On May 2, 2019, the Office of Foreign Assets Control (OFAC) released guidance strongly encouraging financial institutions to implement a risk-based sanctions compliance program (SCP).
While each SCP would vary depending on a variety of factors including the financial institution’s size, products and services and geographic locations, each program should include at least five essential components of compliance: management commitment, risk assessment, internal controls, testing and auditing and training.
Senior Management Commitment
OFAC considers senior management commitment critical to the success of an institution’s SCP. The definition of “senior management” differs by organization, but generally includes senior leadership, executives and the institution’s board of directors. OFAC measures senior management commitment by the following:
- Whether senior management has reviewed and approved the organization’s SCP
- If senior management ensures its compliance units are delegated sufficient authority and autonomy to enact its policies and procedures in a manner that effectively controls OFAC risk
- Whether senior management ensures the compliance unit receives adequate resources such as staffing (including the appointment of a dedicated OFAC sanctions compliance officer), expertise, information technology and other resources appropriate to the institution’s size and operations
- The ways senior management promotes a “culture of compliance” throughout the institution
- If senior management recognizes apparent OFAC violations or deficiencies as serious and implements measures to reduce the occurrence of apparent violations in the future. Such measures should address the root causes of past violations and represent systemic solutions whenever possible
Risk Assessment
OFAC considers the completion—and regular update—of a sanctions risk assessment to be a fundamental element of a sound SCP. The purpose of a sanctions risk assessment is to identify risks in order to implement appropriate policies and procedures. OFAC expects financial institutions to perform a risk assessment appropriate to the institution’s size and potential risk posed by its customers, products, services and geographic locations. In addition, the OFAC risk assessment should be updated to account for the root causes of any apparent violations or deficiencies identified during the routine course of business.
Internal Controls
An effective SCP should include policies and procedures that help identify, correct, report (as appropriate) and keep records pertaining to activity that may be prohibited by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance and reduce the risks identified by the institution’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified and corrected and internal and/or external audits and assessments of the program should be conducted on a periodic basis. In addition, an effective SCP should be capable of adjusting rapidly to changes published by OFAC, including updates to any OFAC sanction-related lists or the enactment of any new sanctions-related legislation, executive order or regulation.
Testing & Auditing
A comprehensive, independent and objective audit function within an SCP helps identify weaknesses and deficiencies so appropriate enhancements can be made to the program to remediate compliance gaps. Such enhancements might include updating, improving or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. The audit function should be accountable to senior management and independent of SCP activities and functions, whether it’s performed internally or by an external firm.
Training
OFAC considers an effective training program to be an integral component of a successful SCP. The training program should be provided to all appropriate employees on a periodic basis (and at a minimum, annually) and generally should provide job-specific knowledge based on need; communicate the sanctions compliance responsibilities for each employee; and hold employees accountable for sanctions compliance training through assessments. The training program should provide adequate OFAC information and instruction to employees appropriate to their duties. OFAC-related training should be appropriate for the products and services the institution offers, its customers and the geographic regions in which it operates.
What Does This Mean for My Institution?
OFAC regulations do not require a formal SCP. However, OFAC encourages institutions subject to U.S. jurisdiction—and particularly those that have any customers located outside of the U.S.—to adopt a formal SCP. For many regional and community financial institutions, though, a review and revision of the current OFAC compliance program to include appropriate language pertaining to sanctions compliance in the OFAC risk assessment, policy, audit function and training program, and the appointment of a sanctions compliance officer, may be all that is needed.