For international businesses, the costs of a weak sanctions compliance program can be steep, impacting both a company’s reputation and its bottom line. This year alone, the Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed more than $10 million dollars in civil monetary penalties for violations of U.S. sanctions programs. The entities implicated represent a variety of sectors: consumer products, large e-commerce platforms, financial services, commodities exporters, telecommunications, shippers, and lobbyists. While these entities may be structured differently and operate on different scales, they share one common element: an inadequate compliance program.
U.S. authorities investigating sanctions breaches have highlighted this deficiency as an aggravating factor for monetary penalties. For example, in a July 2020 enforcement action targeting prohibited trading activity with North Korea, OFAC detailed how Essentra FZE, a cigarette manufacturer, did not maintain a compliance program that could effectively detect or stop willful and knowing action by its employees to deal with sanctioned individuals and export goods to a sanctioned country. As a result, two of its employees were able to orchestrate a deal to ship cigarette filters to North Korea, trying to disguise the flow of funds through front companies and routing the shipment through China.
For one of the first times in an enforcement action, OFAC explicitly identified the five pillars of an effective sanctions compliance program—management commitment, risk assessment, internal controls, testing and auditing, and training—and made it clear that such pillars are critical to ensuring that companies remain on the right side of the law.
This enforcement action underscores OFAC’s message that implementing comprehensive controls can help organizations manage their exposure to sanctions risk, while failure to do so can lead to substantial fines and reputational damage.
Getting to a Robust Sanctions Compliance Program
Recent OFAC settlements and deferred prosecution agreements (DPAs) highlight how organizations are applying the five pillars to overhaul their sanctions compliance programs. The roadmap to remediation that these firms are following also tracks the expectations OFAC laid out in its Framework for OFAC Compliance Commitments.
The five areas in which these entities committed to making significant improvements are as follows:
1. Management Commitment
Organizations must ensure current senior management supports a significant investment in upgrading sanctions compliance programs. This includes confirming that compliance staff have the relevant background and training, resources, and authority to design and implement robust policies and procedures. Establishing a clear tone from the top ensures that every person employed by a firm knows that they are responsible for preventing sanctions breaches, and that if an employee reports an issue, leadership, including executives and members of the board of directors, will take it seriously.
2. Risk Assessment
OFAC also encourages organizations to conduct risk assessments to adequately account for sanctions-related risks across customers, products, services, supply chains, intermediaries, counterparties, transactions, and geographies. Organizations should update their risk assessments to account for changes in business activities or deficiencies that are identified through audits of their internal controls. Regularly updating risk assessments also helps identify blind spots and emerging risks.
3. Internal Controls
Strong compliance programs are only as effective as their adoption. Effective internal controls ensure that an organization has implemented a compliance program in a way that can prevent, detect, and respond to actual or suspected prohibited conduct. Policies must be translated into day-to-day activities that allow front-line employees as well as back-end finance team members to effectively manage risks, including sanctions risks. Establishing well-designed manual and automated controls around key business processes is key. This includes monitoring new business development, vendor or third-party onboarding, and sales and payments to ensure that business is not conducted with sanctioned persons or entities.
4. Testing and Auditing
Once a comprehensive sanctions compliance program is in place, it needs to be independently tested and audited it to confirm its continued effectiveness. The testing and auditing process should include an evaluation of the control functionality, frequency, sufficiency of resources to manage potential exceptions, and independence and authority of those with responsibility for escalation and reporting to the board, audit committee, or executive leadership. Testing and auditing practices verify that, where implementation gaps exist, the enterprise can respond to them quickly.
A firm’s compliance staff requires regular and structured training to reinforce an understanding of the risks they are facing and the actions they are required to follow under the relevant policies and procedures. This training component may also extend to other business relationships, including clients, suppliers, and business partners. Compliance staff also need opportunities to learn about changes in legal or regulatory frameworks governing sanctions, which can occur frequently. Training keeps staff at the cutting edge of a rapidly changing risk environment.
The Role of Third Parties in Assisting with Compliance
OFAC emphasizes the changes that organizations should make to internal culture, including to policies and procedures and additional resources. It also points to the importance of the involvement of third parties in supporting entities in building and maintaining robust sanctions compliance programs. Their support can help ensure these organizations are taking steps that are comprehensive, responsive to the risks identified, and flexible enough to respond to changes in law or regulation.
Such third parties can help build a compliance framework that includes policies and procedures tailored to the unique circumstances of an individual entity and its structure, products, and geographic footprint. As a result of the complexity of sanctions, organizations need a breadth of expertise to protect themselves. This need applies equally to conducting risk assessments.
Once a sanctions compliance program has its risk assessment and policies and procedures in place, external consultants can independently test effectiveness and implementation and help reinforce best practices through training. Complementing the education efforts of in-house compliance staff, third parties can leverage their up-to-date knowledge about the latest trends in sanctions enforcement and can provide written materials to supplement regular cycles of in-person training that reflect current regulatory priorities and emerging threats.
U.S. sanctions authorities will continue to signal their compliance expectations through enforcement actions. Organizations of all stripes should evaluate current programs against regulatory expectations and consider the established capabilities of third-party firms that have a track record of helping organizations build and maintain effective compliance programs.