No Sanctions Compliance Program? Expect Significant OFAC Penalties
Settlement announcements from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) generally reflect the agency’s enforcement prioritization and sanctions compliance expectations. The two most recent enforcement actions indicate that OFAC continues to target companies that operate without sanctions compliance programs. Although robust sanctions compliance programs do not provide complete inoculation from sanctions compliance risk, such programs dramatically reduce the likelihood of violations and resulting civil penalties.
OFAC Civil Penalties Against Exporters Lacking Compliance Programs
On June 23, OFAC announced a $107,691 settlement with HyperBranch Medical Technology, Inc. to resolve apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR) prohibition on the direct or indirect exportation of goods to Iran. According to the settlement announcement, HyperBranch exported about 4,000 units of various medical supplies to its United Arab Emirates-based distributor that it knew or had reason to know were ultimately destined for Iran. OFAC considered HyperBranch’s lack of a sanctions compliance program at the time of the apparent violations as an aggravating factor in the calculation of the civil penalty.
On July 5, OFAC announced a $7.6 million settlement with three separate Alcon companies to resolve apparent violations of the ITSR and the Sudanese Sanctions Regulations prohibitions on the exportation of goods to Iran and Sudan, respectively. The apparent violations involved direct shipments to Iran and Sudan. OFAC found Alcon’s lack of a compliance program to be an aggravating factor that increased the base penalty. OFAC specifically determined that “Alcon demonstrated reckless disregard for U.S. sanctions requirements by having virtually no sanctions program.”
OFAC Compliance Program Expectations
OFAC regulations do not mandate the existence or nature of sanctions compliance programs. The agency only evaluates a program after an apparent violation to determine both the type of administrative response and the amount of any civil penalty. In its Economic Sanctions Guidelines, OFAC directs businesses to assess their risk-based compliance program through consideration of a risk matrix taken from the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA) Anti-Money Laundering (AML) Examination Manual. This matrix references the five basic elements of a compliance program:
Identification of unique risk factors;
Implementation of internal controls to mitigate risk;
Independent testing and auditing to evaluate the program;
Designation of a qualified OFAC Officer; and
Effective and timely training.
In contradistinction with sanctions regulations, the BSA and its implementing regulations require financial institutions to establish and implement AML programs. Although the program requirements are specific to the type of financial institution and industry, the AML program requirements are generally similar to the OFAC compliance program expectations. Failure to satisfy these AML program requirements results in BSA violations separate from the related reporting and recordkeeping requirements.