Kreller Hot Topic Report | OFAC on the Essential Elements of a Compliance Program

By Lauren Caryer, PhD

OFAC on the Rise
On May 2, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released “A Framework for OFAC Compliance Commitments,” a set of guidelines intended to instruct companies in the components of a successful sanctions compliance program (SCP). The compliance framework is being released just as OFAC has been accelerating its enforcement efforts.

Thus far in 2019, the Department of the Treasury’s civil penalties and enforcement database listed fourteen OFAC enforcement actions with total settlements approaching 1.3 billion dollars, a staggering uptick in activity compared with 2018’s seven enforcement actions totaling 71.5 million dollars and 2017’s sixteen enforcement actions totaling 119.5 million dollars. Both the newly released Framework and OFAC’s ramped-up application of civil penalties suggest that the Treasury Department expects businesses to seriously engage in the development, promulgation, and application of risk-based due diligence programs.

As The Wall Street Journal noted in a May 2, 2019 article, the OFAC Framework “signals the agency wants companies to have an active sanctions compliance program, rather than a written policy alone, as the U.S. sanctions program becomes more dynamic and complex.”

The Elements of Compliance
The Framework for OFAC Compliance Commitments outlines the “essential components” of a robust and effective sanctions compliance program (SCP). A successful SCP requires total buy-in from senior leadership within the company, thereby ensuring that the program is granted adequate authority, funding, and resources. The Framework promotes a risk-based approach to developing an SCP. Reportedly, “One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing ‘risk assessment’ for the purpose of identifying potential OFAC issues they are likely to encounter.” Such a risk assessment will take into account various factors including the organization’s clients, its products and services, its supply chain and intermediaries, and the locations of its operations, as well as high-risk interactions such as customer on-boarding and merger events.

Once an SCP is backed by management and developed with an eye to mitigating risk, the Framework recommends that a successful SCP should be formalized into a set of internal controls, policies, and procedures to both guide and document activities and transactions with potential relevance to OFAC and other regulatory agencies. These internal controls should be regularly tested and audited in order to identify weaknesses in the organization’s compliance protocol or its application; a robust SCP will be recalibrated and enhanced “to account for a changing risk assessment or sanctions environment.” Finally, relevant personnel within the company should receive training in the SCP’s substance and application on an annual basis. The Framework advises that a thorough compliance training program should “(i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.”

While companies are not required by OFAC to maintain a formal sanctions compliance program, the new guidelines strongly encourage companies with international engagements not only to develop written compliance protocols, but also to hard-bake a “culture of compliance” into their corporate operations. As seen in the case studies below, the extent to which a company makes a good-faith effort at compliance plays a role in OFAC’s assessment of penalties, should a violation come to light.

Risk Factors for Sanctions Violations: Three Case Studies
In addition to providing guidelines for an effective sanctions compliance program, the OFAC Framework also discusses several of the root causes associated with the violation of sanctions regulations. Specifically, the Framework cites (i) the lack of a formal SCP; (ii) failure to understand OFAC’s regulations; (iii) a decentralized or disorganized SCP chain of command; (iv) exporting to OFAC-sanctioned entities; (v) transactions conducted through foreign-based subsidiaries and affiliates; (vi) using US-based banks to process transactions made by OFAC-sanctioned entities; (vii) a reliance on non-standard payment practices; (viii) deficiencies in screening software; and (ix) deficiencies in due diligence regarding customers and clients, as common threads in many OFAC violations. Enforcement action reports for three recent OFAC settlements highlight the interplay of the various aspects of a well-crafted compliance program and illustrate several of the aforementioned risk factors.

In an April 11, 2019 enforcement action, the Office of Foreign Assets Control reported that it had reached a settlement of $227,500 with Acteon Group Ltd., its subsidiary, 2H Offshore Engineering Ltd., and several affiliate companies. According to the enforcement action, in November 2008 the Technical Director for 2H became aware of an oil well drilling opportunity in Cuba. When the Technical Director consulted the 2H Global Director about this opportunity, “The Global Director responded by forwarding an October 2007 memorandum from Acteon that specifically prohibited work or trade in Cuba… but with the added statement that he didn’t want to turn away work.” The Global Director “advised finding a way around Acteon’s prohibition on work involving Cuba” and, following the launch of the project, directed an employee to change all references to “Cuba” to references to “Central America” in the Technical Director’s expense reports. Later, the Technical Director similarly doctored the project’s letter of intent and apparently “proceeded with the project without seeking authorization from… Acteon.”

Although OFAC credited Acteon with having a policy regarding Cuba and for voluntarily disclosing the above violation, the breakdown in Acteon’s protocols and the mixed messages delivered by 2H’s Global Director suggested that Acteon’s SCP, such as it was, did not have the full support of the organization’s leadership. Further, as the enforcement action notes, the above apparent violation highlights the need for a risk-based approach to sanctions protocols. A more effective SCP would have performed “heightened due diligence; particularly with regard to affiliates, subsidiaries, or counter-parties known to transact with OFAC-sanctioned countries or persons, or that otherwise pose high risks due to their geographic location, customers, or suppliers, or products and services they offer.” An audit of Acteon’s existing protocols may have revealed that the employees of 2H and its subsidiaries were not fully aware of Acteon’s policies prohibiting engagement in Cuba and required further compliance training.

In an April 15, 2019 enforcement action, settled for $553,380,759, OFAC found that UniCredit Bank AG, a German financial institution, “processed 2,158 payments totaling $527,467,001 through financial institutions in the United States” in an apparently egregious violation of numerous OFAC sanctions programs. Notably, OFAC found that UniCredit processed payments for oil-related transactions in Iran and for the Islamic Republic of Iran Shipping Lines (IRISL), an entity included on the Specially Designated Nationals and Blocked Persons (SDN) List for activities surrounding the proliferation of weapons of mass destruction. The enforcement action noted that UniCredit appeared “to have acted with willful intent to circumvent U.S. economic sanctions laws” through the use of a procedural guide which directed bank personnel to structure U.S.-based payments in ways which obscured the involvement of sanctioned entities.

The UniCredit case exhibited several of the root causes of sanctions violations as described in the Framework for OFAC Compliance Commitments, including the use of US-based intermediary parties to process transactions made by OFAC-sanctioned entities and the use of non-transparent and non-standard banking practices. Most importantly, not only did UniCredit lack an effective sanctions compliance program, but the organization also enacted guidelines specifically designed to skirt OFAC’s regulations.

While the UniCredit and Acteon cases exhibited knowing and willful disregard of OFAC guidelines on the parts of several executives, a third recent case demonstrates that ignorance of OFAC sanctions and the lack of a formal sanctions compliance program (SCP) can also cause a company to run afoul of OFAC regulations. As reported in an April 25, 2019 enforcement action, Haverly Systems, Inc., a small New Jersey-based software company, settled with the Office of Foreign Assets Control for $75,375 for two apparent violations of Ukraine Related Sanctions Regulations, following an illicit transaction with JSC Rosneft, a company listed on OFAC’s Sectoral Sanctions Identification List (SSI). Reportedly, in August 2015, Haverly issued two invoices to Rosneft for the purchase of software support services. OFAC stipulations regarding Rosneft required the payment of such invoices to be made within 90 days; however, due to a reported lack of additional documentation, Rosneft did not pay the first invoice until approximately 9 months after it was issued. When Rosneft attempted to remit the second invoice, financial institutions refused the payment, citing the OFAC regulations.

Haverly was reportedly made aware of the banks’ refusals; however, as the enforcement action noted, “at the time of the payment attempts Haverly did not have a sanctions compliance program and did not recognize that delayed collection of payment was prohibited.” Further, the company did not contact OFAC for guidance. Haverly was ultimately able to receive payment from Rosneft only by reissuing the invoice with a new date, following “the suggestion of Rosneft.”

In assessing the violation, OFAC noted that had Haverly consulted with the agency, OFAC would likely have authorized the requested payments from Rosneft. However, the company’s complete lack of awareness regarding its conduct and its “reckless disregard” for the warnings it received from the financial institutions were viewed by OFAC as “aggravating factors.” Haverly’s lack of understanding of OFAC regulations and its failure to develop a sanctions compliance program resulted in an enforcement action, despite the company’s small size and the relatively minor nature of its transgressions.

As the Acteon, UniCredit, and Haverly cases show, OFAC appears to be utilizing both its rubric for constructing an effective SCP and its analysis of the root causes of violations in assessing the aggravating and mitigating factors in compliance violations. Companies engaging in international business would be well-served to keep the OFAC Framework in mind when developing compliance protocols, particularly during what is shaping up to be an aggressive period of enforcement.
