OFAC Framework for Compliance Controls

The Office of Foreign Asset Control (OFAC) has for the first time issued guidelines on what it believes constitutes a robust compliance program covering economic and trade sanctions. This guidance entitled A Framework for OFAC Compliance Commitments outlines the type of program that should be implemented and what it should contain. The core themes are:

• Management Commitment to promote a culture of compliance and ensure that the organisations compliance unit is funded and autonomous
• Risk Assessments on the areas that an organisation is likely to encounter potential OFAC issues, for example, customers, locations, commercial products and customer networks
• Internal Controls that allow an organisations compliance program to be flexible in accordance with sudden changes to OFAC watch-lists and sanctioned licenses
• Auditing to constantly identify and target areas of weakness. Ensure that these areas can be plugged effectively and efficiently
• Training for all employees and personnel on a periodic basis

Any subsequent investigation by OFAC into a possible monetary fine being raised against an organisation will consider the elements of this framework and what the bank or financial institution under investigation has implemented.

There is a similarity in OFAC's advisory with the New York Department of Financial Services (DFS) Part 504 ruling in 2017 which also provided clarification on the screening of entities and individual's as part of an anti-money laundering policy. The DFS ruling was in part designed to address the threats of money laundering by ensuring that banks and financial institutions had sufficient tools and technology in place to better capture instances of financial crime.

Both OFAC and DFS appear to have similar expectations regarding management accountability, robust testing processes and the adequate training of staff in compliance matters.

But why have these actions come into being now and what are the potential motives for OFAC in raising its compliance commitment framework?

Over the last seven years OFAC has issued a total of 110 penalty notices totaling over $3.5 billion in monetary terms. In 2019 alone (as of May) the number of settlements concluded by OFAC stands at 14 with the total financial penalties hitting $1.2 billion.

One of the clear reasons for OFAC's attention in this area can be found from looking at a random year, such as 2015, where we can ascertain from the OFAC notices that out of 15 settlements, seven of these were issued due to no compliance program in place or an inadequate program. A similar story is also uncovered when looking at 2014 when nine out of 22 settlements issued by OFAC again lacked or had an inadequate compliance policy.

One example in 2014 comes from a North American bank that failed to review or screen bills of lading, certificates of origin and shipment advice which contained references to Iran and the Iranian Shipping Lines company. Whilst OFAC ruled it as a non-egregious case, it noted that the transaction could have been prevented as 'the documents were in the banks possession… (but the) interdiction software did not identify references to the sanctioned parties'.

Instances such as this and the continuous uncovering of export compliance breaches by organisations with no compliance program must be frustrating for regulators.

It is in this context that OFAC have specifically mentioned the root causes of previous settlements and penalties. Whilst the lack of a sanctions compliance policy is top of the list, there is also another interesting category which has been called out; 'Sanctions Screening Software or Filter Faults'.

Within this category OFAC specify instances when new additions to the Specially Designated Nationals list (SDN) and the Sectoral Sanctions Identification list (SSI) have not been updated by banks or financial institutions. Furthermore, a lack of alternative spellings for sanctioned locations such as Habana/Havana are also missing from many organisations compliance policies.

This last example is a potentially worrying sign as it suggests a weakness with current vendor products which banks and other organisations are using today. One of the most important things organisations can do is to stress-test and review their current procedures and policies for managing trade-based compliance. Weak areas such as alternative spellings of individuals and locations are easy to remedy but those items in the most recent OFAC penalty notices such as networked commercial partners associated with Iranian Shipping Lines or monitoring the destination of discharged goods require special vendor partnerships.

Banks need to work with the best content providers available in order to be proactively managing and identifying compliance risk. Shipping practices, document management and commodity end-usage are all key weapons in a compliance arsenal and are all areas in 2019 that OFAC has highlighted in their penalty notices.

The new compliance framework issued by OFAC heightens the stakes and it is important for organisations to follow through on these commitments.

Posted by Byron McKinney, Associate Director Maritime & Trade Product Management, IHS Markit