For financial institutions and businesses that are subject to the oversight of the Office of Foreign Assets Control (OFAC), compliance needs to be a priority in 2023. OFAC is playing an increasingly active role in overseeing financial transactions between U.S. and foreign entities in order to protect national security goals and foreign policy interests, and it is taking an increasingly active approach to enforcement against violations of its economic and trade sanctions programs as well.
So, what does it take to establish and maintain OFAC compliance in 2023? By far, the most important step for financial institutions and businesses is to implement an effective and custom-tailored OFAC compliance program. The Office of Foreign Assets Control (OFAC) makes clear that there is no “one-size-fits-all” approach to compliance; and, while it provides a variety of compliance resources, it expects entities to use these resources as starting points rather than goalposts for their own compliance program.
“Developing an effective OFAC compliance program in 2023 starts with assessing the financial institution’s or business’s specific compliance duties. All entities must develop and implement custom-tailored policies and procedures; and, in doing so, they must utilize OFAC’s guidance while also making an independent assessment of their legal and regulatory obligations.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
One of the compliance resources the Office of Foreign Assets Control (OFAC) has made available to financial institutions and businesses is A Framework for OFAC Compliance Commitments (the “Framework”). In this document, OFAC highlights “five essential components of compliance,” while also noting that these are not the only essential components of an effective OFAC compliance policy. These five essential components are:
- Senior management’s commitment to OFAC compliance;
- Conducting an OFAC risk assessment to determine the entity’s compliance needs;
- Establishing effective yet flexible internal controls that allow entities to systematically meet their compliance obligations as they change over time;
- Conducting tests and audits to re-evaluate compliance (and compliance needs) on an ongoing basis; and,
- Providing adequate and role-specific training to all internal personnel.
After discussing each of these five essential components of an OFAC compliance policy in greater detail, the Framework ends with a discussion of “root causes of OFAC sanctions compliance program breakdowns or deficiencies based on assessment of prior OFAC administrative actions.” As OFAC explains in the Framework:
“OFAC has finalized numerous public enforcement actions in which it identified deficiencies or weaknesses within the subject person’s [compliance program]. These [deficiencies and weaknesses] are provided to alert persons subject to U.S. jurisdiction . . . about several specific root causes associated with apparent violations of the regulations [OFAC] administers in order to assist them in designing, updating, and amending their respective [compliance programs].”
Addressing the “Root Causes” of OFAC Compliance Policy Breakdowns and Deficiencies
Thus, OFAC’s list of “root causes” is just as important as the other guidance it provides in the Framework (and in its other compliance resources, such as the Economic Sanctions Enforcement Guidelines and OFAC Risk Matrix in 31 C.F.R. Part 501). By highlighting common deficiencies and failures, the Office of Foreign Assets Control is putting financial institutions and businesses on notice of the mistakes they need to avoid. These mistakes include:
1. Lack of a Formal Sanctions Compliance Program (SCP)
Despite acknowledging that “OFAC regulations do not require a formal SCP,” OFAC nonetheless begins its list of root causes by highlighting the importance of written compliance policies and procedures. In the Framework, OFAC states that it “encourages organizations subject to U.S. jurisdiction . . . and particularly those that engage in international trade or transactions or [that] possess any clients or counter-parties located outside of the United States, to adopt a formal SCP.” Due to the complexities and varied aspects of OFAC compliance programs, a written, formal OFAC compliance policy is essential for financial institutions and businesses of all sizes.
2. Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations
OFAC identifies misinterpreting and misapplying its regulations as another common root cause of compliance program failures. This includes both intentional and unintentional interpretation and application mistakes. As the agency explains, “several organizations have failed to appreciate or consider (or, in some instances, actively disregarded) the fact that OFAC sanctions applied to their organization . . . [and w]ith respect to this specific root cause, OFAC’s administrative actions have typically identified additional aggravating factors, such as reckless conduct, the presence of numerous warning signs . . . , awareness by the organization’s management of the conduct at issue, and the size and sophistication of the subject person.”
3. Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)
Noting that this root cause also frequently results from misinterpretation or misapplication of its regulations, OFAC warns that facilitating transactions by non-U.S. persons is a common issue that can lead to enforcement action. It advises that entities with “integrated operations, particularly those involving or requiring participation by their U.S.-based headquarters, locations, or personnel,” should address all of their financial and commercial activities in their OFAC compliance policies. This includes activities such as contracting and procurement, among others.
4. Exporting or Re-Exporting U.S.-Origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries
Exporting and re-exporting are commercial activities that entail a host of federal legal and regulatory requirements. These include requirements enforced by OFAC. While OFAC notes that its enforcement actions in this area have generally focused on large and sophisticated companies that engaged in willful or reckless conduct, it also makes clear that it expects all entities to thoroughly address the federal export and re-export laws and regulations in their compliance programs.
5. Utilizing the U.S. Financial System, or Processing Payments to or Through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries
One of the core concerns that financial institutions must address in their OFAC compliance policies is the risk of facilitating transactions that involve blocked entities—whether through exporting, re-exporting, or other means. As OFAC notes, unlawfully facilitating transactions that involve sanctioned countries, companies, and individuals is a common issue, and it is an issue that financial institutions should be able to avoid through effective compliance program documentation and administration.
6. Sanctions Screening Software or Filter Faults
While many entities rely on screening software to prevent transactions prohibited by OFAC sanctions, as OFAC notes, this approach presents several risks. Among others, these include the risk of failing to update the entity’s software when OFAC adds entities or individuals to the SDN List or SSI List, failing to include SWIFT Business Identifier Codes and other pertinent identifiers, and failing to account for alternate spellings. Here, too, all of these are risks that financial institutions and businesses can—and should—address through the process of developing a comprehensive OFAC compliance policy.
7. Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings)
According to OFAC, “[o]ne of the fundamental components of an effective OFAC risk assessment and SCP is conducting due diligence on an organization’s customers, supply chain, intermediaries, and counter-parties.” However, as OFAC also notes, several of its recent enforcement actions have involved due diligence failures, including failure to fully investigate customers’ ownership, geographic locations, and counter-parties. Financial institutions’ and businesses’ OFAC compliance policies should include protocols for comprehensive due diligence as well as procedures designed to ensure that these protocols are followed consistently.
8. De-Centralized Compliance Functions and Inconsistent Application of an SCP
In its Framework, OFAC emphasizes the importance of appointing an OFAC compliance officer who is responsible for oversight and enforcement of a financial institution’s or business’s OFAC compliance policy. In its list of root causes, OFAC notes that “several organizations . . . have committed apparent violations due to a decentralized SCP, often with personnel and decision-makers scattered in various offices or business units.” This underscores not only the importance of having a comprehensive and custom-tailored OFAC compliance policy, but also the importance of effective, organized, and systematic implementation.
9. Utilizing Non-Standard Payment or Commercial Practices
One of the key functions of an OFAC compliance policy is standardization. By following documented protocols and procedures, financial institutions and businesses can ensure that their transactions and other commercial activities remain in line with OFAC’s rules, restrictions, and requirements. Conversely, OFAC notes that not only do non-standardized practices present risks for compliance failures, but they are also often viewed as red flags for “attempting to evade or circumvent OFAC sanctions or conceal [illicit] activity.”
10. Individual Liability
Finally, OFAC underscores the importance of internal training and enforcement by noting that “[i]n several instances, individual employees—particularly in supervisory, managerial, or executive-level positions—have played integral roles in causing or facilitating violations.” Thus, not only is effective OFAC compliance policy implementation critical, but ongoing auditing, monitoring, and enforcement are critical as well.
As you can see from this list, OFAC scrutinizes all aspects of financial institutions’ and businesses’ compliance policies and procedures—and it expects institutions and businesses to maintain strict compliance in all aspects of their operations. By addressing these root causes of compliance breakdowns and deficiencies proactively (but not exclusively), institutions and businesses can significantly mitigate their risk of facing OFAC enforcement action in 2023 and beyond.