city

Table Of Contents

International Law

5 Components of OFAC Sanctions Compliance Program

Andrew Lopez

Andrew is the founder and managing member of Sequoia Legal, LLC headquartered in Denver. He advises domestic and foreign companies and organizations, entrepreneurs and individuals on a variety of corporate and international regulatory and transactional matters

Estimated Reading Time
updated:
4.4.21
ofac compliance

The U.S. Office of Foreign Assets Control (OFAC) recently released A Framework for OFAC Compliance Commitment, a document establishing the commitments the OFAC believes are critical to a robust sanctions compliance program for companies and businesses engaged in international trade and information or technology research and exchange.

An international business and OFAC sanctions attorney can help you create an OFAC sanctions compliance program to ensure that your business or research institution follows OFAC guidelines. Furthermore, your lawyer can update you when the rules change and conduct independent audits of your company for OFAC compliance.

What Is Sanctions Compliance?

sanctions compliance

Sanctions compliance means that your organization doesn’t sell, trade, share, or otherwise make available sensitive technology or products to parties listed on the U.S. government sanctions list.

But the answer to the question "What is sanction compliance?" goes a little further than this: Some rules prevent companies from selling anything classified as defense technology to certain parties (nations, states, organizations, or foreign persons), while other rules forbid any type of trade, whether general use or military use. Understanding how to classify the items (either tangible goods or technology and research) you wish to trade and which entities are banned from access to those items can be complicated.

Establishing an OFAC compliance program ensures that your business is compliant with current U.S. sanctions and embargoes. Noncompliance can lead to heavy fines, revocation of permits to engage in international trade, or even jail time for senior management. The basic elements of OFAC compliance programs outline with whom you can do business or exchange information, not how you operate your business.

Who Must Comply with OFAC Sanctions?

OFAC sanctions compliance applies to:

  • All U.S. citizens and permanent residents
  • All entities and persons within U.S. borders
  • All U.S. incorporated entities and any foreign branches of said entities
  • Any organization subject to U.S. jurisdiction
  • Any foreign entity conducting business with U.S. persons, or in the U.S.
  • Any person or entity using U.S.-origin goods or services
  • Any organization engaging in or facilitating online commerce or processing transactions using virtual currency (VC)

The scope of OFAC is broad; some entities may not even realize that the sanctions compliance program applies to them.

5 Essential Elements of an Effective Sanctions Compliance Program

elements of compliance program

The US Treasury Department’s Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs against targeted foreign governments, individuals, groups, and entities in accordance with national security and foreign policy goals and objectives. OFAC recently issued guidance strongly encouraging domestic and foreign entities that conduct business with the US, US persons, or use US-origin goods or services to develop, implement, and continuously update a sanctions compliance program (SCP).

While each individual entity’s SCP will vary based on the entity’s size, products or services, geographic location, and various other factors, OFAC has identified five essential components of compliance: management commitment, risk assessment,  internal controls, testing, and auditing and training.

1. Management Commitment

What is management commitment? OFAC emphasizes that senior management (including senior leadership, executives, and/or the board of directors) support of an organization’s Sanctions Compliance Programs (SCP) is imperative to its success and is essential in ensuring the SCP receives adequate resources and is fully integrated into the organization’s daily operations. Additionally, senior management support helps legitimize corporate compliance programs, empower its personnel, and foster a culture of compliance throughout the organization.

2. Risk Assessment

Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. OFAC suggests that a risk assessment should consist of a holistic review from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions.

3. Internal Controls

According to OFAC, an effective SCP should include internal controls, including policies and procedures, to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted periodically.

Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC. These include the following: (i) updates to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other sanctions-related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions; and (iii) the issuance of general licenses.

4. Testing and Auditing

ofac compliance program

Audits assess the effectiveness of current processes and check for inconsistencies between day-to-day operations. Comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.

5. Training

An adequate training program tailored to an entity’s risk profile and all appropriate employees and stakeholders is critical to the success of an SCP. This includes appropriate training in scope and frequency and must be easily available to all applicable personnel.

Why Is Sanctions Compliance Important?

Noncompliance with U.S. sanctions and embargoes can result in serious legal penalties. An effective sanctions compliance program ensures that your company is protected from fines in the hundreds of thousands of dollars or revocation of your permits to trade.

For example, in the mid-2010s, a Texas company knowingly allowed its goods to be sold in Iran. It faced a fine of $15 million. Is your business able to pay a sanctions violation fine that high? Many companies would be wiped out, and nonprofit research institutions may be unable to operate.

A savvy sanctions compliance attorney may be able to help you minimize a fine if you violate OFAC requirements. Demonstrating that your organization adheres to the most important elements of compliance programs and correcting your mistakes (including voluntary disclosures) can help reduce your fines. But wouldn’t it be better to maintain compliance in the first place? The sanctions list changes often, and screening techniques for identifying sanctioned parties can be tricky. A sanctions lawyer can help your organization stay in compliance.

How an OFAC Sanctions Compliance Attorney Could Help?

An experienced international business law attorney can draft best practices for your organization, including the compliance program elements necessary to prevent unintentionally violating OFAC requirements. Your lawyer can also audit your company, find areas where you could be vulnerable to OFAC violations, and recommend steps to correct the violations. What are the elements of a strong OFAC sanctions program, and how do they apply to your entity? Sequoia Legal can help you find answers. Contact us today.

Recent Posts

View All →