Recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments” to help organizations take a risk-based approach to developing a sanctions compliance program (SCP).
Entities like the Wolfsberg Group and the Financial Crimes Enforcement Network (FinCEN) have released similar guidance in the past, but issuing an official SCP framework is new territory for OFAC. OFAC’s motivation for publishing the framework is unclear, but it could be the seemingly record-setting pace for enforcement cases in 2019. OFAC has levied more than $1.2 billion in civil penalties against businesses so far this year.
It’s important to remember that a one-size-fits-all SCP doesn’t exist. Each program will vary depending on several factors, including an organization’s size, line of business, geographic location and customers. However, the OFAC framework recommends every SCP should focus on these five essential components of compliance:
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing and Auditing
- Training
So how should your organization incorporate ideas from the framework? Here are five specific takeaways, based on the five compliance components above, that you can implement right away to improve your OFAC compliance efforts.
Management Commitment: Identify an OFAC Compliance Officer
Identifying an OFAC compliance officer who can serve as a compliance linchpin and promote a “culture of compliance” throughout your entire organization is crucial to the success of your SCP.
This is someone you can hire or promote from within if you have a qualified internal candidate. The OFAC officer will fuel leadership’s engagement every step of the way, ensure employees are properly trained and continuously monitor your SCP for deficiencies.
Risk Assessment: Don’t Re-invent the Wheel
Risk assessments can be scary and daunting, but they don’t have to be. Your risk assessment should inform due diligence efforts during events like onboarding and mergers and acquisitions, so chances are you already have a decent risk assessment in place.
Remember, the OFAC framework says there is no such thing as a universal SCP that works for all organizations. Build the assessment around your organization’s parameters, making sure to include specific clients, products, services and geographic locations. Take a look at OFAC’s risk matrices to make sure your risk assessment is configured correctly.
Internal Controls: Mind Compliance Gaps with Tech
According to the framework, “An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.” As you complete your risk assessment, identify any potential gaps in your OFAC compliance efforts and look to incorporate controls that will remediate those shortcomings.
Your SCP must adjust rapidly when the Treasury Department issues OFAC updates. In other words, if you’re using a manual process to scan OFAC lists, it’s time to look for an automated solution that can keep up with OFAC changes and your business environment.
You should be able to customize your screening solution based on your organization’s unique needs. Make sure your transaction thresholds are set properly and that you understand how the algorithms work and how matches are returned. Be sure to audit your solutions regularly to ensure proper calibration.
Testing and Auditing: Always Be Checking
Speaking of regular audits, testing and auditing your SCP at least once a year should be a no-brainer, yet this is a deficiency we keep hearing about from regulatory agencies.
The negative effects that a lack of testing can have on an organization are evident when you scroll through any list of OFAC violations and enforcement actions. However, scrolling through that list can also inspire good ideas for testing your SCP, in addition to any inadequacies you may identify in your risk assessment.
Sanctions change almost every day, and it’s up to you to stay on top of the changes and make sure your screening solution’s thresholds and settings are set to yield accurate results.
Training: Can You Be More Specific?
Training is a critical aspect of any compliance program. However, training is not nearly as effective when it isn’t tailored to specific jobs.
For example, a front-line teller who processes wire transactions or accepts deposits needs to know how OFAC regulations tie into these specific scenarios—and understand what can happen if they complete a transaction for someone on a watch list.
Provide training to all appropriate employees and personnel on a periodic basis (annually, at a minimum). Your training program should:
- Provide job-specific knowledge based on need
- Communicate the sanctions compliance responsibilities for each employee
- Hold employees accountable for sanctions compliance training through assessments
If you’re found engaging in business with parties on the OFAC SDN List, even inadvertently, your organization could be hit with massive penalties. Using the above takeaways to build a comprehensive SCP is an excellent way to ensure your organization steers clear of such infractions.
Amber Goodrich, compliance strategist for CSI Regulatory Compliance, has more than 15 years of financial industry experience. She is a Certified Anti-Money Laundering Specialist (CAMS) and a Certified Regulatory Compliance Manager (CRCM).