Earlier this month, OFAC published guidance on compliance commitments. The full name is A Framework for OFAC Compliance Commitments and you can access it by clicking the foregoing hyperlink.
OFAC lists the following 5 essential components of compliance:
- Management Commitment: OFAC stresses the importance of a “culture of compliance” that is built from the top down. Allocation of “adequate resources” to the organization’s compliance department is also emphasized. While there is no “one size fits all” approach, OFAC indicates that it expects to see dedicated and qualified staff tending to the organization’s compliance needs.
- Risk Assessment: This one is probably not new – OFAC advises that companies take a risk-based approach to designing and updating their sanctions compliance program (SCP). A risk assessment to identify potential OFAC compliance issues should be performed to understand, holistically, the organization’s risk profile. The Framework refers to OFAC’s Risk Matrix, found in the Annex of Appendix A of the Guidelines, for use in evaluating an organization’s compliance program. Third party due diligence should track the risk assessment. M&A activities, in particular, “have presented numerous challenges with respect to OFAC sanctions” in recent years.
- Internal Controls: Policies and procedures should be in place and in line with the risk assessment findings.
- Testing and Auditing: OFAC calls for independent testing and auditing to assess the effectiveness of an SCP. OFAC emphasizes that it is the organization’s responsibility to update and enhance its SCP.
- Training: Finally, OFAC sets out its expectations with respect to sanctions-specific training. Training should be conducted periodically, for appropriate staff.
This guidance is new to OFAC but will probably not be completely surprising to seasoned practitioners who are familiar with similar requirements in other areas, such as the DOJ’s publications of expectations on corporate compliance programs in the context of white collar crime enforcement.
This is a summary of the guidance. For much more detail, click here for the full publication.