I am in a multipart series on the Framework for OFAC Compliance Commitments (Framework). Every compliance professional of any stripe needs to read, understand and implement some of the key concepts of the Framework into their corporate compliance program. It does not matter if it's trade controls, anti-corruption or anti-money laundering (AML). This Framework has much to offer that you should consider. Mike Volkov has called it a “game-changer” and said, “Together with its aggressive enforcement of economic sanctions, OFAC has set a new standard for [sanctions compliance programs] SCPs, and has ‘strongly encourage[d]’ companies and individuals subject to OFAC jurisdiction to implement a ‘risk-based approach to sanctions compliance by developing, implementing and routinely updating a SCP.’” In this blog post we will consider Element 3 of the Framework, Internal Controls.
Not surprisingly under the Framework, it is necessary that an effective compliance program have internal controls, including policies and procedures, to prevent, detect, escalate and report compliance program compliance activity. Much to warm my heart, OFAC also specifies a key reason is to Document, Document, and Document these actions in any compliance regime. Internal controls are designed to define procedures and processes regarding trade sanction compliance and minimize the risks identified in your risk assessments.
The Framework recognizes the dynamic nature of compliance programs. It mandates that “policies and procedures should be enforced, weaknesses should be identified and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.” In other words, your compliance program should have the ability to adjust rapidly to changes.
Under the Framework, internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization, that perform several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; assisting an organization in ensuring the accuracy and completeness of its trade sanction information and data; enabling a business to produce reliable and timely management information; and helping an entity ensure there is adherence to its policies and plans by its employees, applicable third parties and others. They should be entity wide. For compliance purposes, controls are measures specifically to provide reasonable assurance that any assets or resources of a company are not sold to any prohibited party or shipped out to a designated country.
To implement effective internal controls, the Framework lays out seven prongs which should be met. They include:
- Written policies and procedures. Design and implement written policies and procedures outlining the compliance program. These policies and procedures should be relevant to the organization, capture your organization’s day-to-day operations and procedures and be set out in plain English and not legalese. It is interesting to see OFAC view policies and procedures as internal controls. This is analogous to the Securities and Exchange Commission (SEC) view that a Code of Conduct is an internal control in its enforcement action involving United Airlines and its former Chief Executive Officer (CEO) Jeff Smisek.
- Controls follow your risk assessment. Implement internal controls which sufficiently address the results of your organization’s risk assessment. In other words, your internal controls should enable you to prevent, detect, escalate and report compliance program compliance activity. It also requires calibration of the controls “in a manner that is appropriate to address its risk profile and compliance needs”. It is incumbent upon you to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a company. There is a clear need for rigor in your internal controls protocols, and adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel and entertainment expenses. Finally, you should routinely test your controls to ensure effectiveness.
- Testing of your controls. The effectiveness of and adherence to your policies and procedures should be tested through both internal and external audits. This process should allow you to compare the internal controls’ current or actual performance to their expected performance to determine whether they are meeting their objectives and using resources effectively. Moreover, it is a technique that businesses use to determine what steps need to be taken to move from their current state to their desired future state.
- Document, Document, and Document. Ensure that you document your policy, both design and retention, and adequately document your compliance program. You need to report your findings with the appropriate data and analysis presented, showing the strategic objectives, current standing, deficiencies, and whether the current situation is acceptable. Finally, all your analysis will be backed up with the data gathered during the analysis.
- When you learn of a lack of or the existence of a control weakness relating to trade compliance, take immediate and effective action, to the extent possible, to identify and implement controls until the root cause of the weakness can be determined and remediated. If the situation is unacceptable, you should present a course of action for improvement.
- You should clearly communicate your policies and procedures to all relevant staff, including compliance personnel, gatekeepers and business units operating in high-risk areas and to external parties performing compliance program responsibilities on behalf of your organization.
- Responsible Personnel. You must have personnel to integrate these policies and procedures into the operations of the organization. This includes relevant business units, and you must work to make sure that the employees in any high-risk areas understand your organization’s policies and procedures.
The internal control requirement under the Framework is not something new to the compliance practitioner. However, the seven prongs OFAC has laid out are a good way to think through the design, creation and implementation of your internal controls around trade sanctions.