A financial institution’s sanctions compliance program (SCP) should be risk-based and tailored to the institution. Each institution's SCP will vary with its size and complexity, products and services, customers and counterparties, and geographic footprint. In the guidelines, OFAC identifies five essential components of sanctions compliance, which closely resemble the BSA program requirements that financial institutions have been implementing for years.
1. Management commitment
As with any compliance program, one of the most important aspects of a strong SCP is a “culture of compliance” that runs from the top, through middle management, to the front line. Unusually for regulatory guidance, the guidelines define senior management explicitly as senior leadership, executives, and/or the board of directors. In addition to promoting a culture of compliance, senior management is expected to:
- Review and approve the institution’s sanctions compliance program
- Deploy policies and procedures with direct reporting lines between the SCP function and senior management to include periodic meetings between the two groups
- Allocate adequate resources (human capital, expertise, information technology, and other resources), including a dedicated OFAC sanctions compliance officer with appropriate experience, qualifications, and position within the organization
- Ensure that employees can report sanctions misconduct without fear of reprisal, and that the SCP function has oversight of actions concerning OFAC sanctions
- Recognize sanctions compliance deficiencies and implement measures that reduce future violations by addressing root causes and applying systemic solutions
2. Risk assessment
OFAC recommends that financial institutions take a risk-based approach to sanctions compliance. To identify potential sanctions risks, institutions should conduct a routine and ongoing sanctions risk assessment. While there is no one-size-fits-all approach, the guidance states that a holistic, top-to-bottom review is necessary to identify where to direct limited resources to mitigate those risks. The guidance outlines expectations for a sanctions risk assessment, including:
- A frequency that adequately accounts for the potential risks posed by customers, products, services, supply chain, intermediaries, counterparties, transactions, and geographic locations
- Updates that account for the root causes or systemic deficiencies behind any sanctions violations
- Due diligence at key points such as customer onboarding and mergers and acquisitions
3. Internal controls
The guidance is clear that an effective sanctions compliance program should include internal controls. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the institution’s risk assessments. General aspects of internal controls should include:
- Policies and procedures outlining the SCP, which should be enforced
- Controls that adequately address the OFAC risk assessment
- Recordkeeping that satisfies OFAC's requirements
- Remediation of root causes of weaknesses identified
- Clear communication of SCP policies and procedures to all relevant staff
- Personnel who integrate the SCP’s policies and procedures into daily operations
4. Testing and auditing
A comprehensive, independent, and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies. It is then the organization’s responsibility to use those findings to enhance its program, including all program-related software, systems, and other technology. The SCP should include:
- Controls to ensure the testing or audit function is accountable to senior management and independent of the functions it reviews
- Testing or audit procedures appropriate to the risk-based SCP
- Controls around identified weaknesses until the root cause can be determined and remediated
5. Training
The training program should be provided to all appropriate employees and personnel on a periodic basis, at a minimum annually. Effective SCP training should be:
- Job-specific and tailored to each group of stakeholders
- Applicable for the products and services offered, customers and geographic regions
- Conducted at a frequency based on the institution’s OFAC risk assessment
- Enhanced and re-delivered to the relevant personnel when a deficiency is confirmed
- Supported by easily accessible resources and materials
Within the guidance, OFAC further points out several common root causes of SCP deficiencies. Being proactive and thorough with your SCP will help ensure your institution does not fall victim to weaknesses it has not yet identified. Common root causes include:
- Lack of a formal OFAC SCP
- Misinterpretation or failure to understand OFAC regulations
- Facilitating transactions by non-U.S. persons
- Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC sanctioned persons or countries
- Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries
- Sanctions screening software or filter faults
- Improper due diligence on customers
- De-centralized compliance functions and inconsistent application of an SCP
- Utilizing non-standard payment or commercial practices
- Individual liability, where persons in supervisory, managerial, or executive-level positions cause or facilitate violations