This past December, at the American Bankers Association/American Bar Association Financial Crimes Enforcement Conference, Treasury’s Under Secretary Sigal Mandelker spoke to his audience on the Office of Foreign Assets Control’s (OFAC) Compliance Commitments. While acknowledging that because U.S. economic sanctions can apply to all types of industries and businesses and there may not be a “one-size-fits-all” sanctions compliance program that can be universally adopted, OFAC does believe there are commonalities of a good program that can enable businesses in a multitude of sectors to establish and maintain a robust program of sanctions compliance.
Utilizing the experience and insight that OFAC has gained over the years by examining the “best” and the “worse” practices of entities in their compliance with sanctions, Under Secretary Sigal Mandelker outlined some basic actions that can be implemented to achieve a less risk or even a risk-free environment within which to operate and conduct business.
On May 2, 2019, OFAC published its “A Framework for Compliance Commitments”. The framework provides direction and insight into the essential elements of a “risk-based sanctions compliance program.” Utilizing a “lessons learned” approach to the wide range of violations that OFAC has encountered over the years, OFAC developed “Best Practices” for the development, implementation and management of an effective Sanctions Compliance Program (SCP).
OFAC's recommended compliance framework makes clear that a Sanctions Compliance Program must include at least the below five essential components, but it is equally clear that these five elements do not necessarily make a robust fail proof compliance program. As we all know “more” (taking into consideration the type of business endeavors a company and/or individual is involved in) is better than “less” when it comes to compliance.
The Five Recommended Elements
1. Management Commitment
“Senior Management’s commitment to, and support of, an organization’s risk-based SCP is one of the most important factors in determining its success. This support is essential in ensuring the SCP receives adequate resources and is fully integrated into the organization’s daily operations, and also helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.” 
- Senior Management support is absolutely necessary to a successful compliance program;
- Senior Management support ensuring there are adequate resources, to include a “Sanctions Compliance Officer” (or someone competently familiar with the regulations and compliance to those regulations) and Senior Management endorsement of compliance personnel’s authority;
- Senior Management should encourage a culture of compliance throughout the
- Senior Management should recognize the seriousness of compliance and the consequences of non-compliance.
Essentially, the more ownership that Senior Management takes of the compliance program, the higher the chance of success for the program.
2. Risk Assessments
“Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business.” 
- OFAC recommends a risk-based approach to the development, implementation and the continual updating of the Sanctions Compliance Program;
- Routine and ongoing internal “risk assessments” are to be conducted internally or by utilizing outside/independent experts to identify potential OFAC risks;
- A methodology which identifies, analyzes, and addresses the particular risks identified in assessments;
- Establishment and continual improvement of internal controls, including policies and procedures.
3. Internal Controls
“An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.” 
- Policies, procedures and practices should be are relevant to the activities of the organization. These should also be are easy to understand, follow, and should prevent employee misconduct;
- These should also be adaptable to changes, updates and revisions to OFAC regulations.
4. Testing and Auditing
“Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations” 
- Audits can be focused on a specific element of a compliance program (“spot check”) or they can be broad-based to encompass the entire program;
- Audit function should be reportable to senior management;
- Whether conducted by an internal or external party, the audits should reflect a comprehensive and objective assessment of the company’s OFAC-related risk assessment and its internal controls.
“An effective training program is an integral component of a successful SCP”. 
- Training should be provided to all appropriate employees and personnel on a periodic basis, and at a minimum, annually;
- Training should provide: (i) job-specific knowledge; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments;
- Training should provide adequate and clearly understandable information and instruction to employees and stakeholders.
Root Causes for Violations
The Treasury Department also outlined, based on their experience and enforcement efforts, examples of Root Causes for violations: Some of these are:
- Lack of and/or inconsistent application of a formal Sanctions Compliance Program;
- Misinterpreting or failing to understand the applicability of OFAC Regulations;
- Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates);
- Non-U.S. persons exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries;
- Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries;
- Inadequate sanctions screening and/or filter faults;
- Improper Due Diligence on Customers/Clients;
- De-Centralized Compliance Functions and Inconsistent Application of an Sanctions Compliance Program;
- Utilizing Non-Standard Payment or Commercial Practices;
- Non-U.S. persons engaging in violations of OFAC’s regulations by processing financial transactions through U.S. financial institutions;
- The failure to update or enhance sanctions screening software or filters;
- Improper due diligence of customers, intermediaries, or counter-parties as part of a company’s supply chain;
- The failure to identify and detect organizations that engage in conduct that is contrary to industry norms and practices in an effort to evade or circumvent OFAC sanctions;
- Individual and senior-level employees who engage in misconduct.
Mitigation of Penalties
In providing these guidelines, OFAC has also established another measurement tool by which it can calculate the extent of penalties assessed for violations. The absence of a Sanctions Compliance Program or the evaluation of the ineffectiveness of a program can reduce any mitigation of penalties. By the same respect, the presence of an effective program can mitigate downwards any penalty when violations occur in spite of the best effort to maintain a risk-free environment. The recent settlement with Stanley Black and Decker demonstrates that the existence of a compliance program can be a mitigation. OFAC recognized that Stanley Black and Decker provided trade compliance training to management of a newly acquired foreign subsidiary; received written assurances of compliance from that subsidiary; and later discovered/disclosed the violations through an internal investigation. These and other factors were considered strong mitigation by OFAC. According to OFAC, the fault existed when Stanley Black and Decker failed to “implement procedures to monitor or audit” the activities of its subsidiary on an ongoing basis. Still, the efforts of Stanley Black and Decker in attempting to establish a compliance program resulted in a penalty that was reduced from a potential $7m to $1.8 million.
OFAC’s “Framework for Compliance Commitments” is now established and it is up to individual and companies to comprehend, implement, and utilize that framework to establish, maintain and continually improve an effective Sanctions Compliance Program.
If your company needs assistance in navigating the OFAC regulations or in establishing a more robust compliance program, please contact us for a free consultation.
Treasury Department - A Framework for OFAC Compliance Commitments – May 2, 2019
Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.