Recent guidance brings OFAC in line with domestic and global compliance trends

Eversheds Sutherland (US) LLP

On May 2, 2019, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance titled “A Framework for OFAC Compliance Commitments” (Guidance), providing direction regarding what OFAC considers to be—or not to be—an effective compliance program. By increasing transparency about compliance deficiencies that OFAC finds problematic, and signaling the willingness to hold individuals accountable for compliance failures, the Guidance brings OFAC in line with existing trends both domestically and internationally. In essence, the Guidance further demonstrates the commitment among US regulatory and enforcement agencies to encourage the development of effective compliance programs here and abroad.

The Guidance has been issued by OFAC to encourage organizations subject to OFAC’s jurisdiction to adopt a risk-based approach to compliance by developing, implementing and routinely updating a sanctions compliance program (SCP). While OFAC indicates that each organization’s SCP should be tailored to its specific circumstances, it believes that all programs should at a minimum incorporate five essential components:

  1. Management commitment. Senior Management is expected to review and approve the organization’s SCP, to ensure that the compliance unit has sufficient authority and resources to carry out its mission and promote a culture of compliance—including by demonstrating the seriousness of any failures of the SCP.
  2. Risk assessment. Organizations should conduct regular risk assessments taking into account their client and customer base, the products and services they offer and the jurisdictions in which they operate. Organizations should also develop a methodology to analyze and address identified risks (for example, by looking to the OFAC Risk Matrix).1
  3. Internal controls. Organizations should develop policies and procedures that are easy to follow but sufficiently detailed to capture day-to-day operations. Policies should clearly be communicated to all relevant staff and procedures should be validated through audits. Immediate action should be taken when a weakness in the controls is
  4. Testing and auditing. Any audits must be carried out by personnel with sufficient authority and resources and who are accountable to Senior Management. The testing must match the level and sophistication of the organization’s SCP.
  5. Training. Training should be tailored to appropriately account for high-risk employees and the specific nature of the organization’s operations. Training should address any risks identified through the risk assessment and be repeated as frequently as needed to address negative audit results or newly identified risks.

Those familiar with Anti-Money Laundering (AML) rules and laws will recognize that many of these components correspond with the original four pillars of an AML/Bank Secrecy Act compliance program required by the USA Patriot Act and rules adopted by the Financial Crimes Enforcement Network (FinCEN) and other financial industry regulators.

The Guidance also includes a non-exhaustive list of 10 issues OFAC identified as “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions.” It is critical that organizations subject to OFAC’s jurisdiction be aware of and take into consideration these highly specific and targeted areas of concern, as such organizations are now deemed to be on notice that OFAC considers them to be problematic.

Specifically, OFAC identified the following as root causes of deficiencies: (1) failing to have a formal OFAC SCP; (2) operating under the mistaken belief that activities are not prohibited; (3) signing off on business opportunities between non-US locations and sanctioned countries, regions, or persons; (4) purchasing goods with the sole intent of re-exporting or selling to sanctioned countries, regions, or persons; (5) processing financial transactions related to commercial activity with sanctioned countries, regions, or persons; (6) failing to update sanctions screening processes to incorporate updates to the SDN list; (7) failing to conduct adequate due diligence on customers, supply chain, and counter-parties; (8) failing to consistently implement the SCP across various offices and/or business units in different jurisdictions; (9) failing to identify red flags when processing transactions; and (10) employing individuals who have played key roles in causing or facilitating violations of OFAC regulations.

The final root cause identified by OFAC relates to actions by individual employees or executives to facilitate violations. According to the Guidance, OFAC will consider using its enforcement authorities against the individuals in addition to the organization in such instances. The growing prospects of individual liability may have a particularly significant impact on future OFAC enforcement actions. The Guidance states that in several prior instances, OFAC has found non-US employees engaged in activities designed to hide their dealings with OFAC-sanctioned countries or parties, even with an SCP in place.

OFAC is not alone in exerting authority to help shape robust SCPs to achieve specific foreign policy or national security objectives—nor in targeting individuals, as well as organizations, to do so.

Domestically, there is a growing trend among government agencies to update guidance relating to compliance programs, with a focus not only on the design and application of a compliance program but also on its effectiveness. For example, the US Department of Justice (DOJ) recently updated its guidance on how prosecutors should evaluate compliance programs in the Foreign Corrupt Practices Act (FCPA) context, focusing on three key questions: (1) is the compliance program well-designed?; (2) is the program being applied earnestly?; and (3) does the compliance program work? Like the OFAC Guidance, the DOJ guidance seems focused on ensuring that the compliance programs work in practice and not just on paper.

The emphasis in the OFAC Guidance on potential individual liability is part of another emerging trend among US government agencies to hold individuals accountable as an incentive to ensure the effectiveness of a compliance program. Recent examples of enforcement action against individuals in the US include the following:

  • In April 2019, the US Securities and Exchange Commission (SEC) charged two former directors of investments at Woodbridge Group of Companies LLC for their roles in its massive Ponzi scheme. Although the two former directors were not registered in any capacity with the SEC, they were responsible for fraudulently raising at least $1.2 billion from more than 8,400 retail investors, many of them seniors, and together received more than $3 million in transaction-based and other compensation. 
  • In February 2019, the Financial Industry Regulatory Authority (FINRA) sanctioned two individuals, fining them $73,000 jointly and severally, and suspending them from association with any FINRA member in all capacities for 15 months and two years respectively, for making material omissions and a misrepresentation in connection with the sale of securities.
  • Also in February 2019, the DOJ charged two former executives of Cognizant Technology Solutions Corp. (Cognizant) for their role in a scheme to bribe one or more government officials in India. Cognizant itself was granted a declination by the DOJ in acknowledgment that it had a pre-existing compliance program and had even taken steps to enhance its program and internal accounting controls.

Internationally, individual accountability is also on the agenda for many financial regulators and enforcement agencies. The following examples demonstrate just some of the recent instances in which international regulators have issued fines against individuals:

  • In January 2019, the UK’s Financial Conduct Authority (FCA) imposed a landmark fine of £76 million against an individual for failing to act with integrity and failing to deal with the authority in an open and cooperative way. This followed the introduction of the Senior Managers Regime by the FCA in March 2016; a regime implemented in an effort to strengthen market integrity by making individuals more accountable for their conduct and competence.
  • In April 2019, the Securities and Futures Commission (SFC) in Hong Kong issued monetary fines of $300,000 and $200,000 (plus investigation and legal costs) respectively against the CEO and CFO of Fujikon Industrial Holdings Limited (Fujikon). The individuals admitted that they had been negligent, resulting in Fujikon’s breach of the requirements of the corporate disclosure regime (for which Fujikon was fined $1 million). This followed the introduction of the Manager in Charge Regime by the SFC in April 2017.
  • In May 2018, the Dubai Financial Services Authority (DFSA) imposed a $32,640 fine on a Vice President of Information Technology for reconfiguring computers required by the DFSA as part of their investigation. That individual was found to be uncooperative and engaged in conduct that obstructed the DFSA in its collection of information relevant to the investigation. The DFSA considered it appropriate to impose a monetary fine, in the circumstances.

It is also worth noting that in April 2018, the Monetary Authority of Singapore (MAS) issued a consultation paper on proposed guidelines for individual accountability and conduct. The MAS proposal seeks to clearly identify and delineate the responsibility of senior management and employees in material risk functions.

The willingness to scrutinize individual conduct by OFAC, in an effort to enhance financial market integrity and protect national security, brings the US sanction enforcement agency in line with other domestic and international financial regulators and enforcement agencies. The Guidance demonstrates a commitment by OFAC to provide more transparency and work collaboratively with organizations subject to the US sanctions regime by using “its enforcement authorities not only against violating entities, but against the individuals as well.”

Takeaway – The issuance of this Guidance, together with the recent DOJ guidance, should prompt organizations to review and test compliance controls and processes to consider their effectiveness, particularly in light of the helpful root cause deficiencies shared by OFAC. Organizations should also clearly communicate to executives and high-risk employees that they may be held individually accountable for any actions taken to deliberately avoid the SCP or otherwise facilitate business with sanctioned countries, regions, or parties.

________

1 The Annex to Appendix A to 313 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement Guidelines

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
