Not Address Sanctions.
Who Does OFAC Compliance Apply To?
The Office of Foreign Assets Control (OFAC) is responsible for administering and enforcing economic sanctions programs against countries and groups to support U.S. foreign policy (think current news as well as narcotics and terrorism).
Complying with OFAC is essential, especially for those companies with subsidiaries and partners overseas. Too often, fines come as a result of a U.S. company either not being aware of what their overseas subsidiaries are doing or turning a blind eye.
Violation of OFAC regulations can result in criminal penalties and/or civil penalties similar to those administered under the ITAR and EAR. Companies must do their due diligence to adhere to OFAC compliance or risk penalties and violations including:
- Criminal penalties with fines up to $1 million and/or 20 years in prison for each violation.
- Civil penalties with fines up to $55,000 per violation.
- Prohibited transactions can lead to the forfeit of goods seized.
OFAC sanctions present a huge risk for U.S. companies and show the importance of knowing the regulations and how they apply not only to U.S. entities but to foreign partners as well.
A recent example of OFAC sanctions
Just recently, a Swiss airlines communications firm, SITA, was fined $7.8 million for 9,256 violations of the Global Terrorism Sanctions Regulations.
SITA was fined for providing services and software to airlines sanctioned by OFAC, giving companies a stark reminder of the importance of complying with the OFAC regulations.
In order to avoid OFAC fines and penalties, companies must understand and comply with the regulations. Merely having a few general procedures or none at all simply does not cut it and puts your business at risk of running afoul of OFAC regulations.
It is crucial to review your program to determine if what you have in place is enough. Below are three mistakes companies make when it comes to OFAC compliance.
1. Failure to understand how far-reaching the OFAC sanctions are
Many companies underestimate just how far the regulations reach, extending not only to foreign subsidiaries but also to the goods and services that they control.
Take, for instance, our example of SITA, whose main infraction was offering US-origin software to designated global terrorists on the OFAC list.
Even though SITA is a Swiss-based company, it was not excluded from the OFAC regulations, because the software it was using was of U.S. origin and therefore captured under the OFAC regulations.
There were several aggravating factors that led to such a huge fine. Here are a few:
- SITA did not self-disclose the violations even though SITA had knowledge that goods and services were being provided to Specially Designated Global Terrorists (SDGTs).
- SITA operates in almost every country in the world and, as a result, was determined to be sophisticated enough to have known better.
- SITA harmed the foreign policy objectives of the Global Trade Sanctions Regulations by providing services and goods that benefitted or facilitated the operations of airlines sanctioned for supporting terrorism.
In the case of SITA, not only was the software of U.S. origin, but OFAC found both the software and services were subject to U.S. jurisdiction, “because they were provided from, or transited through, the United States or involved the provision of U.S.-origin software with the knowledge that customers designated as SDGTs would benefit from the use of that software.”
Who do the OFAC regulations apply to?
The OFAC sanctions are also unique in that they apply to all U.S. persons and permanent residents wherever they are located.
This includes persons (both U.S. Persons and Foreign Persons) within the United States, U.S. persons outside of the United States, and all U.S. incorporated entities and their foreign branches.
In certain OFAC sanction programs, foreign subsidiaries owned or controlled by U.S. companies must also comply with the sanctions. Other programs require foreign persons possessing U.S.-origin goods to comply, such as what we saw with the SITA penalties.
It is crucial that companies review each transaction to ensure they are in compliance with these rules, even if they are not located within the United States.
Under the OFAC rules, a company is considered to be owned or controlled by a U.S. person if the U.S. person or entity holds a majority of seats on the board of directors, holds a 50% or greater equity interest by vote or value in the entity, or otherwise controls the actions, policies, or personnel decisions of the entity. Other sanctions programs consider different factors such as “control,” as well as ownership.
Companies need to take care to ensure that not only their U.S. locations comply with OFAC, but that the transactions of their foreign subsidiaries and branches are compliant with OFAC regulations as well.
2. Not including OFAC lists in restricted party screenings or faulty screening
Screening customers should be a key element of any compliance program. There are online tools designed to assist with screening, as well as websites offering consolidated lists. However, oftentimes, the software or lists do not include the OFAC lists or do not update to account for additions to the lists.
Companies must check the tools they are using to ensure they include the most up-to-date OFAC lists. There are several OFAC sanctions lists, each dealing with a specific target, individual, or group. OFAC has consolidated the lists into one list.
In addition, if you use a screening tool, that tool should include the OFAC lists, but be sure to confirm. One of the main lists, the Specially Designated Nationals List (“SDN List”), contains over 6,400 names of individuals and entities with whom U.S. citizens and permanent residents are prohibited from doing business wherever they are located.
Other sanctions lists include the Sectoral Sanctions Identification (SSI) list. The SSI list names individuals, companies, and entities in sectors of the Russian economy and prohibits certain activities by U.S. persons, wherever they are located.
OFAC suggests including identifiers in your review such as the SWIFT business identifier codes in order to identify any blocked, sanctioned, or designated financial institutions.
Be sure to pay attention to different spellings of countries, cities, and entities. Cyrillic characters or acronyms should not be used when screening. Apple was recently assessed a fine by OFAC of $476,000 to settle 47 sanctions violations that occurred as a result of faulty screening.
In addition to the lists described above, OFAC considers any entity that is 50% or more owned by a prohibited or restricted party to be a restricted party themselves. This means that not only is screening crucial but looking into the ownership structure of who you are doing business with is just as important. In many cases, additional screening tools are required to determine this information.
3. Having a compliance program that does not address sanctions
Many compliance programs fail to include any reference to OFAC regulations and how to comply with them. According to OFAC, a primary root cause of violations is a lack of a formal Sanctions Compliance Program, or SCP.
What is a Sanctions Compliance Program?
As with any compliance program, it is crucial to have a plan in place, communicate the plan and abide by it.
While a formal program is not a regulatory requirement, OFAC suggests that entities subject to U.S. jurisdiction have an SCP in place to avoid costly violations and penalties.
This includes those organizations conducting business in, with, or through the United States as well as those companies conducting transactions involving U.S.-origin goods, technology, or services.
Consult the OFAC Compliance Framework Publication
OFAC has issued a framework publication designed to help companies understand and comply with the OFAC regulations.
According to the framework publication, OFAC encourages organizations to take a risk-based approach to sanctions by maintaining a sanctions compliance program emphasizing five essential components:
- Management commitment: Senior management commitment and support act as a cornerstone of any compliance program by ensuring adequate resources and cooperation throughout the entire organization.
- Risk assessment: Risks that are ignored can lead to OFAC violations. OFAC recommends a risk-based approach when implementing a compliance program. Risks should be identified, analyzed, and addressed.
- Internal controls: This includes comprehensive written procedures and policies that address record-keeping, reporting, identifying potential violations, and auditing. Procedures should be clearly communicated, easy to follow and integrated into daily operations.
- Testing and auditing: A compliance program should be consistently reviewed to identify gaps and weaknesses. Self-assessments and audits should be backed by management and include corrective actions for any risks identified.
- Training: Training should be tailored to specific functions within the organization and occur on a regular basis (annually at a minimum). The frequency and depth of training should be determined by risk.
Be sure to consult the framework publication when building your program. Most of the components can be built into your existing compliance program and may act as a mitigating factor should issues arise.
Guard your business. Meet your OFAC compliance commitments.
Should you find yourself in violation of OFAC rules, mitigating factors can make a difference in the assessed fines and penalties. In addition to the aggravating factors, several mitigating factors came into play for SITA that likely led to a reduction in the penalties.
- SITA had not had any violations or fines within the past five years, which was likely the result of remedial measures they had put into place.
- SITA had enhanced their compliance program, as well as their screening process of both customers and suppliers.
- The violating transactions represented only a small percentage of SITA’s business.
- SITA was cooperative with OFAC by being prompt and detailed.
After the settlement was reached, SITA went further in improving their OFAC program to include establishing a trade compliance committee to act in an advisory capacity, appointing a global head of ethics and compliance to improve compliance as a whole, updating and creating policies to bring awareness to sanctions, and establishing an annual sanctions compliance training program.
While SITA has made great strides in improvement, costly mistakes could have been avoided by having an existing program. Take some time to assess your export compliance program. Does it include OFAC? Are you screening adequately? Does your training include sanctions programs and compliance?
Emmalie Armstrong is a Trade Compliance Consultant with Export Solutions – a firm specializing in U.S. import/export regulations.