OFAC’s new Framework for Sanctions Compliance Programs incorporates a number of important principles from Justice Department and US Sentencing Guideline requirements for effective compliance programs.
Today, I am going to review the requirements relating to two elements: Testing and Audits, and Training.
Testing and Audits
OFAC requires companies to assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within a sanctions compliance program (SCP) ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.
Under this element, a company has to implement three specific measures:
Training
OFAC observed that “[a]n effective training program is an integral component of a successful SCP.” A training program should be “tailored to an entity’s risk profile and all appropriate employees and stakeholders.” Companies have to conduct training for relevant employees and personnel on a periodic basis (and at a minimum, annually).
To meet this requirement, companies have to satisfy five basic criteria: