For the first time, the US Office of Foreign Assets Control (OFAC) has reached out to provide guidance to firms on creating and maintaining an effective sanctions risk mitigation framework. The guidance is primarily based on the essential criteria which OFAC regards as the tools necessary for firms to achieve their business aims, whilst also mitigating the inherent sanctions risks facing them.
Who does this apply to?
If your business trades in US dollars, is affiliated with a US company, involves a US person in the payment chain, transacts in the supply of any US origin goods and/or uses US products, then this is relevant to you. You could potentially be facing US enforcement risk from OFAC and therefore need to be fully aware of your obligations.
What does the guidance say?
The guidance requires that each firm's framework be founded on the principles of a risk-based approach, beginning with an initial sanctions risk assessment which, in outlining specific risks, allows for the implementation of effective mitigating controls; the framework is then to be constantly evolved and updated on an ad hoc basis.
The framework states that firms that are compliant with OFAC’s expectations, and that thus utilise an effective sanctions risk mitigation framework, will ultimately benefit when subject to subsequent enforcement proceedings (for example, where apparent violations have been identified).
A Five Pillar Approach to Best Practice
Despite OFAC’s focus on its own unilateral sanctions regimes, the framework nevertheless lends itself to use as a best-practice checklist which all firms may utilise to ensure compliance with non-US sanctions. To that point, OFAC recommends that firms consider the following five essential components within their sanctions risk mitigation framework:
- Management commitment to compliance should be a top-to-bottom approach across the firm, and senior management should encourage a whole-firm culture of compliance. Management should ensure that the firm has adequate resources dedicated to the compliance department in order to effectively mitigate sanctions risk. OFAC also reminds firms of the importance of having a nominated person for the oversight of a firm’s AML/CTF and sanctions risk mitigation framework (in the UK, this would typically be the MLRO).
- Risk assessment is an essential component relating to the design and implementation of an effective sanctions risk mitigation framework. This should generally consist of a holistic review of the organisation from top-to-bottom to assess its touchpoints to the outside world and will allow the organisation to identify potential areas in which it may, directly or indirectly, engage with sanctioned persons, parties, countries, or regions.
- Internal controls, including policies and procedures, should be in place in order to identify, escalate, report (as appropriate) and keep records pertaining to any activity that may be prohibited. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to sanctions compliance and to minimise the risks identified in the risk assessment.
- Testing and auditing should be conducted in order to ensure the comprehensive, independent, and objective assurance of a firm’s sanctions risk mitigation framework; this should cover where and how its programs are performing and whether they should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as appropriate. It also allows for the identification of program weaknesses and deficiencies and enables the subsequent remediation of such compliance gaps.
- Training is an integral component of a successful sanctions risk mitigation framework and should generally provide role-specific knowledge, communicate responsibilities and ultimately hold employees accountable for sanctions compliance.
Root Causes of Sanctions Failures
Interestingly, OFAC also sets out an additional, non-exhaustive list of root causes that frequently lead to weaknesses within a firm’s sanctions risk mitigation framework. The list reinforces the need for a root cause analysis of existing and potential sanctions threats to the firm; early detection allows for mitigation and thus reduces the firm’s risk of regulatory repercussions.
The root causes of apparent sanctions failures and violations include the following:
- Lack of an effective formal sanctions risk mitigation framework;
- Misrepresenting, or failing to understand the applicability of, OFAC’s regulations;
- Facilitation of transactions by non-US persons (including through or by overseas subsidiaries);
- Exporting or re-exporting US-origin goods, technology or services to OFAC sanctioned persons or countries;
- Sanctions screening software or filter faults;
- Improper due diligence on customers/clients;
- Inconsistencies regarding the application of internal systems and controls; and
- Individual liability of employees within the firm who play a key role in causing or facilitating a sanctions breach (either through negligence or as bad actors).
Essential Guidance for An Effective Sanctions Risk Mitigation Framework
All-in-all, OFAC’s guidance is an essential document for firms to ensure that they formulate and implement an effective, compliant and risk-specific sanctions risk mitigation framework across their business.
If you are interested in getting help or backup for your sanctions compliance programme, or require independent assurance or an understanding of the applicability of OFAC’s regulations, let’s start a conversation today. Book a free consultation with Philip Creed, Director of Fincrime.