OFAC’s Compliance Framework: A Fine Foundation?

Published on Jul 15, 2019

In May, the US Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments” (“Framework document”). This document consists of two separable parts, the first of which lays out five “essential components of compliance” that OFAC believes should form the basis for a sanctions compliance program (SCP) that will withstand regulatory scrutiny.

It is instructive to consider each of these five components through a number of different lenses: what is interesting or novel in what is being described, what is notable in what is not included, and any differences between OFAC’s Framework document and the sanctions screening guidance issued by the Wolfsberg Group, which is the only other publicly available guidance document of a similar nature.

Why is this novel?

Before we consider the individual sections, it is instructive to understand why this is the first time we’ve seen a national regulator issue guidelines such as these. After all, a fairly standardized structure of anti-money laundering (AML) programs has been disseminated and integrated into national legal and regulatory systems since the Financial Action Task Force published its first set of recommendations more than a quarter century ago. What took a sanctions-focused document, even one as modest as the Framework document, so long to be developed?

Simply put, the rationale behind AML compliance is very different from that of sanctions. Money laundering can not only affect the ability of legitimate businesses to remain going concerns, but can also cause more wide-ranging macroeconomic consequences. Widespread toleration of money laundering can distort the response of entire industries to the ups and downs of economic conditions, and it can limit the government’s ability to steer the national economy in response to those fluctuations. What’s more, a lax AML regulatory regime encourages the commission of predicate crimes, since the proceeds can be laundered largely without consequence. For these reasons, countries that do not manage their national money laundering risks become less attractive destinations for international trade and investment. It is therefore generally in the national interest to tamp down money laundering with a robust, proven, standardized set of legislative and regulatory remedies.

On the other hand, economic sanctions are imposed as a function of a country’s security and/or foreign policy. From the point of view of security policy, while there may be societal consequences (e.g. becoming a safe haven for narcotics traffickers or terrorists) for failing to have a regulatory regime in place for sanctions, there are few, if any, economic ones that cannot be addressed through AML regulations. And few countries use sanctions as a tool of foreign policy. Given that, it is not surprising that the US, as the most prominent user of sanctions restrictions to achieve foreign policy goals (and the most aggressive enforcer of its regulatory requirements), was the first to publish such a document. If anything, one might wonder what took it so long to do so.

Management commitment

The first element delineated in the Framework document follows a theme common to financial crime conferences: “tone at the top” and “culture of compliance” (which is mentioned explicitly in the document). “Tone at the top,” which demonstrates the commitment of senior management to proper creation, maintenance and operation of the compliance function, is described as including four of the five listed elements:

  • Understanding and approval of the firm’s SCP
  • Understanding the serious nature of sanctions violations that occur, and of failures in the SCP’s design, implementation or operation, and taking the necessary steps to reduce the likelihood of further violations and/or SCP inadequacies
  • Empowering Compliance with both the authority and autonomy to accomplish its mission properly
  • Providing appropriate resources for Compliance to implement an SCP appropriate for the firm, and making sure that the resourcing remains adequate as the nature of the business and its risks change

The last element, promoting a culture of compliance, is also really a way to demonstrate tone at the top. OFAC suggests that the following might demonstrate the commitment to a culture of compliance:

  • Enabling whistleblowers to report misconduct without fear of retaliation
  • Discouraging behaviors that violate sanctions, both through corporate messaging that highlights the repercussions of such conduct, and through the use of dissuasive measures when unacceptable conduct occurs
  • Giving Compliance oversight over the entire firm, including senior management, for sanctions-related issues

In a similar fashion, OFAC proposes a number of measures that can demonstrate commitment to the goal of proper resourcing. These lists of general yardsticks, while not overly prescriptive, provide an easy way to measure the level of similarity between OFAC’s sense of appropriate SCP elements and the nature of one’s actual SCP. While it is challenging, at best, to define a set of measures that should apply to firms of various sizes, from a wide range of industries, with varying mixes of offered products and risk profiles, OFAC’s expectations will likely be brought into sharper relief over time. While the Framework document may be amended, or supplemented, by more detailed sections, it is more likely that better definitions of the regulatory expectations for SCPs will appear as part of future enforcement actions.

The Management Commitment section of the Framework document is notably absent from the Wolfsberg guidance document. It is not surprising, however, given Wolfsberg’s narrow focus on sanctions screening systems effectiveness.

Risk assessment

OFAC now recommends that sanctions compliance programs be designed using a risk-based approach, much like AML programs are. As with AML, SCP design is driven by the performance of a holistic risk assessment of the business. The Framework document suggests that the axes of risk assessments are a firm’s counterparties, products and services, and geographies, which mirrors elements present in AML risk assessments (the “delivery channel” component being curiously omitted). Picking up on themes from enforcement actions taken by OFAC over the years, these elements specifically emphasize assessing the risks of companies in a firm’s supply chain (e.g. the 2019 settlement with e.l.f. Cosmetics), of intermediaries such as distributors, and of the geographies in which those parties conduct their businesses. Notably, the Framework document, harking back to the trio of 2019 enforcement actions involving foreign subsidiaries that chose to continue sanctioned activities despite direction from the parent firm (Stanley Black & Decker, Kollmorgen Corporation, and AppliChem GmbH), highlights the importance of conducting proper risk assessment and due diligence during corporate merger and acquisition activities.

It is also important to appreciate that risk assessments are living documents, and are not the products of a single point-in-time exercise. The Framework document reinforces that by referring to the frequency of the evaluations, as well as specifically noting that the risk assessment should be updated in response to the discovery of program deficiencies, whether or not they result in sanctions violations or enforcement actions.

One point that may be overlooked is OFAC’s suggestion that organizations should include existing information, including that supplied by the customer, in assessing the risk of a customer relationship or of a particular transaction. Some notable cases of a failure to leverage available information are Expedia’s recent failures to use a customer’s provided passport to properly identify them as an SDN, and Wells Fargo’s 2013 settlement resulting from not using the date-of-birth stored in its customer database to verify that two of its accountholders were sanctioned drug traffickers.

Internal controls

OFAC’s interpretation of “internal controls” goes beyond the notion of “policies and procedures” common to AML programs. The purpose of these controls, which include written policies and procedures but may also leverage technology solutions, is to “clearly and effectively identify, interdict, escalate and report” potential violations of OFAC regulations. However, while much of one’s SCP is risk-based, this section of the Framework document does specifically speak to meeting requirements for recordkeeping, which implies a more prescriptive approach in this area.

The controls are calibrated to address the needs identified in the risk assessment. When it comes to technical elements of the control regime, OFAC also expects organizations to gauge the effectiveness of the selected and configured solutions by testing them on a regular basis.

As with the risk assessment, the controls are expected to be adjusted in response to the identification of a weakness in the control regime. OFAC specifically highlights the importance of trying to compensate for failings on a short-term, tactical basis while the root causes of the weaknesses, and the corresponding long-term adjustments to the controls, are being evaluated.

One of the strengths of the Framework document is how all the components interleave with each other. For example, in this section, the management commitment described elsewhere is evidenced by having appropriate personnel to integrate policies and procedures into the firm’s operations, and communicate them to all impacted staff and any external parties.

The Wolfsberg guidance does not tie the elements together as holistically as the Framework document does, owing to the very different goal of that document. On the other hand, in its area of focus, it provides a significantly more detailed view of how one might assemble effective sanctions screening systems as part of one’s internal controls. Perhaps the Framework document could be enhanced with a similar focus on what constitutes effective policies and procedures, as well as content similar to that in the Wolfsberg guidance.

Testing and auditing (and training)

According to the Framework document, testing and auditing ties together themes from the other sections. These functions drive adjustments to internal controls (including the short-term, tactical compensating controls identified in the previous section); they are accountable to senior management while being properly resourced, skilled and empowered; and they are performed in a manner appropriate to the risk assessment’s conclusions.

Similar relationships exist between the training component of an SCP and the others. The scope and frequency of training is tuned to the factors that drove the risk assessment, while training resources are developed with the proper level of detail, including specialized training for those in high-risk areas and made available to all staff who require them. And part of the response to identified program deficiencies is to provide additional targeted training to the relevant staff.

While not as extensive as the other three sections, the testing and auditing, and training components get significantly more detail here than in the Wolfsberg guidance. Although some of this can be ascribed to Wolfsberg’s lack of content surrounding management commitment, it is still curious that Wolfsberg does not cover training in its guidance, even for the software tools being selected, configured and implemented under its framework.

Being framed: a good thing?

The This Old House website states: “A frame is the skeleton of a house. If the frame is strong, it provides the necessary support for everything that follows. But if it’s weak, no amount of expensive finishes will hide the flaws…”

OFAC has designed a solid framework. Rather than a series of unrelated structural elements, OFAC’s prescriptions for a sanctions compliance program that will withstand regulatory scrutiny are designed so that they support each other’s functions. This can be seen in how the sections on internal controls, testing and auditing, and training all reference the risk-based approach of the risk assessment component, and the importance of the management commitment as the “foundation” of the SCP pops up in all four of the other component sections. 

If one follows OFAC’s lead, even when the big, bad sanctions target huffs and puffs at the edges of one’s business, one’s firm is much less likely to suffer the same fate as others who build their SCP out of lesser components that are more easily blown down. While one might wish for more detailed blueprints to guide one in certain areas, such as how to conduct a risk assessment, or design effective internal controls, the document still provides the basis for how to proceed building a solid risk-based sanctions compliance program that will withstand attempts at evasion, and regulatory scrutiny.

Eric A. Sohn, CAMS, global market strategist and product director, Dow Jones Risk & Compliance, New York, NY, USA, eric.sohn@dowjones.com
