New Guidance from OFAC: A Framework for OFAC Compliance
Last year, OFAC signaled that it would be issuing much-anticipated guidance for companies on building sanctions compliance programs and, on May 2, 2019, OFAC delivered.
"A Framework for OFAC Compliance Commitments" (the Framework) sets forth OFAC's view of the elements of an effective compliance program. In the buildup to publishing the Framework, OFAC increasingly had included compliance-related guidance in its public settlement documents and enforcement notices, much of which is reproduced and highlighted in the Framework as "root causes" of sanctions violations.
OFAC makes clear that its Framework is not "one sizes fits all." Rather, the Framework recognizes that each company's program should be based on a comprehensive assessment of risks in the company's business, and adequately tailored to address those specific risks. While a company does not violate any law or regulation if it fails to follow the Framework guidance, in the event a company is involved in an OFAC violation, its failure to follow the guidance will have a detrimental impact on the both the form of resolution with OFAC and the severity of the penalty. Further, a company adhering to the guidance also may stand a lower risk of becoming involved in an OFAC violation. In any event, a company that appears before OFAC in settlement discussions will need to convincingly explain whether, how and why its program deviates from the Framework as the Framework most likely will become a "checklist" that may be mechanically applied by OFAC to test compliance programs. The Framework is built around five "essential components": (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
OFAC indicates that it will apply the Framework in enforcement cases in three situations. First, after determining that a civil monetary penalty is appropriate, OFAC will use the Framework to determine which elements of the Framework the company will need to incorporate in its compliance program in conjunction with the settlement. Second, OFAC will use the Framework to evaluate mitigating factors warranting a reduction in penalty under OFAC's Enforcement Guidelines, including whether the company had an effective compliance program at the time of the violations or whether the company's remediation efforts warrant mitigation. Finally, OFAC will use the Framework when evaluating whether the case involves "egregious" sanctions violations.
The Framework is useful in determining what OFAC considers necessary for an effective sanctions compliance program. However, its key value may be when there is a compliance failure. In that situation, the Framework provides a script for settlement discussions with OFAC and a measurement tool for assessing potential penalties, including aggravating and mitigating factors that OFAC will weigh in the balance.