A Framework For OFAC Compliance Commitments
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers
and enforces U.S. economic and trade sanctions programs against targeted foreign governments,
individuals, groups, and entities in accordance with national security and foreign policy goals
and objectives.
OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities
that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or
services, to employ a risk-based approach to sanctions compliance by developing, implementing,
and routinely updating a sanctions compliance program (SCP). While each risk-based SCP will
vary depending on a variety of factors—including the company’s size and sophistication,
products and services, customers and counterparties, and geographic locations—each program
should be predicated on and incorporate at least five essential components of compliance:
(1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing;
and (5) training.
If after conducting an investigation and determining that a civil monetary penalty (“CMP”) is the
appropriate administrative action in response to an apparent violation, the Office of Compliance
and Enforcement (OCE) will determine which of the following or other elements should be
incorporated into the subject person’s SCP as part of any accompanying settlement agreement, as
appropriate. As in all enforcement cases, OFAC will evaluate a subject person’s SCP in a
manner consistent with the Economic Sanctions Enforcement Guidelines (the “Guidelines”).
When applying the Guidelines to a given factual situation, OFAC will consider favorably subject
persons that had effective SCPs at the time of an apparent violation. For example, under General
Factor E (compliance program), OFAC may consider the existence, nature, and adequacy of an
SCP, and when appropriate, may mitigate a CMP on that basis. Subject persons that have
implemented effective SCPs that are predicated on the five essential components of compliance
may also benefit from further mitigation of a CMP pursuant to General Factor F (remedial
response) when the SCP results in remedial steps being taken.
Finally, OFAC may, in appropriate cases, consider the existence of an effective SCP at the time
of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious.”
This document is intended to provide organizations with a framework for the five essential
components of a risk-based SCP, and contains an appendix outlining several of the root causes
that have led to apparent violations of the sanctions programs that OFAC administers. OFAC
recommends all organizations subject to U.S. jurisdiction review the settlements published by
OFAC to reassess and enhance their respective SCPs, when and as appropriate.
MANAGEMENT COMMITMENT
Senior Management’s commitment to, and support of, an organization’s risk-based SCP is one of
the most important factors in determining its success. This support is essential in ensuring the
SCP receives adequate resources and is fully integrated into the organization’s daily operations,
and also helps legitimize the program, empower its personnel, and foster a culture of compliance
throughout the organization.
II. Senior management ensures that its compliance unit(s) is/are delegated sufficient
authority and autonomy to deploy its policies and procedures in a manner that
effectively controls the organization’s OFAC risk. As part of this effort, senior
management ensures the existence of direct reporting lines between the SCP
function and senior management, including routine and periodic meetings between
these two elements of the organization.
III. Senior management has taken, and will continue to take, steps to ensure that the
organization’s compliance unit(s) receive adequate resources—including in the form
of human capital, expertise, information technology, and other resources, as
appropriate—that are relative to the organization’s breadth of operations, target
and secondary markets, and other factors affecting its overall risk profile.
[1] This may be the same person serving in other senior compliance positions, e.g., the Bank Secrecy Act Officer or an
Export Control Officer, as many institutions, depending on size and complexity, designate a single person to oversee
all areas of financial crimes or export control compliance.
C. Sufficient control functions exist that support the organization’s SCP—including but
not limited to information technology software and systems—that adequately address
the organization’s OFAC-risk assessment and levels.
RISK ASSESSMENT
Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not
properly handled, can lead to violations of OFAC’s regulations and negatively affect an
organization’s reputation and business. OFAC recommends that organizations take a risk-based
approach when designing or updating an SCP. One of the central tenets of this approach is for
organizations to conduct a routine, and if appropriate, ongoing “risk assessment” for the
purposes of identifying potential OFAC issues they are likely to encounter. As described in
detail below, the results of a risk assessment are integral in informing the SCP’s policies,
procedures, internal controls, and training in order to mitigate such risks.
While there is no “one-size-fits-all” risk assessment, the exercise should generally consist of a
holistic review of the organization from top-to-bottom and assess its touchpoints to the outside
world. This process allows the organization to identify potential areas in which it may, directly
or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. For example,
an organization’s SCP may conduct an assessment of the following: (i) customers, supply chain,
intermediaries, and counter-parties; (ii) the products and services it offers, including how and
where such items fit into other financial or commercial products, services, networks, or systems;
and (iii) the geographic locations of the organization, as well as its customers, supply chain,
intermediaries, and counter-parties. Risk assessments and sanctions-related due diligence are also
important during mergers and acquisitions, particularly in scenarios involving non-U.S.
companies or corporations.
A fundamental element of a sound SCP is the assessment of specific clients, products, services,
and geographic locations in order to determine potential OFAC sanctions risk. The purpose of a
risk assessment is to identify inherent risks in order to inform risk-based decisions and controls.
The Annex to Appendix A to 31 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement
Guidelines, provides an OFAC Risk Matrix that may be used by financial institutions or other
entities to evaluate their compliance programs:
completed, the organization’s Audit and Testing function will be critical to
identifying any additional sanctions-related issues.
II. The organization has developed a methodology to identify, analyze, and address the
particular risks it identifies. As appropriate, the risk assessment will be updated to
account for the conduct and root causes of any apparent violations or systemic
deficiencies identified by the organization during the routine course of business, for
example, through a testing or audit function.
INTERNAL CONTROLS
An effective SCP should include internal controls, including policies and procedures, in order to
identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that
may be prohibited by the regulations and laws administered by OFAC. The purpose of internal
controls is to outline clear expectations, define procedures and processes pertaining to OFAC
compliance (including reporting and escalation chains), and minimize the risks identified by the
organization’s risk assessments. Policies and procedures should be enforced, weaknesses should
be identified (including through root cause analysis of any compliance breaches) and remediated,
and internal and/or external audits and assessments of the program should be conducted on a
periodic basis.
Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP
should be capable of adjusting rapidly to changes published by OFAC. These include the
following: (i) updates to OFAC’s List of Specially Designated Nationals and Blocked Persons
(the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other sanctions-
related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on
targeted foreign countries, governments, regions, or persons, through the enactment of new
legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or
other OFAC actions; and (iii) the issuance of general licenses.
Effective OFAC compliance programs generally include internal controls, including policies and
procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records
pertaining to activity that is prohibited by the sanctions programs administered by OFAC. The
purpose of internal controls is to outline clear expectations, define procedures and processes
pertaining to OFAC compliance, and minimize the risks identified by an entity’s OFAC risk
assessments. Policies and procedures should be enforced, and weaknesses should be identified
(including through root cause analysis of any compliance breaches) and remediated in order to
prevent activity that might violate the sanctions programs administered by OFAC.
I. The organization has designed and implemented written policies and procedures
outlining the SCP. These policies and procedures are relevant to the organization,
capture the organization’s day-to-day operations and procedures, are easy to follow,
and designed to prevent employees from engaging in misconduct.
II. The organization has implemented internal controls that adequately address the
results of its OFAC risk assessment and profile. These internal controls should
enable the organization to clearly and effectively identify, interdict, escalate, and
report to appropriate personnel within the organization transactions and activity
that may be prohibited by OFAC. To the extent information technology solutions
factor into the organization’s internal controls, the organization has selected and
calibrated the solutions in a manner that is appropriate to address the
organization’s risk profile and compliance needs, and the organization routinely
tests the solutions to ensure effectiveness.
III. The organization enforces the policies and procedures it implements as part of its
OFAC compliance internal controls through internal and/or external audits.
IV. The organization ensures that its OFAC-related recordkeeping policies and
procedures adequately account for its requirements pursuant to the sanctions
programs administered by OFAC.
V. The organization ensures that, upon learning of a weakness in its internal controls
pertaining to OFAC compliance, it will take immediate and effective action, to the
extent possible, to identify and implement compensating controls until the root
cause of the weakness can be determined and remediated.
VI. The organization has clearly communicated the SCP’s policies and procedures to all
relevant staff, including personnel within the SCP program, as well as relevant
gatekeepers and business units operating in high-risk areas (e.g., customer
acquisition, payments, sales, etc.) and to external parties performing SCP
responsibilities on behalf of the organization.
VII. The organization has appointed personnel for integrating the SCP’s policies and
procedures into the daily operations of the company or corporation. This process
includes consultations with relevant business units, and confirms the organization’s
employees understand the policies and procedures.
Audits assess the effectiveness of current processes and check for inconsistencies between these
and day-to-day operations. A comprehensive and objective testing or audit function within an
SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the
organization’s responsibility to enhance its program, including all program-related software,
systems, and other technology, to remediate any identified compliance gaps. Such enhancements
might include updating, improving, or recalibrating SCP elements to account for a changing risk
assessment or sanctions environment. Testing and auditing can be conducted on a specific
element of an SCP or at the enterprise-wide level.
General Aspects of an SCP: Testing and Auditing
A comprehensive, independent, and objective testing or audit function within an SCP ensures
that entities are aware of where and how their programs are performing and should be updated,
enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as
appropriate. Testing or audit, whether conducted on a specific element of a compliance program
or at the enterprise-wide level, are important tools to ensure the program is working as designed
and identify weaknesses and deficiencies within a compliance program.
II. The organization commits to ensuring that it employs testing or audit procedures
appropriate to the level and sophistication of its SCP and that this function, whether
deployed internally or by an external party, reflects a comprehensive and objective
assessment of the organization’s OFAC-related risk assessment and internal
controls.
III. The organization ensures that, upon learning of a confirmed negative testing result
or audit finding pertaining to its SCP, it will take immediate and effective action, to
the extent possible, to identify and implement compensating controls until the root
cause of the weakness can be determined and remediated.
TRAINING
An adequate training program, tailored to an entity’s risk profile and all appropriate employees
and stakeholders, is critical to the success of an SCP.
II. The organization commits to provide OFAC-related training with a scope that is
appropriate for the products and services it offers; the customers, clients, and
partner relationships it maintains; and the geographic regions in which it operates.
IV. The organization commits to ensuring that, upon learning of a confirmed negative
testing result or audit finding, or other deficiency pertaining to its SCP, it will take
immediate and effective action to provide training to or other corrective action with
respect to relevant personnel.
Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based
on Assessment of Prior OFAC Administrative Actions
Since its publication of the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501,
App. A (the “Guidelines”), OFAC has finalized numerous public enforcement actions in which it
identified deficiencies or weaknesses within the subject person’s SCP. These items, which are
provided in a non-exhaustive list below, are provided to alert persons subject to U.S. jurisdiction,
including entities that conduct business in or with the United States, U.S. persons, or U.S.-origin
goods or services, about several specific root causes associated with apparent violations of the
regulations it administers in order to assist them in designing, updating, and amending their
respective SCP.
OFAC regulations do not require a formal SCP; however, OFAC encourages organizations
subject to U.S. jurisdiction (including but not limited to those entities that conduct business in,
with, or through the United States or involving U.S.-origin goods, services, or technology), and
particularly those that engage in international trade or transactions or possess any clients or
counter-parties located outside of the United States, to adopt a formal SCP. OFAC has finalized
numerous civil monetary penalties since publicizing the Guidelines in which the subject person’s
lack of an SCP was one of the root causes of the sanctions violations identified during the course
of the investigation. In addition, OFAC frequently identified this element as an aggravating
factor in its analysis of the General Factors associated with such administrative actions.
With respect to this specific root cause, OFAC’s administrative actions have typically identified
additional aggravating factors, such as reckless conduct, the presence of numerous warning signs
that the activity at issue was likely prohibited, awareness by the organization’s management of
the conduct at issue, and the size and sophistication of the subject person.
signing off on transactions conducted by, or otherwise facilitating dealings between their
organization’s non-U.S. locations and OFAC-sanctioned countries, regions, or persons. In many
instances, the root cause of these violations stems from a misinterpretation or misunderstanding
of OFAC’s regulations. Companies and corporations with integrated operations, particularly
those involving or requiring participation by their U.S.-based headquarters, locations, or
personnel, should ensure any activities they engage in (e.g., approvals, contracts, procurement,
etc.) are compliant with OFAC’s regulations.
Non-U.S. persons have repeatedly purchased U.S.-origin goods with the specific intent of re-
exporting, transferring, or selling the items to a person, country, or region subject to OFAC
sanctions. In several instances, this activity occurred despite warning signs that U.S. economic
sanctions laws prohibited the activity, including contractual language expressly prohibiting any
such dealings. OFAC’s public enforcement actions in this area have generally been focused on
companies or corporations that are large or sophisticated, engaged in a pattern or practice that
lasted multiple years, ignored or failed to respond to numerous warning signs, utilized non-
routine business practices, and—in several instances—concealed their activity in a willful or
reckless manner.
VI. Sanctions Screening Software or Filter Faults
Many organizations conduct screening of their customers, supply chain, intermediaries, counter-
parties, commercial and financial documents, and transactions in order to identify OFAC-
prohibited locations, parties, or dealings. At times, organizations have failed to update their
sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include
pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or
sanctioned financial institutions, or did not account for alternative spellings of prohibited
countries or parties—particularly in instances in which the organization is domiciled or conducts
business in geographies that frequently utilize such alternative spellings (e.g., Habana instead of
Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
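As an added illustration that is not part of the OFAC document, the screening faults described above rendered as a constructed Python filter: a naive exact-match screener that misses alternative spellings, ignores SWIFT BICs and never checks list currency, beside a hardened one that normalizes text using the alternative spellings the framework names, matches BICs, and flags a stale list. The list entries, BICs, dates and the seven-day freshness threshold are placeholder assumptions, not real OFAC list data.

```python
"""Constructed example: a naive sanctions screener beside a hardened one.
Every list entry, BIC and date below is a placeholder, not real OFAC data."""
from dataclasses import dataclass, field
from datetime import date
import re
import unicodedata


@dataclass
class WatchList:
    """A screening list as loaded into a filter (constructed placeholder data)."""
    published: date                                  # date of the list version loaded
    names: set[str]                                  # listed party names
    bics: set[str] = field(default_factory=set)      # SWIFT BICs of listed institutions
    places: set[str] = field(default_factory=set)    # sanctioned countries, regions, cities


# Alternative spellings named in the framework, mapped to their canonical forms.
# Hypothetical table: a production filter would maintain a far larger one.
ALIASES = {"habana": "havana", "kuba": "cuba", "soudan": "sudan"}


def normalize(text: str) -> str:
    """Strip diacritics, casefold, drop punctuation, collapse whitespace, apply aliases."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    return " ".join(ALIASES.get(tok, tok) for tok in text.split())


def naive_screen(wl: WatchList, party: str, place: str, bic: str = "") -> list[str]:
    """Exact, case-sensitive matching on names and places only; BICs are ignored."""
    hits = []
    if party in wl.names:
        hits.append("name")
    if place in wl.places:
        hits.append("place")
    return hits


def hardened_screen(wl: WatchList, party: str, place: str, bic: str = "",
                    today: date = date(2024, 1, 1), max_age_days: int = 7) -> list[str]:
    """Normalized matching over names, places and BICs, plus a list-freshness check."""
    hits = []
    if (today - wl.published).days > max_age_days:
        hits.append("stale_list")      # escalate: list may lack recent designations
    norm_names = {normalize(n) for n in wl.names}
    norm_places = {normalize(p) for p in wl.places}
    if normalize(party) in norm_names:
        hits.append("name")
    if normalize(place) in norm_places:
        hits.append("place")
    # Compare the 8-character institution code so branch suffixes (11-char BICs) still match.
    if bic and bic.strip().upper()[:8] in {b.upper()[:8] for b in wl.bics}:
        hits.append("bic")
    return hits
```

Any non-empty result from `hardened_screen` is a reason to hold the transaction for review; "stale_list" alone means the filter itself needs updating before its clean results can be trusted.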
One of the fundamental components of an effective OFAC risk assessment and SCP is
conducting due diligence on an organization’s customers, supply chain, intermediaries, and
counter-parties. Various administrative actions taken by OFAC involved improper or incomplete
due diligence by a company or corporation on its customers, such as their ownership, geographic
location(s), counter-parties, and transactions, as well as their knowledge and awareness of OFAC
sanctions.
While each organization should design, develop, and implement its risk-based SCP based on its
own characteristics, several organizations subject to U.S. jurisdiction have committed apparent
violations due to a de-centralized SCP, often with personnel and decision-makers scattered in
various offices or business units. In particular, violations have resulted from this arrangement
due to an improper interpretation and application of OFAC’s regulations, the lack of a formal
escalation process to review high-risk or potential OFAC customers or transactions, an
inefficient or incapable oversight and audit function, or miscommunications regarding the
organization’s sanctions-related policies and procedures.
Organizations subject to U.S. jurisdiction are in the best position to determine whether a
particular dealing, transaction, or activity is proposed or processed in a manner that is consistent
with industry norms and practices. In many instances, organizations attempting to evade or
circumvent OFAC sanctions or conceal their activity will implement non-traditional business
methods in order to complete their transactions.
X. Individual Liability