The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is known for imposing hefty penalties for violations of US economic sanctions, with individual violations amounting to up to US $295,141 or twice the value of the transaction, whichever is greater, per prohibited transaction, and overall penalties sometimes running into the hundreds of millions, or even billions, of dollars.

Despite this, OFAC historically has not provided much guidance for companies on the expected elements of an effective OFAC compliance program.  OFAC regulations do not specifically require a sanctions compliance program, but OFAC’s Enforcement Guidelines provide that OFAC will take into account the “existence, nature, and adequacy” of a company’s “risk-based” sanctions compliance program in deciding whether to impose a penalty and, if so, the amount of such a penalty.  Treasury has provided limited guidance directed specifically to financial institutions, but industry often found itself reading between the lines of OFAC’s enforcement actions for guidance.

That has changed in recent months. In December 2018, Treasury Under Secretary for Terrorism and Financial Intelligence, Sigal Mandelker, gave public remarks detailing specific elements that Treasury expects to see in an effective sanctions compliance program for all U.S. companies. These include:

  1. Ensuring senior management commitment to compliance;
  2. Conducting frequent risk assessments to identify and mitigate sanctions-specific risks within an institution and its products, services, and customers;
  3. Developing and deploying internal controls, including policies and procedures, in order to identify, interdict, escalate, report, and maintain records pertaining to activity prohibited by OFAC’s regulations;
  4. Engaging in testing and auditing, both on specific elements of a sanctions compliance program and across the organization, to identify and correct weaknesses and deficiencies; and
  5. Ensuring all relevant personnel, particularly those in high-risk areas or business units, are provided tailored training on OFAC obligations and authorities in general and the compliance program in particular.

Under Secretary Mandelker promised that OFAC would be providing further information on the expected elements of sanctions compliance programs, including as a feature of future OFAC settlement agreements. In accordance with this promise, OFAC in recent enforcement actions has raised and elaborated on these elements. For example, in its December 2018 settlement with Zoltek Companies, Inc. (“Zoltek”), OFAC explained that “[e]ffective sanctions compliance programs have policies, procedures, and controls designed to identify prospective and in-process transactions, as well as customers and counter-parties, for potential OFAC issues, as well as mechanisms designed to adequately respond to warning signs and raise sanctions-related issues to a sanctions compliance officer or point-of-contact.” Zoltek also agreed to various undertakings organized around the specific elements identified above. As part of its “Management Commitment” obligations, for example, Zoltek agreed to provide appropriate human capital, information technology, and other resources to its OFAC compliance program, and to expand a Director of Global Compliance position to include US sanctions issues.

Likewise, in its March 2019 settlement with Stanley Black & Decker, Inc. (“Black & Decker”) and a Chinese subsidiary, Black & Decker committed, in accordance with the elements above, to: (1) have senior management establish a “culture of compliance” that empowered sanctions compliance personnel; (2) conduct regular risk assessments to ensure that its internal controls appropriately mitigate the entity’s sanctions-related risks; (3) conduct regularized audits; and (4) provide ongoing sanctions compliance training. OFAC also noted that foreign acquisitions pose “unique risks,” and explained its expectation that U.S. companies will conduct substantive sanctions-related diligence before and after mergers and acquisitions, including “appropriate steps to audit, monitor, and verify newly acquired subsidiaries and affiliates for OFAC compliance.” OFAC in particular encouraged U.S. companies to consider “[t]esting of compliance procedures and timely auditing of subsidiaries” to mitigate sanctions risks from such events.

OFAC’s articulation of specific elements it expects to see in OFAC compliance programs for all U.S. companies, not merely U.S. financial institutions, is consistent with another trend that emerges from its enforcement over the past few years: an increasing focus on actions against non-financial companies. All five of 2019’s enforcement actions to date have been against non-financial institutions, more than 70% of the enforcement actions in 2018 and 2019 were against non-financial institutions, and the largest aggregate sanctions-related penalty in the last three years was assessed against a non-financial institution.

Practical Considerations

All U.S. companies, and non-U.S. companies with any form of U.S. exposure, should be considering whether they have a comprehensive program for compliance with OFAC sanctions and whether it contains the specific elements OFAC has said it expects. This is especially important for non-financial companies, which in the past have had less guidance for their programs and faced less enforcement but are now increasingly the subject of enforcement.

OFAC’s recent actions also point to the need for an enterprise-wide approach to sanctions compliance, one that addresses not only U.S. affiliates but also the activities of non-U.S. affiliates and recently acquired subsidiaries.  In particular, more than half of OFAC’s enforcement actions in 2019 have involved activity undertaken by a recently acquired affiliate.  OFAC expects that acquiring companies not only will conduct sufficient due diligence to identify potential sanctions exposure prior to acquisition, but, critically, that they will implement a post-closing control framework—including policies, training, and audits—that ensures that any problematic activity has in fact stopped.  This requires the sanctions compliance team to be treated as an active part of the acquisition diligence team and to be given the resources necessary to immediately bring a new acquisition up to the same enterprise-wide risk management standards.
