On May 2, 2019, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) released guidance on effective sanctions compliance programs. While this is the first document of this kind from OFAC, similar guidance documents by the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have been on the books for years.  In fact, OFAC published its compliance framework just two days after the DOJ updated its earlier guidance on evaluating a company’s compliance program.  The DOJ guidance is more comprehensive than OFAC’s, and there is much overlap between the two.  This begs the question – what is the real significance of OFAC’s announcement?

OFAC’s Framework for Compliance Commitments

In releasing the guidelines, OFAC recognized that, when it comes to compliance programs, no size fits all.  Different approaches to compliance may be appropriate for companies depending on their “size and sophistication, products and services, customers and counterparties, and geographic locations.”  However, any compliance program should contain “at least five essential components of compliance.”  From OFAC’s perspective, they are:

1. commitment from management,

2. risk assessment,

3. internal controls,

4. testing and auditing, and

5. training.

OFAC’s Five Components Are Nothing New

The five components of an effective compliance program OFAC set forth in its guidance are nothing new to compliance practitioners.  For example, the US enforcement authorities have long made clear that management commitment to compliance and ethical corporate behavior is critical to any compliance program’s success.  The SEC emphasized this as early as 15 years ago, and the DOJ did too in 2012. The same is true for risk assessment, internal controls, testing/auditing, and training.  These four components display prominently in the earlier DOJ’s and SEC’s guidance documents.

Indeed, the DOJ’s and SEC’s compliance guidance offers companies additional considerations to take into account, which are not central to OFAC’s guidance.  These include: (1) authority, autonomy, and resources of compliance officers; (2) incentives for compliance and disciplinary measures against violators; and (3) confidential reporting and investigations of potential violations.  The DOJ also places emphasis on clear and easily accessible compliance policies and comprehensive procedures and pre-acquisition due diligence and post-acquisition integration.  OFAC folds these considerations into management commitment, risk assessment, and internal controls.

Why OFAC’s Guidance Is Still Helpful

OFAC’s guidance does not introduce any new concepts from the compliance perspective as such.  But it is still a helpful tool for companies for at least three reasons.  First, the guidance is the first of comprehensive guidance from OFAC on the subject of compliance.  If in the past compliance practitioners had to distill OFAC’s view on compliance from past OFAC settlements and public statements, they now have a roadmap to use.  This should make compliance easier.

Second, OFAC’s guidance makes OFAC’s evaluation of a potential penalty for sanctions violations much more transparent, at least when it comes to compliance.  The Economic Sanctions Guidelines list compliance programs as a factor for OFAC to consider, but they only refer to “the existence, nature and adequacy” of the program in very general terms. (See General Factors E (Compliance Program) and F (Remedial Response).)  OFAC’s May 2 guidance expressly provides that OFAC “will determine which of the [five] or other elements should be incorporated into the [compliance program] as part of any accompanying settlement agreement.” It also states that OFAC “will consider favorably [companies] that had effective [compliance programs] at the time of an apparent violation.”  The clarification that OFAC will rely on the May 2 guidance in penalty considerations should help guide any settlement discussions and a company’s remedial measures.

Third, OFAC’s May guidance highlights, once again, the weight the regulators and enforcement authorities place on a company’s compliance function.  As OFAC’s Director Andrea M. Gacki noted in unveiling the guidance, it “underlines [OFAC’s] commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.” Additional government’s emphasis on compliance is never a bad thing.  It may encourage companies to revisit their compliance programs and make an effort to make them stronger.

Conclusion

OFAC developed and released the compliance guidance in an “effort to strengthen sanctions compliance practices across the board.” By the express language of the May 2 guidance, it is aimed not only at U.S. companies, but “foreign entities that conduct business in or with the United States.” As one of the “root causes” of sanctions violations, OFAC’s guidance identifies a foreign company’s failure to recognize that it too may be subject to U.S. sanctions laws.  U.S. and foreign companies alike should take notice.