After an unusually quiet year bringing enforcement cases in 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has assumed an unprecedented pace in 2019 – since January 31, OFAC has announced 14 settlements for violations of U.S. sanctions laws, an average of one per week. The settlements have been as large US$639,023,750 for 9,335 distinct violations, and as small as US$13,381 for just six, and have targeted major international financial institutions and modest, privately held companies alike – underscoring that no potential violations are too big or too small to escape OFAC’s interest.

There has been a method to the madness, however, which is reflected in the admonitions OFAC has included in its recent enforcement settlements. Famously averse to spelling out compliance expectations and best practices, OFAC has begun, via the public notices that accompany its enforcement cases, to identify specific deficiencies and risk factors that it expects companies to account for. Indeed, as the relatively small size of some recent monetary settlements suggests, public notices setting out compliance expectations are often the point (from OFAC’s perspective) of a particular enforcement action, and can be as impactful as an actual monetary penalty. OFAC further underlined its expectations on May 2, 2019, when it published A Framework for OFAC Compliance Commitments (the “Framework”), which identified the five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.

Read together, OFAC is establishing firm benchmarks that companies both in and outside the United States must pay attention to in drafting and implementing sanctions compliance policies:

• All companies are expected to develop a sanctions compliance program (“SCP”). Yes, virtually all. In its Framework, OFAC “strongly encourages organizations subject to U.S. jurisdiction as well as foreign entities that conduct business in or with the United States, U.S.-origin goods or services” to develop a risk-based SCP (emphasis added). OFAC has identified the lack of a formal or effective SCP as an aggravating in several enforcement cases this year, and no consideration is likely to be given to a company’s minimal touchpoints to the United States if a violation is uncovered. Conversely, the Framework does say that OFAC will “consider favorably subject persons that had effective SCPs at the time of an apparent violation.”
• SCPs should be tested and audited to ensure they are implementable and effective at a working level. As OFAC states in its Framework, testing and auditing procedures must be “appropriate to the level and sophistication” of a company’s SCP, and should be calibrated to ensure any weaknesses or deficiencies are identified. That includes an independent and objective assessment of whether an SCP exists on more than paper. For instance, OFAC has cited “ineffective” compliance programs as an aggravating factor in an enforcement case. Similarly, in a recent settlement involving a major (non-U.S.) financial institution, OFAC found that the bank’s compliance program was “inadequate to manage the bank’s risk and suffered from multiple systemic deficiencies.”
• Senior management must empower and allocate adequate resources to compliance officers. OFAC has credited companies with taking remedial measures to increase their compliance staffing and budget. For instance, in one recent enforcement case OFAC cited the appointment of a dedicated sanctions compliance officer as a mitigating factor. In another case, OFAC approvingly noted the appointment of a Head of Trade Compliance reporting directly to Group General Counsel. Conversely, OFAC has cited “inadequate” sanctions compliance programs as an aggravating factor, and in one recent case, the use of deficient screening software was identified as the root cause of the violation.
• Risk assessments should be regularly updated, especially before merging with or acquiring new businesses. The basis of any SCP is a risk-assessment that identifies a company’s specific risks, taking into account the profile of its customers, supply, and distribution chains; the products and services it sells, and where it does business. In its Framework, OFAC states that a risk assessment should “generally consist of a holistic review … and assess […] touchpoints to the outside world.” As a company’s business profile changes, so will its risk assessment. This is never more critical than when merging or acquiring new businesses, as made clear by several recent enforcement cases, as the acquiring entity assumes its subsidiaries liability but also its risk profile. For instance, despite recently penalizing a U.S. parent entity for the actions of its non-U.S. subsidiary, OFAC did cite approvingly to the U.S. parent’s extensive “preventative” conduct in updating its SCP during the due diligence process prior to acquisition.
• Newly acquired entities, especially those outside the United States or operating in high-risk jurisdictions, should be regularly audited. A U.S. acquiring entity’s obligations are not fulfilled simply by updating its risk assessments, however. As OFAC states in its Framework, “after [a merger or acquisition] transaction is completed, the organization’s Audit and Testing function will be critical to identifying any sanctions-related issues.” For instance, when one U.S. company acquired a European entity in 2012, it required it to cease all of its Cuba business. Nonetheless, such business continued, and OFAC held the U.S. parent liable for failing to conduct regular audits of its European subsidiary. In another recent case, OFAC alleged the U.S. acquirer was liable even though it trained and secured written commitments from its Chinese subsidiary not to engage in Iran business.
• U.S. companies with non-U.S. operations have heightened obligations to ensure they are not facilitating transactions. The risk of an OFAC violation increases as U.S. companies acquire or establish operations outside the United States. As OFAC notes in its Framework, this can be due to a number of factors – including difficulties in integrating compliance cultures and the lack of a centralized compliance function. However, it can also be because of an over-centralization of certain functions. For instance, in one recent enforcement case the U.S. parent was held liable for processing funds transfers relating to its Turkish and Chinese subsidiaries’ business with sanctioned vessels. In this case, it was the U.S parent’s centralized accounting function that precipitated the violation.
• Trainings should be tailored to business risk and to employees at every level of the company – as well as other stakeholders. In its Framework, OFAC indicates that periodic trainings should be provided to all “appropriate” personnel and, “as appropriate, stakeholders.” However, it also emphasizes that trainings should be “further tailored to high-risk employees within the organization,” which suggests that – as with SCPs more generally – there is no one-size-fits-all solution. For instance, in a 2018 settlement with a major non-U.S. bank, OFAC cited approvingly to its development of both a “comprehensive training regime for employees” across the company as well as “targeted, in-person training for employees with a higher-risk of exposure to sanctions-related transactions.” Companies should also consider mandating such trainings for high-risk suppliers, as did one recent target of an enforcement action after OFAC alleged it was liable for indirectly procuring North Korean products through its Chinese suppliers.
• Supply chains and distribution chains should be audited. It’s not just a company’s SCP that needs to be audited. As OFAC states in its Framework, as part of developing internal controls capable of identifying, interdicting, escalating, and reporting potential violations, a company should ensure that it is enforcing its policies through internal and/or external audits. In a recent enforcement case, OFAC introduced the concept of “full spectrum supply chain due diligence” when sourcing products from high-risk regions such as China. OFAC went on to state that such steps “could include, but are not limited to, implementing supply chain audits with country-of-origin verification.” Although that specific case involved a supply chain, companies should also consider taking similar measures when utilizing overseas distributors.
• Warning signs should be taken seriously by senior management. In its Framework, OFAC emphasizes that senior management should ensure direct reporting lines between the SCP function and senior management, and that employees must feel empowered to report misconduct without fear of reprisal. However, as several recent enforcement cases make clear, senior management must also act upon such warnings – whether they are raised internally or externally. For instance, in one recent enforcement case, the company’s internal investigation revealed that two reports to the ethics helpline regarding sales to Cuba led the relevant manager to seek assurances from an intermediary company and remind employees of their compliance obligations, but did not result in a full investigation. In another, OFAC faulted the company for “repeatedly ignoring warning signs that its conduct constituted or likely constituted” a violation, such as when banks refused to process an incoming payment involving an entity on the Sectoral Sanctions Identifications List.
• Individual employees should be held accountable. In its Framework, OFAC emphasizes that in several instances, “individual employees – particularly in supervisory, managerial, or executive-level positions – have played integral roles in causing or facilitating” OFAC violations. Although it has never targeted individual officers, directors, or employees in an enforcement action, OFAC warned that it will “consider using its enforcement authorities not only against the violating entities, but against the individuals as well.” This continues an emerging theme – in conjunction with one enforcement case earlier this year, OFAC sanctioned (but did not target for enforcement) the manager of the Turkish subsidiary alleged to be responsible for the prohibited conduct. And in several other enforcement matters, OFAC has cited (or required, by the terms of its settlement agreements) the firing or demotion of individual employees.