The guidance (12-page / 138KB PDF) is aimed at US companies as well as foreign entities conducting business in the US or using goods or services originating in the US. It sets out OFAC’s expectations for effective SCPs, and includes five components which OFAC said were essential: management commitment, risk assessment, internal controls, testing and auditing, and training.
Senior management commitment was essential and senior managers should promote a culture of compliance throughout an organisation, OFAC said.
It said risk assessment should consist of a holistic review of the organisation, assessing touchpoints to the outside world, and be carried out often enough to adequately account for any potential risks. Internal controls should make sure that the organisation is able to adjust rapidly to changes published by OFAC.
The document outlines how OFAC would incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements. It also includes an appendix that offers a brief analysis of some of the root causes of apparent violations of US economic and trade sanctions programmes OFAC has identified during its investigative processes.
OFAC noted that every SCP would vary depending on a company’s size, location, products and customers, but the five key components should be the basis of an effective programme.
Compliance expert Rebecca Devaney of Pinsent Masons, the law firm behind Out-Law.com, said: “The overall approach expected is risk-based and the principles in the framework can be applied to mitigate the risk of committing a wider range of corporate crimes. The principles are not dissimilar to those set out in the Ministry of Justice's guidance on adequate procedures to prevent bribery.
“Not only will having an SCP in place mitigate the risk of committing sanctions offences, it can also mitigate the level of penalty imposed in the event of a breach. OFAC has indicated that it will consider the existence of an SCP at the time of any violation in enforcement proceedings and where an effective SCP is in place, this may mitigate a civil monetary penalty imposed,” Devaney said.
OFAC said it could also consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious.”
The guidance also includes a list of root causes of SCP breakdowns and deficiencies based on OFAC’s previous enforcement actions. OFAC said these were included to help companies design or update their own SCP.
The causes include the lack of a formal SCP; misinterpreting the applicability of OFAC’s regulations to an activity or transaction; facilitating dealings between an organisation’s non-US locations and a sanctioned jurisdiction; re-exporting goods or services to a region subject to sanctions; conducting improper due diligence; or using the US financial system to carry out transactions involving sanctioned countries.
OFAC said it had identified numerous examples of situations where these deficiencies had been the cause of violations of sanctions regulations.