The past year has witnessed a massive increase in sanctions-related enforcement activity and has indeed caused a stir in the global sanctions landscape. Under the new administration, the US re-imposed all nuclear-related sanctions on Iran, culminating in the largest ever single set of sanctions designations to date.
With the heightened global regulatory environment and the aggressive stance of enforcement agencies, it has been made rather clear that sanctions laws can no longer be ignored. Moreover, in an attempt to bring clarity to compliance expectations of the sanctions regime in the US, on May 02, 2019, the Office of Foreign Assets Control (OFAC) published the Framework for OFAC Compliance Commitments (Framework). The Framework sets out OFAC’s key considerations for evaluating the efficacy of a sanctions compliance programme (SCP) and in turn determining whether mitigation of civil monetary penalties ought to be granted.
While these legislative and administrative changes have obvious implications for US persons and entities, it has indeed become extremely relevant for non-US entities to carefully evaluate and understand how these changes impact them. In fact, in several cases, compliance failures resulting in sanctions violations have occurred due to organisations having failed to appreciate or consider the fact that OFAC may apply to them. The Framework lays down that all foreign entities that conduct business in or with the US or US persons, or that utilise the US financial system or US-origin goods or services, should develop and implement an SCP in line with the requirements set out therein.
This is to say that the Framework would, presumably, apply even to Indian entities that have a direct or indirect US nexus. However, it is pertinent to note that non-US entities having no obvious connection to the US may also become subject to secondary sanctions in certain cases. It is, hence, important for companies to keep in mind the broad jurisdictional basis assumed by the OFAC while assessing its applicability.
In the following paragraphs, we aim to outline the factors considered by OFAC while evaluating an SCP. These key pointers shall serve as a ready reckoner for all companies that are in the process of developing their SCP so as to adequately safeguard their business interests.
Essential Components of an Effective SCP
- Tone at the top – While there is no ‘one size fits all’ approach towards developing an SCP and each entity would need to develop its own unique compliance framework depending on various factors such as size of organisation, scale, complexity of operations etc., one of the foremost requirements of an effective SCP is establishing a strong tone at the top and a strong compliance culture. Towards this end, senior management of the company should take steps to ensure allocation of adequate resources towards compliance functions, delegation of adequate power and autonomy, appointment of a dedicated sanctions compliance officer, etc. It is relevant to note that, in appropriate cases, OFAC may consider enforcement activity not only against the entity but also against individuals occupying managerial or executive roles. It is hence extremely important for the management of the company to make sincere efforts towards establishing a strong tone at the top and maintaining oversight.
- Risk-based approach – Companies must adopt a risk-based approach while designing and updating their SCP. Risk assessment procedures must be tailored to identify potential areas where the company may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. Conducting periodic risk assessments to identify and accordingly address potential compliance issues, risks and red flags is in fact a fundamental pre-condition to developing an effective SCP. Furthermore, conducting proper risk assessments becomes all the more relevant in cases involving M&A transactions. It is indeed necessary to integrate compliance functions into the restructuring process to ensure that sanctions-related issues are identified, escalated and sufficiently addressed prior to the conclusion of the transaction.
- Internal controls – Pursuant to conducting holistic risk assessment procedures aimed at identifying potential compliance issues and risks, it is important to ensure that appropriate internal controls are designed to specifically and adequately address the said risks. Internal controls, including policies and procedures to identify, interdict, escalate, report, and keep records of actual and suspected violations form the very foundation of an effective SCP.
- Centralised compliance function – Having a decentralised compliance function, with personnel and decision makers scattered in various business units and offices, may result in a number of difficulties including improper interpretation and implementation, lack of escalation process, ineffective oversight or miscommunications regarding the company’s SCP. It is hence important to devote sufficient resources towards developing an autonomous and centralised SCP.
- Testing and audit function – Periodic, comprehensive and independent testing and auditing is crucial in assessing the effectiveness and success of a company’s SCP. Regular audits must be conducted to adequately identify the existing weaknesses and deficiencies in the programme and, in turn, allow for updates to, and enhancement of, the company’s SCP.
- Training – Finally, an effective training programme, tailored to an entity’s risk profile, is an integral component of a successful SCP. Training programmes aiming to effectively communicate expectations and responsibilities under the SCP must be provided periodically to all relevant employees and stakeholders (for example, clients, suppliers, business partners and counterparties). Such training should be further tailored to high-risk employees within the organisation.