Building an OFAC Compliance Program For Your Company

Although OFAC does not strictly require compliance programs as part of the economic sanctions regulations, it does recommend them and expects sophisticated actors to have procedural safeguards in place. The Office of Foreign Assets Control has repeatedly expressed that the core elements of a compliance program include the following:

  • Risk assessment
  • Internal controls
  • Testing/Audits
  • Responsible persons in charge (i.e., appointed compliance officers), and
  • Training

When building an appropriate compliance program, we look at the type of business that the company or individual is conducting and, from that point, determine the best ways to implement the different steps necessary in a compliance program.

Risk Assessment

Compliance programs often start with the risk assessment that a company has on file, often prepared by compliance counsel, which identifies the types of transactions that warrant a higher level of scrutiny from employees and processes within the company. A risk assessment can help identify which areas require higher standards of internal controls.

A risk assessment will look at a company’s:

  • Size and Location
  • Customer Base
  • Partners, Brokers, Agents, Intermediaries, and Suppliers
  • Products and Services Offered
  • Transactions (e.g., complexity, amount of cross-border transactions, etc.)

Internal Controls

Internal controls are the policies and procedures in place to ensure that transactions conform to the sanctions regulations. For instance, the names, parties, locations, addresses, and even details such as employer identification numbers must be collected from potential customers and screened appropriately.

Policies should focus on creating a culture of compliance and broad directives that clearly communicate the company’s policy to strictly adhere to the rules.

Procedures should focus on creating clear step-by-step instructions for each process that are easy to follow and that fit the policy objectives.

Testing and Audits

It is also very important, when a company installs interdiction software or implements training policies and procedures, to test and audit the efficacy of its procedures. By looking at the enforcement actions taken by OFAC over the last decade, you can see that many companies and banks violate economic sanctions not out of any willfulness, but simply because their compliance program was lacking.

For this reason, companies should seek to work with someone who can create a tailored compliance program appropriate to the size and nature of the business. As your business changes, it is critical to ensure that your compliance program changes accordingly. By putting testing and audit steps into place, you can ensure that no deficiency on the part of the program results in an inadvertent violation of the sanctions.

OFAC recommends independent testing and auditing of the entire system on a routinely scheduled basis.

Designating a Compliance or Risk Management Officer

It is necessary to have responsible persons in charge of the different compliance aspects of a sanctions compliance program. For large companies, this may mean hiring a compliance officer or instituting a compliance division as part of the risk management of the company. For smaller and mid-size companies, it may be more appropriate to choose certain officers or managers who are already part of the business to be responsible for the sanctions compliance program. It is important to assign responsibility so that the person can be appropriately trained and can take the necessary steps, such as quarterly testing, so that someone is keeping a constant eye on the sanctions compliance program and evaluating its efficacy.

OFAC Sanctions Compliance Training

Proper screening training often involves training employees on how to use the sanctions list. At times, when companies are dealing with a high volume of transactions, they may want to make the investment into interdiction software. Interdiction software allows companies to automatically screen for high-risk entities. Although sometimes it can be expensive, it may save a company from even more expensive fines.

When implementing a compliance program, it is imperative to work with counsel who understands employee training. When working with clients on instituting a compliance program, our firm often sets up multiple tiers of training. One tier of training may be for all types of general employees, so that everybody knows that when certain things occur, they should take the appropriate steps to report them to the individuals in charge, who can take suitable actions regarding any potential, apparent, or past sanctions violations.

On the other hand, there should be increased specific training for divisions that often deal with the type of information that must be evaluated according to the United States economic sanctions regulations. For instance, staff in accounting or invoicing departments who often look at customer information should have training on how to screen those names.

Finally, it is important for the responsible persons in charge, and often for management across the board, to have another level of training so they understand, on a higher level, the policies and procedures that are in place. They need to know what to do if someone approaches them with information about a potential sanctions violation. A compliance program is an incredibly important step in a company’s growth as an international business.