A Framework for OFAC Compliance

On May 2, the Office of Foreign Assets Control published A Framework for OFAC Compliance Commitments. The Framework includes an expected Sanctions Compliance Program (SCP) that institutions should consider when developing their own risk-based OFAC compliance program.

There is no “one size fits all” SCP for institutions, and each institution should establish a risk-based program based on the institution’s size and sophistication; products and services; customers and counterparties; and geographic locations. The Framework focuses on additional essential components of compliance, as follows:

  • Senior management commitment
  • Risk assessment
  • Internal controls
  • Testing and auditing
  • Training

In the case of a violation, OFAC will look more favorably upon institutions with effective Sanctions Compliance Programs than those without. The Framework refers to the Economic Sanctions Enforcement Guidelines, which OFAC uses when determining administrative actions for violations.

Senior Management Commitment

Senior management commitment involves the following components:

  • Review and approval of the SCP
  • Ensuring compliance departments have sufficient authority and autonomy to deploy policies and procedures to effectively control OFAC risk
  • Ensuring that compliance departments receive adequate resources relative to the institution’s scope of operations, markets, and other factors contributing to its overall risk profile
  • Promotion of a compliance culture throughout the institution

Risk Assessments

Risk assessments should identify potential threats or vulnerabilities that can lead to OFAC violations and negatively affect an institution’s reputation and business. The institution should conduct routine and ongoing risk assessments identifying the potential OFAC issues that it is likely to encounter. This should be a holistic review of the entire institution that assesses any touchpoints to the outside world. This includes customers; suppliers and vendors; products and services; geographic locations; and sanctions monitoring. Included in the Enforcement Guidelines is a risk matrix that institutions can use as a starting point to conduct a risk assessment.

Internal Controls

Institutions should have and follow policies and procedures that outline clear expectations, define procedures and processes (including reporting and escalation chains), and minimize risks identified in the institution’s risk assessment.

Testing and Auditing

Processes should be checked for effectiveness and to identify any weaknesses and deficiencies. This includes software and technology as well as staff interactions. Identified issues should promptly result in corrective action to protect the institution.

Training

Training should give employees adequate information and instruction to support the institution’s OFAC compliance efforts. Training should be tailored to employees based on their level of potential violations.

The Framework also includes a list of root causes of SCP breakdowns or deficiencies. Institutions should review this list to see if any are immediately applicable to their normal operating activities.

Law-Related Services Disclaimer.  Please be advised, CSG provides financial services compliance audit and consulting services to our clients.  The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers.  Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services.  Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest.  Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.
